What are the new China Cybersecurity Law provisions? And how CISOs should respond

Chinese Cybersecurity Law definition

China’s CyberSecurity Law (CSL), passed in 2016, is broad legislation that dictates how companies should approach security and privacy within the country. It includes strict controls around online activities and provisions around storing data locally, having joint venture partners, and in some cases registering network assets. It also has mandatory requirements around breach notification, appointing a head of cybersecurity, incident response plans, and more.

Additional provisions – known as the Regulations on Internet Security Supervision and Inspection by Public Security Organs – were passed in November 2018 and outline how the country’s main domestic security agency, the Ministry of Public Security (MPS), can conduct both onsite and remote inspection of computer networks, which are generally defined in the CSL as five or more computers connected to the internet.

Onsite inspections require at least two police officers to be present and show both identification and inspection certificates. The MPS may go into business premises, computer rooms and workplaces and “copy information related to internet safety supervision and inspection.”

Recorded Future’s analysis of the legislation says information that could be copied includes “any and all user information, technical measures for the network, and information security protection, hosting, or domain name information, as well as any content distribution the organization may be conducting.”

The language of the law does not stipulate exactly what inspectors will be looking for beyond whether the requirements of the core CSL are being followed. It does, however, define methodology or tools that will be used during inspections. Remote inspection can also be carried out: “Trusted network security services can be entrusted with the corresponding technical capacity to provide technical support.”

Though the MPS may copy data during an inspection, the new provisions state that any personal information, trade secrets and state secrets observed during the inspection “shall be kept strictly confidential and shall not be disclosed, sold or illegally provided to others.”

Will China use network inspections for information gathering?

It would be easy to assume that the new provisions are simply about gathering intel from multinational companies, given China’s use of the Great Firewall to censor information, that one in five corporations say China has stolen their IP within the last year, plus reports about companies being asked to hand over source code for government inspection. “The Chinese system is not there to enable you to do business in China,” says Priscilla Moriuchi, director of strategic threat development at Recorded Future. “They’re using the idea of improving cybersecurity as a way to enable these much more invasive measures that would then enable the government access to any number of sensitive business information from companies globally.”

However, some legal experts say the reality is more nuanced and the poor state of cybersecurity of many domestic companies needs to be considered. “When it comes to many things involving cybersecurity in China, there are a number of different motives,” says Ronald Cheng, partner at O’Melveny & Myers LLP, “There’s certainly an existing data security problem in China both in terms of crime as well as a need to improve cybersecurity practices.”

“The provisions have included assurances that the information that’s collected is supposed to be maintained confidential and is not to be provided to others. How credible that is, I think it’s really up to others to determine and it’s certainly understandable some are skeptical about that,” says Cheng.

The MPS has had similar powers around inspection for over a decade. “These are not entirely new regulations,” says Paul McKenzie, managing partner at legal firm Morrison & Foerster’s Beijing office. “There were regulations already going back to 2006 which already gave the Public Security Bureau quite significant powers in relation to supervision of computer networks in China. [The new provisions] are significant perhaps not so much because they’ve given the security bureau much greater powers but as an example of the Chinese government looking to further codify it’s approach to network security.”

While McKenzie says the legislation might not be as dramatic as it first seems, it is still worth paying attention to and only a sign of things to come. The MPS and other regulators are taking their network security authority more seriously, and enforcement activity in the space is increasing.

How is the China Cybersecurity Law being enforced?

No one CSO spoke to knew of any inspections of companies taking place since these new provisions came into force and noted that enforcement of CSL infringements so far have mostly been focused on domestic companies. Norton Rose Fulbright reports that in the CSL’s first year 15 enforcement cases were made against companies such as Baidu, Tieba, Taobao, 58.com and Alibaba Cloud (also known as Aliyun). However, as the MPS matures its operations, companies should expect more regular visits and inspections.

“The enforcement that we’ve seen so far, that it’s tended to be directed against domestic companies, but I’ve no doubt that the enforcement will get more sophisticated and there may be very well a day when a foreign business is affected,” says Cheng.

What is the security risk of the China Cybersecurity Law?

Much of the language within the legislation is vague. The MPS should provide notice and outline scope of inspections to affected companies, but the details seem to be up to the bureau to decide. “The regulations don’t define how far the MPS can ostensibly get or travel within the networks of a company that they gain access to, or how they’re allowed to gain access,” explains Recorded Future’s Moriuchi. “Can they utilize only known public vulnerabilities or are they able to use vulnerabilities that only they know about or zero-day exploits for example? There’s no obligation to report back to the companies what they discovered, and there’s no time limitation or scope limitation either.”

The regulations also fail to outline the timing or the effects of an inspection beyond the idea that they “shall not interfere with or disrupt the normal operation of the network.” What the MPS is required to report back to organizations they have inspected is unclear.

“I think this is fairly typical of the regulations that we see in this and other areas where there are a large number of mandates,” says Cheng. “As far as definition and specification as to how those mandates are carried out, or in terms of what the government does, what limits are placed on what the government does, there just isn’t the same level of detail as we might see in other jurisdictions. What exactly on-site inspection supervision and remote testing involves, it’s hard to say.”

While there is nothing specifically giving the MPS the authority to explore a company’s network beyond Chinese borders, the vagueness of the language doesn’t seem to outright prevent the possibility, and if networks are connected there is a possibility any inspections could reach out beyond China-based operations.

Stephen Breidenbach, privacy, cybersecurity and technology attorney at Moritt Hock & Hamroff, says such inspections could be used to further the country’s monitoring efforts on its citizens, and could also provide customer data to domestic companies. “China is already collecting a great deal of information about what’s going on in the country. Now they can get access to the data on the back end. If they can get into the back end of that site, each piece of this puzzle becomes more and more complete and that individual’s profile gets more and more intimate to that person and what they’re going to do.”

He also adds that if data is copied by the MPS, it could trigger breach warnings if some of the data on those Chinese networks, for example, has information on European citizens (or has direct connections to such data), which could potentially count as an incident under GDPR. “There could be some positive benefits to this if they were just penetration testing a company and providing feedback to that company, as you have the government, which I would assume has better capability of testing security,” says Breidenbach. “That would be one benefit if they were actually doing this because they could proactively monitor and check for vulnerabilities. The issue comes if they do not actually notify, and if they can take data essentially it’s like hacking into a computer and you’re just making it legal for the government.” 

Government involvement with company networks a growing trend

While China’s privacy and security landscape is often the subject of focus, it is far from the only place where governments are looking to be more directly involved in company networks. Japan recently announced its own government-sponsored penetration efforts, but its scope is limited to scanning IoT devices for default or easily guessed passwords.

Vietnam also recently passed its own cybersecurity law, which has similar provisions and restrictions as China’s and includes provisions around government “auditing” of systems. Both Australia and the UK have introduced controversial bills that would undermine encryption within technologies and enable government-sponsored backdoors.

“Many governments, even democracies, are going to push on companies as hard as they can for transparency and control into companies’ operations,” says Recorded Future’s Moriuchi. While maybe not all governments will adopt measures quite as extreme as the one China has, there’s a broad scale of information control and oversight by governments across the world. The U.S., for example, has a government-sponsored penetration testing unit, known as the National Cybersecurity Assessments and Technical Services (NCATS), but it must be invited to conduct tests on organizations.

How should CISOs respond to the China Cybersecurity Law?

The network inspection legislation is only one part of a wider set of requirements around cybersecurity in China, the experts CSO spoke to have recommended best practices around doing business in China and preparing for possible inspections.

Understand China’s legal landscape and how it applies to your operations: “If you’re doing business in China, you have to observe local law and figure out the areas of Chinese regulations that affect you,” says Cheng. “Are you handling personal information, and are you handling so-called ‘important data’? Because if you are, then there are other requirements that apply to you. Those are important things to look at as well.”

Ensure you’re compliant: “The company should be fairly sure that it is in compliance with all the various security regulations so that if inspection does happen it doesn’t wind up in the same place as some of these domestic companies that have been cited under the law,” says Cheng

Have a dawn raid protocol: “For international companies doing business in Asia, it’s good advice to  have a dawn raid protocol in place so they can deal with regulatory visits if any particular government agency comes calling,” says Morrison & Foerster’s McKenzie. “It might be the Public Security Bureau in connection with network security. It could be anti-monopoly authority visiting about anti-trust violations.”

Understand your Chinese network: “Establish a baseline of you own systems,” advises Recorded Future’s Moriuchi, “including the known vulnerabilities you haven’t been able to patch, what part of your infrastructure has already been registered with the government and which haven’t, and really do a complete baseline of your domestic China IT infrastructure and how it connects to your global systems.”

Segment your Chinese network as much as possible and accept that it may be monitored: “We’re urging as much segmentation as possible of domestic China operations from the rest of the company’s global network,” says Moriuchi, “and to just assume that whatever business and research you’re conducting domestically in China will make its way to the government at some point.”

Install extra controls and monitoring anywhere the Chinese part of your network touches the rest of your global network: “If I have a Chinese IP address that is going to try to access my computers, that’s going to have a higher level of protection or maybe even block it for certain servers,” says Breidenbach at Moritt Hock & Hamroff, “so this way they can’t even knock on the door.”