On June 1, 2017, China’s Cyber Security Law (CSL) went into effect. The CSL is probably the most comprehensive national-level law to tackle cyber security concerns to date, and it consolidates a number of earlier laws and current regulations. It is in keeping with the global trend toward stronger cyber security regulation, but it also raises many questions for multi-national organizations (MNOs), such as “Will the CSL apply to my organization or industry?”
Interpretation will play a large role in determining who is covered by the law and what is required of the companies that fall within it. This will be especially true for MNOs.
Is your organization within the reach of CSL?
At its essence, the CSL focuses on “personal information” and “important data.” How these two terms are defined will be at the crux of determining the extent to which authorities will be able to investigate information. At this point, we don’t know: decisions yet to come will determine the breadth and depth of these definitions.
Will your industry fall under CSL?
That’s going to be determined by another definition: “critical information infrastructure” (CII). CII is usually defined as a physical or virtual information system that controls, processes, transmits, receives and/or stores electronic information necessary to support critical infrastructure. The term “critical infrastructure” describes assets that are essential for society and the economy to function, so CII would normally be associated with industries such as power, finance, and transport. What makes the CSL controversial is its additional inclusion of other infrastructure whose compromise may harm “people’s livelihoods.” If that is interpreted to cover any foreign key supplier to any “critical” sector, then any MNO that holds significant information (however that is defined) about citizens of the People’s Republic of China (PRC) could fall under the purview of the regulators vested with enforcing the CSL.
The definitions therefore become essential in concluding which systems, data, transport mechanisms, etc. meet the criteria of “personal information” and “important data.” For operators of CII, the CSL requires that this information be stored within the PRC; transferring it out of the PRC requires a security assessment and approval first.
What is “personal information”? Personal information may be any information that, taken alone or in combination with other data, is enough to ascertain an individual’s identity (such as a phone number, address, date of birth, or identification number). This definition can be extended to include information that is similarly defined in the State Secret Law. In short, any information associated with national security, economic development, health, or the public interest may fall under the scrutiny of assessors.
Clearly, the CSL is intended to counter the attacks of cyber criminals, protect domestic infrastructure, and thwart future cyber-attacks. The security assessments it mandates may also surface MNOs’ own vulnerabilities to cyber-attacks. However, the CSL may additionally give the Chinese government a legal avenue to obtain access to intellectual property, which is of great concern to MNOs.
The full extent of the CSL’s reach, and its impact on the ability of companies to keep proprietary and confidential information from being appropriated, will be settled by the courts. Whether the CSL stays within reasonable boundaries in protecting CII will be closely watched; more than 50 MNOs and business groups have already lobbied against the law.
Cybersecurity has become an integral part of business continuity, and it is the duty of all resilience professionals to understand the threats and how to mitigate them in order to protect their organizations. For more information, please visit www.drii.org.