The Impact of the new Chinese Cybersecurity Law
    CISO Insights Blog

    Risk Management

    The Impact of the new Chinese Cybersecurity Law

    18 November 2019

    That is the question business leaders are asking themselves across the world in light of the new version of China’s Multi-Level Protection Scheme law, known as MLPS 2.0, another Chinese cybersecurity regulation that comes into effect December 1, 2019. An expansion on the existing cyber security laws in China today, this regulation mandates greatly enhanced monitoring and inspection powers by Chinese government officials for all businesses in China, irrespective of ownership makeup, by widening the scope of what constitutes as “critical” and lowering the threshold for requiring government inspection and monitoring.

    While this regulation does not guarantee any business will be purposely breached, it does impose a number of concerning controls for non-Chinese entities who seek to maintain confidentiality of their IP and supply chain. By example, while non-Chinese government owned VPN’s have been considered illegal for some time, the rule has not been effectively enforced. Under the MLPS 2.0 it is expected that all businesses connecting out of the country will have to use a Chinese government approved VPN. This one change indicates the government’s willingness to seriously inspect any and all traffic entering or leaving the country, no matter how potentially business sensitive it is.
    Previous protections that applied to foreign owned entities have been repealed; this new law applies to virtually all businesses operating in China. With this new business reality, organizations who operate in China, or who rely on supply chain partners who operate in China, have new decisions to make when it comes to managing their Intellectual Property, customer data, and data privacy risks.
    For some time, many organizations have accepted the risks of operating in China as the cost of doing business because the threat of government inspection was less likely to apply to a foreign entity. Under the new law, all entities are covered and will likely be “inspected” by local officials who have this new sweeping power and authority. With requirements like complete access included to encrypted or sensitive data, this could effectively mean the end of confidentiality and competitive advantage for many organizations operating in China today.
    So, while confidentiality may be much more difficult to maintain, new protection will require an adept cyber security strategy that considers all geolocation and geopolitical considerations.
    Organizations should engage in a China specific risk assessment if they or their supply chain operate in China and have access to confidential or sensitive business data. With that said, the exercise will be a muscle building experience as China will not be the last country to exert this new power. There are several nation states who are looking to ramp up their surveillance capabilities.