China’s New Cybersecurity System: There is NO Place to Hide

Our China data privacy lawyers have been getting a steady stream of questions regarding our recent post, China’s New Cybersecurity Program: NO Place to Hide, about the Chinese government’s roll-out of a new system for monitoring company data.

These questions are coming from our readers, our clients and the media. Most are seeking answers to the following two questions:

  1. In the post, I referred to a “roll-out” of this new monitoring system on December 1, 2019, and people want to know exactly what will be rolled out.
  2. In the post I stated that the PRC government will have access to and be able to take whatever information it wants. We are being asked whether I say this based on written Chinese law or on my on-the-ground experience in China.

This post answers both questions.

First, the “program” that will be rolling out is the Cybersecurity Multi-level Protection Scheme (“MLPS 2.0”), and it is set to come into effect on December 1, 2019. This scheme sets out the technical and organizational controls all companies and individuals in China must follow to comply with the MLPS-related Internet security obligations mandated by China’s Cybersecurity Law. All companies and individuals must abide by the following three standards:

  1. GB/T 22239-2019 Information Security Technology – Baseline for Multi-level Protection Scheme
  2. GB/T 25070-2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection Scheme
  3. GB/T 28448-2019 Information Security Technology – Evaluation Requirements for Multi-level Protection Scheme

The Chinese language versions of these standards can be found here; we are not aware of any English language translation of these standards.

My personal file on the laws and regulations relating to the MLPS 2.0 system consists of 800+ pages of very technical Chinese. But even this vast documentation is not sufficient to fully understand the function of the system. To fully understand, one must also consider the objectives of other key Chinese government planning documents, such as the national artificial intelligence program, the Internet+ program, the social credit system for individuals and businesses (See China’s New Company Tracking System: Comply, Comply, Comply), and various other network/Internet/data gathering and surveillance programs being implemented in China.

When one examines all of these programs together, it becomes apparent that the MLPS 2.0 system is the “hardware” component of a comprehensive data gathering, surveillance and control program. China’s plan is to create a system that covers every form of network activity in China: Internet, mobile phone, WeChat-type social networks, cloud systems, domestic and international email. China’s goal is not to create a commercial system where individual players can participate and make money. Its goals are surveillance and control by the PRC government and the CCP.

To achieve those goals China is creating a system with two ultimately contradictory objectives: the system will be closed against intrusion by “bad actors” (foreigners and internal dissidents), but completely transparent to the Ministry of Public Security and other internet security agencies of the PRC government and the CCP. Transparency to the Ministry of Public Security means what it says: no technology that blocks access by the Ministry of Public Security is permitted. No VPN, no encryption, no private servers. If the Ministry of Public Security is required to install back doors or other message/data interception devices or systems to achieve full access, then China Telecom and China-based ISPs are required to comply. But because providing open access to the Ministry of Public Security directly conflicts with the goal of hardened security against intrusion, how to mediate between these conflicting goals is the chief reason for the length and complexity of the MLPS 2.0 standards.

Second, the legal basis for allowing China’s Ministry of Public Security to access networks and data comes from a regulation not included within the MLPS 2.0 standards. As I noted above, full understanding requires pulling together all the applicable regulations; this is just one example. The written regulation that gives the Ministry of Public Security the right to just “take it” is the Regulation on Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). This regulation was promulgated on September 15, 2018 and came into effect on November 1, 2018. My references to this regulation below are to the articles of the Chinese language version published by the Chinese government. It is important to base comments on the Regulation on what was actually adopted, not on earlier discussion drafts containing provisions that were not adopted.

As a preliminary issue, a key matter confirmed by the Regulation on Internet Security Supervision and Inspection by Public Security Organs is that the Ministry of Public Security has lead authority over front-line enforcement duties related to the Internet and to network security in China. This means that MIIT (China Telecom), CAC, CNNIC and the alphabet soup of other Chinese agencies that sought a role in cybersecurity administration have been pushed aside in favor of the Ministry of Public Security. This means enforcement will be handled by the police rather than by local bureaucrats. This decision on enforcement has real meaning for foreign companies doing business in China and for their foreign employees who live and work there. When a Chinese bureaucrat shows up at your door asking for information, you can perhaps send that bureaucrat on his or her way. But when two or more uniformed police officers show up at your door, you pretty much have no option but to comply.

The Regulation on Internet Security Supervision and Inspection by Public Security Organs provides for two levels of inspection of networked servers: on-site inspection and off-site remote access. See Article 13. When an on-site inspection is conducted, a minimum of two local police officers must be present. See Article 14. The police officers will be accompanied by local government agency staff who are charged with Internet security. If local government agency staff are not sufficient, the Ministry of Public Security may employ independent contractors to do the work.

The inspection team has complete access to the network system. Inspection can cover both the technical aspects of the network system and the data/information maintained on the servers. See Article 10. The inspectors can fully access the system and they are permitted to copy any data they find. See Article 15. The only restriction on the inspectors copying the data in your company’s system is that the inspectors must provide you with a receipt. Though Article 10 “restricts” access to matters involving national security, the definition of national security in China is so broad that there is no real limitation on what can be accessed, copied and removed.

In cases where the Ministry of Public Security determines there is an Internet security issue, it has the right to perform a remote access inspection, the scope of which is set out in Article 10. Prior notice of remote access is required. There are two issues related to such notice. First, the purpose of the notice is not to protect the rights of the party being inspected. Rather, the purpose of the notice is to ensure that the server has been completely opened to access by the Ministry of Public Security. Second, for servers maintained by a cloud provider, it is not clear whether notice goes only to the cloud provider or to both the cloud provider and the cloud provider’s customer. That is, it is not clear whether the cloud customer will ever receive notice that its server and data were viewed and copied by the Ministry of Public Security. Time will tell on this, but my guess is that the cloud customer will never know unless its cloud provider tells it.

This off-site access rule is awkward to manage. The structure of the MLPS 2.0 standards suggests that the Ministry of Public Security plans to work with cloud providers and Managed Service Providers to get them to install systems that will allow the Ministry of Public Security easy off-site access at any time, without the need to go through an incident-by-incident prior-notice-then-access procedure. This type of constant access system, however, is not contemplated by the Regulation. But even if the Regulation on Internet Security Supervision and Inspection by Public Security Organs is strictly followed, there is no getting around the fact that it provides for China’s Ministry of Public Security to have essentially unfettered access to all servers and data. Referring to this as “cybersecurity” is fundamentally misleading. As the Regulation itself states, this is a regime for inspection and control by the Chinese government. It really has nothing to do with cybersecurity as normally understood in the open Internet world.

The key issue then becomes: what happens to the data collected by China’s Ministry of Public Security? Your company’s data, for instance. The Ministry is permitted to copy and remove virtually any information or data it finds on the servers it inspects. What about the confidentiality of that information? Article 5 of the Regulation on Internet Security Supervision and Inspection by Public Security Organs addresses this issue: “The personal information, privacy, trade secrets and state secrets that the public security organs and their staff members are aware of in the fulfillment of the duties of Internet security supervision and inspection shall be strictly kept confidential and shall not be disclosed, sold or illegally provided for others.” This provision must be read carefully because it provides for “confidentiality with Chinese characteristics”.

The key point is that the term “others” does not include any agency of the Chinese government or of the CCP. In other words, it does not include universities and other research centers operated or controlled by the Chinese government. It also does not include the Chinese military or Chinese arms manufacturers. It also does not include China’s State Owned Entities (SOEs). Though not clear, the term “others” also probably does not include nominally private entities controlled by the Chinese government. See, e.g., Huawei.

So again, what does this confidentiality provision mean? As applied in China, the confidentiality rule of Article 5 is intended to prevent Ministry of Public Security officers from doing two things: first, selling data to Chinese or foreign companies for personal profit, and second, disclosing data to foreign agents (spies). This rule is not intended to prevent the Ministry from sharing the data it collects with the insiders described above. In fact, such sharing is mandated as part of the data needs of the entire Chinese government and the CCP. The Ministry of Public Security is not permitted to hoard the data; it is required to spread it around.

This result then leads to the key issue. Confidential information housed on any server located in China is subject to being viewed and copied by China’s Ministry of Public Security, and that information then becomes open to access by the entire PRC government system. But the PRC government is the shareholder of the State Owned Entities (SOEs), which are the key industries in China. The PRC government also essentially controls the key private companies in China such as Huawei and ZTE and, more recently, Alibaba and Tencent and many others. See “China is sending government officials into companies like Alibaba and Geely” and “China to place government officials inside 100 private companies, including Alibaba.” The PRC government also either owns or controls China’s entire arms industry.

Simply put, the data the Ministry of Public Security obtains from foreign companies will be available to the key competitors of foreign businesses, to the Chinese government controlled and private R&D system, and to the Chinese arms industry and military.

The negative consequences of this should be obvious. But the critical issue is that the consequences go far beyond just the commercial impact. China’s new systems will become a matter of national security for the U.S. and other governments. This then sets up a conflict that private companies will not be able to avoid. Do they make their data available to China’s Ministry of Public Security as required by Chinese law, or do they keep that data from the Ministry (and in turn the Chinese military) as required under the laws of their home country? In other words, do they simply stop using or providing data to their China operations?

The final result will be that as far as China is concerned, “free trade” in the critical areas of technology will end up being severely curtailed. Welcome to the New Normal.