The new year marked the beginning of yet another Chinese cybersecurity law that could have a big impact on U.S.-based technology companies.
Known as the “Public Internet Cybersecurity Threat Monitoring and Mitigation Measures,” the rules call on private companies conducting business in China to report and hand over cyberthreat information to the government’s Ministry of Industry and Information Technology (MIIT).
China founded the MIIT in 2008 in order to regulate the country’s burgeoning information technology industry.
The law instructs companies to turn over information regarding both cyberattacks they have faced and any “cyberthreat intelligence” they own. Cyberthreat intelligence is typically collected by cybersecurity firms and software giants like Microsoft and used to strengthen security operations.
The regulation states: “after cybersecurity threats are discovered by relevant professional organizations, basic telecommunication enterprises, cybersecurity enterprises, Internet companies, domain name registration management and service organs … information shall be submitted to MIIT, provincial, autonomous region, and municipal communications authorities in a timely manner and in accordance with the content, indicators, and format of relevant regulations.”
This continuous stream of data would be fed into a centralized, national “cyberthreat database” partially managed by the Chinese Computer Emergency Response Technical Team/Coordination Center (CN-CERT), according to other recently uncovered Chinese policy documents.
It’s unclear how the Chinese government would use the database.
Impacted companies range from internet service providers to larger commercial technology platform developers. Those that fail to comply could find themselves subject to hefty fines or worse.
“Where basic telecommunications companies, internet companies, domain name registration management and service organs, etc. fail to take measures to deal with cybersecurity threats in accordance with notified requirements … the telecommunications departments shall … arrange questioning, issue warnings, institute fines, and other administrative penalties,” the legislation notes.
Despite the deadline, experts believe there won’t be immediate enforcement in order to encourage some level of voluntary participation.
“So far the vast majority of enforcement actions on the cybersecurity law have focused on content violations—by domestic Chinese companies,” said Samm Sacks, a senior fellow in the Technology Policy Program at the Center for Strategic and International Studies. “I have not seen the government start to enforce parts of the cybersecurity law where there is still lack of internal consensus about scope/implementation.”
The overarching policy plan, if successful, could one day provide the Communist Party of China (CPC) with a wealth of active intelligence about hackers, data breaches, software vulnerabilities and other digital threats.
The policy is unlike anything currently in place between the U.S. government and private companies. While the U.S. government regularly cooperates with cybersecurity firms and major technology companies to investigate cyber crimes, it does so without the same sort of leverage.
This “regulation is the latest example in a series of moves by the Chinese government designed to guard network infrastructure and private enterprises against large-scale cyberattacks,” explained Paul Triolo, head of the geo-technology practice at the Eurasia Group. “The fact that these regulations are published by the MIIT suggests that they are laying down a bureaucratic marker on their authority.”
The policy is companion legislation for China’s historic “Cybersecurity Law” that went into effect in June, experts say.
Although the law’s enactment concerned American business executives, it has been difficult to gauge whether it has had an effect on companies’ bottom line.
Premier U.S. technology brands such as Facebook, Apple, Microsoft, Cisco and Google, each of which currently does business in China, could be impacted by the newly launched MIIT policy. None of the five companies responded to multiple requests for comment.
Read the law below.