As early as 27 February 2014, President Xi Jinping, the head of the Office of the Central Leading Group for Cyberspace Affairs, said that “No cyber safety means no national security.” On 1 July 2015, the National Security Law of the People’s Republic of China (《中华人民共和国国家安全法》)( NSL ) came into effect. For the first time, the NSL clearly provides that the state shall “safeguard sovereignty, security and development interests of cyberspace in the state.”
Cyber security has become an increasingly prominent issue, and the Chinese government has chosen to focus on several key areas of concern. First, illegal intrusions and attacks in cyberspace that seriously threaten China’s information infrastructure across all significant sectors. Second, increased illicit online activities that harm Chinese society, particularly in the areas of personal information theft and intellectual property misappropriation. Third, the increased use of China’s networks to promote terrorism, extremism, instigation, or subversion of the system, all of which threaten national security and the public interest.
On 6 July 2015, the Standing Committee of the National People’s Congress released the Cyber Security Law of the People’s Republic of China (Draft) (《中华人民共和国网络安全法（草案）》) (Draft) for public comments. Once adopted, this will be the first Chinese law that focuses exclusively on cyber security. The Draft signals that the Chinese government is preparing to tighten its grip on domestic networks and data security, which is in line with the government’s focus on reinforcing national security.
In this article, we will provide an overview of the Draft, and then discuss the potential impacts the Draft may have on business interests. Particular focus will be given to Draft provisions on network products and services security, network operation security, network data security, and network information security.
Overview of the Draft
The Draft aims to safeguard the sovereignty of national cyberspace and Chinese national security. According to Article 2 of the Draft, the following areas will be governed under this new law: the construction, operation, maintenance, and use of networks; and the supervision and administration of cyber security within the territory of the People’s Republic of China.
The Draft contains 68 articles and has a broad regulatory scope on cyber security, including specific provisions on: the strategic plan for cyber security; network products and service security; network operation security; network data security; network information security; alarm and emergency response systems; and, a regulatory regime for network supervision.
The Draft establishes a comprehensive regulatory regime for cyber security, creates legal responsibilities for network operators and network service providers, and defines some important terms in the context of cyber security. The Draft states that the “national network and information authority” is responsible for comprehensively planning and coordinating network security efforts and related supervision and management efforts of different government authorities.
Network Products and Service Security
Ensuring the security of network products and services is fundamental to cyber security. The Chinese government intends to implement a strict policy on network products and services to improve China’s cyber security. The Draft sets up a system where key IT hardware and equipment must meet mandatory security qualifications, and acquire government certification, before being sold and implemented.
Article 19 of the Draft states that key network facilities and special network safety products may only be sold after being certified or after passing a test established by the relevant authority. The catalog of key network facilities and special network safety products will be published by the national network and information authority and relevant departments under the State Council separately.
However, this approach may not be novel—it may be a reflection on, and consequence of, recent events. In practice, foreign IT suppliers may face greater challenges when attempting to provide any of the aforementioned products or services.
Until recently, Chinese companies and administrative authorities widely used foreign software and hardware in their IT systems. However, when the PRISM project was uncovered in 2013, the Chinese government was alerted to the inherent dangers of foreign IT products; products from American IT giants like IBM, Oracle, and EMC (IOE) were ubiquitous. Since these foreign IT products create the potential risk that foreign governments could be provided with critical and confidential information, more and more Chinese companies and administrative authorities stopped using foreign IT products (including, but not limited to, IOE). Instead, Chinese entities have turned to domestically developed products and services, or have started developing their own technologies.
In response to these concerns, the Guidelines on Banks Using Secure and Controllable Information Technology (2014-2015) (《银行应用安全可控信息技术推进指南（2014-2015）》) (Guidelines) were promulgated by the Ministry of Industry and Information Technology and the China Banking Regulatory Commission (CBRC) on 26 December 2014. While the Guidelines do not explicitly prohibit foreign suppliers from selling IT software and hardware to the Chinese banking industry, they do set a very high bar for foreign supplier entry into the market. For example, source code of the software attached to certain network equipment (e.g. backbone routers) and storage equipment (e.g. storage FC switches) must be filed with the Technology and Information Department of CBRC for recording purposes; the monitoring and administration interface of certain network equipment (e.g. firewalls) must be tested and certified by the Technology and Information Department of CBRC; and suppliers of certain kinds of network equipment (e.g. core switches) and storage equipment (e.g. tape libraries) are required to establish R&D centers in China.
In early 2015, CBRC reached a compromise with the fierce critics of the Guidelines, stating that the Guidelines apply to all companies without regard for nationality. However, if banks are using secure information technology platforms that fall within the scope of “key network facilities and special network safety products,” as governed by the Draft’s Article 19, then the Draft rules will apply. As a result, if the Draft’s standards turn out to be higher than those listed in the Guidelines, the banking industry may be subject to stricter regulation, despite any previously reached compromises under the Guidelines.
Network Operation Security
In order to safeguard the security of key information infrastructure facilities, the Draft implements new requirements for operators of these facilities. The Draft sets high requirements for the operational security of facilities deemed to be part of China’s “key information infrastructure facilities,” and includes the integration of national security examinations under certain circumstances. However, due to the ambiguity of some terms in the Draft, the impact of this new regulatory requirement will largely depend on the scope of these terms as interpreted by the regulatory authorities.
Definition of Key Information Infrastructure Facilities
According to Article 25 of the Draft, “key information infrastructure facilities” include: basic information networks; important information systems in important industries or in public service sectors; military networks; government networks for state organs at city level or higher; and networks and systems owned or managed by network service providers with a significant number of users.
This broad scope of key information infrastructure facilities leaves space for the regulatory authorities’ interpretation of the law. Given this, it is hard to know how these ambiguities will interact with one another once this Draft enters into force. For instance, since there is no definition of what will be considered a “network service provider,” it is most probable that all kinds of services provided via communication networks (such as the Internet) will fall under “network service.” It is also unclear how many users will constitute a “significant number of users,” thus triggering the regulatory requirements. Yet another example is the concept of “important,” used to define the terms “important information systems” and “important industries” in the definition of “key information infrastructure facilities.” Since there is no definition, or indication, of what systems qualify as “important information systems” in the “important industries,” it is left to the discretion of the regulatory authorities on a case-by-case basis.
The Draft introduces new standards and requirements for ensuring the integrity of both network infrastructures and the people who are essential to the operation of those networks.
Article 28 of the Draft provides that key information infrastructure facilities operators must set up specialized internal security management divisions and assign appropriate person(s) responsible for security management. Additionally, these operators must conduct background checks on the person(s) responsible for security management and on personnel in critical positions.
Article 30 of the Draft provides that when operators of key information infrastructure facilities purchase network products or services that may affect or involve national security, the operator must pass a security examination jointly arranged by the national network and information authority and the relevant government departments. Essentially, Article 30 provides that when a key information infrastructure facilities purchasing activity may affect national security, the national security examination process, as outlined in Article 59 of the NSL, will be triggered.
Under the Draft, we anticipate that foreign businesses that may be seen as “key information infrastructure operators” will need to carefully consider the effects of these new, stricter regulations, as they will likely raise the bar of entry into the affected industries.
Network Data Security
Data security is also a critical aspect of cyber security. In order to address the government’s concerns regarding the privacy of personal and sensitive information, the Draft proposes new regulations on data storage. Under these proposed rules, when information collected or generated by the key information infrastructure facilities is deemed “important” or “critical” by the Chinese government, such information must be stored exclusively within mainland China; the exceptions to this policy are narrow and vague.
Article 31 provides that the operators of key information infrastructure facilities must store important data collected and generated, including citizens’ personal information, exclusively within the territory of the People’s Republic of China (in practice, this will be interpreted as mainland China). If, for legitimate business reasons, the data needs to be stored abroad, or data must be provided to a foreign organization or person, the entity must complete a security evaluation according to the measures issued by the national network and information authority and the relevant departments of the State Council.
In practice, however, many companies store information on offshore servers for any number of reasons (e.g. for better storage service, to back up data, or to store the data in their offshore headquarters). If this provision comes into effect, companies with such practices will need to reconsider their data management protocols, their relevant operational mode, and their IT infrastructure deployment, generally. Cloud service providers may also encounter difficulties, given the inherently amorphous nature of cloud server structures and locations. Article 31 also contains ambiguities. For instance, the Draft does not provide criteria for determining how information qualifies as “important.” Moreover, “security evaluation” is also left undefined. Will the principles for national security examinations also be applicable for security evaluations? Since this is not discussed in the current version of the Draft, the answer to this is uncertain.
Network Information Security
The Draft provides powerful methods for maintaining network information security and sets increasingly stringent requirements for network operators. Instead of a purely top-down approach to regulating the dissemination of information within China’s networks, the new Draft imposes duties on network operators and service providers. As a result, regulating the spread of illicit information is now not only the government’s responsibility, but also that of network operators and service providers.
Article 65 of the Draft provides that “network operator” includes network owners or administrators and network service providers who use networks owned or administrated by others to provide relevant services. This includes, but is not necessarily limited to, basic telecommunication operators, network information service providers, and important information system operators. In practice, network information service providers may include the operators of social community services (like Weibo), search engines (like Baidu, Sogou, Bing), video websites (like Youku, Tudou, LeTV), e-commerce platforms (like Taobao, JD), the sites of corporations, and even some non-commercial websites that publish information, like university websites.
Draft Article 40, and the second paragraph of Article 41, establish censorship duties for network operators, including digital information distribution service providers and application software download service providers. When these operators notice a prohibited publication, or the transmission of illicit information, they must promptly stop transmitting the information and take measures necessary to prevent the spread of that information. Operators must maintain a record of these incidents when they occur and report them to the competent authorities.
Draft Article 43 provides a solid legal basis for the relevant authorities, who are empowered to take measures to cut off any transmission(s) of prohibited information on communication networks. Upon finding prohibited information, those authorities will require that the network operators stop the transmission and take the necessary measures to remove any prohibited content. Where the above prohibited information comes from outside the territory of China, these authorities may request that all related institutions take necessary measures to stop the flow of prohibited information. If the Draft comes into effect with Article 43 unchanged, the currently obscure landscape of cyber censorship mechanisms will become clearer.
The Chinese government is determined to assert a tighter grip over China’s networks in order to increase national security and stability. With broad-reaching implications, the Draft Cyber Security Law proposes to accomplish that through strict regulation of network operation and network information security.
Under the current Draft, some network operators (e.g. those network service providers that have a significant number of users) will be deemed operators of key information infrastructure facilities and will be required to adhere to the new key information infrastructure facilities regulations. Network information security will be regulated under both a top-down and a bottom-up regulatory structure, which holds network operators responsible for controlling the publication of information on their networks and platforms.
Currently, the Draft is open to public discussion and comments until 5 August 2015. Once adopted, it will almost certainly have significant influence on all sectors of business in China. Especially given China’s broader Internet+ strategy, adoption of the Draft would have broad and fundamental effects on Chinese society. We will follow the legislative process on this Draft closely.