ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2


China Cybersecurity Law - Its Impact on Global Businesses

Kyle Lai, CISO & CPO, Pactera Technologies

January 2017

for ISACA

Introduction

© Pactera. SECCOE Confidential. All Rights Reserved.

• Kyle Lai

  • Chief Information Security and Privacy Officer (CISO, CPO) & Head of Security Services of Pactera

  • CISA, CISSP, CSSLP, CIPP/US, CIPP/G, ISO 27001 Lead Auditor

  • 20+ years of experience in Cybersecurity, Application Security, Privacy, 3rd Party Risk, Security Governance

• Pactera Technologies - Provides Exceptional IT, Development, Cybersecurity and Privacy Consulting

  • US Headquarters in Redmond, WA – Microsoft Vendor of the Year

  • Global Headquarters in China

  • Global Presence in US, Hungary, Spain, India, Japan, Singapore, Malaysia, Hong Kong, Australia

  • Clients include 90+ of the Fortune 500

  • 25,000 Employees

  • Global 100 IT Outsourcing

  • Sister Company of Ingram Micro (under HNA Group – Fortune 343 Firm in 2016)

Agenda

China’s State of Cybersecurity

What is the China Cybersecurity Law?

What is the impact to Global Businesses?

How can Global Businesses Prepare for Compliance?

China’s State of Cybersecurity

Cybersecurity Threats in China

• Foreign Nation States Cyber Attacks

• Critical Infrastructure Cyber Attacks

• Posting of Censored information

• Theft of Personal Information (Privacy)

• Cybercrime (e.g. Business Email Compromise (BEC), Ransomware)

Cybersecurity Incidents & Threats in China

• 969% Increase from 2014 to 2016!

• China is experiencing threats similar to those the US and other countries experience

Source: PWC Global Security Survey

Why Does China Need a Cybersecurity Law?

• 700 million Chinese netizens use the Internet to study, work and access public services

• China’s Cyberspace is:

  • Suffering frequent attacks and compromises

  • Exposing critical infrastructure to attack

  • Experiencing serious threats

• Illegal activities in Cyberspace result in:

  • Damage to basic rights of society and individuals

  • Theft of Personally Identifiable Information

  • Infringement of Intellectual Property

• Threat of anti-government messages within Cyberspace, including:

  • Spread of terrorism and extremist ideology

  • Messages against, and for overthrowing, China’s sovereignty

  • Messages that threaten National Security

What is the China Cybersecurity Law?

China Cybersecurity Law Structure

• Issued on 11/7/2016

• Takes effect on 6/1/2017

• Contains 7 Chapters, 79 Articles

• Purpose:

  • Sovereignty in Cyberspace

  • National Security

  • Rights of Citizens (both Chinese & non-Chinese)

• Plan to roll out measures to:

  • Monitor, defend against, and handle Cybersecurity risks & threats

  • From within China and from overseas sources

  • Protect Critical Information Infrastructure from attack, intrusion, disturbance and damage

  • Establish an early warning system for Incident Response

China Cybersecurity Law Focus

• Focus on:

  • Network Operations Security

    • Network Products & Services

    • Network Operators

    • Critical Information Infrastructure

  • Network Information Security

    • Personal Information

    • Important Information (not clearly defined)

  • Monitoring, Early Warnings and Emergency Responses

    • Cybersecurity Incident Response Readiness

Definitions from the China Cybersecurity Law

Terms and their definitions in the Law:

Network: A system which is composed of computers and other information terminals and associated equipment, which collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures.

Network Operator: A network owner / manager or a network service provider.

Network Security: "Network Security" refers to taking necessary measures to prevent network attacks, intrusions, interference, destruction and any unlawful use, as well as unexpected accidents; to put the networks in a state of stable and reliable operation, as well as ensuring the capacity for network data to be complete, confidential and usable.

Network Data: All kinds of electronic data collected, stored, transmitted, processed, and produced through networks.

Personal Information: "Personal Information" refers to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity, including, but not limited to, natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.

Critical Information Infrastructure: Information infrastructure, which, if sabotaged or suffering from malfunction or data leakage, could seriously harm national security, governmental strategies, people’s livelihood, or public interests. This includes but is not limited to public telecommunication and information services, energy, transportation, water conservancy, and irrigation, financial, public services, and electronic communication.

China Cybersecurity Law Structure - Summary

Cybersecurity Law chapters:

• General Provisions

• Support and Promotion of Network Security

• Network Operations Security

• Network Information Security

• Monitoring, Early Warnings and Emergency Responses

• Legal Responsibility

• Supplemental Provisions

Focus on:

• When responding to major public security incidents, the State Council may approve temporary measures such as restricting network communications in certain regions.

• Network operators shall require users to provide real identity information when signing service agreements with them.

• Personal information and other important data gathered or produced by critical information infrastructure operators during operations within mainland China shall be stored within mainland China. Before transmitting this information outside of China, businesses must obtain the Cyberspace Administration's certification.

• Support network technology development, the training of new talent and the creation of products and services benefiting minors.

• Specified punishments for foreign organizations and individuals attacking and damaging critical information infrastructure.

Who Will be Impacted

• Network Operators

• Network Product and Service Providers

• Critical Information Infrastructure Operators

• Organizations inside and outside of China

• Individuals (Chinese or non-Chinese citizens) who use or manage a regulated network

Sovereignty in Cyberspace

• Absolute power and right to safeguard the cyberspace of China

• Regulate the construction, operation, maintenance and use of networks in China

• Chinese government may claim sovereignty over a network if all, the majority of, or the core functional servers and equipment that constitute the network are located in China

Special Protection of Critical Information Infrastructure (CII)

• Data Localization

  • Personal information and important data must be stored in China

  • Important data is NOT defined

• National Security Procurement Review (by Cyberspace Administration)

  • CII operator’s procurement of network products and related services must be certified and is subject to national security review

• Background Checks

  • Target: persons in charge of network security and in critical positions

Special Protection of Critical Information Infrastructure (CII) Cont.

• Vendor Confidentiality Agreement

  • Imposes specific security and confidentiality obligations on vendors’ supply of products and services

• Annual Security Risk Assessment

  • Can be run either by the CII operator or by a third party network security service provider

  • The risk assessment report, together with any corresponding improvement plans, must be submitted to the responsible authority

Network Operations

• Network operators shall perform the security protection duties required by the tiered network security protection system, so that the network is protected from interference, damage or unauthorized access, and network data is protected from leaks, theft or falsification:

  • Establish an Information Security Management System (ISMS)

  • Adopt technologies to prevent virus attacks and network intrusion

  • Adopt technological measures for monitoring and recording network operational status and network security incidents, and follow relevant provisions to retain network logs for at least six (6) months

  • Establish technical controls such as data classification, backup of important data, and encryption

• The Network Information Dept. and the State Council jointly release a catalog of critical network equipment and specialized network security products, and promote reciprocal recognition of safety certifications and security inspection results

Applicability to Non-Chinese Citizens & Organizations

• Cybersecurity Law protects not only Chinese citizens (Personal Information) but also Non-Chinese citizens who use the services provided by the regulated networks

• Cybersecurity Law does not limit its enforcement and penalty-issuing authority solely to network security violations committed by network operators in China, but rather extends this authority to operators of regulated networks where the operators reside outside of China

• Article 75 – Legal action will be pursued against foreign institutions, organizations, or individuals that engage in attacks, intrusions, interference, damage or other activities endangering the critical information infrastructure of the People's Republic of China, and cause serious consequences

  • International exchange and cooperation activities to fight against international cybercrime

  • Freeze assets, or take other necessary sanction measures

Personal Information (Privacy) Protection

• Keep collected personal information strictly confidential

  • A foreigner’s personal information is not excluded

• Network Operators must disclose the method of collection, the purpose, and the scope of the collection and use of personal information

• Network Operators must not disclose, tamper with, or destroy personal information they gather; they also must not provide personal information to others unless the user gives consent

  • Sharing of de-identified information is allowed

• Individuals have the right to access their own personal information

  • Request deletion of their personal information

  • Request correction of inaccurate information

Information Censorship

• Network operators must censor the information posted on their websites or transmitted through their systems

  • Must remove or stop the transmission of illegal information

  • Must maintain records and report to the government

• Network operators must establish and maintain a special channel for public complaints and reports of any compliance issues or violations and must process received complaints in a timely manner

• (Whistleblower Protection) Relevant departments shall preserve the confidentiality of the informants' information and protect the lawful rights and interests of the informant

Technical Support and Assistance

• In the name of National Security, Network Operators must provide technical support and assistance to national security agencies when investigating criminal cases or activities to safeguard national security

  • It is unclear what type of technical support and assistance will be required

  • It is also unclear whether there will be compensation for such support and assistance

Additional Notable Clauses

• Network Products and Services Compliance Requirements

  • Conform to the mandatory national standards

  • Key network equipment and network security specialty products must pass the security certification or inspection

• Real Name Authentication

  • All network operators must obtain users' true identity before providing network services to them

  • Specific measures for real name authentication are not stipulated

• Emergency (Incident Response) Planning

  • Prepare practical and comprehensive plans to deal with security incidents

  • Conduct periodic incident response exercises

• Temporary Restrictions on Network Communications

  • State Council may decide to take temporary measures to restrict network communications in a specific region

China Cybersecurity Law Structure – Summary Recap

(Recap of the structure summary slide above.)

Road to Compliance

Regulatory Requirements and Regulatory Compliance Readiness

Requirement: Personal information must be securely managed and stored

• Readiness: Build an adequate customer data and privacy information protection program

Requirement: Businesses considered Critical Information Infrastructure must utilize Government-approved equipment and software

• Readiness: Update the overall IT strategy and equipment / software procurement program

Requirement: Government may temporarily shut down or restrict regional Internet connection due to a major incident

• Readiness: Establish a solid incident response plan

• Readiness: Establish a Business Continuity Plan

Requirement: Government has the authority to conduct a security risk assessment on a business’ products and services to identify threats such as product vulnerabilities and backdoors

• Readiness: Establish a sound Risk and Vulnerability Management program

Requirement: Businesses considered Critical Information Infrastructure must coordinate with the certifying authority to complete the security certification process at a defined frequency

• Readiness: Establish a self-assessment and internal Certification program

Sample Action Plan

Inventory – Identify businesses, systems, and applications that may be impacted by the China Cybersecurity Law. Don’t forget 3rd party service providers.

Train your staff on the China Cybersecurity Law

Conduct a Business Impact Analysis and a Privacy Impact Assessment on the inventory of systems and applications

For impacted systems and applications, conduct a security risk assessment and identify whether there is equipment or software that is not certified by the Government. If so, establish a replacement plan

Review the Personal Information (Privacy) Protection Program to ensure existing practice meets the regulatory requirements, especially data localization within China. Make proper adjustments to the IT environment as necessary prior to the June 1, 2017 deadline

Review the Incident Response Plan to ensure it is adjusted to the actual requirements, then train your staff on it

Review and ensure network systems retain logs for a minimum of 6 months as required
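The six-month log-retention duty from the Network Operations slide and the matching action-plan step above are checkable. This added Python example (not code from the presentation or from Pactera) audits logrotate-style retention settings against a 183-day floor; the host names and configurations are constructed, and it treats the `maxage` cap as the edge case that silently shortens retention even when enough rotations are configured.

```python
"""Audit configured log retention against the Law's six-month minimum for network logs.

Added example, not from the presentation. Assumes logrotate-style config: one log
path per stanza, a period keyword (daily/weekly/monthly/yearly), `rotate N`, and an
optional `maxage N` cap. Host names and configurations below are constructed.
"""
import re

MIN_RETENTION_DAYS = 183  # six months, counted conservatively

# Days per rotation period keyword; logrotate's default period is weekly.
PERIOD_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed sample configurations for four hypothetical hosts.
SAMPLE_CONFIGS = {
    "web-01": "/var/log/nginx/access.log {\n    daily\n    rotate 30\n    compress\n}\n",
    "auth-01": "/var/log/auth.log {\n    weekly\n    rotate 52\n}\n",
    "db-01": "/var/log/mysql/error.log {\n    monthly\n    rotate 3\n}\n",
    # Enough rotations, but maxage deletes rotated files after 90 days anyway.
    "proxy-01": "/var/log/squid/access.log {\n    daily\n    rotate 400\n    maxage 90\n}\n",
}

STANZA_RE = re.compile(r"(\S+)\s*\{(.*?)\}", re.S)


def parse_retention_days(config: str) -> dict:
    """Return {log_path: effective retention in days} for each stanza in config.

    Retention is period_days * rotate, capped by maxage when present; a missing
    rotate (or rotate 0) means old logs are deleted immediately, i.e. 0 days.
    """
    retention = {}
    for stanza in STANZA_RE.finditer(config):
        path, body = stanza.group(1), stanza.group(2)
        period, rotate, maxage = PERIOD_DAYS["weekly"], 0, None
        for line in body.splitlines():
            tokens = line.split("#", 1)[0].split()  # strip comments and blanks
            if not tokens:
                continue
            key, args = tokens[0], tokens[1:]
            if key in PERIOD_DAYS:
                period = PERIOD_DAYS[key]
            elif key == "rotate" and args:
                rotate = int(args[0])
            elif key == "maxage" and args:
                maxage = int(args[0])
        days = period * rotate
        retention[path] = days if maxage is None else min(days, maxage)
    return retention


def audit_retention(configs: dict, minimum: int = MIN_RETENTION_DAYS) -> list:
    """Return (host, log_path, days) for every log kept fewer than `minimum` days."""
    return [(host, path, days)
            for host, config in configs.items()
            for path, days in parse_retention_days(config).items()
            if days < minimum]


if __name__ == "__main__":
    for host, path, days in audit_retention(SAMPLE_CONFIGS):
        print(f"{host}: {path} kept {days} days, below the {MIN_RETENTION_DAYS}-day minimum")
```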

Company’s Responsibilities - Summary

Management System

- Assign an Individual Responsible for Security

- Security Policies

- Define Responsibilities

Prevention Controls

- Malware

- Network Intrusion

- Data Leak

- Cyber Crime / Fraud

Monitoring & Incident Response

- Network & System Monitoring

- Root Cause Analysis

- Incident Investigation & Remediation

- Periodic Incident Response drill

Business Continuity / Disaster Recovery

Readiness for:

- Natural & Human Disaster Recovery

- Performing Backups

- Communications During a Disaster

Information Protection

- Protect Personal Information

- Protect Important Information

- Disclose Info Management Policy

- Keep Regulated Info within China

Certification / Risk Assessment

- Certification & Audit

- Security & Risk Assessment

- Issue Remediation

- Continuous enhancement

Security Awareness Training

- Conduct Network Security Training

- Conduct Security Awareness Training

- Confidential Information Protection

- Skill Evaluation on Employees

References - English

• China Cybersecurity Law (中华人民共和国网络安全法) (Official)

• http://www.cac.gov.cn/2016-11/07/c_1119867116.htm (Chinese)

• China Cybersecurity Law (Unofficial) Translation

• http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en#PohPuA0mSpIRCx0t.99 (English)

• China adopts law on cybersecurity

• http://english.gov.cn/news/top_news/2016/11/08/content_281475486222054.htm (English)

• China announces cybersecurity strategy

• http://english.gov.cn/state_council/ministries/2016/12/27/content_281475526667672.htm (English)

• Government stats on increase of Cybersecurity complaints - up 129% in 2015 in China

• http://english.liuzhou.gov.cn/news/world/201605/t20160526_881725.htm (English)

References - Chinese

• China Cybersecurity Law (中华人民共和国网络安全法) (Official)

• http://www.cac.gov.cn/2016-11/07/c_1119867116.htm (Chinese)

• Cyberspace Administration of China (国家网信)

• http://www.cac.gov.cn/ (Chinese)

• Tiered Security Certification (中国网络安全等级保护)

• http://www.djbh.net/webdev/web/HomeWebAction.do?p=init (Chinese)

• National Information Security Standard Council (全国信息安全标准化技术委员会)

• http://www.tc260.org.cn/zqyj.jsp (Chinese)

• China’s National Cyber Space Security Strategy (国家网络空间安全战略)

• http://www.tc260.org.cn/zdetail.jsp?id=20161227164432 (Chinese)

• China’s National Computer Virus Emergency Response Center (国家计算机病毒应急处理中心) & Anti-Virus Products Testing and Certification Center(计算机病毒防治产品检验中心)

• http://www.cverc.org.cn/index.htm (Chinese)

Thank You!

Kyle Lai, CISO, CPO, Head of Security Services, Pactera Technologies N.A.

Email: [email protected]

https://linkedin.com/in/kylelai

Security Services Contact: Mike [email protected]