What are the new China Cybersecurity Law provisions? And how CISOs should respond

New provisions to the China Cybersecurity Law allow the Chinese government access to enterprise networks operating in the country. Although the security risk that presents is unclear, CISOs can take steps to minimize the impact.

CSO slideshow - Insider Security Breaches - Flag of China, binary code
BirgitKorber / Getty Images

Chinese Cybersecurity Law definition

China’s CyberSecurity Law (CSL), passed in 2016, is broad legislation that dictates how companies should approach security and privacy within the country. It includes strict controls around online activities and provisions around storing data locally, having joint venture partners, and in some cases registering network assets. It also has mandatory requirements around breach notification, appointing a head of cybersecurity, incident response plans, and more.

Additional provisions – known as the Regulations on Internet Security Supervision and Inspection by Public Security Organs – were passed in November 2018 and outline how the country’s main domestic security agency, the Ministry of Public Security (MPS), can conduct both onsite and remote inspection of computer networks, which are generally defined in the CSL as five or more computers connected to the internet.

Onsite inspections require at least two police officers to be present and show both identification and inspection certificates. The MPS may go into business premises, computer rooms and workplaces and “copy information related to internet safety supervision and inspection.”

Recorded Future’s analysis of the legislation says information that could be copied includes “any and all user information, technical measures for the network, and information security protection, hosting, or domain name information, as well as any content distribution the organization may be conducting.”

To continue reading this article register now

The 10 most powerful cybersecurity companies