
Cloud

8/31/2017 10:30 AM

International Firms Struggle to Adapt as China's Cybersecurity Law Takes Shape

After the release of new guidelines on critical information infrastructure, international companies are still searching for clarity on how to comply with the country's new cyber regime.

With China's broad-based and controversial Cybersecurity Law officially taking effect on June 1, 2017, the full range of implications for the international business community is just beginning to become clear — and the costs of compliance will likely be high.

Since the law was finalized last year, the Cybersecurity Administration of China and other government offices have released a series of more targeted rules aimed at clarifying some of the law's more sweeping statutes, among them a set of hardware standards for network operators and guidelines restricting cross-border information transfers.

The newest set of regulations, released July 10, governs critical information infrastructure (CII), a category of particularly sensitive network operators that will be subject to an additional level of scrutiny. Though the rules were intended to provide specificity, they still raise many more questions than they answer.

What Is CII?
The overarching Cybersecurity Law designated CII as a separate class of industries and companies whose data, if damaged, leaked, or destroyed, would constitute a serious threat to national security or public welfare. Communication and information services, electronic governance, financial services, traffic, and major utilities were specifically listed as CII in the original law, but the new rules cast an even wider net.

Who Is Likely to Be Affected?
Article 18 of the new CII regulations lists five broad industry classes within which network operators could be considered CII. Two notable inclusions are likely to have international firms on edge over the coming months.

First, cloud computing, big data, and other large-scale public information network services are on the CII list. China is one of the most connected countries in the world, with more than 730 million Internet users underpinning a vast market for data services. China is currently investing heavily in its domestic cloud computing and big data industries, turning a once-sleepy town in Guizhou province into the country's own "big data valley."

The CII label means that companies in this space will have to conform to stringent security checks and data localization laws, maintaining all data on Chinese operations within the country's borders. International companies are already changing business practices to comply: Apple recently announced a partnership with a Chinese company to open a data center in Guizhou, and Airbnb relocated some of its servers to China late last year. Microsoft recently released a custom version of Windows 10 tailored for Chinese government use, saying it's an "honor and a privilege today to be in China."

Second, the CII list wraps up with a vague mention of "other key sectors." In essence, any company can be classified as CII as long as the current administration deems it sufficiently key to domestic stability. That degree of regulatory uncertainty poses a significant barrier to entry, particularly for new tech companies interested in tapping into the Chinese market.

Leaving the CII list open-ended also underscores the degree to which the Chinese legal infrastructure on cybersecurity is still in flux. Companies under the Article 18 umbrella could be considered CII, but the very next article of the law states that yet another set of regulations for identifying CII operators is still forthcoming and that officials in individual industries will be responsible for designating what counts as CII and what doesn't. Even with this proliferation of regulations, we're still a long way from a cogent, clearly enforceable cybersecurity statute.

What Can We Expect Moving Forward?
The new regulations lay out several requirements for companies ultimately designated as CII, including instituting internal security protocols and recovery measures, conforming to emergency incident response procedures, and identifying an individual responsible for cybersecurity management.

Many of these stipulations represent commonsense cybersecurity hygiene. But when combined with the broader Cybersecurity Law's blanket limitations on international data transfers and broad government powers to inspect proprietary corporate data, the whole package is a collection of potential compliance pitfalls.

Now that the public comment period for these CII regulations is closed, we'll likely see a new wave of guidelines in the coming months further clarifying CII designation procedures and technical review processes. In the meantime, international companies will simply have to wait and see — and decide how much control they're willing to trade in exchange for access to Chinese business.


Kaelyn Lowmaster is the Principal Analyst for One World Identity, an independent strategy and research firm focused on identity. She leads OWI Labs research for the Asia-Pacific region, and has authored foundational reports on identity issues across industries, ranging from ...