It all started with Edward Snowden in June 2013 when he revealed to the world that governments (including the US and China) were actively collecting information on their citizens. That wake-up call spawned the global cyber awareness that prompted the EU Cybersecurity Strategy in 2013, followed by Japan and the US setting up their own Cybersecurity Acts shortly thereafter. Not to be left behind, China is joining the club with its law set to go into effect June 1, 2017.
China’s strategy goes one bold step further. China’s multiphase and evolutionary approach is designed with the goal of establishing its Cyber Sovereignty—exercising total control over data within its borders.
China’s New Cybersecurity Law
China’s view of cybersecurity is very inclusive. Most countries view cybersecurity as primarily focused on protecting critical servers, but China’s view protects the servers as well as the data that is stored, transmitted by, or created on the servers, regardless of where it is presently stored.
To China, cybersecurity equals National Security. The challenge is that political boundaries in cyberspace are much harder to define and control than physical boundaries on earth. A further challenge is that data is hard to predict and contain. China’s new cybersecurity law attempts to address both issues and outlines how China plans to manage the process.
The so-called “New China Cybersecurity Law” isn’t a new law that replaces an old law that has become obsolete; it’s new because one didn’t exist in China before now. It was created as more of a framework than a law and will be fleshed out with yet-to-be-defined policy and rule initiatives over time. China will spend the next several months publishing implementation policies and rules outlining exactly how foreign and domestic industries, and the specific companies within them, will need to modify their operations to comply.
Key Components of China’s Cybersecurity Law
The primary components of China’s cybersecurity law include:
- Define and establish requirements for organizations that are deemed as Critical Information Infrastructure (CII)
- Define and implement “National Security Review” methodologies and protocols
- Provide technical support to China’s security agencies and regulators
- Encourage data localization
Defining Critical Information Infrastructure Organizations
Perhaps the most contentious item of the framework concerns how to define which organizations are to be considered as “Critical Information Infrastructure” (CII for short). The first draft provided examples of CII organizations:
“Companies that provided network infrastructures within China for:
- Public telecommunications and media broadcasting;
- Key industries, such as energy, transportation, water resources and finance;
- Public services, such as the supply of electricity, water, gas, healthcare and social security services;
- Military and government agencies above the municipal level; and
- Network services used by a “very large” number of users.”
However, the evolving law’s final draft replaced the concrete CII examples of the first draft with a more general definition that could actually broaden the scope of CII. The final draft defined CIIs as:
“Public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, degraded or vulnerable to leaks might endanger national security and the country’s economy, as well as people’s livelihood and the public interest.”
Missing from the final draft are the specifications defining “national security, country’s economy, people’s livelihood, or the public interest”, as well as the details that would define under what circumstances they could be “endangered”. In addition, the final draft delegates the responsibility for further defining the scope of CII to the State Council, which is China’s highest governmental body. Until the State Council provides clarity to define CII, multinational companies are in a state of limbo regarding whether or not they should comply with the CII data localization requirements.
CII Organizations and Non-Chinese Companies
If you think your organization might qualify as a CII, be forewarned: China’s cybersecurity approach will look for data localization within the CIIs first. CII organizations that do not localize their data will not likely pass a Cybersecurity Review, and suffer the consequences as a result. They could potentially lose their business license in mainland China, local executives may spend jail time, or at the very least, the government could seriously impede the ability for the organization to successfully conduct business in China.
Will non-Chinese companies ever be considered CII? Not likely in the beginning, but very likely over time. Even so, China “encourages” all companies to keep China data in-country, especially if the data may possibly contain personal information, sensitive data or state secrets.
At a recent briefing, I learned that unless a non-Chinese company has over one million users or customers, they wouldn’t likely be considered as CII in the beginning. I was curious about how cloud-based solutions such as Salesforce and LinkedIn would be treated. Following the presentation, one of the presenters shared with me that the language of the law does indeed allow for the CII scope to potentially include apps like Salesforce and LinkedIn. Chinese regulators have stated they would not expand the CII scope this far, but that principle isn’t stated in the law. WeChat has a greater likelihood to fall under CII since it has such a large user base and impacts the public interest.
China’s Cybersecurity Review
The government is starting to define what will be involved in a National Security Review and beginning to identify which companies are CII priorities. On February 4, 2017, the Cyberspace Administration of China (CAC) provided its guidelines for what a Cybersecurity Review would look like and what would be required. The CAC renamed the review from “National Security Review” to “Cybersecurity Review” to underscore the importance the government is placing on national security in China’s cyberspace.
The CAC proposed a two-tier approach to prioritize which organizations need to comply with the cybersecurity regulations. The first tier includes Government agencies, Communist Party organizations, and key sector organizations that are not allowed to acquire any network products and/or services from CII operators who have not passed the Cybersecurity Review. In other words, if you are doing business with the China government, you need to make sure you comply, and comply now.
The second tier of organizations enjoys a bit more temporary leniency, although the government reserves the right to further review any acquisition that “may affect national security” at any time. The primary sectors in the second tier are finance, telecommunications, and energy.
One of the key components of the Cybersecurity Review will be to inspect how an organization keeps its products and services “secure and controllable.” The intent is to determine what the organization has in place to mitigate:
- Personnel risks involving “research and development, delivery, and technical support”
- Risks of products or services being “unlawfully controlled, interfered with, or interrupted” by another organization
- User reliance risks as a means to “engage in unfair competitive practices or otherwise harm consumers”
- The means for an organization to “illegally collect, store, process, or utilize users’ data”
China’s “secure and controllable” component goes beyond guarding the servers and infrastructure against intrusion, hacking or interference. Consistent with China’s inclusive view of cybersecurity, “secure and controllable” encompasses protecting consumers and their data regardless of where it resides in the world.
Cybersecurity Recommendations for Businesses in China
To borrow a saying from my Boy Scout years—“Be Prepared.”
- Determine who is in charge of cybersecurity at your company. I know, this sounds simple, but it needs to be someone in the C-suite. It isn’t just about intrusion detection any more.
- Develop a culture of cybersecurity. It involves everyone, not just IT. It is truly time to implement best practices of Information Governance as a part of your company culture.
- Self-monitor, evaluate, and get ready. It may not be tomorrow, but if your company is doing business with China, the day will come when your organization is reviewed as part of a China Cybersecurity Review.
- Secure local support. One thing is for sure: China will fight to protect data that is currently on or created on CII. It would be wise to consider local support should that data be involved in a regulatory or internal investigation, as well as any cross-border litigation dispute.
Implement Holistic Information Governance Policies
Cybersecurity isn’t just about China; it’s about implementing a global plan for Information Governance. China is just one of the countries you must consider. If your plan is holistic, you’ll be in a much better place when—not if—your organization is subject to a (name the country) Cybersecurity Review, or probably even sooner than that, when you are required to leave certain data sets in-country for review.
China knows it is playing catch-up in the global race to establish its own cybersecurity. They will move fast. President Xi’s goal is to gain international cooperation by sharing China’s cybersecurity plan with other countries as a model for them to use as they develop their respective cyber borders. This sharing strategy is part of his vision for the world to accept and respect China’s internet governance and cyber sovereignty.