
The history of information security in China: starting to deal with laws and regulations

In 2016, China published a modern version of its national cybersecurity strategy. Its main message is that any means may be used to ensure the sovereignty of national cyberspace. In this new series of articles we will look at exactly which tools China uses to ensure information security in the country.

Let's start with a general review of various classifications and laws.



Multi-level security system


In 2007, China updated its Multi-Level Protection Scheme (MLPS), a classification of information systems by security level. It underlies the laws covering cybersecurity: for example, decisions about whether foreign products are admitted into a particular area or system are made in accordance with the MLPS level. MLPS defines five levels of information security in terms of the potential consequences of a compromise:

1. Damage to the information system harms the rights of citizens and organizations.

2. In addition to item 1, damage to public order.

3. In addition to items 1 and 2, damage to national security.

4. Significant damage at all three levels (items 1 to 3).

5. Critical damage at the level of national security.

Relying on MLPS and the legislation built on it, the authorities require access to encryption protocols and a significant portion of the source code from companies operating in finance, telecom, medicine, education and energy. The higher the potential threat, the stricter the requirements.

Encryption Regulation


An important element of information security in China is the regulation of everything related to encryption. One of the first directives in this area was issued in 1999.

It regulated work with encryption software and hardware: encryption products could be produced and sold in the commercial sector only with the permission of state bodies and in accordance with established rules. In particular, cryptographic strength could not exceed the level set by the state. The authorities later explained that these rules apply to products whose main function is encryption. For consumer devices, for example, encryption is a secondary function, so the restriction does not apply to them.

In the following years, the authorities developed the idea of controlling encryption further and drew up national standards. For example, in 2003 the government made WAPI mandatory for any wireless product sold in China. The IEEE 802.11 set of standards was temporarily banned, but in the course of dialogue with the International Organization for Standardization (ISO) the restriction was relaxed, and a number of vendors took the path of compromise, for example Apple, which added WAPI support to the iPhone 3GS.



In 2009, a catalogue of encryption products subject to import licensing appeared in China. Its composition was revised later: in 2013, for example, smart cards for digital TV and Bluetooth modules were removed from the list. Judging by the draft encryption law, China is relaxing its strict requirements for foreign companies and seeking to unify regulation.

In September 2017, the State Council of the People's Republic of China adopted a decision that frees manufacturers and users of encryption products from the need to obtain permits to produce and sell them, but still requires certification. Without it, no company or individual may sell commercial encryption products in China.

Cybersecurity Law


In 2014, two years before the publication of the modern version of the national cybersecurity strategy, the first meeting of the Central Leading Group for Cybersecurity and Informatization was held. President Xi Jinping instructed it to make IT security a priority for the country. This decision was prompted by the fact that a year earlier China had been among the countries suffering the greatest losses from cybercrime in the world.

In 2015, China adopted a new National Security Law. Its provisions extended to a wide range of areas and emphasized the need to strengthen the protection of national IT systems and establish China's sovereignty over its cyberspace. These questions were covered in more detail in the draft Cybersecurity Law. Among other things, it proposed mandatory real-name registration for Internet services, especially instant messengers; an obligation for operators to assist in government investigations; major investment in cybersecurity; and an obligation to store personal data (PD) within China.

In 2016 the law was finally adopted, and in 2017 it came into force. The law focuses on the collection, storage and use of the personal data of Chinese citizens and of information related to national security. Such information must be stored domestically.

The Cybersecurity Law applies to all operators and enterprises in critical sectors and, in practice, to any system consisting of computers and related equipment that collects, stores, transmits or processes information. The regulation also provides for mandatory testing and certification of network operators' equipment and prohibits the export of economic, technological or scientific data that could threaten national security or the public interest.

The latter provision caused a mixed reaction. More than 50 American, European and Japanese companies signed a collective letter addressed to Premier Li Keqiang back in June 2016. They argued that the new legislation would impede the work of foreign companies in China. After the adoption of the law, the United States published an official appeal to China asking it not to introduce the new rules, as they impede the international exchange of information.



In the meantime, the law continues to take effect step by step; the process is expected to be completed by the end of 2018. In May 2018 the personal data specification published in January comes into effect.

It will be an important addition to the legislation. The specification defines personal data and distinguishes its various components, such as financial information and identifying information. The document sets out specific requirements for the collection and use of PD depending on its purpose.

This does not exhaust the topic of the legal protection of information security in China. In the following parts we will turn to the technological side of the subject.


Source: https://habr.com/ru/post/353516/
