The history of information security in China: we begin to deal with laws and regulation

    In 2016, China introduced a modern version of its national cybersecurity strategy. Its main message is the use of any means necessary to ensure the sovereignty of national cyberspace. In this new series of articles, we will look at exactly which tools China uses to ensure information security in the country.

    We begin with a general overview of the various classifications and laws.


    Multilevel Security System

    In 2007, China updated its “Multilevel Security System Classification” (MLPS). It underlies the laws covering the field of cybersecurity. For example, in accordance with MLPS, decisions are made on the extent to which foreign products are admitted to a particular sphere or system. MLPS defines five levels of information security (IS), graded by the potential consequences of a breach:

    1. Damage to the information system harms the rights of citizens and organizations.

    2. In addition to level 1, damage to public order.

    3. In addition to levels 1 and 2, damage to national security.

    4. Significant damage at all three levels (levels 1 to 3).

    5. Critical damage at the level of national security.

    Relying on MLPS and the related legislation, the authorities require companies working in finance, telecom, medicine, education and energy to provide access to their encryption protocols and a large part of their source code. The higher the potential threat, the stricter the requirements.

    Encryption regulation

    An important element of ensuring information security in China is the regulation of everything related to encryption. One of the first directives in this area came out in 1999.

    It regulated work with the relevant software and hardware: encryption products could be produced and sold in the commercial sector only with the permission of state bodies and in accordance with established rules. In particular, cryptographic strength could not exceed the level set by the state. The authorities later clarified that these rules apply to products whose main function is encryption. For consumer gadgets, for example, encryption is a secondary function, and the ban does not apply to them.

    In the following years, the authorities developed the idea of controlling encryption tools further and drew up national standards. For example, in 2003 the government made WAPI mandatory for any wireless product sold in China. The IEEE 802.11 set of standards was temporarily banned, but in the course of dialogue with the International Organization for Standardization (ISO) the restriction was relaxed, and a number of vendors chose to compromise. Apple, for example, shipped the iPhone 3GS with WAPI support.


    In 2009, a catalog of encryption product importers appeared in China. Its composition was revised later: in 2013, for example, smart cards for digital TV and Bluetooth modules were removed from the list. Judging by the draft of the new encryption law, China is moving away from strict requirements for foreign companies and seeks to unify regulation.

    In September of last year, the State Council of the PRC adopted a decision that exempts manufacturers and users of encryption products from the need to obtain permission for supply and distribution, but still requires certification. Without it, no company or individual may sell commercial encryption products in China.

    Cybersecurity law

    In 2014, two years before the publication of the modern version of China's national cybersecurity strategy, the first meeting of the Security and Informatization Group was held. At it, President Xi Jinping called for IT security to be made a priority for the country. This decision was dictated by the fact that a year earlier China had been among the countries suffering the greatest losses from cybercrime in the world.

    In 2015, China adopted a new national security law. Its provisions extended to a wide range of areas and emphasized the need to strengthen the protection of national IT systems and establish the sovereignty of China's cyberspace. These questions were spelled out in more detail in the draft Cybersecurity Law. Among other things, it provided for mandatory registration in Internet services, especially messengers, under real names, the involvement of operators in government investigations, major investments in cybersecurity, and an obligation to store personal data (PD) within China.

    In 2016, the law was finally adopted, and in 2017 it entered into force. The law focuses on the collection, storage and use of the personal data of Chinese citizens and of information related to national security. Such information must be kept within the country.

    The Cybersecurity Law applies to all operators and enterprises in critical sectors, and in fact to any system consisting of computers and related equipment that collects, stores, transmits or processes information. The regulation also provides for mandatory testing and certification of network operators' equipment and prohibits the transfer abroad of economic, technological or scientific data that pose a threat to national security or the public interest.

    The latter provision caused a mixed reaction. Back in June 2016, more than 50 American, European and Japanese companies signed a collective letter addressed to Prime Minister Li Keqiang, arguing that the new legislation would impede the operation of foreign companies in China. After the law was adopted, the US published an official appeal asking China not to introduce the new rules in full, as they impede the international exchange of information.


    Meanwhile, the law continues to take effect in stages; the process is expected to be complete by the end of 2018. In May of this year, China will discuss the PD specification proposed in January.

    It will be an important addition to the law. The specification clarifies the definition of personal data and distinguishes various categories of such information: financial data, identification data and so on. The document contains specific requirements for the collection and use of PD depending on their purpose.

    This does not exhaust the topic of the legal protection of information security in China. In the following parts, we intend to acquaint you with the technological nuances of this subject.
