To strengthen its cybersecurity regime, China revised its Multi-Level Protection Scheme (MLPS, "等保"), with the revision taking effect on 1 December 2019. The revised MLPS applies to all technology, media and telecommunications (TMT) companies in China. To meet the new requirements, many companies have already begun upgrading their online security systems, and more work is expected as the regulatory environment tightens.
Required under the Cybersecurity Law (CSL), which took effect in June 2017 as a broad piece of legislation governing China's cyberspace, the MLPS regulates China's IT security standards. To prevent security problems such as unauthorised access, data leaks and tampering, the CSL obliges network operators to establish, monitor and inspect their security systems in accordance with the rules laid down by the MLPS.
The MLPS was formally promulgated in 2007; in 2018 the Ministry of Public Security released the draft Regulation on Cybersecurity Multi-Level Protection (for public comment), intended to introduce MLPS 2.0, Kate Yin, partner at Fangda Partners, told ALB. The public security authorities have yet to issue the final version of that regulation, and what took effect in December 2019 as MLPS 2.0 is a set of national standards, she stressed.
MLPS 2.0 broadens the scope of application and raises security standards, signalling the regulators' commitment to refining and strictly enforcing the data privacy regime.
Wider and stricter
Cybersecurity experts point to several highlights of the MLPS 2.0 national standards.
"MLPS 2.0 focuses mainly on protecting networks, whereas MLPS 1.0 focused mainly on protecting information systems," says Fangda's Yin. Beyond the change in terminology from "information system security" to "cybersecurity", MLPS 2.0 extends its scope to networks such as cloud computing platforms, big data, the Internet of Things, industrial control systems and the mobile internet.
Penalties are also harsher. Under MLPS 2.0, any network operator that fails to comply with the relevant MLPS requirements faces legal consequences, regardless of the network's grade. This is stricter than MLPS 1.0, under which only companies at level 3 faced legal consequences; now, operators of networks graded level 3 or above that commit violations may even face heavier penalties.
Yin also notes that companies must take more proactive protective measures, because MLPS 2.0 calls for active defence of the network rather than reliance on passive preventive measures alone.
"MLPS 2.0 has more comprehensive requirements for security measures and management measures, including active defence and passive prevention, incident response, and auditing and evaluation of the effectiveness of those measures," she explains.
Another point TMT companies should note, Yin cautions, is the potential localisation requirement in MLPS 2.0. Under the MLPS 2.0 national standards, a network operator should require its cloud storage provider to satisfy various security and management measures, including having cloud service infrastructure in China. If the data is hosted entirely outside China and there is no core IT infrastructure in the country, such a network operator is very likely to be unable to complete the relevant procedures under MLPS 2.0.
"Therefore, network operators may inevitably need to localise the facilities their business requires, such as servers, databases, and network and security equipment in China, in order to pass MLPS 2.0 grading and filing," she says.
Companies must also watch closely how the MLPS 2.0 Regulation, which is expected to be formally promulgated this year, will affect them.
First, the grading and filing procedure may change. Under MLPS 1.0, companies conducted self-assessment and graded their own information systems, but the new MLPS 2.0 Regulation may narrow the room for network operators to grade their own systems. Yin reminds network operators at level 2 or above that they should convene a panel of experts to grade their information systems.
She also predicts that more companies will be placed at level 3 or above. Networks are currently divided into five security protection levels: level 1, the lowest, covers ordinary networks, and level 5, the highest, covers extremely important networks. Under the new regulation, a level 3 network is an "important network which, if compromised, would cause particularly serious harm to the lawful rights and interests of the citizens, legal persons and other organisations concerned, or serious harm to social order and the public interest, or harm to national security", and such networks might have been placed at level 2 under MLPS 1.0.
A burden for tech companies?
Vincent Wang, partner at Global Law Office, also agrees that the compliance burden will increase for companies graded level 3 or above under MLPS 2.0, but contrary to Yin's prediction, he does not expect tech companies, especially foreign tech companies in China, to be graded so high.
He also believes that, at the present stage, as long as companies do not themselves opt for over-compliance, the implementation of MLPS 2.0 will not significantly increase the compliance burden of tech companies in China.
"At the legal level, the basic administrative regulations and rules for implementing MLPS 2.0 are for now absent, the legal and administrative supervision system and requirements of MLPS 2.0 have not fully taken shape, and there is not yet much work that must be done under mandatory legal requirements," he tells ALB.
"At the technical level, although the MLPS 2.0 national standards formally took effect on 1 December 2019, most of the technical requirements in them are basic security requirements, and for level 1 and level 2 tech companies in particular, implementing them will not significantly increase their technical compliance burden," he further explains.
But Fangda's Yin says the burden exists regardless. She believes that even had the MLPS not been revised, tech companies in China would inevitably have to upgrade their protective measures in response to the risks posed by the data they process and the networks they use, because the expectations of the public and the regulators on data protection and cybersecurity have been rising year by year.
In her view, MLPS 2.0 undoubtedly brings new challenges to tech companies.
Yin explains: "The requirement to localise cloud service providers' infrastructure means that, in order to pass MLPS 2.0 grading, many TMT companies will have to consider cloud service providers that have data centres in China."
However, she expects that, since many well-known cloud service providers are localising their services and infrastructure in China, data localisation may be a choice rather than a burden, although in the short term it may mean added cost and workload for IT and information security departments.
Another challenge is that tech companies in China will have to "top up" many security and management measures, because they now have little room to argue about the grading of their information systems and networks. This is especially true for foreign-invested tech companies, because in China, networks graded level 3 or above must undergo technical maintenance.
Embracing change
For many tech companies, the new rules bring major changes to their security maintenance and staffing, and they are moving quickly to respond.
Experts from the data compliance department of JD Digits, a Beijing-based technology company, shared with ALB how they have responded to these changes.
They told ALB: "Our information security team, security compliance team and audit team form the company's three lines of defence for cybersecurity, controlling cybersecurity compliance risk at every level."
"The security compliance team actively participates in the drafting and discussion of regulations and standards organised by the regulators, interprets the MLPS 2.0 policies and regulations in detail, and proposes improvements benchmarked against the compliance requirements; the information security team implements the MLPS 2.0 security controls; and the audit team audits and inspects the implementation of MLPS 2.0, forming a closed-loop mechanism for managing cybersecurity compliance risk," they explain.
JD Digits has an in-house security team of about 200 people providing comprehensive, multi-dimensional protection covering data security, system security and other areas. On the technical side, the company has developed its own security products, including a web application firewall, host intrusion detection, DDoS attack protection, a mobile security platform and a vulnerability scanning platform, to build an active security defence system.
They firmly abide by the Cybersecurity Law's provision that network operators shall, in accordance with the requirements of the multi-level cybersecurity protection scheme, fulfil the following security protection obligations: ensure the network is free from interference, damage or unauthorised access, and prevent network data from being leaked, stolen or tampered with.
They reiterate: "As a representative enterprise in the digital technology industry, compliance is the lifeline of the company's development. We have set requirements for our cybersecurity capabilities that are stricter than the baseline of MLPS 2.0. MLPS 2.0 will not be a 'burden' for JD Digits but a source of competitive advantage."
The proactive strategy adopted by JD Digits is also what legal experts recommend to other tech companies.
Fangda's Yin says: "Take action, don't wait. If you look only at the possible legal consequences provided by law, you may think: 'We can wait until the regulators ask us to take action to rectify non-compliance.' But in the event of such a government investigation, we may be unable to complete all, or substantially all, of the rectification within the period set by the public security authorities."
She also reminds TMT companies that if the risk of non-compliance with MLPS 2.0 remains unaddressed, other consequences must be considered; failure to comply with a government MLPS 2.0 rectification order that results in serious harm may lead to criminal liability.
On preparing for MLPS 2.0, Yin offers TMT companies two tips, particularly on grading.
"First, take inventory of the information systems supporting the different lines of business, to help identify the information systems that need grading; second, consult the relevant experts on grading questions, and get ready for MLPS 2.0," she says.
Global Law Office's Wang also reminds TMT companies to take more initiative, raise compliance awareness, identify their own strengths, and actively respond to the new changes brought by MLPS 2.0.
For foreign TMT companies in China, he says, they can fulfil their multi-level protection obligations in a friendlier manner.
"MLPS service providers are not on the list of sectors prohibited or restricted for foreign investment. So it can be expected that more foreign-invested companies will provide security grading assessment services for foreign tech companies in China in future," Wang says.
Enhanced Security
As China aims to strengthen its cybersecurity regime, it recently updated its Multi-Level Protection Scheme (MLPS) for data security. The updated scheme applies to all technology, media and telecommunication (TMT) companies in the country. Several firms had already started preparing for the new requirements by strengthening their online security systems, and more work is expected to come under the heightened regulatory landscape.
The Multi-Level Protection Scheme (MLPS) governs the IT security standards of China. It is required under the Cybersecurity Law (CSL), which became effective in June 2017, as a broad piece of legislation to govern China’s cyberspace. To prevent security issues such as unauthorised access, data leaks, and falsifications, CSL obliges network business operators to comply with rules on establishing, monitoring and inspecting their security systems according to the requirements of the MLPS.
After the introduction of the MLPS in 2007, China’s Ministry of Public Security released the draft Regulation on the Cybersecurity MLPS last year with the intention of introducing MLPS 2.0. As the public security authorities have yet to finalise the draft, what is referred to as “MLPS 2.0” for now is a set of national standards that became effective in December, says Kate Yin, partner at Fangda Partners.
MLPS 2.0 extends the scope of application of the law and enhances security standards. It is seen as an effort to make China’s data privacy regulatory regime increasingly comprehensive and strictly enforced.
WIDER AND STRICTER
Cybersecurity experts point to several highlights of MLPS 2.0 national standards.
“MLPS 2.0 focuses on protection of the network while MLPS 1.0 focused primarily on protection of the information system,” says Yin. Besides a change in terminology from “information system security” to “cybersecurity”, MLPS 2.0 widens its application to networks ranging from cloud computing platforms to big data, the Internet of Things, industrial control systems and the mobile Internet.
Penalties could also be harsher. All network operators may face legal ramifications for failing to comply with the relevant MLPS requirements, regardless of the grade of their network. This is stricter than MLPS 1.0, under which only companies graded level 3 faced such consequences. Moreover, operators of networks graded level 3 or above may now face more severe penalties for non-compliance.
Yin also points out that more proactive protection measures are required, saying that MLPS 2.0 requires proactive protection of the network instead of purely relying on preventive measures.
“MLPS 2.0 takes a holistic view on the security measures and management measures, including proactive and preventive measures, response to incidents, and audit and evaluation of the effectiveness of the measures,” she explains.
Another point to note is the potential localisation requirement in MLPS 2.0, Yin reminds the TMT companies. According to the MLPS 2.0 national standards, a network operator would need to require its cloud storage provider to meet various security and management measures, including having cloud services infrastructure in China. If the data is hosted entirely outside China and there is no core IT infrastructure in China, there is a high likelihood that such a network operator may not be able to complete the relevant processes under MLPS 2.0.
“Therefore, the network operators may inevitably localise the facilities necessary for their business, such as servers, databases, as well as network and security equipment in China to pass MLPS 2.0 grading and filing,” she explains.
And companies will have to keep an eye on how the MLPS 2.0 Regulations, which are expected to be finalised this year, will impact them.
Firstly, there could be a change in the grading and filing process. Under MLPS 1.0, companies conduct self-assessment and grade their information systems, but the new MLPS 2.0 Regulations might give network operators less room to grade their own information systems. Yin reminds network operators that those graded level 2 or above will need to organise a panel of experts to grade their information systems.
She also predicts that more companies will fall into level 3 and above. While retaining the current five-level scheme, which runs from level 1 as the least critical to level 5 as the most important, the new regulations propose to expand the scope of level 3 to include information systems whose compromise would cause particularly serious damage to the legal rights of citizens, legal persons and other organisations, systems which could have been graded level 2 under MLPS 1.0.
A BURDEN?
While agreeing that the compliance burden of companies graded as level 3 or above will increase under MLPS 2.0, Vincent Wang, partner of Global Law Office, does not expect most TMT companies, especially foreign TMT companies in China, to be graded at such high levels, contrary to what Yin predicts.
He also believes that the implementation of MLPS 2.0 will not add too much of a burden to the TMT companies, if they do not opt for over-compliance strategies voluntarily.
“From the perspective of law, MLPS 2.0 Administration is not finalised yet, and relevant laws and regulations under MLPS 2.0 are not complete. So, there is not yet much legal compliance work required by mandatory laws and regulations,” Wang tells ALB.
“And from the perspective of technical requirements, although the new MLPS 2.0 standards came into force on Dec. 1, 2019, most technical requirements are only basic requirements for TMT companies, especially companies graded as level 1 and level 2. Such requirements will not significantly increase their technical compliance burdens,” he further explains.
But Fangda’s Yin believes that the burden is there anyhow, arguing that even without the revamped MLPS regime, TMT companies in China will inevitably have to upgrade their protective measures in line with the risks of the data they process and the networks they use. This is simply because the expectations of the public and the regulators on data protection and network security have been rising over the years.
And MLPS 2.0 is certainly bringing new challenges to the TMT companies, she believes.
“The requirement on localising the cloud services providers’ infrastructure in China would mean that many TMT companies will have to consider those cloud services providers with data centres in China, for these TMT companies to pass MLPS 2.0 grading,” Yin explains.
However, she expects that data localisation may be a choice instead of a burden, given that many renowned cloud services providers are localising their services and infrastructure in China, although in the short term it may mean costs and extra workload for IT and information security departments.
Another challenge is that TMT companies in China would have to “top up” a lot of security measures and management measures, as now they have little room to argue on their grading of the information system and network. This is particularly the case for foreign-invested TMT companies, as the technical maintenance of the network graded as level 3 or above will have to be conducted in China.
EMBRACING CHANGES
For many TMT companies, the new regulations bring a huge change in their security maintenance and human resources, and they are getting their acts together quickly to respond to the changes.
Experts from the data compliance department of JD Digits, a Beijing-based technology company, tell Asian Legal Business how they have responded accordingly.
“Our information security team, security compliance team and audit team have formed the three lines of defence for cybersecurity to manage cybersecurity risks at all levels,” they say.
“The security compliance team actively worked with the regulators to formulate and discuss regulatory standards, while studying MLPS 2.0 in-depth and giving suggestions for improvement. The information security team implemented the measures outlined in MLPS 2.0. Meanwhile, our audit team performed cybersecurity compliance audits on our implementation of MLPS 2.0, establishing a closed system for managing compliance risks,” they explain.
The company’s security team now consists of 200 members, who carry out comprehensive protection for its data and systems. On the technical front, they have developed a range of security products, such as a web application firewall, a host-based intrusion detection system, DDoS attack prevention, a mobile security platform, and a vulnerability scanning platform to enable active defence.
They do so in the firm belief that, under the requirements of the MLPS, network operators must ensure the network is free from interference, damage or unauthorised access, and must prevent network data from being leaked, stolen or falsified.
“As a lead player in the digital technology industry, JD Digits sees regulatory compliance as a lifeline for the company’s development,” they reiterate. “We have implemented stricter requirements for cybersecurity based on MLPS 2.0, and MLPS 2.0 will only drive our competitiveness instead of being our burden.”
The proactive strategy adopted by JD Digits is also what legal experts would suggest to other TMT companies.
“Take action and don’t wait,” Fangda’s Yin says. “If you only look at the legal ramifications provided by law, you may think: ‘well, we can wait until the regulators ask us to take action to rectify non-compliance.’ However, in the event of such a government investigation, the period of rectification designated by the public security authorities may not be sufficient for completing all or materially all of the actions.”
She also warns the TMT companies to consider other implications if the risk of non-compliance with MLPS 2.0 remains unaddressed. Failure to comply with an MLPS rectification order from the authorities may result in criminal liability if that failure has resulted in serious damage.
She offers two tips for TMT companies to prepare for MLPS 2.0, especially when it comes to grading.
“Firstly, take inventory of the information systems that support the different lines of business to help identify the information systems that require grading. Secondly, consult with experts on grading and get ready for MLPS 2.0,” she says.
Global Law Office’s Wang also reminds the TMT companies to take more initiatives by raising awareness of compliance and identifying their strengths to respond actively to the new changes brought by MLPS 2.0.
As for foreign TMT companies in China, “The grading assessment industry is not on the prohibited and restricted list for foreign investors. It is anticipated that there can be more foreign firms providing security grading assessment services for foreign TMT companies in China,” Wang says.