China hopes new cyber law fends off hackers, terrorists

China hopes new cyber law fends off hackers, terrorists

Siddharth Srivastava

China’s new cyber security law, which takes effect in June 2017, provides a new legal framework to fight cyber attacks, illegal acquisition of personal information and dissemination of information promoting terrorism.

“This is China’s first attempt to comprehensively regulate the obligation of major actors in the internet area,” said Ronald Cheng, partner at the international law firm of O’Melveny & Meyers, from his office in Hong Kong. To do so, “the law imposes certain obligations on service providers and entities that maintain internet systems.”

In draft regulations released in April 2017, the Cyberspace Administration of China (CAC) cites two main objectives for formulating these new cyber security norms.

The first is to safeguard personal information and other crucial data from cyber threats. In a country with more than 700 million people accessing the internet and more than 400 million using smartphones to make the bulk of their payments, CAC estimates that more than 10,000 cyber attacks occur in China every month.

The second objective is what the CAC calls internet sovereignty and national security. It has raised concerns that it could allow the government to launch cyber intrusions on companies or people who disagree with it. The underlying objective, the government contends, is to use the internet as an instrument to protect the local information database and secure network infrastructure.

“Any business transferring data of over 1,000 gigabytes or affecting over 500,000 users will be assessed on its security measures,” said Giovanni Carlo Pisacane, managing partner at Greatway Advisory in Shanghai, “and on the potential of the data to harm national interests, as shown in the draft from the CAC.”

The new law mandates that domestic and overseas software companies, network-equipment manufacturers and technology suppliers reveal their proprietary source code, the core element and intellectual property driving their software, to demonstrate that their products are protected.

Unlike the U.S., which lacks a blanket legal code for cyber security and instead relies on various legal precedents and less formal guidelines, Cheng explained, China’s new law specifically imposes penalties on those who violate it and is rooted in the national security law. That law covers borders, counterterrorism and acts against the state, but regarding the internet, it calls for a secure and controllable network.

“One of the concepts that comes through in this strategy is the idea of sovereignty in cyberspace and specifically Chinese sovereignty in cyberspace,” Cheng said.

In particular, the Chinese government will require firms that operate in “critical” areas to store any personal information or important data that they gather within China’s borders. (Pictured: A worker is silhouetted against a computer display showing a live visualization of online phishing and fraudulent telephone calls across China during an internet security conference in Beijing.)

Pisacane views the law’s data localization requirement as a potential hindrance to transnational business. “One restrictive aspect about this is that if operators need to provide data and information for overseas use due to business needs, they will need to carry out a security evaluation first, that will slow down all the processes connected.”

In addition to some restrictive disadvantages, he also sees benefits coming from the law.

“All activities that advocate terrorism and extremism are prohibited, including ethnic hatred and discrimination, spreading violence and obscene information,” he said.

Siddharth Srivastava is a freelance journalist based in New Delhi, India. He wrote this article while on assignment in Beijing, China.