Dark Reading is part of the Informa Tech Division of Informa PLC

Cloud

8/31/2017 10:30 AM

International Firms Struggle to Adapt as China's Cybersecurity Law Takes Shape

After the release of new guidelines on critical information infrastructure, international companies are still searching for clarity on how to comply with the country's new cyber regime.

With China's broad-based and controversial Cybersecurity Law officially taking effect on June 1, 2017, the full range of implications for the international business community is just beginning to become clear — and the costs of compliance will likely be high.

Since the law was finalized last year, the Cyberspace Administration of China and other government offices have released a series of more targeted rules aimed at clarifying some of the law's more sweeping provisions, including a set of hardware standards for network operators and guidelines restricting cross-border data transfers.

The newest set of regulations, released July 10, governs critical information infrastructure (CII), a category of particularly sensitive network operators that will be subject to an additional level of scrutiny. Though the rules were intended to provide specificity, they still raise many more questions than they answer.

What Is CII?
The overarching Cybersecurity Law designated CII as a separate class of industries and companies whose data, if damaged, leaked, or destroyed, would constitute a serious threat to national security or public welfare. Communication and information services, electronic governance, financial services, transportation, and major utilities were specifically listed as CII in the original law, but the new rules cast an even wider net.

Who Is Likely to Be Affected?
Article 18 of the new CII regulations lists five broad industry classes within which network operators could be considered CII. Two notable inclusions are likely to keep international firms on edge over the coming months.

First, cloud computing, big data, and other large-scale public information network services are on the CII list. China is one of the most connected countries in the world, with more than 730 million Internet users underpinning a vast market for data services. China is currently investing heavily in its domestic cloud computing and big data industries, turning a once-sleepy town in Guizhou province into the country's own "big data valley."

The CII label means that companies in this space will have to conform to stringent security checks and data localization laws, maintaining all data on Chinese operations within the country's borders. International companies are already changing business practices to comply: Apple recently announced a partnership with a Chinese company to open a data center in Guizhou, and Airbnb relocated some of its servers to China late last year. Microsoft recently released a custom version of Windows 10 tailored for Chinese government use, saying it's an "honor and a privilege today to be in China."

Second, the CII list closes with a vague reference to "other key sectors." In practice, almost any company can be classified as CII if the current administration deems it sufficiently important to domestic stability. That degree of regulatory uncertainty poses a significant barrier to entry, particularly for new tech companies looking to tap into the Chinese market.

Leaving the CII list open-ended also underscores the degree to which China's legal framework for cybersecurity is still in flux. Companies under the Article 18 umbrella could be considered CII, but the very next article of the regulations states that yet another set of rules for identifying CII operators is still forthcoming, and that regulators in individual industries will be responsible for designating what counts as CII and what doesn't. Even with this proliferation of regulations, we are still a long way from a coherent, clearly enforceable cybersecurity regime.

What Can We Expect Moving Forward?
The new regulations lay out several requirements for companies ultimately designated as CII, including instituting internal security protocols and recovery measures, conforming to emergency incident response procedures, and identifying an individual responsible for cybersecurity management. 

Many of these stipulations represent commonsense cybersecurity hygiene. But when combined with the broader Cybersecurity Law's blanket limitations on international data transfers and broad government powers to inspect proprietary corporate data, the whole package is a collection of potential compliance pitfalls.

Now that the public comment period for these CII regulations is closed, we'll likely see a new wave of guidelines in the coming months further clarifying CII designation procedures and technical review processes. In the meantime, international companies will simply have to wait and see — and decide how much control they're willing to trade in exchange for access to Chinese business.


Kaelyn Lowmaster is the Principal Analyst for One World Identity, an independent strategy and research firm focused on identity. She leads OWI Labs research for the Asia-Pacific region, and has authored foundational reports on identity issues across industries, ranging from ...