The weight given to security, not only to privacy, is evidently shifting. In the book “Click Here to Kill Everybody”, released in September 2018, the world-class security expert Bruce Schneier argues that governments must step in now to force companies to make security a fundamental design priority. This is already the case in China! June 1st, 2017, marked the start of China’s rule of law in cyberspace. Lawmakers in China are taking away from companies and business executives the freedom to prioritize security at their own discretion.
What is the China Cybersecurity Law (CCSL)?
The China Cybersecurity Law (CCSL) is the umbrella law to safeguard the country’s national security and sovereignty in cyberspace. CCSL stipulates a comprehensive set of requirements on network operators. In the law, network operators are defined as the owners and administrators of networks, and network service providers; thus, CCSL applies to anyone running a digital business in China. It came into effect almost a year earlier than the EU GDPR and boldly made security a top priority. Violations may lead to fines, revocation of licenses, shutdown of businesses in China and, progressively, even personal liability for the chief executives of Critical Information Infrastructure Operators.
In this blog, I sidestep the legal details as much as possible and focus on the security perspective of the law. I sketch the overall picture with its challenges and share some best practices.
The main protection under CCSL
According to Fang Binxing, considered the father of China’s great firewall, cyberspace is made of carriers, resources, subjects of network activities, and network activity nodes. In plain English: facilities, data, users, and operations. Data is either important data or personal data. The novelty is the newly coined term “important data”: it encompasses personal, business or any other data when that data could harm national security. To secure these elements of cyberspace, CCSL imposes various security obligations on network operators. In a nutshell, these obligations are classified as
- the Cybersecurity Multiple Level Protection Scheme (MLPS), a much broader variation of OWASP’s Application Security Verification Standard (ASVS) to guarantee “data security properties”, such as integrity, confidentiality and availability at a technical and organizational level.
- the Personal Information Security Specification, which is much more consent-based in its specification but still asks for the common data protection requirements on the collection, processing and usage, storage, rectification, deletion and security breach handling of personal and sensitive personal information.
- the cross-border data transfer rules, which require network operators to implement a minimum level of protective measures so that the data subject and the state can trust that a data transfer outside China is secure. When such trust cannot be established, the data must remain in China. Keeping data in China, better known as data localization, gives the data subject and the state better regulatory control over that data, especially when forensic analysis becomes necessary.
- consumer trust in the authenticity of data from data subjects and network operators, for setups ranging from services handling network access to services providing users with information publication or instant messaging. These obligations allow CCSL to build a foundation for a liability and accountability framework around social platforms.
The Critical Information Infrastructures (CII)
Daily, security blogs such as thehackernews.com and talosintelligence.com headline dozens of breaches at enterprises from small to large and, increasingly, at government institutions. While there are no clear reports on how many lives have been lost from a direct security breach, genuine horror scenarios are plausible for systems used as infrastructure for critical businesses. In those cases, the leakage of millions of personal records that could be misused for identity theft suddenly becomes only a moderate impact. Around the globe, security standards for CII exist but are very expensive to implement. Systems that implement these protective measures gain in security, but often at the cost of user experience, such as performance and usability. Given that a hundred percent secure system is a myth, the definition of CII takes on great importance.
In CCSL, the definition of CII is still in draft and the guide to identify CIIs has not reached its final version. The protective measures for CII operators are set to be those of MLPS Level 3+, with a strong focus on localizing productive data in China and allowing remote maintenance only as an exception.
Best practice sharing from SAP
Internally, SAP established a cross-functional global project team from security, legal, business and government relations experts. This team reports to SAP’s board members and senior executives and therefore is mandated to create CCSL content for all products, services teams, internal systems, internal processes and to help in assessing progress regularly. We have established a two-way communication methodology that starts with policy alerts when new legal and technical documents are released. The documents are studied by SAP legal and security experts and then mapped to SAP internal security standards and solutions. Use cases and feedback are collected from impacted units to improve the analysis work.
CCSL has been passed and, as a direct effect, security is mandatory even for small businesses. Since parts of CCSL are still being defined incrementally, companies need to adapt their operations to the requirements as they are introduced.
CCSL is a law, and as such it is about compliance as well as security. How can the two be balanced, when security experts advocate that companies should no longer be judged on whether they get hacked, but on how fast they get back up and running once they do? It will be close to an art to balance affordable business, a secure cyberspace given the gap from the status quo, and the danger of accidentally punishing exemplary network operators under the burden of policing.
At SAP we have addressed the EU GDPR (General Data Protection Regulation) since its start with the utmost importance, and this has given us a jump start on how to address CCSL organizationally and content-wise. We will continue our efforts on CCSL similarly to EU GDPR, as clearly Europe, China and many more countries will be adopting new regulations, and strengthening our best practice can only help SAP and its customers.