Cybersecurity is a major global issue. Increasingly countries are acting to strengthen their own cybersecurity through legislation. In October this year the Australian Government released the Security of Critical Infrastructure Bill for comment, and this is expected to be enacted into law in 2018.
Australian businesses, however, cannot limit their attention to domestic law; the laws of our trading partners and neighbours not only could influence Australia's future policy, but those countries may directly apply their laws to Australian entities that operate within their territory.
We've already considered the effect of Singapore's draft laws on Australian entities; now it's China's turn, with its Cybersecurity Law coming into force on 1 June 2017 after a long period in draft form.
In this article we'll compare China's regime with the proposed laws in Australia, and the extra layers of liability that network operators and critical information infrastructure operators need to understand to avoid penalties.
China's Cybersecurity Law at a glance
While the final version of the Cybersecurity Law is available in English, the draft regulations (which clarify aspects of this law) have been released for comment, but not all of them have yet been translated into English.
Ostensibly the Cybersecurity Law establishes a collaborative framework for ensuring the safety of data in China, but at the same time it contains a suite of strict (albeit vaguely expressed) obligations as well as harsh penalties. The law applies to foreign entities operating in China, and to the broadly defined categories of "network operators" and "critical information infrastructure operators" (CII operators), and is being enforced by various state bodies.
In its current form, the draft Australian legislation does not go as far as the Chinese Cybersecurity Law in the obligations it imposes in relation to Critical Infrastructure Assets (CIAs). However, the scope for Ministerial directions to be made increases the potential application of this law. It remains to be seen whether a more stringent regime is required in order to effectively safeguard cyberspace.
Obligations on network operators
Under the Chinese Cybersecurity Law, network operators are defined as network owners, managers and network service providers. "Networks" are broadly defined as:
"systems comprised of computers or other information terminals and related equipment that follow certain rules and procedures for information gathering, storage, transmission, exchange and processing."
Network operators carrying out business and service activities are subject to the requirements of the Cybersecurity Law regime, and have the following obligations:
- To implement measures to protect the security of their networks: formulating appropriate security systems, establishing dedicated roles with responsibility for network security, adopting technological measures to prevent viruses, and monitoring and recording security status and data management.
- To formulate an appropriate emergency response plan in case their network is affected by a security risk or incursion.
- If the network operator provides certain services to users including mobile phone use or instant message services, they must obtain real identity information from users before providing them with the services. This information must be truthful, and it must be kept confidential unless the user consents to disclosure.
- To monitor information published by users and to the extent that this information violates any law or regulation, stop this information from being transmitted via their network and report this to the relevant department.
- To establish systems where complaints and reports about network information security can be made. Where appropriate, network operators should relay these complaints to the relevant departments.
- To assist and provide technical support to prescribed state organs and departments as required for them to perform their investigatory roles, and preserve national security.
In contrast, the Australian Bill does not apply to a similarly general category of entity such as network operators. Instead, its focus is on critical infrastructure assets, and it is entities related to these assets who have obligations under that law.
Obligations on CII operators
The Cybersecurity Law also contains obligations on CII operators. These parts of the Chinese regime are most comparable to the Australian Bill, which focuses on infrastructure. CII is not defined in the Cybersecurity Law. The draft Chinese regulations on Protection of Critical Information Infrastructure Security go some way towards clarifying this, defining CII as including entities where a change or threat to functioning may create serious harm for national security. The following examples are listed:
- Government organs in the areas of energy, finance, transport, water conservancy, health, education, social security, environmental protection, public utilities and the like;
- Information networks including telecommunications, radio and television;
- Internet sites;
- Providers of cloud computing, big data and large scale public information network services;
- Scientific research and production units in industries including defence, large equipment, chemicals, food and drugs;
- News units including radio stations, television stations and other news services.
Clearly this is a very broad definition. Conversely, the Australian Bill contains a less comprehensive definition of CIAs in its current form. The Australian definition captures critical electricity assets, ports, water assets or assets declared to be critical to Australia's economic and social stability interests, defence or national security. Presumably Australia would deal with those entities not captured under the definition of CIA, such as providers of cloud computing and news units, by way of regulations or rules made once the Bill is enacted into law. Nonetheless they are notable omissions from the Australian Bill.
Critical information infrastructure operators' obligations
Under the Cybersecurity Law, CII operators have the following obligations, some of which are similar to those of network operators:
- To establish security management bodies and conduct background checks for the senior persons in those bodies;
- Conduct training and skills evaluations for employees, conduct backups of key systems and databases, formulate emergency response plans for network security incidents and organise drills;
- When purchasing network products and services which may impact national security, comply with the relevant review processes before purchasing;
- After purchasing, the CII operator must sign a confidentiality agreement with the provider of the products or services;
- To the extent that CII operators gather personal information in the course of operating within the mainland territory of the PRC, this information must be stored within the mainland. If business requirements dictate that this information must be stored elsewhere, the measures formulated by the relevant state departments must be followed before the data is stored offshore;
- To inspect and assess their network's security at least once per year personally or by retaining a professional.
Again these obligations go further than those proposed under the Australian Bill, which essentially imposes only reporting requirements on entities which are reporting entities for CIAs. The draft rules made under the Australian Bill presently do not contain any of the additional requirements that exist under the Chinese law. Some of these omissions are significant when compared with the Chinese regime. For example, the requirement for compliance with review processes before purchasing additional services for critical infrastructure is not captured by the definition of "operational information" in section 7 of the Australian Bill. Presumably such things will ultimately be regulated by rules made under the Australian Bill once it becomes law, if at all.
When will foreign entities be considered to be critical information infrastructure operators?
Another notable difference between the Chinese Cybersecurity Law and the Australian Bill is that some parts of the Cybersecurity Law apply generally to foreign institutions, organisations or individuals who are not necessarily included in the definitions of network operator or CII operator. For example, article 48 provides that application software provided by individuals or organisations must not install malicious programs or contain information that is prohibited under laws or administrative regulations. This is aimed at protecting China from cyber threats generally. The Australian Bill does not have a similarly specific, wide-ranging application in the face of general threats, although there is power to prescribe assets and to declare assets (see sections 9, 49 and 57) which might be used to expand the reach of the Bill. If the Chinese Law requirements are breached, harsh penalties may result for the foreign entity, including, in addition to general legal responsibility, the freezing of assets and other "necessary punitive measures".
Against this background it is significant that the United States and China have made a public agreement not to infringe each other's cybersecurity at the US-China Law Enforcement and Cybersecurity Dialogue in October 2017.
Breaches of obligations under the Cybersecurity Law can be subject to harsh penalties, including fines for both the entity, and the individuals who occupied the key management positions at the time. Generally, the relevant departments responsible for enforcement will issue a warning. If these warnings are not complied with, or if the breach is serious, fines will result.
For network operators a breach of the Cybersecurity Law can lead to fines of between RMB 10,000 and 500,000 (approx. AU$2,000-100,000) for the network operator depending on the breach, and for the directly responsible management personnel between RMB 5,000 and 100,000 (approx. AU$1,000-20,000) depending on the breach. There may also be other punishments for some breaches, such as suspension of operations and having the relevant business licenses and permits cancelled.
Breaches of obligations by CII operators are subject to harsher penalties than breaches by network operators under the Cybersecurity Law. Where a breach has occurred, the same process is followed: a warning is issued, then fines, with personal fines for those in key positions at the time. A CII operator can be fined between RMB 50,000 and 1,000,000 (approx. AU$10,000-200,000) depending on the breach, and responsible management personnel fined between RMB 10,000 and 100,000 (approx. AU$2,000-20,000). In addition, depending on the breach, a CII operator may have to suspend operations or have relevant licenses or permits revoked.
The Australian Bill does not provide for the same "double punishment" for infringements at the entity and individual level as the Chinese law does. Rather, fines will only result where there has been illegal disclosure of sensitive information or where the reporting requirements are not complied with. The penalties themselves are relatively low: 25 penalty units, or AU$5,250. However, of more concern under the Australian Bill is the Minister's power to issue directions to CIAs, which is broadly expressed in section 30. If the Minister's directions are not complied with, a CIA entity could face penalties as high as $52,500. The scope of the Minister's power in this regard may broaden the operation of the Australian Bill in practice.
The way forward for cybersecurity here and in China
If you are a network operator or involved in CII in China, ensure that the requirements of the Cybersecurity Law and associated regulations (when finalised) are being complied with in order to avoid heavy penalties and fines. From the Chinese perspective, the aim is a law that safeguards cyberspace, with a focus on network security within the mainland territory.
While the broad and sometimes vaguely expressed obligations with harsh penalties for breaches under the Chinese regime are concerning for operators in China, the provision for Ministerial directions under the Australian Bill also has the potential to have a wide-ranging operation, at least in relation to some CIAs. It remains to be seen whether there should be a preferred approach to regulating cybersecurity. We will be monitoring the application of the Chinese legislation with interest.