Vietnam’s Law on Cybersecurity: Bad on Cybersecurity, Bad for Vietnam

When drafting a cybersecurity law, the objective is to reduce the risk of cyber threats to critical services – such as finance, energy, and health care – in an increasingly digitized world. If written effectively, the law would facilitate a robust cybersecurity ecosystem and avoid provisions that impose a burden without bringing a benefit. Such troublesome provisions not only dissuade trade and investment, they have an adverse effect on cybersecurity.

The U.S. Chamber has repeatedly shared this message with Vietnam’s leaders over the past 18 months, as they have developed the Law on Cybersecurity.

As currently written, however, Vietnam’s law is extremely problematic. As a result, it will discourage investment, violate Vietnam’s trade commitments, and put the country’s impressive economic growth at risk. Most astoundingly, given the purpose of the law, it will lead to lower levels of cybersecurity in Vietnam.

The law passed by Vietnam’s National Assembly earlier this year, and the subsequent draft Implementing Decree will force companies to:

• Localize large amounts of data in Vietnam;
• Establish physical offices in-country;
• Conduct onerous ex-ante audits of hardware and software; and
• Monitor the online activity of consumers and turn over to the Ministry of Public Security – which coincidently is drafting the law – any evidence of illegal activities, including criticizing the government or offending a person’s dignity.

Concern with the law is so significant that 61% of companies surveyed by the U.S. Chamber said they would be less likely to invest in Vietnam due to the law. While 89% said the law would make Vietnam’s digital economy less competitive.

So, why exactly are businesses concerned about the new law?

Costly and counter-productive localization requirements

In addition to imposing major costs on companies, data localization undermines cybersecurity by narrowing the range of storage providers that companies can use. When companies identify data storage providers, a top criterion is, “How secure will they keep our data?” If companies are forced to choose from a smaller pool of service providers – in this case, only those with servers in Vietnam – they may be forced to compromise on cybersecurity. In doing so, the law would put commercial and consumer data at greater risk of a breach, which runs counter to its stated purpose.

Violation of trade commitments

In imposing data localization and local presence requirements, the law risks violating Vietnam’s trade commitments under the World Trade Organization General Agreement on Trade in Services (GATS), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), and the European Union-Vietnam Free Trade Agreement (EVFTA). This will likely lead to legal cases being brought against Vietnam in the WTO and CPTPP – whether now or five years from now – and the potential for the EVFTA to be voted down in the European Parliament.

Fails to leverage international standards and best practices

In both the law and the implementing decree, Vietnam fails to utilize international standards and best practices for cybersecurity that have proven to be effective. On a national level, this means that Vietnam is starting from scratch, failing to build upon lessons already learned by the international community. On an international level, this contributes to the regulatory fragmentation of cybersecurity, creating blind spots that inhibit companies’ ability to respond to cyber attacks effectively.

Doesn’t account for risk

The onerous ex-ante audit requirements are an ineffective method for identifying vulnerabilities or exploits. Threats may not be known or identifiable when hardware or software is initially deployed; moreover, not all vulnerabilities pose a significant risk. The best cybersecurity solutions are risk-based and ensure that companies have a strategy to identify, protect, detect, respond, and recover from a cyber attack.

In the past few months alone, the U.S. Chamber has met with both the U.S. and Vietnamese embassies, with numerous U.S. and foreign government officials, with two Vietnamese deputy prime ministers, and with the Prime Minister of Vietnam Nguyen Xuan Phuc to discuss the law. The cybersecurity law was also a focus of the annual U.S.-Vietnam Business Summit, which was held by the U.S. Chamber and AmCham Vietnam in Hanoi on September 10.

The U.S. Chamber will continue its efforts to engage with Vietnam’s leaders and avert this looming crisis. The stated objective of finalizing the implementing decree by January 1, 2019, would indicate Vietnam’s misplaced priority of speed over quality. For all of the law’s faults, Vietnam has the ability to eliminate or reduce its most harmful effects through a well-crafted decree. But whether it will do so remains to be seen.

A well-written and effective implementing decree would benefit the worldwide cybersecurity environment and help Vietnam realize its economic growth and development objectives. The Ministry of Public Security should better engage the expertise of stakeholders across the Vietnamese government and the international community writ-large to align with proven cybersecurity best practices, promote trade and investment, honor its trade commitments, and ultimately reduce the risk posed by cyber threats.