8/31/2017 10:30 AM
International Firms Struggle to Adapt as China's Cybersecurity Law Takes Shape

After the release of new guidelines on critical information infrastructure, international companies are still searching for clarity on how to comply with the country's new cyber regime.

With China's broad-based and controversial Cybersecurity Law officially taking effect on June 1, 2017, the full range of implications for the international business community is just beginning to become clear — and the costs of compliance will likely be high.

Since the law was finalized last year, the Cyberspace Administration of China and other government offices have released a series of more targeted rules aimed at clarifying some of the law's more sweeping provisions, including a set of hardware standards for network operators and guidelines restricting cross-border data transfers, among others.

The newest set of regulations, released July 10, governs critical information infrastructure (CII), a category of particularly sensitive network operators that will be subject to an additional level of scrutiny. Though the rules were intended to provide specificity, they still raise many more questions than they answer.

What Is CII?
The overarching Cybersecurity Law designated CII as a separate class of industries and companies whose systems and data, if damaged, leaked, or destroyed, would pose a serious threat to national security or public welfare. Communication and information services, electronic governance, financial services, transportation, and major utilities were specifically listed as CII in the original law, but the new rules cast an even wider net.

Who Is Likely to Be Affected?
Article 18 of the new CII regulations lists five broad industry classes within which network operators could be considered CII. Two notable inclusions are likely to have international firms on edge over the coming months.

First, cloud computing, big data, and other large-scale public information network services are on the CII list. China is one of the most connected countries in the world, with more than 730 million Internet users underpinning a vast market for data services. China is currently investing heavily in its domestic cloud computing and big data industries, turning a once-sleepy town in Guizhou province into the country's own "big data valley."

The CII label means that companies in this space will have to conform to stringent security checks and data localization laws, maintaining all data on Chinese operations within the country's borders. International companies are already changing business practices to comply: Apple recently announced a partnership with a Chinese company to open a data center in Guizhou, and Airbnb relocated some of its servers to China late last year. Microsoft recently released a custom version of Windows 10 tailored for Chinese government use, saying it's an "honor and a privilege today to be in China."

Second, the CII list wraps up with a vague mention of "other key sectors." In essence, any company can be classified as CII as long as the current administration deems it sufficiently key to domestic stability. That degree of regulatory uncertainty poses a significant barrier to entry, particularly for new tech companies interested in tapping into the Chinese market.

Leaving the CII list open-ended also underscores the degree to which the Chinese legal infrastructure on cybersecurity is still in flux. Companies under the Article 18 umbrella could be considered CII, but the very next article of the regulations states that yet another set of rules for identifying CII operators is still forthcoming and that the regulators for individual industries will be responsible for designating what counts as CII and what doesn't. Even with this proliferation of regulations, we're still a long way from a cogent, clearly enforceable cybersecurity statute.

What Can We Expect Moving Forward?
The new regulations lay out several requirements for companies ultimately designated as CII, including instituting internal security protocols and recovery measures, conforming to emergency incident response procedures, and naming an individual responsible for cybersecurity management.

Many of these stipulations represent commonsense cybersecurity hygiene. But when combined with the broader Cybersecurity Law's blanket limitations on international data transfers and broad government powers to inspect proprietary corporate data, the whole package is a collection of potential compliance pitfalls.

Now that the public comment period for these CII regulations is closed, we'll likely see a new wave of guidelines in the coming months further clarifying CII designation procedures and technical review processes. In the meantime, international companies will simply have to wait and see — and decide how much control they're willing to trade in exchange for access to Chinese business.

Kaelyn Lowmaster is the Principal Analyst for One World Identity, an independent strategy and research firm focused on identity. She leads OWI Labs research for the Asia-Pacific region, and has authored foundational reports on identity issues across industries, ranging from ...