New Cyber Security Laws put Compliance and Policy in the Spotlight

China’s cyber security law released in 2017, with a substantial implementing phase of one year, marks a significant overhaul of IT network regulations, surveillance and compliance rules for citizens and businesses in China. The overhaul comes on the heels of a significant push by the Chinese government and leadership to take more control over content and traffic on the Internet. Policy makers and security officials have recognized the importance of the Internet for Chinese citizens, businesses and the government itself.

Xi Jinping has made “Informatization” (the official name for the transformation of social relationships, manufacturing and governance through the use of the Internet) a top priority for the government and executive offices.

The most significant piece of legislation by far in this overhaul is the Cybersecurity Law of 2017, a broadly framed piece of legislation touching topics such as data protection, critical infrastructure network defense and the policing of online behavior.

A central piece of legislation

Released in June 2017, the cybersecurity law establishes general compliance rules for businesses that operate networks and for critical infrastructure companies. These compliance rules prescribe a tough framework for cybersecurity controls and technological standards, with a preference for national solutions for anyone running a network in China. In principle, these rules apply to private individuals and businesses operating in the country. Even more stringent regulations are aimed at critical infrastructure operators, which have to take additional measures to secure their networks and have to undergo controversial national security reviews of the hardware and technology they use [1].

Additionally, new regulations on the handling of personal data of Chinese citizens are introduced, which require personal data to be stored physically in China and require metadata and connection records to be retained for criminal investigation purposes. Finally, other rules are aimed at Internet and network usage in general and specify the extent to which individuals have rights and duties on the Internet.

“… there was a wave of speculation and negative perception about the Cybersecurity Law.”

Even before the law was officially released in written form, there was a wave of speculation and negative perception about the Cybersecurity Law. Some observers feared that the Chinese authorities would gain unprecedented access to source code and hardware through the national security reviews; others were skeptical about the enforced data sharing with law enforcement authorities and compliance organizations. When the law was released, critics raised the issue of its broad and loosely defined language. Critical infrastructure providers, for instance, have to fulfill a large range of different obligations, but the term itself is only vaguely defined in the law. According to experts, in some instances critical infrastructure providers could range from food delivery services to financial service firms [2].

The Cybersecurity Law relies on responsible and competent government authorities to define the broad and vague rules and apply them in practice. This gives local offices considerable room for maneuver in some areas, such as designing their own rules and standards when performing national security reviews, especially of foreign technology. These implementing standards and regulations have become the main focus of interest for most companies, as they define more precisely which entities are affected and which obligations must be fulfilled.

Implementing regulations are the key to understanding the direction of government reforms

The overhaul of existing legislation continues by means of new regulations released by the Ministry of Industry and Internet Technology (MIIT) as well as by the standard-setting and testing authorities and government agencies. One central regulation was released in January 2018 and establishes a large-scale database for threat information sharing. Telecommunications providers and other technology companies are required to send their information about attacks, malicious code and domains to a central repository maintained by the China-CERT under the auspices of the MIIT [3].

Other implementing regulations were released alongside the Cybersecurity Law or are being released in the coming months, especially in early 2018. While most of them cover very specific industries or details of personal data protection, the main line of government reforms and policies becomes apparent.

There is a concentrated push for more, and more centralized, information exchange on cybersecurity issues. The Chinese government wants to gather as much data on malicious activity as possible and enlists businesses to provide this data on a large scale.

“… the national security reviews are an opportunity for the Ministry for State Security to siphon off important data …”

According to research conducted by the Insikt Group, the national security reviews (specified further in accompanying implementing regulations) are an opportunity for the Ministry of State Security (MSS) to siphon off important data on source code and network product security measures. A company that has been identified as a front for parts of the MSS cyber operations has been authorized to conduct these national security reviews. This opens up the possibility of proprietary information being handed to state-sponsored hackers [4].

Know it all

The new push to exert greater control over China’s information space could have significant detrimental effects on foreign companies operating in China or with partners in the country. This push gives more power and influence to China’s public authorities, while remaining sufficiently broad to be interpreted flexibly by those authorities as circumstances dictate. Companies in China have to take steps to comply with the new regulations wherever possible and to determine the scope of their exposure. Legal departments as well as IT administration must mitigate the risks that this combination of factors might pose to proprietary data and internal communication. Regulatory moves in the coming months should be taken seriously: Chinese authorities have permitted a grace period for implementation but have already begun enforcement on certain aspects of the law, mainly with regard to formulating security management systems, the storage of visitor data, the storage of network incident records, and published website content.

Centralized threat databases, required sharing and security reviews create a tightly controlled framework for the Internet activity of citizens and businesses. At the same time, the state authorities are able to push national technology through newly established standards and rules. China is again changing the way the Internet and Internet governance work by enforcing the new laws with the help of the network operators themselves.

Who we are

The Threat Intelligence Team helps clients to reduce the threat posed by adversaries to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels, from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.

[1] Paul Triolo, Samm Sacks, Graham Webster and Rogier Creemers. China’s Cybersecurity Law One Year On: An Evolving and Interlocking Framework. New America. January 19, 2018.

[2] Jack Wagner. China’s Cybersecurity Law: What You Need to Know. June 1, 2017.

[3] Chris Bing. China’s new law calls on private industry to hand over valuable cyberthreat data. Cyberscoop. January 2, 2018. Translation: Public Internet Cybersecurity Threat Monitoring and Mitigation Measures.

[4] Insikt Group. China’s Cybersecurity Law Gives the Ministry of State Security Unprecedented New Powers Over Foreign Technology. August 31, 2017.