China’s new cyber-security law, in effect since June 1st, contains vague and onerous language that authorities could invoke to compel security checks, forcibly demand data or to inspect proprietary technology.
Unlike the western hemisphere, where new regulations are being set in place to protect data both for the customer and for the companies that process it – in essence, putting the people first – the eastern parts of the world (Russia, China, et.al) are enforcing new legislation focused on serving the state’s needs first – and quite visibly so.
Whereas the Kremlin has demanded that messaging services like Telegram hand over data that may be concern national security, China is going to even greater lengths to control information flow, both domestically, and beyond the Great Firewall.
The Republic’s new cyber-security law targets organizations defined as “network operators” by the China Information Technology Evaluation Center (CNITSEC) – a division of the Ministry of State Security. Network operators are subject to national security review, according to the law.
Audit and advisory firm KPMG has conducted an analysis of the law and found that China essentially regards network operators as any enterprise or institution that provides services or conducts business through “networks.”
These include traditional telecom operators and Internet firms, financial institutions that collect citizens’ personal information and provide online services (banking institutions, insurance companies, securities companies, and any type of foundation), as well as enterprises that have websites and provide network services. Cyber-security companies, and even fast-food delivery firms, are in the same boat, because of the sheer amount of customer data they handle daily.
‘Critical information infrastructure’
Network operators are further required to hand over user data if authorities suspect national security could be compromised. The terms describing the circumstances in which such data should be handed over would be considered vague, to say the least, by western customers. These include “rumors,” “social order,” and “insults,” all labeled “internet-related crimes,” under the law.
“Critical information infrastructure” operators are regulated even more tightly.
“Public communication and information services, power, traffic, water, finance, public services, electronic government (e-gov), and other critical information infrastructure that if destroyed, lost functionality, or leaked data, might seriously endanger national security, the national economy and the people’s livelihood, or the public interest,” the law stipulates.
Such operators are subject to regular national security reviews by default. The Chinese government can request source code and gain insight into proprietary technology or intellectual property.
CNITSEC also runs the nation’s information security assessment center, the China National Vulnerability Database of Information Security (CNNVD). Both CNITSEC and CNNVD are under the Ministry of State Security (MSS), forming an intelligence agency not unlike the infamous CIA.
Threat-intelligence experts warn that the ministry “is using the broad language and new authorities in China’s cybersecurity law to possibly gain access to vulnerabilities in foreign technologies that they could then exploit in their own intelligence operations.”