Foreign companies in China face cybersecurity crackdown - Financial Times, London, 15 May 2019
China cracks down on foreign firms over cybersecurity, FT says - The Star, Kuala Lumpur, 16 May 2019
The above were two headlines in the mass media on 15th and 16th May 2019 that were totally misleading and could confuse the public. Considering that the majority of Malaysians never read beyond the headlines, these headlines could cause confusion and panic, especially among those in the cybersecurity industry.
Based on our understanding, China's Cybersecurity Laws (CSL), introduced sometime in 2017, include a regulation termed the Multi Level Protection Scheme (MLPS). The MLPS regime, which reinforces the CSL, includes supervision over technologies including mobile internet, the internet of things, cloud computing, big data and industrial security systems. When the MLPS regime was introduced in 2018, businesses were forewarned to pay attention to it because regulators would expect compliance.
MLPS classifies networks operating in China into five levels (from least to most critical) based on the networks' relative impact on national security, social order, public interest, and individuals' rights if compromised.
It is worth noting that:
'critical information infrastructure', as defined under the MLPS, shall be classified as no lower than Level 3.
Networks that may cause severe damage to the legitimate rights and interests of individuals, legal persons and other organizations are classified as Level 3. Networks operated by multinational corporations (which usually process a lot more personal and business information and data) are also classified as Level 3.
The above articles painted a picture of foreign companies operating in China coming under investigation over cybersecurity violations, whereas a search on the internet will reveal that the authorities are going after all businesses, local and foreign, for non-compliance with the MLPS. An organisation does not violate cybersecurity rules and regulations; it either complies with the standard rules and regulations or it does not.
The foreign companies quoted as expressing concerns about the requirement to divulge business-critical data to Chinese authorities failed to mention that countries like Thailand, India, Vietnam and Australia, and the GDPR in Europe, also have the same requirements, unless these foreign companies do not operate in any of these places.
This blog is non-partisan but, as stated in our vision when we first started this blog, there will always be differences in views and there will never be a know-all or perfect answer or solution to the subject of cybersecurity. Cybersecurity 360 is a space where we aim to provide alternative and probing views so that visitors to our website and social media obtain views, hopefully, in a fair and balanced fashion.