In the year since China’s Cybersecurity Law was released in its full form and the six months since it went into effect June 1, the Chinese government and the Communist Party have significantly clarified their approach to cyberspace and information and communications technology (ICT). Developments range from well-reported media control moves to early enforcement actions on data protection and still-evolving frameworks affecting foreign companies doing business in China. This interlocking matrix of regulations and standards associated with the new law is already shaping China’s political and economic digital reality.
In fact, the Cybersecurity Law hasbeen only the most visible document in a wider Chinese effort to governcyberspace and secure the country’s digital infrastructure. The 19th PartyCongress, where Xi Jinping’s leading position was renewed and solidified, putICTs front and center in economic development and emphasized the importance ofcybersecurity as threats and risks proliferate. Chinese policy thinkers andofficials are eyeing the global stage and may announce new internationalproposals as soon as at the Chinese-hosted World Internet Conference (WIC) inWuzhen, Zhejiang, opening next week.
National plans—which can be at onceaspirational and quite concrete—set ambitious goals for artificial intelligenceand high-tech development, and surging public and private investment in a largeand protected market raise expectations of success. Taken together, theseefforts arguably constitute the most comprehensive framework for ICT governancecurrently underway globally.
Even if it’s easy to see the forestof Chinese official efforts to shape the digital world, it can be hard tonavigate the trees of implementing regulations, standards, and review regimes.Here, after a year working with the Cybersecurity Law’s text and half a yearnominally under its effect, we offer a guide to the emerging regime and identifysome areas to watch for the most consequential developments yet to come.
The Players
Developing such a comprehensiveframework naturally gave rise to much bureaucratic tumult, given the number ofChina’s government ministries, commissions, and standards bodies involved, andthe heavy input—positive and negative—the process has seen from domestic andforeign ICT players. The uncertainty and delays in the framework’s legislativeprocess reflects the complexity involved with balancing these different forceswithin the Chinese political system. The laws deliberately contain broad,high-level principles to accommodate competing regulatory actors.
In this jousting for influence, theprimary government players are:
- Cyberspace Administration of China (CAC) — A relatively new agency seeking to assert its authority over cybersecurity and informatization (i.e. digital economy and the ICT industry), CAC draws its authority from its status as the office of a Xi-led Leading Small Group. CAC is the lead convener of the WIC, now in its fourth year, and its centrality appears intact even as its former leader Lu Wei faces investigation by Party authorities.
- Ministry of Public Security (MPS) — Responsible for running the so-called “Great Firewall of China” system that blocks Chinese access to portions of the global Internet, MPS had primary responsibility for critical infrastructure protection until the new law. Now CAC also has part of that portfolio, but the division of roles, especially over new security reviews, is not yet clear.
- Ministry of Industry and Information Technology (MIIT) — A major developer and manager of digital strategies and plans, MIIT has significant mandates to regulate ICT sector industrial policy. The China Academy of Information and Communications Technology (CAICT), a think tank subordinate to MIIT, also plays a role in ICT policies and standards development. CAICT has been an important interlocutor for foreign ICT firms on these issues.
- National Information Security Standardization Technical Committee (Technical Committee 260, or TC260) — Though sometimes caught between the three big players above, TC260 has been in hyperdrive since August 2016, cranking out detailed new standards that make elements of the new framework more concrete. TC260 includes participation by experts from outside officialdom, including domestic and foreign companies.
- Military and intelligence establishment — Though the evolving framework is largely civilian in nature, decisions related to what qualifies as national security will remain intertwined at top levels of the Chinese government with the military and intelligence establishment, and experts from that world play a role in developing security review systems and advocating for Chinese priorities internationally.
Outside the government, the mainplayers include:
- Chinese industry associations and alliances — Industry groups, for example the CyberSecurity Association of China (CSAC) and China Artificial Intelligence IndustryDevelopment Alliance, are made up of dozens of Chinese ICT company members and act as intermediaries between government and the privatesector. They serve as transmission belts in both directions for policy ideas,trust, and support.
- Baidu, Alibaba, Tencent (“the BATs,” or now sometimes “BATJ” to include JD.com) — As China’s largest and most influential ICT companies, the BATs are on the front lines of Beijing’s global tech ambitions and also have a voice shaping ICT policies. Their affiliated research institutes in Beijing have gained more influence in recent years on public policy debates for emerging technologies. The BATs also wield tremendous power shaping next-generation technology by investing in and acquiring smaller, emerging companies.
The Framework
As the Cybersecurity Law frameworkdevelops, what has emerged is a system with several top-level guiding documentsand six major systems of increasingly concrete policy, each with its ownbureaucratic champions, enforcement mechanisms, and implications for China’sdigital life. Top-level strategies or passages of the Cybersecurity Law providea blueprint for the Xi administration’s cyberspace governance priorities, whilesupporting regulatory documents flesh out details for implementation and hashout conflicts in the bureaucracy. Still, the documents and regulatory moves donot align in a tidy hierarchy, but must be understood as an interconnectedmatrix.
Broad Statements of Principle and Ambition
While the Cybersecurity Law ishighly central for ICT governance, other laws, especially the new NationalSecurity Law and Counterterrorism Law, also feed into the cyberspace governanceframework. Reinforcing the logic of the Xi-era dictum that “withoutcybersecurity there is no national security, and without informatization thereis no modernization,” these security-focused laws further mesh withdevelopment-focused national strategies that provide a touchstone as officialsdevelop regulations and standards. They include:
- National Cyberspace Strategy (2016);
- International Strategy for Cooperation in Cyberspace (2017);
- 13th Five-Year Plan for Informatization (2016);
- 13th Five-Year Plan for Major Science and Technology Projects (2016);
- National People’s Congress Standing Committee Regulations on Strengthening Network and Information Protection; and
- Technology-specific plans, e.g. for big data, semiconductors, cloud services, and with great fanfare, artificial intelligence. (SeeDigiChina’s translation and analysis ofthe AI plan.)
Six Systems
In effect, as of late 2017, thelaws, strategies, regulatory documents, and governing actions can be viewed asoperating in six systems, which together constitute an evolving framework forgoverning ICT use in China. They are: the Internet Information ContentManagement System; the Cybersecurity Multi-Level Protection System; theCritical Information Infrastructure Security Protection System; the PersonalInformation and Important Data Protection System; the Network Products and ServicesManagement System; and the Cybersecurity Incident Management System. Below arebroad-strokes summaries of the status and interconnected nature of thesesystems.
I. The Internet Information Content Management System
The Party leadership is expandingthe legal tools at its disposal to monitor and control information disseminatedonline. Technological developments are allowing individuals more channels tocommunicate outside of officially sanctioned media outlets, compelling thegovernment to play “catch up” with new Internet media platforms.
Party monitoring and control ofonline information content is certainly not new in China. But a spate of newregulations enhance the government’s ability in this regard.
First, this batch of regulationsprovides new requirements related to real-name registration for Internet users.Although the government has tried to introduce real-name requirements foryears, with a mixed record of enforcement, the latest requirements may havemore teeth behind them, since they are now backed by a high-level framework forbolstering security controls. Moreover, the real-name registration system isnow closely connected to other account-based services in which the Internet isnot merely a publishing medium, but a platform for all aspects of living(payments, travel, entertainment, work, etc.). The regulations also lay thefoundation for the government to aggregate online data on individuals to feedinto a “social credit” system, although the government has a long way to go insetting up mechanisms to coordinate and process data.
Second, the regulations place anemphasis on “self-regulation” by operators and service providers. Thegovernment has outsourced regulatory responsibility to businesses for a longtime, but now there is a shift in focus from regulating production toregulating access. Now those found in violation face restrictions in access to Internetcontent and services. Assigning responsibility to online intermediaries helpsthe government leverage more resources while gaining buy-in from companies tothe cybersecurity framework.
II. The Cybersecurity Multi-Level Protection System (MLPS)
Originallylaunched in 2006, the Multi-Level Protection System (MLPS, also translated asthe “Multi-Level Protection Scheme”) is an element of the MPS criticalinfrastructure protection system that ranks networks by sensitivity on a scaleof one to five, with stricter security requirements for networks ranked athigher levels, Level 1 being the highest. Even as the Cybersecurity Law andrelated documents established new elements of a regime for “criticalinformation infrastructure” (CII) and new procedures for reviewing networkproducts and services (both of which are discussed below, under III and V), the MLPS was reinforced in the law.
MLPS developer and proponent GuoQiquan has emphasized that, according to the Cybersecurity Law: “MLPS shall beused as a basic regime and national policy for cybersecurity in the new era.New laws, policies, standards, technical support, talent, education andtraining, and guarantee systems will be built.” Guo holds that the MLPS is a broaderregime than the two new systems and that MLPS and CII protection are on two inseparablesides of the cybersecurity equation.
The exact breakdown in scope betweenthe MLPS and the new Cybersecurity Review Regime (CRR, see V below) remains unresolved and is a major issue that must beclarified between CAC and MPS. This issue likely accounts for the current delayin implementation of the CRR. One major difference appears to be that the CRRincludes examining the background and supply chains of network and productservice providers, focusing on risk management, whereas MLPS is more aboutcompliance.
III. The Critical Information Infrastructure Security Protection System
Soon after the final text of theCybersecurity Law was made public, analysts in China and abroad identified“critical information infrastructure” (CII) as one of the law’s mostconsequential concepts. It both reinforced and stood apart from previous effortsto protect “critical infrastructure,” and if an entity was to be classified asa CII operator, it would be subject to some of the law’s most novel andpotentially burdensome requirements. The question of what is and isn’t CII,then, became crucial.
The law itself identifies sectorslike “public communication and information services, power, traffic, waterresources, finance, public service, and e-government,” and draft regulations inJuly (translated and analyzed byDigiChina) added news media, healthcare, and, significantly, cloud computingand big data providers. Nonetheless, the specific boundaries of CII remainindistinct.
Also in question is who hasresponsibility for regulating various areas of CII. Sectoral regulators areclearly assigned responsibility to ensure security of CII in their areas ofauthority, but some may lack existing competencies in cybersecurityadministration. The MLPS, discussed above in III, may apply in an overlapping way.
Standards developed by TC260 andupdated regulations can be expected to provide some further clarity, butregulators appear to maintain significant freedom to interpret the reach ofCII—likely in a very broad way. That means a wide variety of organizations willat least consider the Cybersecurity Review Regime in procurement, and domesticstorage of data may emerge as a default procedure. This will likely createchallenges for foreign suppliers and Chinese firms operating across borders,both of whom maintain some voice in how the details take shape over time.
IV. The Personal Information and Important Data Protection System
As Chinese regulators cope with alively proliferation of online platforms and services, developing protectionsfor the great volume of data produced by and collected on users or businessesis a major challenge. The Cybersecurity Law calls for several forms ofregulation, including: requirements to store certain information inside Chinaand at certain levels of security; procedures before transferring certaininformation out of China; and consent requirements when collecting personaldata.
Each of these requirements hinges ondefinitions of the data covered, i.e. whether it is either “personalinformation” or “important data.” (See DigiChina’s analysis of theevolving Chinese controversy over how to implement cross-border data flow regulations,and of the overlap between“personal information and important data” and CII.)
At the center of this system is thedefinition of personal information, which will be used to determine whether anorganization must conduct a security review of the data it holds. The scope ofthe definition of personal data was clarified somewhat in the second draft ofthe Personal Information Security Specification (draft), released in earlySeptember 2017. There has been significant change in the content of thisdocument since a first draftwas released earlier this year. The most important changes include greaterclarity in the requirements for how data collectors handle user consentrequirements.
CAC, MIIT, MPS, and TC260 havealready teamed up for an early effort to shape how Internet companies inform usersof their privacy practices by examining the practices of 10 prominentservices—including Alibaba’s Taobao, Tencent’s Wechat, and the ride-hailinggiant Didi Chuxing—and convening their representatives to promote bestpractices. Authorities consider this a type of enforcement, even short offinalized standards and detailed definitions.
V. Network Products and Services Management System
The Network Products and ServicesManagement System, because it interlocks with the CII and MLPS systems, highlightsthe way in which the framework is best understood as a matrix. On May 2, CACreleased the SecurityReview Measures for Network Product and Service Security Inspection (Interim). Themeasures, which establish the Cybersecurity Review Regime (CRR) discussed underII and III above, require network products and services used in criticalinformation infrastructure (CII) to undergo a cybersecurity review administeredby CAC. The final definition of CII is still pending, and the full criteria forassessments and list of those conducting them are unknown. Without these piecesof the puzzle, the practical implications of this system remain murky.
The government has started to issueseveral other documents meant to provide more clarity on the scope of the newreview regime. These include the “Public Announcement on Issuing Network KeyEquipment and Cybersecurity Special Product List (First Batch),” which outlinesa list of products and services subject to the review and certification. Thereare also at least three relevant standards by TC260 that have not yet beenofficially published.
Yet, the follow-on product list andstandards do little to narrow the far-reaching scope of the CRR. That isbecause the “interim” document establishing the CRR states that, in addition tosome specifics, the review will focus on “other risks that could harm nationalsecurity”—essentially preserving government authority to interpret the scope ofreviews however it wants.
With the creation of the CRR, thelist of security reviews for the ICT sector is growing. In addition to theMLPS, ICT companies also must undergo security reviews associated withdifferent parts of the cybersecurity framework, including cross-border datatransfer assessment and separate CII security evaluations. The government hasyet to work out coordination among the different review bodies and agencies,increasing risks of regulatory gridlock and turf battles.
VI. The Cybersecurity Incident Management System
An evolving system for coordinatingChina’s public and private sector response to cybersecurity incidents is builton a number of measures and draft standards related to incidents, definitions,and cyber threat information sharing. It includes standards from TC260addressing cybersecurity incident response exercises and developing acybersecurity vulnerability discovery and reporting management system. MIIT hasa major role in this effort, as it oversees the current incident responsesystem run by the National Computer Network Emergency Response Technical Team(CNCERT).
MIIT in August issued the PublicInternet Cybersecurity Threat Monitoring and Mitigation Measures, which callfor: the development of a cybersecurity threat information sharing platform;unified collection, storage, analysis, and notification; the release of networksecurity threat information; the formulation of relevant interfacespecifications; and the development of interoperability with relatedcybersecurity monitoring platforms. CNCERT is responsible for platformconstruction and operational and maintenance work.
The August document references theCybersecurity Law, which among other things places heavy requirements on “networkoperators,” which it says “shall formulate emergency responseplans for cybersecurity incidents, promptly addressing system vulnerabilities,computer viruses, cyber attacks, network incursions, and other suchcybersecurity risks.”
As in several areas of the evolvingframework, it remains unclear whether foreign companies will eventually bedesignated as network operators with the associated responsibilities. Foreigncompanies providing telecommunications or cloud services in China, in any case,will almost certainly be required to step up participation in the evolvingincident management system and provide incident reports to MIIT/CNCERT and CAC.
The Continuing Search for Clarity
Over the next six months and beyond,Chinese regulators will work to refine the key implementing regulations thatremain in interim form. They will continue to release new drafts of standardsassociated with these six systems, some for public comment and others initiallyshared only with industry groups and domestic and foreign companies that areparticipants in TC260 working groups. This suggests that CAC, MPS, and MIIT areattempting to engage in a real dialogue with industry, though it remains shortof the type of intense and extended level of collaboration between regulatorsand stakeholders that is typical of U.S. and EU regulatory development. Chineseregulators will continue to seek a better interoperability with global bestpractices in key areas such as cross-border data flows, and are likely tocarefully study how companies are preparing to comply with the Europe’s General Data Protection Regulation (GDPR) and how regulatorsreact to major emerging issues such as the Uber data breach.
Regulators will also face a lack of capacity and shortage ofpersonnel to support the implementation of this framework. For example, itremains unclear which organizations will be designated to conduct securityreviews of the many sectors, products and services, and personal and importantdata sets. CAC’s Cybersecurity Review Office is staffed by personnel secondedfrom other agencies. The office has already done a series of informal reviewsof a small number of foreign products, but it is not clear whether it couldfacilitate reviews of large numbers of products across multiple and largesectors designated as CII. No sectoral regulators have put in place adequateimplementing regulations or a transparent system for conducting reviews.
Big questions remain around China’s participation in globalcyberspace governance. The Chinese government’s robust development of adomestic regulatory regime that affects both those operating online in Chinaand Chinese companies operating globally has already made Chinese cyberspacepolicy relevant worldwide. Chinese ideas and proposal in international discussionsare also relevant in addressing concerns the status quo does not—even if from adifferent ideological starting point. Many governments have long been contentto dismiss Chinese ideas such as cyber sovereignty as the work of an “enemy ofthe global Internet” seeking to undermine a functional and virtuous model. Inthe coming months, governments and civil society are likely to discover aboutInternet governance what companies have already learned about the digitaleconomy: Chinese initiatives are evolving, have appeal to some actors, createproblems for others, and absolutely cannot be ignored.