Dark Reading is part of the Informa Tech Division of Informa PLC

8/31/2017 10:30 AM

International Firms Struggle to Adapt as China's Cybersecurity Law Takes Shape

After the release of new guidelines on critical information infrastructure, international companies are still searching for clarity on how to comply with the country's new cyber regime.

With China's broad-based and controversial Cybersecurity Law officially taking effect on June 1, 2017, the full range of implications for the international business community is just beginning to become clear — and the costs of compliance will likely be high.

Since the law was finalized last year, the Cybersecurity Administration of China and other government offices have released a series of more targeted rules aimed at clarifying some of the law's more sweeping statutes, including a set of hardware standards for network operators and guidelines restricting cross-border information transfers, among others.

The newest set of regulations, released July 10, governs critical information infrastructure (CII), a category of particularly sensitive network operators that will be subject to an additional level of scrutiny. Though the rules were intended to provide specificity, they still raise many more questions than they answer.

What Is CII?
The overarching Cybersecurity Law designated CII as a separate class of industries and companies whose data, if damaged, leaked, or destroyed, would constitute a serious threat to national security or public welfare. Communication and information services, electronic governance, financial services, traffic, and major utilities were specifically listed as CII in the original law, but the new rules cast an even wider net.

Who Is Likely to Be Affected?
Article 18 of the new CII regulations lists five broad industry classes within which network operators could be considered CII. Two notable inclusions are likely to have international firms on edge over the coming months.

First, cloud computing, big data, and other large-scale public information network services are on the CII list. China is one of the most connected countries in the world, with more than 730 million Internet users underpinning a vast market for data services. China is currently investing heavily in its domestic cloud computing and big data industries, turning a once-sleepy town in Guizhou province into the country's own "big data valley."

The CII label means that companies in this space will have to conform to stringent security checks and data localization laws, maintaining all data on Chinese operations within the country's borders. International companies are already changing business practices to comply: Apple recently announced a partnership with a Chinese company to open a data center in Guizhou, and Airbnb relocated some of its servers to China late last year. Microsoft recently released a custom version of Windows 10 tailored for Chinese government use, saying it's an "honor and a privilege today to be in China."

Second, the CII list wraps up with a vague mention of "other key sectors." In essence, basically any company can be classified as CII as long as the current administration deems it sufficiently key to domestic stability. That degree of regulatory uncertainty poses a significant barrier to entry particularly for new tech companies interested in tapping into the Chinese market.

Leaving the CII list open-ended also underscores the degree to which the Chinese legal infrastructure on cybersecurity is still in flux. Companies under the Article 18 umbrella could be considered CII, but the very next article of the law states that yet another set of regulations for identifying CII operators is still forthcoming and that officials in individual industries will be responsible for designating what counts as CII and what doesn't. Even with this proliferation of regulations, we're still a long way from a cogent, clearly enforceable cybersecurity statute.

What Can We Expect Moving Forward?
The new regulations lay out several requirements for companies ultimately designated as CII, including instituting internal security protocols and recovery measures, conforming to emergency incident response procedures, and identifying an individual responsible for cybersecurity management.

Many of these stipulations represent commonsense cybersecurity hygiene. But when combined with the broader Cybersecurity Law's blanket limitations on international data transfers and broad government powers to inspect proprietary corporate data, the whole package is a collection of potential compliance pitfalls.

Now that the public comment period for these CII regulations is closed, we'll likely see a new wave of guidelines in the coming months further clarifying CII designation procedures and technical review processes. In the meantime, international companies will simply have to wait and see — and decide how much control they're willing to trade in exchange for access to Chinese business.


Kaelyn Lowmaster is the Principal Analyst for One World Identity, an independent strategy and research firm focused on identity. She leads OWI Labs research for the Asia-Pacific region, and has authored foundational reports on identity issues across industries, ranging from ...