The Chinese Cybersecurity Law

The People’s Republic of China (PRC) released the new cyber security law, which was passed by their main (only?) political party on November 7, 2016. 

Analysis

Potential negative impact to tech companies operating within China’s borders exist as a result of the following key points within the law:

1. Due to a shifting and opaque definition of critical information infrastructure, foreign technology firms may face new business risks and uncertainty. This is due to their reliance on being connected in some way to it, depending on what it is defined as within a court of law. Currently the translation of critical infrastructure is simply not clear.

2. Security requirements regarding data transmission and storage are included in the law but are ill-defined and potentially costly.

3. The law imposes new financial punishments on foreign firms that run afoul of the law, which appears to be relatively easy to do due to high potential for mistranslations on either side of the law.

4. The law will encourage new investment in cyber-security talent development, including investments in training for skills and technologies that may be applied to cyber-threat activity. This also induces risk to companies with confidential information, such as market strategies and other common forms of intellectual capital.

According to China’s official news agency, Xinhua News, the highlights of the Cyber Security Law include the following:

ï Clarification of the principle of cyber-space sovereignty (明确网络空间主权的原则).

ï Clarification of the security obligations of network products, to include service providers and supporting networks (明确了网络产品和服务提供者,和网络运营者的安全义务).

ï Further perfection of regulations aimed at protecting personal information (进一步完善了个人信息保护规则).

ï The establishment of a security protection system for key information infrastructure and regulations for the cross-border transmission of important data for key information infrastructure (建立了关键信息基础设施安全保护制度和关键信息基础设施重要数据跨境传输的规则).

Within the law are 79 provisions organized into seven chapters.

The first draft of the Cyber Security Law was introduced in June 2015. At the time, the law committee of the NPC explained that the legislative purpose of the law was to…“safeguard cyberspace sovereignty.” In keeping with the principle of equal emphasis on security and development, the law was intended to provide measures for a national cyber-security strategy. This included security planning and support of critical information infrastructure.

As was to be expected, Chinese media reported positively on the new law. Domestic commentaries express a belief that the Cyber Security Law will provide guidance for solving cyber-security-related issues, to include the leaking of personal information, corporate data and intellectual property theft, and fraud losses.

Financial experts have predicted a rise in stock prices for cyber-security-related domestic companies as the law is promulgated. Foreign media has expressed uncertainty about the implications of the law, with most criticism coming from the western hemisphere. Foreign IT firms worry about being restricted from doing business in critical Chinese sectors, and human rights groups assess that the law will strengthen the PRC government’s control of all digital communications.

Changes Made in the Final Draft

The third (and current) version of the Cyber Security Law partially revised sections in the second draft by further defining the scope of critical information infrastructure and measures to punish foreign organizations or individuals deemed to be attacking or destroying China’s critical information infrastructure.

The law lists critical infrastructure sectors including public telecommunications and information services, energy, transportation, irrigation, finance, public services, and military networks. It also further defines critical information infrastructure as “…networks and systems owned or managed by network service providers with massive numbers of users.” It places the responsibility of protecting critical information infrastructure on a handful of State Council departments.

The law also creates new consequences for foreign organizations and individuals deemed to be attacking or destroying China’s critical information infrastructure. It states they “…will be subject to lawful prosecution; the State Council public security department and relevant departments may also decide to freeze the assets of, or take other necessary punitive measures against, these individuals or organizations.”

In addition, the current version added provisions to punish online fraud and other forms of illegal or criminal cyber activities. It also allowed for the strengthening cyber-security talent training and protecting the online safety of minors.

Previously, western media reported concerns about provisions in the first draft stating that Internet Service Providers (ISPs) and other Internet-focused companies will be required to store all data in China. However, Article 37 of the current version states that data requiring storage in China includes that which is collected and produced by critical information infrastructure operators. It also states that “where due to business requirements it is truly necessary [to] provide it outside the mainland, a security assessment shall be conducted according to the measures jointly formulated by the National Cyberspace Administration and the relevant departments of the State Council.”

There appears to be a lack of consistent language pertaining to assessment requirements at this time. This creates a source of anxiety for businesses impacted by the rule due to an unknown scope or methodology for conducting security assessments of this data.

Understanding the Changes and Impact

The scope and security protection requirements of critical information infrastructure are simply not clear or readily discerned.

The Cyber Security Law says that the State Council is in charge of formulating security protection measures for critical information infrastructure. However, it does not indicate the timeline for this or whether the details of requirements will be made available to the public.

The stated scope and security protection requirements of critical information infrastructure should be clarified before the law comes into effect in June 2017. The imprecise language about a timeline, and a lack of specifics pertaining to the scope is creating a high degree of uncertainty regarding how the government will apply the law in terms of punishing foreign organizations and individuals deemed to be attacking or destroying critical information infrastructure.

Punitive measures of the Cyber Security Law can also represent a high degree of risk for companies doing cyber-related business in China.

The current version of the law added a provision for punishing foreign organizations and individuals who conduct cyber-activities that are deemed harmful to China’s critical information infrastructure. One of the punitive measures is to freeze assets of” those foreign organizations and individuals under Article 75 of the law. Even though the law does not specify the location of the assets, the jurisdiction of the law obviously indicates the assets have to be located inside mainland China.

It stands to reason the targeted foreign organizations or individuals within the scope of the law are those doing business in China, they have acquired or moved assets that are located within China. It also stands to reason that foreign organizations or individuals with assets in China should examine this provision carefully and protect those assets accordingly when doing business in that country.

Of note, the law does not specify where any such infraction need take place. Potentially, a company’s activities anywhere in the world, if determined to be harmful to China’s critical information infrastructure, may incur legal problems. This presents potential ramifications of a political response to anything deemed unfavorable to China’s image or global strength, and again, is left very open to interpretation.

Within the law, Chinese wording of adverse activities is very close to English wording. For instance:

ï The Cyber Security Law describes activities that harm the critical information infrastructure including “attacking” (攻击), “intruding into” (侵入), “interfering with” (干扰), and “destroying” (破坏).

The law does not address the general categories of cyber-threat activity that are widely used in the international cyber-security industry, such as hacktivism (黑客行为), cyber-crime (网络犯罪), or cyber-espionage (网络间谍). Chinese terminology can sometimes be specific to a Chinese cultural context, but the harmful behaviors mentioned in the law should be considered representative of hacking activities as defined throughout the world and in a variety of other languages.

The Cyber Security Law does not specify its application to Hong Kong and Macau, but experts are speculating that it can be applied to Hong Kong and Macau when deemed necessary.

A comparable example is the National Security Law passed in 2015. The National Security Law states that Hong Kong and Macau “…shall fulfill the responsibility of safeguarding national security.” Some experts believe this is the principle of sovereignty expressed in the law. This principle can also be applied to the Cyber Security Law when necessary.

Cyber Security Research and Training

The current version of The Cyber Security Law added a section describing state support for “…the fostering of cybersecurity talents…” and to encourage “…innovation and the application of network technology” (Article 3). It also added that research institutes and universities with enterprises and organizations focused on network sectors are supported by the state to “…participate in the formulation of national and industry standards for cybersecurity” (Article 15). These changes are in line with the research and development (R&D) programs stemming from the 13th Five-Year-Plan (2016-2020). 

This may include exchange programs in order to send trainees overseas for training, or the creation of special military cyber-training centers. Most of the skills and technologies promulgated through this training infer dual-use applications and may contribute to the further development of China’s capabilities to carry out cyber-espionage activities or support cyber warfare plans.