Data must stay in China to get tiered protection under Cyber Security Law


(Ed. note: This article originally appeared in Compliance Review)

Under China’s Cyber Security Law (“CSL”), compliance measures are either obligations or privileges. An obligation is a basic requirement that must be met; falling short of it will subject you to punishment. A privilege is an extra benefit that is nice to have; falling short of it could make you less competitive.

Tiered protection (“TP”) is a mechanism that is both an obligation and a privilege. Certification under TP gives you prima facie evidence that your network system meets the basic safety requirements under the CSL. You can even use the TP certification to fend off some possible investigation or punishment. TP can also help identify the vulnerabilities of a network system so that loopholes can be effectively plugged. However, TP is not without “shortcomings”, one of which is that you must not store your data outside China, which could be a problem for many MNCs.

How is tiered protection conducted?

Under TP, computer information systems are categorized from Level 1 to Level 5. The higher the level, the more compliance requirements apply. Government-appointed inspection entities (which need a license) carry out the inspection, decide which level a network system is at, and advise where the vulnerabilities are. Consultation entities then help take remedial actions to tackle vulnerabilities in IT and internal control. Although a consultation entity does not need a license as the inspection entity does, it has to have capacity in both IT and risk management.

We might be the first (and/or only) bunch of lawyers providing TP-related consultation services.

Why is tiered protection important?

Why is TP important? Simply put, TP can help plug loopholes and tackle vulnerabilities. We can learn the importance of TP from the counter-examples below.

In February of 2018, code repository GitHub was hit by a distributed denial of service (DDoS) attack which peaked at 1.35Tbps via 126.9 million packets per second.

According to a statement, the incident occurred on February 28, persisted for around nine minutes, and originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.

“The first portion of the attack peaked at 1.35Tbps [between 17:21 and 17:30 UTC] and there was a second 400Gbps spike a little after 18:00 UTC,” said Sam Kottler, manager of Site Reliability Engineering.
This attack registered even larger than the peak of the attack on Dyn in 2016, according to Wired.

By the end of February of 2018, there were 25,000 Memcached servers in China exposed on the Internet. A practical solution against mass-infiltration of Memcached servers would be nothing but TP under CSL.

In 2015, Fiat Chrysler issued a safety recall affecting 1.4 million vehicles in the US, after security researchers showed that one of its cars could be hacked.

The hackers had taken control of a Jeep Cherokee via its internet-connected entertainment system. As a result, Chrysler issued a voluntary recall to update the software in affected vehicles.

From the cases above, you may realize that TP is not just something nice to have. It is an insurance or a golden shield to manage risks and fend off liabilities.

In addition, TP is just a threshold for network safety. Different network systems may have their own peculiar features. TP for a code repository like GitHub should be different from TP for autonomous driving in many dimensions, such as how to determine levels and how to deal with vulnerabilities. As a next step, it might be necessary to develop TP guidance for some special sectors such as autonomous driving.

Is tiered protection compulsory?

The answer is yes for a critical information infrastructure (“CII”). CSL provides for a compulsory TP inspection for CII once a year.

CSL defines CII as the network system in the sectors of public telecommunication and information service, energy, communication, water resource, finance, public service and electronic public service. Once a CII is sabotaged, great and irreparable damage could be caused. China is drafting implementation rules for CSL which will provide a detailed description of what a CII is.

TP is not compulsory for non-CII. Some non-CII take up TP as a privilege for extra protection, especially those that rely on the Internet to deliver products and services, and they could then be punished for not doing well under TP. For example, the network system of an information technology company was assessed at Level 3 in 2015 and put into use thereafter. A Level 3 system (and above) must be inspected every year. However, the information technology company did not go through a fresh inspection in 2016 and thus got punished (with an official reprimand and the order to take remedial action).

Where is the place to store data?

According to CSL, CII must store its personally identifiable information (“PII”) and important data nowhere but in China. CSL does not impose such a requirement on non-CII. However, in order to get certified under CSL for TP, a company (CII or not) will have to move its data back from outside China into China. Otherwise, the company cannot get certified under the CSL for TP.

This practice has made non-CII indistinguishable from CII in relation to where PII or important data is stored. More importantly, a company (especially an MNC) whose data moves into and out of China must plan carefully to balance its business needs against compliance with CSL.

About the author

Henry Chen

Henry Chen, licensed to practice law in China and New York, is a senior partner in Dentons’ Shanghai Office. Before joining Dentons, Henry was AP Compliance Director of Ford. Henry is the legal counsel of one of the biggest Internet search engine companies for its autonomous driving projects covering data integrity and security, protection of commercial secrets under the context of cyber security, compliance with Cyber Security Law, autonomous survey and mapping, privacy, risk management on autonomous driving accidents and car call-back, risk management on network penetration and safety. In addition to TMT areas, Henry also handles traditional compliance issues on FCPA, anti-fraud investigation, compliance management system, corporate matters and dispute resolutions.