Overview of China’s Newest Cyber Security Regulation and Implications

Author: Kayla Blomquist

Date: November 8, 2017

China’s Cyber Sovereignty

On June 1, China’s newest cybersecurity and network security law came into effect allowing Chinese authorities to gain greater control over internet content. The law, first passed in November 2016 by the China’s National People’s Congress, seeks to reform internet usage and data management regulations.[i]  Since 2010, China has actively pushed to establish what it calls “cyber sovereignty,” a term which justifies the state’s control over internet usage and content within country borders by equating it to an extension of the globally accepted norm of territorial sovereignty.^[ii] This term was first coined in China’s white paper, “The Internet in China,” which outlined Beijing’s basic principles of internet regulation and emphasized “active use, scientific development, law-based administration and ensured security.”^[iii] This document has served as the basis for China’s subsequent cyber regulations, which have led China to accomplish many seemingly impossible and highly controversial feats, such as creating one of the world’s most thorough online content filtering systems, widely known as “The Great Firewall of China.”

The 2016 cybersecurity law applies to network operators and businesses in critical sectors, which include “businesses involved in communications, information services, energy, transport, water, financial services, public services, and electronic government services.” It also applies to all businesses that manage their own networks, or even emails systems. Additionally, companies that do not fall directly within these sectors, but work with other companies who do, will also be subject to this law.^[iv] According to Chinese officials, this law will enhance the security of networks within the country by adopting measures similar to those found in the U.S. and Europe. However, this law has the potential to bar a number of foreign firms from entering into or remaining in the Chinese marketplace, as compliance measures will likely be costly.

Articles 10, 21, and 22

First, Articles 10 and 21 of the law require network operators to adopt specific network security measures , as well as comprehensive internal security management systems to protect against risks such as viruses and cyber-attacks. Article 22 requires network operators to conduct regular system maintenance on networks and to take action immediately after discovering any security flaw or vulnerability.  These security measures are not uncommon when one considers practices in the U.S. and Western Europe and represent what is currently viewed as global best practices for company and client data storage.^[v] According to Chinese officials, these new requirements will contribute to a more digitally secure business environment within the country. ^[vi] However, it will raise compliance costs and the barrier to entry for doing business in China. Some foreign firms are concerned the law will prevent them from doing business there altogether.^[vii]

Article 37

Regarding data storage and access, Article 37 requires network operators to store data gathered or produced by the network in Mainland China.  Further, these networks will be subject to periodic checks by Chinese authorities on network operations.^[viii]  Many foreign firms and governments are concerned by this set of requirements, as they may put at risk personal and company data.

The Impact

As with all large-scale public policies, the true impact of this law (and those that follow) will be determined by its implementation methods. However, clear implementation guidelines were excluded from the law in its final form and the law itself remains opaque. Since it was enacted less than six months ago, and only select components of the law have gone into effect thus far, there currently exist few examples of how it is being enforced.  Finally, it isn’t unprecedented for similar laws to be implemented or enforced inconsistently in China, based on factors such as the location of the company or the relationship the company has with government officials. Due to these factors, implications will vary widely across firms, and learning to navigate the developing rules of cyberspace in China will largely be an incremental, individualized process.

Spillover to Southeast Asia

Finally, the implications of China’s approach to cyber security reach far beyond its borders. Countries such as Vietnam, Thailand, and most recently, Cambodia, have all taken cues from China in adopting new laws and practices to regulate internet content and usage. For example, in 2015 Thailand’s military government attempted to adopt a single Internet gateway, similar to the one in China which enables extensive internet content blocking and filtering and was created.^[ix]  The parliament in Thailand will soon be considering a new cybersecurity bill, which seeks to establish a National Cyber Security Committee led by Prayuth Chan-ocha, the interim Prime Minister. The law also seeks to empower authorities to conduct spot checks on firms’ data and networks, thus raising data and personal information security concerns similar to those raised by China’s new law.^[x] Other countries like Vietnam already have similar internet content filtering mechanisms, like those established earlier on in China’s campaign for cyber sovereignty. It is clear countries with similar governance styles as China are closely watching the rollout of its cyber laws. Therefore, understanding China’s cyber laws and practices is critical for businesses operating not just in China, but in other countries in the Asia-Pacific.

Conclusion

China’s latest cyber security law has far-reaching implications for foreign firms seeking to conduct business in China. However, the implementation methods of the law remain unclear to many both in- and outside of China. Close tracking of country-wide implementation efforts will be valuable to those looking to understand how the law will affect their business. Further, as comprehensive and potentially overreaching cyber security laws that resemble those in China are implemented throughout the region, China’s example will be even more important to understand.  FAO Global looks forward to continuing to track and advise organizations on the effects of the implementation of this cyber security law, as well as many others in the Asia-Pacific region.

The original text of the cyber security law can be found at:

http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm

 

---

About the Author:

Kayla Blomquist is a frequent contributor to FAO Global articles and projects. Her expertise is in International Development and Governance, with a focus on cyber issues. She holds a B.A. in International Relations and Public Policy from the University of Denver and has experience working with the U.S. Department of State and the Center for International Private Enterprise.

---

 

References

[i]  “People’s Republic of China Network Security Law,” The National People’s Congress of the People’s Republic of China. November 7, 2016. http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm

^[ii] “Full Text: White paper on the Internet in China,” Information Office of the State Council of the People’s Republic of China. August 6, 2010. http://www.chinadaily.com.cn/china/2010-06/08/content_9950198.htm. Accessed October 6, 2017.

^[iii]   “Full Text: White paper on the Internet in China,” Information Office of the State Council of the People’s Republic of China. August 6, 2010. http://www.chinadaily.com.cn/china/2010-06/08/content_9950198.htm. Accessed October 6, 2017.

^[iv] “China’s Cybersecurity Law,” The Diplomat, Jack Wagner. June 1, 2017.  https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/. Accessed October 6, 2017.

^[v] “Overview of China’s Cybersecurity Law,” KPMG China, IT Advisory. February 2017. https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf Accessed October 6, 2017.

^[vi] “China’s Cybersecurity Law,” The Diplomat, Jack Wagner. June 1, 2017.  https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/. Accessed October 6, 2017.

^[vii] “China’s New Cybersecurity Law Leaves Foreign Firms Guessing,” New York Times, Wee Sui-Lee. May 31, 2017. https://www.nytimes.com/2017/05/31/business/china-cybersecurity-law.html. Accessed October 14, 2017.

^[viii] “China’s Cybersecurity Law,” The Diplomat, Jack Wagner. June 1, 2017.  https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/. Accessed October 6, 2017.

^[ix] “Thailand scraps unpopular Internet ‘Great Firewall’ plan,” Reuters. October 15, 2015. https://www.reuters.com/article/us-thailand-internet/thailand-scraps-unpopular-internet-great-firewall-plan-idUSKCN0S916I20151015 Accessed October 14, 2017.

^[x] “Thailand: New, Tough Law on Cyber Security Drafted,” U.S. Library of Congress, Wendy Zeldin.  July 21, 2017. http://www.loc.gov/law/foreign-news/article/thailand-new-tough-law-on-cyber-security-drafted/ Accessed October 14, 2017.