The history of information security in China: we begin to deal with laws and regulations

In 201? China presented a modern version of its national cybersecurity strategy. Its main message is that any means may be used to ensure the sovereignty of national cyberspace. In this new series of articles we describe the tools China uses to ensure information security in the country.
 
 
Let's start with a general overview of the various classifications and laws.
 
Photo: Flickr / Surian Soosay / CC
 
 

Multilevel protection system


 
In 200? China updated its "multi-level protection system" (MLPS) classification. It underlies the laws covering cybersecurity. For example, in accordance with MLPS, decisions are made on whether foreign products are admitted to a particular sector or system. MLPS defines five levels of information security, ranked by the potential consequences of damage to an information system:
 
 
1. Damage to the information system harms the rights of citizens and organizations.

2. In addition to item 1, damage to public order.

3. In addition to items 1 and 2, damage to national security.

4. Significant damage at all three levels (items 1 to 3).

5. Critical damage at the national security level.
 
 
Relying on MLPS and the legislation built on it, the authorities require access to encryption protocols and a large part of the source code from companies working in finance, telecom, medicine, education and energy. The higher the potential threat, the stricter the requirements.
 
 

Encryption control


 
An important element of information security in China is the regulation of everything related to encryption. One of the first directives on this subject came out in 1999.
 
 
It regulated the handling of encryption-related software and hardware: encryption products could be produced and sold in the commercial sector only with the permission of state bodies and in accordance with established rules. In particular, cryptographic strength could not exceed the level set by the state. Later, the authorities clarified that these rules apply only to products whose main function is encryption. For consumer gadgets, for example, encryption is a secondary function, and the ban does not apply to them.
 
 
In the following years, the authorities developed the idea of controlling encryption tools and drafted national standards. For example, in 200? the government made WAPI mandatory for any wireless product sold in China. The IEEE ??? family of standards was temporarily banned, but in the course of dialogue with the International Organization for Standardization (ISO) the restriction was relaxed, and a number of vendors took the path of compromise, for example Apple, which added WAPI support to the iPhone 3GS.
 
 
 
Photo: Flickr / Jessica Spengler / CC
 
 
In 200? China introduced a catalog of importers of encryption products. Its composition has been revised since: in 201?, for example, smart cards for digital TV and Bluetooth modules were removed from the list. Judging by the draft of the new encryption law, China is moving away from strict requirements for foreign companies and seeks to unify regulation.
 
 
Last September, the State Council of the People's Republic of China adopted a decision that exempts manufacturers and users of encryption products from having to obtain permission for supply and distribution, but still requires certification. Without it, no company or individual can sell commercial encryption products in China.
 
 

Law on Cybersecurity


 
In 201?, two years before the publication of the modern version of China's national cybersecurity strategy, the first meeting of the leading group on cybersecurity and informatization was held. At it, President Xi Jinping gave instructions to make IT security a priority for the country. This decision was driven by the fact that a year earlier China had been among the countries suffering the greatest losses from cybercrime in the world.
 
 
In 201? China adopted a new national security law. Its provisions extended to a wide range of areas and stressed the need to strengthen the protection of national IT systems and establish China's sovereignty over its cyberspace. The details were set out in the draft Cybersecurity Law. Among other things, it envisioned mandatory real-name registration in Internet services, especially instant messengers, the involvement of operators in government investigations, major investments in cybersecurity, and an obligation to store personal data in China.
 
 
In 201? the law was finally adopted, and in 201? it came into force. The law focuses on the collection, storage and use of the personal data (PD) of Chinese citizens and of information relevant to national security. Such information must be stored within the country.
 
 
The Cybersecurity Law applies to all operators and enterprises in critical sectors, and in fact to any system of computers and related equipment that collects, stores, transfers and processes information. The regulation also provides for mandatory testing and certification of network operators' equipment and prohibits the export of economic, technological or scientific data that poses a threat to national security or the public interest.
 
 
The latter provision caused a mixed reaction. More than 50 American, European and Japanese companies signed a collective letter to Prime Minister Li Keqiang in June 2016, arguing that the new legislation would hamper the work of foreign companies in China. After the law was adopted, the United States published a formal appeal to China asking it not to allow the full introduction of the new rules, as they hinder the international exchange of information.
 
 
 
Photo: Flickr / ChiralJon / CC
 
 
Meanwhile, the law continues to come into force in stages. The process is expected to be completed by the end of 2018. In May this year, China will discuss the personal data specification proposed in January.
 
 
It will be an important addition to the legislation. The specification clarifies the definition of personal data and distinguishes its various components: financial data, identification data and so on. The document contains specific requirements for the collection and use of personal data depending on its purpose.
 
 
This does not exhaust the topic of the legal protection of China's information security. In the following parts, we will turn to the technological nuances of this topic.
 
 