China adopted its “Yarovaya package”

Late last year, the Chinese government introduced a new cybersecurity regime, the so-called Cybersecurity Multi-Level Protection Scheme (MLPS 2.0). The scheme, which took effect in December, effectively gives the government unrestricted access to all data within the country, regardless of whether it is stored on Chinese servers or merely transmitted through Chinese networks.

This means there will be no anonymous VPNs (and many popular VPNs are owned by Chinese companies), no private or encrypted messages, and no anonymous online accounts or protected sensitive data. Any data will be accessible and open to the Chinese government, including data of foreign companies stored on Chinese servers or passing through China, as the law firm Reed Smith explained in its commentary. In a sense, MLPS 2.0 and the laws accompanying it can be compared to the Russian “Yarovaya law package”.

Everything is exactly as bad as it seems, and it is getting worse. MLPS 2.0 is backed by two additional pieces of legislation, both of which eliminate any protections, safeguards, or loopholes that might once have been used to preserve the integrity of corporate data. Both took effect earlier this month, writes CSO Online.

The first is the new Foreign Investment Law, which treats foreign investors in the same way as Chinese investors. While this was billed as a means to simplify the investment process, in practice it deprives foreign investors of many of the rights they previously enjoyed.

The second establishes a new set of rules governing encryption. Again, at first glance they appear to have been proposed with the common good in mind: formally, the laws were adopted by the Ministry of Public Security to protect network infrastructure from “damage” and external threats. Only on closer inspection do the side effects become apparent.

Under the previous MLPS, in place since 2008, network operators (a very broad term covering any connected computers or systems that send or process data) are required to classify their networks and information systems into levels and apply security measures appropriate to each level. The scheme ranks information and communications technology (ICT) systems on a sensitivity scale from 1 (least sensitive) to 5 (most sensitive); the higher the level, the more stringent the oversight the system is subject to from the Ministry of Public Security (MPS). Level 3 is the point at which self-certification turns into government verification. A system reaches this level when damage to it would cause “particularly serious harm to the legitimate rights and interests of Chinese citizens, legal entities and other organizations, or serious harm to public order and the public interest, or harm to national security.”

The think tank New America explains that MLPS 2.0 represents a “shift toward more verification.” Under MLPS 2.0, the set of networks subject to inspection is expanded to essentially any and all IT systems.

Data localization requirements

Under the new cryptography law, the development, sale and use of cryptographic systems “must not be detrimental to national security and public interests.” Cryptographic systems that have not been “verified and authenticated” are also outlawed. In short, if your business tries to hide information from the government, you can and will be punished.

Moreover, if your data center uses, for example, a Chinese software service, then all data stored and managed by that service may be seized. This includes trade secrets, financial information and more. Likewise, if you keep any assets in the country, you do not have full control over them: they can be confiscated by the government at any time and with minimal justification.

The data localization requirements included in the new legislation also do real harm to cloud security. Experts point out that where data is stored matters far less than how it is stored. Localization therefore does very little to protect sensitive information, while concentrating it in storage locations that make easy targets for attackers.

China has never been shy about disregarding privacy and data security. The new rules simply formalize what has long been the norm within the country. But that does not make things any easier for companies.

Problems for foreign companies

The American think tank Center for Strategic and International Studies (CSIS) notes that China has released about 300 new national standards related to cybersecurity. The MLPS update is one of the latest of these changes.

The new laws are especially problematic for data centers that are owned by foreign companies.

In fact, they are left with two options.

The first is to simply stop doing business in China, including through partnerships. In theory, if enough companies follow this path, it could put pressure on the Chinese government to repeal the law.

The second is to accept reduced privacy and security as the cost of doing business in China.

We can say that foreign companies in Russia still have the same two options.

I would like to think that, through joint effort, they will take the first path. Unfortunately, in reality the second option is more likely to be chosen, because for many this price of doing business is acceptable.

Source: habr.com
