Understanding China’s Incoming Cybersecurity Legislation

China’s national economic growth has been significantly accelerated by several advances in digital technology since the opening of its market in the late 1970s. According to Project Syndicate, modern-day China is a force to be reckoned with, accounting for 42 percent of global e-commerce and conducting 11 times more mobile payments per year than its American counterparts.

As the cashless trend spreads across local communities, the Chinese government has started enforcing a new Cyber Security Law and a draft Encryption Law to help secure its rapidly expanding digital environment. With China’s digital economy continuing to expand, it is important for enterprises to know the key regulations that will come to define the e-commerce landscape in China in 2018.

China’s Cyber Security Law

China's Cyber Security Law (CSL) took effect on June 1, 2017. It is the nation's first comprehensive legislation addressing cybersecurity and is designed to complement other laws, bilateral initiatives and existing regulations. The CSL outlines security practices to be upheld by two core communities -- network providers and critical information infrastructure operators -- whose activities will be assessed by state-approved regulators. However, ambiguity and the lack of coherent implementation guidelines have raised concerns among multinational corporations (MNCs) with operations in China.

These uncertainties have triggered vehement criticism from over 50 American, European and Japanese MNCs, who collectively fear that they may not be compliant under the CSL and that enforcement might be plagued by patchy interpretation, conflicting signals and unpredictable application. Although the Cyberspace Administration of China (CAC), the country's internet regulator, subsequently announced an 18-month adjustment period, this does little to ease the burden on companies operating within China.

China Encryption Law

Subsequently, China's State Cryptography Administration (SCA) published a draft Encryption Law for public comment and review on April 13, 2017. The Encryption Law would be the first comprehensive Chinese legislation to address encryption systematically across multiple industries, with all forms of encryption enforced under a single uniform regulatory framework overseen by the SCA. The incoming legislation also appears to include compulsory decryption assistance, under which state agencies can legally seek the support of telecommunication companies and Internet Service Providers (ISPs) for decryption.

The legislation shares several similarities with the CSL. For instance, the draft Encryption Law focuses stringently on networks that fall under the critical infrastructure paradigm. It also outlines penalty risks for noncompliance, but does not specify what the penalties are. Given that the Encryption Law is still at the draft stage, it remains unclear how stringent its encryption guidelines will be when finalized, or how the legislation will operate alongside the CSL.

On the surface, both pieces of legislation can be seen as a means for China to enforce security best practices and ensure the security of its national digital environment. While official statements claim that the incoming legislation’s focus is on increasing China’s national security capabilities in cyberspace, it brings challenges for businesses operating within China's borders. The extent to which the laws will affect businesses remains relatively unclear, despite the time that has elapsed since the legislation was announced. A primary challenge is the ambiguity of the data protection requirements, classifications and implementation procedures.

Overall, MNCs will experience increasingly active compliance enforcement from Chinese state agencies, particularly in data handling and cross-border sharing. MNCs seeking to establish themselves in China after the 18-month grace period should be aware that both laws provide the government with legally reinforced capabilities to obtain (and retain) data and other forms of intellectual property. China’s security requirements on localized data can limit the capability to perform comprehensive analytics on a global scale and thus inhibit accurate market projection analyses.

When placed within the context of the relationship between Chinese companies and the state, these requirements raise concerns over the security of the intellectual property of MNCs operating in China.

Double-edged Motives

These laws should not be confused with Europe's General Data Protection Regulation (GDPR): they are national, not regional, regulations. While both undoubtedly have the legitimate objective of securing China’s national digital environment, they also serve an ulterior political (and intelligence) purpose.

While China has moved away from being an ‘imitator' to become an ‘innovator,' there are still gaps in its technological development, and state-private relationships remain close. Under the CSL specifically, companies are required to store their data within China and can be subject to stringent security checks by state security services. A similar requirement is found in the incoming Encryption Law, which enables the SCA to conduct on-site inspections and investigations, access data, and seize equipment and facilities.

While these activities can be conducted for legitimate reasons of security preservation, they can just as easily be exploited for domestic intelligence collection. One could even draw a comparison with the Prism Program (albeit a legally supported one), a surveillance tool developed by the National Security Agency (NSA) to collect data from major service providers such as Google, Yahoo, Facebook, Microsoft and Apple.

Aside from the obvious protectionist objectives, the laws also function as enablers. Despite official declarations that the new law was meant to align China with international cybersecurity standards, it remains fundamentally aligned with China’s progressive ‘balkanization of the internet’ and facilitates an unprecedented degree of political leverage across multiple domains.

Moving Forward

With regard to the incoming Chinese legislation, there are three keywords to remember: learn, prepare and adapt. Enterprises must learn how their corporate infrastructure and data typologies fit within the classification paradigms outlined in the CSL. In addition, they must proactively seek out information on who the regulators are and which encryption services have been approved by Chinese state agencies. They must then prepare their data management procedures and internal cybersecurity policies in anticipation of an external review by the state.

Finally, they must be willing to adapt corporate elements, processes and procedures as both the CSL and the Encryption Law come into force. As data becomes increasingly crucial to state survivability, enterprises are advised to remain flexible.

Cheng Lai Ki, CyberOps consultant at Horangi Cyber Security, contributed to this article.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.