International Firms Struggle to Adapt as China's Cybersecurity Law Takes Shape

With China's broad-based and controversial Cybersecurity Law officially taking effect on June 1, 2017, the full range of implications for the international business community is just beginning to become clear — and the costs of compliance will likely be high.

Since the law was finalized last year, the Cybersecurity Administration of China and other government offices have released a series of more targeted rules aimed at clarifying some of the law's more sweeping statutes, including a set of hardware standards for network operators and guidelines restricting cross-border information transfers, among others.

The newest set of regulations, released July 10, governs critical information infrastructure (CII), a category of particularly sensitive network operators that will be subject to an additional level of scrutiny. Though the rules were intended to provide specificity, they still raise many more questions than they answer.

What Is CII?
The overarching Cybersecurity Law designated CII as a separate class of industries and companies whose data, if damaged, leaked, or destroyed, would constitute a serious threat to national security or public welfare. Communication and information services, electronic governance, financial services, traffic, and major utilities were specifically listed as CII in the original law, but the new rules cast an even wider net.

Who Is Likely to Be Affected?
Article 18 of the new CII regulations list five broad industry classes within which network operators could be considered CII. Two notable inclusions are likely to have international firms on edge over the coming months.

First, cloud computing, big data, and other large-scale public information network services are on the CII list. China is one of the most connected countries in the world, with more than 730 million Internet users underpinning a vast market for data services. China is currently investing heavily in its domestic cloud computing and big data industries, turning a once-sleepy town in Guizhou province into the country's own "big data valley."

The CII label means that companies in this space will have to conform to stringent security checks and data localization laws, maintaining all data on Chinese operations within the country's borders. International companies are already changing business practices to comply: Apple recently announced a partnership with a Chinese company to open a data center in Guizhou, and Airbnb relocated some of its servers to China late last year. Microsoft recently released a custom version of Windows 10 tailored for Chinese government use, saying it's an "honor and a privilege today to be in China."

Second, the CII list wraps up with a vague mention of "other key sectors." In essence, basically any company can be classified as CII as long as the current administration deems it sufficiently key to domestic stability. That degree of regulatory uncertainty poses a significant barrier to entry particularly for new tech companies interested in tapping into the Chinese market.

Leaving the CII list open-ended also underscores the degree to which the Chinese legal infrastructure on cybersecurity is still in flux. Companies under the Article 18 umbrella could be considered CII, but the very next article of the law states that yet another set of regulations for identifying CII operators is still forthcoming and that officials in individual industries will be responsible for designating what counts as CII and what doesn't. Even with this proliferation of regulations, we're still a long way from a cogent, clearly enforceable cybersecurity statute.

What Can We Expect Moving Forward?
The new regulations lay out several requirements for companies ultimately designated as CII, including instituting internal security protocols and recovery measures, conforming to emergency incident response procedures, and identifying an individual responsible for cybersecurity management. 

Many of these stipulations represent commonsense cybersecurity hygiene. But when combined with the broader Cybersecurity Law's blanket limitations on international data transfers and broad government powers to inspect proprietary corporate data, the whole package is a collection of potential compliance pitfalls.

Now that the public comment period for these CII regulations is closed, we'll likely see a new wave of guidelines in the coming months further clarifying CII designation procedures and technical review processes. In the meantime, international companies will simply have to wait and see — and decide how much control they're willing to trade in exchange for access to Chinese business.

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.