Lutnick to Lead Commerce, a Final Biden-Xi Meeting, and USCC Supports PNTR Repeal
By Nick Marro
While cybersecurity challenges have long affected foreign companies operating in China and raised concerns about discriminatory treatment of foreign products—particularly China’s recent push for “secure and controllable” technology—the beginnings of this trend can be traced to the early 1990s with China’s adoption of the multi-level protection scheme (MLPS). Today, companies describe an increasingly restrictive environment that is squeezing their market share as regulators increasingly link national and cybersecurity to government procurement, data management, and IT system integration. This squeeze is particularly evident in China’s implementation of MLPS.
MLPS: What is it?
A draft MLPS system was first established in 2007, creating a “grading scale” to protect the information security of “critical infrastructure.” The origins of the MLPS framework can be traced to a government circular describing the construction of a similar system in 1994.
The MLPS sets five levels of information security based on potential consequences of damaged information systems:
An ongoing fundamental challenge for foreign companies is the fact that the term “critical infrastructure,” or “critical information infrastructure,” is undefined, creating uncertainty as to what products and operations are affected by the MLPS regime. Other critical terms, such as “damage” and “serious harm,” are also undefined.
Some language in the regulations, such as the requirement that encryption algorithms be submitted to the State Encryption Management Bureau (SEMB) for review, not only create onerous compliance challenges, but may also violate foreign companies’ internal intellectual property (IP) protection guidelines. Other language suggests an outright discriminatory preference for domestic IT solutions—for example, the requirement that Level 3 or higher information systems use indigenous IP within core IT systems and key hardware components, and undergo testing, certification, and authentication via the China Compulsory Certification for information security products (CCCi). The effect of this requirement is potentially sweeping, since Level 3 information systems may include systems used by commercial customers in sectors such as banking, healthcare, energy, and telecommunications. Other recent draft legislation on information security in these sectors underscores concerns about the potential breadth of Chinese regulations favoring domestic products.
How is MLPS applied?
China has quietly implemented the MLPS framework since 2007, with reports emerging every few years of ramped-up inspections by government authorities. However, conversations with USCBC members indicate that implementation is not uniform. For instance, requirements that core technology components use indigenous IP may only be lightly enforced, or not enforced at all..
Some USCBC members indicate that testing and certification of their IT products and systems has occurred on a de-facto voluntary basis—with the MLPS framework is used as a reference. Other members indicate that as part of China’s quiet implementation of MLPS, operators of any system that might be considered “critical information infrastructure” have been instructed to use this standard. Despite this uneven implementation, the establishment of MLPS has provided a legal framework for authorities to demand compliance, creating uncertainty about how strictly these provisions will be enforced.
A bilateral priority
MLPS is a US priority on the bilateral agenda. At the 2012 Joint Commission on Commerce and Trade (JCCT), the United States announced that China had committed to revise language on indigenous IP requirements. Following the 2015 JCCT, the US fact sheet and the Chinese fact sheet noted that both countries would continue working together to address MLPS-related concerns and challenges.
But despite historically uneven enforcement by China and the high priority of the issue on the bilateral agenda, industry concerns have deepened as language calling for the construction or enhancement of MLPS has become increasingly common in a host of Chinese draft legislation. Companies are concerned that MLPS is taking on a “new life,” as regulators seek to address new security changes caused by technological advances since these regulations were first promulgated years ago. Most prominently, such language emerged in draft regulations on information security in the banking and insurance industries, as well as in China’s draft cybersecurity law. The National Informatization Development Strategy, released by the Cyberspace Administration of China (CAC) on July 28 as a comprehensive guideline for developing the domestic ICT sector, also calls for the creation of an MLPS framework.
Conversations with USCBC indicate that the new MLPS regime is currently under drafting by the China National Information Security Standards Technical Committee (also known as TC260). These new may be extended to explicitly cover areas such as cloud computing and critical information infrastructure (CII), a broad term that has remained undefined.
How are MNCs handling this?
China is not alone in adopting and promoting a framework to protect information security in critical systems. This is a trend increasingly reflected in global practices, and adapting to such frameworks is certainly a task that multinational companies have had to undertake in other markets. For instance, in 2008, both the United States and the European Union created a standard on information security evaluation guidelines adopted by the International Standardization Organization (ISO). China adopted a local version of this ISO standard and incorporated it as one of the standards under the MLPS framework.
In order to ensure compliance when handling data collected in China, foreign companies note the importance of balancing China’s domestic laws—including MLPS, as well as a number of policies restricting data from leaving China’s shores—with their own business needs, which often require the free flow of data between business units in China and overseas global headquarters.
One company noted that they provide IT support and maintenance to customers in China, using data sets mined from hardware located in China to predict, identify, or handle any problems that may arise. Although their local teams can handle many of the issues that arise domestically, severe cases must sometimes be elevated to the global level, requiring input from international teams who are based outside of China. This company must ensure that any data sent being overseas is in compliance with China’s laws and regulations, including compliance under MLPS.
For instance, if this company is monitoring IT systems in hospitals or other public buildings, which may be in sectors considered Level 3 or above, the company must actively filter sensitive data, such as patients’ personal information, so as not to access Level 3 data. By screening this data from its system, this company has the flexibility to provide remote IT support and handle technical issues. The use of a filter allows it to sell products and provide IT maintenance to units otherwise considered Level 3 and off-limits.
However, filtering out data is counter to the mission of companies striving to seize upon the value of big data—such as by collating personal information to identify consumer trends, or using machine data to predict and prevent industrial accidents. These new ways of using big data are fast becoming pillars of the global economy, and will be increasingly important for China’s successful economic transition and continued development.
MLPS and other Chinese cybersecurity policies that run counter to the development of an increasingly connected global marketplace not only present obstacles for China’s achievement of its own economic goals but also create challenges for MNCs seeking to identify and apply best practices for compliance and successful competition in the digital world. It is not clear to industry how MLPS will develop in the future, or if newly constructed MLPS frameworks will complement or supersede the existing framework. But no matter how this system develops, transparency and fair treatment concerns are likely to remain significant issues for some time.