China’s newest and broadest Cybersecurity Law went into effect on 1 June 2017. When first implemented, it created significant concerns for foreign businesses in that it directed new cybersecurity practices and data restrictions that appeared to threaten the independence and competitiveness of foreign corporations operating in China.
In the year since the Law’s implementation by the Cyberspace Administration of China (CAC), a series of new regulations and guidelines have been published in China that have further constrained business operations and increased spending on cybersecurity practices. Some of the key provisions of the new measures include:
- The categories regulated now include cloud computing, big data, artificial intelligence, Internet of Things, and project control systems.
- Companies must provide the government all information on received cyberattacks and any “cyberthreat intelligence” in their possession.
- Network operators must conduct self-reviews of their cybersecurity systems once a year and report risks and remediation plans to the Ministry of Public Security.
- Data that poses risks to China’s national security, including the security of China’s national politics, territory, military, economy, culture, society, or technology, cannot be transferred out of the country.
- Foreign businesses can now use only the virtual private networks (VPNs) that have been approved by the government.
So far, the violations of the Cybersecurity Law that have been prosecuted by the police have been limited to domestic Chinese companies. Only one foreign firm is known to have been investigated or punished under the Law. However, analysis of the financial impact on foreign businesses suggests that compliance has caused companies operating in China to spend up to 25 percent more than their overseas competitors on cybersecurity.
On 1 June 2017, the Chinese government put an extensive new Cybersecurity Law into effect. This Law applies to all network operations in China, by Chinese citizens and foreign business operations alike. Many US corporations operating in China expressed concerns about how this Law will impact their ability to operate under the more intrusive Chinese government control. The provisions with the potential for the greatest negative impact on foreign firms include:
- Definition of network operators. The scope of the Cybersecurity Law provides control over not just telecom operators and internet firms but also banking institutions, insurance companies, securities companies, providers of cybersecurity products and services, and essentially any enterprise with a website in China or that provides network services. The American Chamber of Commerce in China has said the Law, “will impact almost every company that operates in China.”
- Requirements for “critical information infrastructure” operators. The Law defines these to include “public communications and information services, energy, finance, transportation, water conservation, public services, e-governance,” and other enterprises that could harm national security or the economy if damaged. Foreign corporations included in this category now face restrictions on equipment and services they can use, and they are vulnerable to inspection and intrusion by the Chinese government.
- Restrictions on sending data outside China. The Law states that “personal information and other important data from operations within the PRC shall be stored within mainland China.” Business information and data on Chinese citizens cannot be transferred abroad without permission, and that would be contingent on intrusive “security assessments” by the Chinese government. Some US analysis suggests that this could also prohibit the export of economic, technological, or scientific data considered to “pose a threat to national security or the public interest.”
Part of the challenge posed to foreign businesses by the Cybersecurity Law was that while it went into effect in June 2017, the terms of the Law remained incomplete. Regulatory standards had not been finalized. Reviews necessary to complete the language for regulation of outbound data transfer are still not expected until the end of 2018.
However, during the year since initiation of the Law, a series of additional measures have been implemented that have fleshed out the control regime under which Chinese and foreign businesses must operate. This report reviews those measures and their potential impact.
NEW MEASURES EXPANDING THE CYBERSECURITY LAW
In June 2017, the CAC began supplementing the Cybersecurity Law with additional measures that, taken together, have made the control regime ever more restrictive. It started with a new document, “Guidelines for Cross-Border Data Transfer Security Assessment,” which states that cross-border data transfers would be blocked “if the transfer does not comply with laws or regulations, poses risks to China’s national security or public interests, or has the potential of endangering the security of China’s national politics, territory, military, economy, culture, society, technology, information, ecological environment, resources, or nuclear facilities.”
In July 2017, the CAC published draft Security Protection Regulations for Critical Information Infrastructure (CII) for comment. That draft did not clarify much about these regulations but did suggest a broad definition of CII that covered many new business sectors.
In August 2017, the CAC issued new rules under the Cybersecurity Law that require all users of internet forums, message boards, group chats, and comment threads to provide their real identities before posting. The new rules also establish a social media “credit score” system, part of a broader citizen monitoring regime that grades Chinese individuals’ online behavior. Access to social media services will be dependent on their credit rating. Inappropriate online behavior will reduce credit scores and result in reporting to the authorities. This provision, while a significant threat to Chinese “netizen” anonymity, should not impact foreign businesses.
In January 2018, the Ministry of Industry and Information Technology (MIIT) published the “Public Internet Cybersecurity Threat Monitoring and Mitigation Measures,” which is intended as a companion piece and expansion of the Cybersecurity Law. These regulations call for companies conducting business in China to hand over cyberthreat information to the MIIT. Companies are now required to report information on cyberattacks they have encountered and “cyberthreat intelligence” in their possession.
The language of the regulation states that “after cybersecurity threats are discovered by relevant professional organizations—basic telecommunication enterprises, cybersecurity enterprises, Internet companies, domain name registration management and service organs—information shall be submitted to MIIT … in a timely manner and in accordance with the content, indicators, and format of relevant regulations.” The information will be compiled in a national cyberthreat database managed by the Chinese Computer Emergency Response Technical Team (CN-CERT), which has recently been resubordinated under the CAC.
In February 2018 the Chinese government ordered state-owned telecoms to prevent customers from using virtual private networks (VPNs). In March 2018, the government announced that businesses including foreign businesses could now use only the VPNs that have been approved by the government. Businesses in China have reported that their clients were finding that connecting to websites outside of China or exchanging data with headquarters has become slower and less stable.
In June 2018, the Ministry of Public Security (MPS) published what may be the most significant addition to the Law thus far: the new “Draft Regulations on the Multi-Level Protection of Cybersecurity” (网络安全等级保护条例征求意见稿) for comment. An initial analysis by the Western firm Hunton Privacy noted that the Draft Regulation expands the categories that require regulated security protection from computer systems to “anything related to construction, operation, maintenance and use of networks, such as cloud computing, big data, artificial intelligence, Internet of Things, project control systems and mobile Internet.”
Under the Draft Regulation, all network operators are responsible for determining the appropriate security level (1-3, 3 being most critical) for their networks, based on the sensitivity of the system and its contents. Networks classified as level 2 or higher must have “expert review” of the classification level and may be required to obtain approval from industry regulators and the MPS.
This new document indicates that regulation would cover companies that did not previously fall under the scope of existing regulation by incorporating “all network operators” rather than just key industry systems. All network operators are now required to conduct a self-review of their cybersecurity systems at least once per year and report their risks and remediation plans to MPS. Network operators are required to report any cybersecurity incidents to MPS within 24 hours. New level 3 networks must be certified by testing agencies accredited by MPS before they can come online. The Draft Regulation also identifies the investigative powers of MPS to include on-site inspection, investigation, and “summoning for consultation,” as well as sanctions for companies in violation, including monetary fines and criminal liability.
Analysis of the impact of the Cybersecurity Law over its first year by Eversheds Sutherland, a multinational law firm, included a summary of select prosecutions by the CAC and Chinese police from July 2017 through May 2018. The incidents listed below illustrate the kinds of infractions that drew action by the authorities.
Violations and Penalties
Breach: Company not regularly evaluating security grade statuses of its information system.
Consequences: The company was warned and ordered to make rectifications.
Breach: Company not performing its cybersecurity protection obligations.
Consequences: The operator of the website and its legal representative were respectively fined for the non-compliance.
Breach: Publication of users’ information without authenticating users’ identities.
Consequences: Ordered to conduct immediate rectifications.
Breach: Allowing users who have not been authenticated to publish information.
Consequences: The site was ordered to require its users to provide authentic identification information and clear up all malicious information.
Breach: Allowing users to post forbidden materials.
Consequences: Fines were imposed on the technology giants Baidu and Tencent for their lack of control.
Breach: Company wrongly collecting users’ personal information without express consent of users.
Consequences: Demand that the company must comply with the law.
Breach: Two companies published content which infringed upon China’s sovereignty.
Consequences: Immediate rectification was ordered for both companies.
Breach: Company sharing sensitive information on user’s spending to third parties.
Consequences: Demand that the company must comply with the law.
Breach: Company publishing inappropriate content.
Consequences: Founder of the public page was investigated by the authorities and permanently deleted the page.
It should be noted that all the incidents cited above, and in fact almost all of the cases pursued, have been against domestic Chinese companies. The infractions cited were primarily about Internet content control and the censorship regime in China. The one example found of intrusion into a foreign-owned business for “national security” reasons was a brief shutdown of Marriott International’s internet access in China. Marriott’s transgression was publication of a customer questionnaire that listed Hong Kong, Macau, and Taiwan as separate countries from China. The Shanghai branch of the Cyberspace Administration of China shut down Marriott’s Chinese website and mobile phone services for a week. Despite a quick apology from Marriott, the Shanghai Cyberspace Administration reportedly initiated an investigation into whether Marriott had violated the Cybersecurity Law. Other than this incident, no reporting was found on foreign businesses being cited by Chinese authorities for Cybersecurity Law violations.
COSTS TO FOREIGN BUSINESSES
Even though foreign firms were not targeted for violations of the Law during this first year, compliance has had an impact on business operations. The auditing firm PwC estimated that compliance with the Cybersecurity Law caused companies in China and Hong Kong to spend almost 25 percent more last year on cybersecurity than their competition in other countries. PwC said that the greater expenses were incurred by conducting reviews of data and network assets and appointing senior staff to manage cybersecurity risks.
One of the costs of the regulation has been the necessity to build data storage centers inside China or to rely on local server providers rather than store data back in the U.S. According to the Wall Street Journal, Apple was spending about $1 billion to build a data center inside China to comply with rules stipulating that cloud data from Chinese consumers be stored in China. Foreign auto makers operating in China were also reportedly considering building data centers inside China.
It is possible for businesses in China to legally circumvent some of the new restrictions. For example, it is possible for a foreign company to switch from a VPN to a dedicated line to its outside headquarters, but the cost of this could be prohibitive for some companies. One estimate stated that a business with about 500 employees could see its communications bills rise from around $5,000 a year to up to $70,000.
There are limits as to what foreign corporations or governments can do to resist the full implementation of China’s control measures. In October 2017, the United States and Japan started a campaign against the draft rules at the WTO Council for Trade in Services, seeking to keep China from implementing final measures until foreign concerns were addressed and the draft regulations were made consistent with the WTO General Agreement on Trade in Services. As of April 2018, China did temporarily postpone work on part of the Guidelines, but the final answer to this request is pending.
The US-China Business Council, an association of US firms doing business with China, issued a report in February 2018 that identified three aspects of the Cybersecurity Law that were creating the greatest obstacles to successfully doing business in China. The key challenges noted were:
- The impediments and disruptions to the business operations caused by the Law’s data policies, including requirement of local data storage and restrictions on cross border data transfer;
- The stifling impact of China’s overly restrictive licensing regime on the use and innovation of global cloud products and services in China; and
- The unlevel playing field in technology procurement resulting from the overly broad regimes for cybersecurity review of technological products and services.
The report included recommendations to the Chinese government as to how it should amend the Law to help international business, including narrowing the broad scope of the current policies, opening cloud computing services to foreign companies, and allowing foreign investors in Chinese joint ventures to retain ownership and control of software and other proprietary technology licenses. No evidence was found, however, that the Chinese government is acting on these recommendations.
CONCLUSIONS: GOALS OF THE NEW CONTROLS
There remain questions about the real goals of the Cybersecurity Law. Is the government trying to gain greater transparency into business operations so they can more easily prosecute violations of Chinese internet laws? On the surface, it appears the Law is designed to strengthen data protection and the security of critical information infrastructure. However, many of the provisions appear to actually be designed to facilitate the Chinese government’s access to data held by domestic and foreign enterprises.
There is the suspicion that these measures are actually designed to make it harder for foreign companies to do business in China, making it easier for Chinese firms to compete. This concern is also engendered by the requirements for foreign firms to disclose their intellectual property as a condition for working in China.
China’s Cybersecurity Law covers much more than enterprise and network data security; it also includes a wide range of what is considered cyber-crime in China. Article 12 specifically prohibits the use of the Internet to:
- engage in activities endangering national security, national honor, and national interests;
- incite subversion of national sovereignty, overturn the socialist system, incite separatism, break national unity, advocate terrorism or extremism;
- advocate ethnic hatred and ethnic discrimination; or
- disseminate violent, obscene, or sexual information, false information to disrupt the economic or social order.
This indicates that one major goal of the Law is internal control by restricting Internet content that threatens the government in any way.
China’s stated goals in the cybersecurity domain indicate that these measures are in fact part of a larger goal: becoming a “cyber superpower.” In September 2017, a CAC team called the “Theoretical Studies Center Group” published an essay that supposedly identified the major elements of Xi Jinping’s strategic thinking on cyberspace policy and his goal of becoming what he calls a “cyber superpower” (网络强国). In it, the team repeats the formulation often used by Xi himself: “Without cybersecurity there is no national security.” According to a translation by Paul Triolo of the Eurasia Group and his associates, Xi’s strategy calls for developing capabilities and governance capacity in four areas:
- Managing Internet content and creating “positive energy” online;
- Ensuring general cybersecurity, including protecting critical information infrastructure;
- Developing an independent, domestic technological base for the hardware and software that undergird the Internet in China; and
- Increasing China’s role in building, governing, and operating the Internet globally.
Xi Jinping’s most definitive statements on this goal came in April 2018 when he convened a cybersecurity conference in Beijing and spoke at length on digital development, cybersecurity, and cyberspace governance. Xi explicitly outlined the national goals of “accelerating the construction of a cyber superpower” and “participation in international cyberspace governance processes.” The creation of the Cyberspace Administration of China as a central regulatory body and the implementation of the Cybersecurity Law under the CAC’s authority are seen as key measures in support of gaining the desired cyber power capabilities.
Contact Wapack Labs for more information: 603-606-1246, or firstname.lastname@example.org.