The Chinese government has passed a number of new cybersecurity laws to mandate better minimum standards around cybersecurity. Some also give broad powers to law enforcement and intelligence agencies to closely monitor and inspect everything that happens on networks within the country, even those of non-Chinese companies.
The most notable of those in recent years was the Chinese Cybersecurity Law (CSL), a broad piece of legislation that governs almost every aspect of online and network activity and gives law enforcement the authority to inspect and monitor businesses, up to and including in-person inspection on company premises.
Now there is a new version of China’s Multi-Level Protection Scheme law, known as MLPS 2.0, which for years has governed IT security standards for what the government broadly deems critical infrastructure. Under the new version, what constitutes “critical” is widened, and the threshold for requiring government inspection and monitoring is lowered, potentially having repercussions for global companies with Chinese operations.
What is China’s Multi-Level Protection Scheme (MLPS)?
US think tank the Center for Strategic and International Studies (CSIS) claims that China has issued close to 300 new national standards related to cybersecurity in recent years. One of the most recent changes is an update to the MLPS.
Under the current MLPS – which has existed since 2008 – network operators (a very broad term that covers any connected computers or systems sending or processing data) are required to classify their network and information systems into different levels and implement security protections accordingly. The scheme ranks information communications technology (ICT) systems on a scale of sensitivity, with 1 being the least sensitive and 5 the most. The higher the ranking, the more monitoring by the Ministry of Public Security (MPS) that system is subject to, along with third-party certification, source-code delivery, and annual reviews.
According to legal firm Reed Smith, Level 3 -- the point at which self-certification turns into government reviews -- happens when damage to the network would result in “particularly serious damage to the legitimate rights and interests of the Chinese citizens, legal persons and other organizations concerned, or cause serious harm to social order and the public interest, or cause harm to national security.”
How will MLPS 2.0 impact foreign companies operating in China?
The New America think tank says the new version of MLPS, a draft of which was released last year and which is due to come into effect on December 1, 2019, is a “shift toward more audits rather than self-reporting by companies.”
Under MLPS 2.0, the networks that are subject to scrutiny are expanded to essentially any and all IT systems. Which entities count as “critical information infrastructure (CII) operators” and therefore fall under the MLPS is ill-defined. It also will likely lower the level 3 threshold at which increased monitoring is required.
Networks rated level 3 and above are required to put in place policies and procedures many enterprises will be familiar with, such as cybersecurity monitoring, detection and response, and incident notification to relevant bodies. They will be inspected by government officials at least once a year. Level 3 networks must also be technically maintained in China rather than remotely maintained from overseas. If work must be done from overseas, it must be logged in case of inspection.
Networks rated level 2 or higher are required to conduct proper testing and keep records in case they are requested by the government. There are also requirements around personal information security protection policies and procedures as well as the need to evaluate the security risks presented by new technologies and applications.
According to the South China Morning Post (SCMP), Guo Qiquan, chief engineer at the Cybersecurity Bureau, has said the main goal of the scheme was “full coverage.”
“It will cover every district, every ministry, every business and other institution, basically covering the whole society,” Qiquan is reported to have said. “It will also cover all targets that need [cybersecurity] protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet.”
The SCMP also reported that the bureau has recruited a “big data expert” to potentially make sense of all the data the MLPS will be collecting.
Data grab or legitimate effort to improve security?
Much like the CSL, there is debate over whether these new laws exist to elevate the security of local networks, gather intelligence and IP on companies both foreign and domestic, or a combination of the two.
James Andrew Lewis, senior vice president and director, Technology Policy Program at CSIS, says that by and large this latest development is a “legitimate effort” on the Cyberspace Administration of China’s (CAC) part to improve the “atrocious” network security in the country.
“Their intent is not to use it for malicious purposes,” he says. “The CAC knows that the overall network security is bad in China, and they're trying to come up with rules and principles to change that. [The MLPS] is kind of similar to and certainly inspired by the NIST framework, but with additional measures that the Chinese thought would be useful, which is the inspection processes.”
Lewis argues that the MLPS isn’t really intended as a mechanism to steal data, partly because the state has so many alternative methods of obtaining the data it wants, such as state-sponsored APT groups, and that this scheme should mostly be taken at face value.
“It's very intrusive, but that's their preferred model: They want to have insight and control into how companies are securing data and networks. The larger issue is, can you trust China? And to that I say no,” Lewis says. “You have to go in there with your eyes open. Know that if they decide they want something from you they'll use any means to get it. The Chinese intelligence services would be unscrupulous if they wanted access to data. They could be very forceful with companies.”
Companies with operations in China should also be aware that the incoming Foreign Investment Law, which comes into force on January 1, 2020, removes special statuses for wholly foreign-owned enterprises (WFOEs) or other foreign-invested enterprises and will lead to them being treated in the same way as domestically owned companies. This could impact the legality of using non-government approved VPNs to connect to other parts of the business outside of China.
Due to internal politics among different government agencies combined with no noticeable increase in staffing or expertise, Lewis predicts the focus will likely still be on domestic businesses for all but the most sensitive or high-interest companies with a presence in the country.
When it comes to the MLPS, however, Lewis says that although it presents another potential avenue for exploitation, companies already making efforts to securely operate in China and also comply with existing cybersecurity laws shouldn’t need to put too many additional controls in place.
“You have to think carefully about what goes to China, what you do in China, because that can always be taken advantage of. If [companies] are already doing a serious effort at cybersecurity, it's largely reformatting it to make it fit the Chinese standards and requirements and just repackaging it for a presentation to the Chinese authorities.”
“You have to ask yourself, if I was asked by the Chinese authorities how I am implementing the regulations or what I've done to improve security in China, you need to be able to answer that question with a straight face,” says Lewis. “You need to have some minimal effort to show you're complying with Chinese law.”