isaca - china cybersecurity law presentation - kyle lai - v3.2
TRANSCRIPT
China Cybersecurity Law - Its Impact on Global Businesses
Kyle Lai, CISO & CPO, Pactera Technologies
January 2017
Introduction
© Pactera. SECCOE Confidential. All Rights Reserved.
• Kyle Lai
• Chief Information Security and Privacy Officer (CISO, CPO) & Head of Security Services of Pactera
• CISA, CISSP, CSSLP, CIPP/US, CIPP/G, ISO 27001 Lead Auditor
• 20+ years experience in CyberSecurity, Application Security, Privacy, 3rd Party Risk, Security Governance
• Pactera Technologies - Provides Exceptional IT, Development, Cybersecurity and Privacy Consulting
• US Headquarters in Redmond, WA – Microsoft Vendor of the Year
• Global Headquarters in China
• Global Presence in US, Hungary, Spain, India, Japan, Singapore, Malaysia, Hong Kong, Australia
• Clients include 90+ of Fortune 500
• 25,000 Employees
• Global 100 IT Outsourcing
• Sister Company of Ingram Micro (under HNA Group – Fortune 343 Firm in 2016)
Agenda
China’s State of Cybersecurity
What is the China Cybersecurity Law?
What is the impact to Global Businesses?
How can Global Businesses Prepare for Compliance?
Cybersecurity Threats in China
• Foreign Nation States Cyber Attacks
• Critical Infrastructure Cyber Attacks
• Posting of Censored information
• Theft of Personal Information (Privacy)
• Cybercrime (e.g. Business Email Compromise (BEC), Ransomware)
Cybersecurity Incidents & Threats in China
• 969% Increase from 2014 to 2016!
• China is experiencing similar threats that the US and other Countries experience
Source: PWC Global Security Survey
Why Does China Need a Cybersecurity Law?
• 700 million Chinese netizens use the Internet to study, work and access public services
• China’s Cyberspace is:
• Suffering frequent attacks and compromises
• Exposing critical infrastructure to attack
• Experiencing serious threats
• Illegal activities in Cyberspace Result in:
• Damage to Basic Rights of Society and Individuals
• Theft of Personally Identifiable Information
• Infringement of Intellectual Property
• Threat of Anti-Government Messages within Cyberspace including:
• Spread of Terrorism and Extremist Ideology
• Messages against, and for overthrowing, China’s sovereignty
• Messages that Threaten National Security
China Cybersecurity Law Structure
• Issued on 11/7/2016
• Takes effect on 6/1/2017
• Contains 7 Chapters, 79 Articles
• Purpose:
• Sovereignty in Cyberspace
• National Security
• Rights of Citizens (Both Chinese & Non-Chinese)
• Plan to roll out measures:
• Monitor, Defend, and Handle Cybersecurity Risks & Threats
• From within China and Overseas Sources
• Protect Critical Information Infrastructure from Attack, Intrusion, Disturbance and Damage
• Early Warning System for Incident Response
China Cybersecurity Law Focus
• Focus on:
• Network Operations Security
• Network Products & Services
• Network Operators
• Critical Information Infrastructure
• Network Information Security
• Personal Information
• Important Information (not clearly defined)
• Monitoring, Early Warnings and Emergency Responses
• Cybersecurity Incident Response Readiness
Definitions from the China Cybersecurity Law
Network: A system which is composed of computers and other information terminals and associated equipment, which collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures.
Network Operator: A network owner / manager or a network service provider.
Network Security: Taking necessary measures to prevent network attacks, intrusions, interference, destruction and any unlawful use, as well as unexpected accidents; to put the networks in a state of stable and reliable operation, as well as ensuring the capacity for network data to be complete, confidential and usable.
Network Data: All kinds of electronic data collected, stored, transmitted, processed, and produced through networks.
Personal Information: All kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity, including, but not limited to, natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.
Critical Information Infrastructure: Information infrastructure which, if sabotaged or suffering from malfunction or data leakage, could seriously harm national security, governmental strategies, people's livelihood, or public interests. This includes but is not limited to public telecommunication and information services, energy, transportation, water conservancy and irrigation, financial and public services, and electronic communication.
China Cybersecurity Law Structure - Summary
Cybersecurity Law chapters:
• General Provisions
• Support and Promotion of Network Security
• Network Operations Security
• Network Information Security
• Monitoring, Early Warnings and Emergency Responses
• Legal Responsibility
• Supplemental Provisions
Focus on:
• When responding to major public security incidents, the State Council can approve temporary measures such as restricting network communications in certain regions.
• Network operators shall require users to provide real identity information when signing service agreements.
• Personal information and other important data gathered or produced by critical information infrastructure operators during operations within mainland China shall be stored within mainland China. Before transmitting this information outside of China, businesses must obtain the Cyberspace Administration's certification.
• Support network technology development, the training of new talents and the creation of products and services benefiting minors.
• Specified punishments for foreign organizations and individuals attacking and damaging critical information infrastructure.
Who Will be Impacted
• Network Operators
• Network Product and Service Providers
• Critical Information Infrastructure Operators
• Organizations inside and outside of China
• Individuals (Chinese and non-Chinese citizens) who use or manage a regulated network
Sovereignty in Cyberspace
• Absolute power and right to safeguard the cyberspace of China
• Regulate the construction, operation, maintenance and use of networks in China
• The Chinese government may claim sovereignty over a network if all, the majority of, or the core functional servers and equipment that constitute the network are located in China
Special Protection of Critical Information Infrastructure (CII)
• Data Localization
• Personal information and important data must be stored in China
• Important data is NOT defined
• National Security Procurement Review (by Cyberspace Administration)
• CII operator’s procurement of network products and related services must be certified and is subject to national security review
• Background Checks
• Target: persons in charge of network security and in critical positions
Special Protection of Critical Information Infrastructure (CII) Cont.
• Vendor Confidentiality Agreement
• Imposes specific security and confidentiality obligations on vendors’ supply of products and services
• Annual Security Risk Assessment
• Can be run either by the CII operator or by a third-party network security service provider
• The risk assessment report, together with any corresponding improvement plans, must be submitted to the responsible authority
Network Operations
• Network operators shall perform the security protection duties required by the tiered network security protection system to ensure the network avoids interference, damage or unauthorized access, and to prevent network data leaks, theft or falsification:
• Establish an Information Security Management System (ISMS)
• Adopt technologies to prevent virus attacks and network intrusion
• Adopt technological measures for monitoring and recording network operational statuses and network security incidents, and follow relevant provisions to store network logs for at least six (6) months
• Establish technical controls such as data classification, backup of important data, and encryption
• The Network Information Dept. and State Council jointly release a catalog of critical network equipment and specialized network security products, and promote reciprocal recognition of safety certifications and security inspection results
Applicability to Non-Chinese Citizens & Organizations
• Cybersecurity Law protects not only Chinese citizens (Personal Information) but also Non-Chinese citizens who use the services provided by the regulated networks
• Cybersecurity Law does not limit its enforcement and penalty-issuing authority solely to network security violations committed by network operators in China, but rather extends this authority to operators of regulated networks where the operators reside outside of China
• Article 75 – Legal action will be pursued against foreign institutions, organizations, or individuals that engage in attacks, intrusions, interference, damage or other activities endangering the critical information infrastructure of the People's Republic of China, and cause serious consequences
• International exchange and cooperation activities to fight against international cybercrime
• Freeze assets, or take other necessary sanction measures
Personal Information (Privacy) Protection
• Keep collected personal information strictly confidential
• A foreigner’s personal information is not excluded
• Network Operators must disclose the method of collection, the purpose, the scope of the collection and use of personal information
• Network Operators must not disclose, tamper with, or destroy personal information they gather; they also must not provide personal information to others unless the user gives consent
• Sharing of de-identified information is allowed
• Individuals have the right to access their own personal information
• Request to delete their personal information
• Request to correct inaccurate information
Information Censorship
• Network operators must censor the information posted on their websites or transmitted through their systems
• Must remove or stop the transmission of illegal information
• Must maintain records and report to the government
• Network operators must establish and maintain a special channel for public complaints and reports of any compliance issues or violations and must process received complaints in a timely manner
• (Whistleblower Protection) Relevant departments shall preserve the confidentiality of the informants' information and protect the lawful rights and interests of the informant
Technical Support and Assistance
• In the name of National Security, Network Operators must provide technical support and assistance to national security agencies when investigating criminal cases or activities to safeguard national security
• It is unclear what type of technical support and assistance will be required
• It is also unclear whether there will be compensation for such support and assistance
Additional Notable Clauses
• Network Products and Services Compliance Requirements
• Conform to the mandatory national standards
• Key network equipment and network security specialty products must pass the security certification or inspection
• Real Name Authentication
• All network operators must obtain true identity from users before providing network services to them
• Specific measures for real name authentication are not stipulated
• Emergency (Incident Response) Planning
• Prepare practical and comprehensive plans to deal with security incidents
• Conduct periodic incident response exercises
• Temporary Restrictions on Network Communications
• State Council may decide to take temporary measures to restrict the network communications in a specific region
China Cybersecurity Law Structure – Summary Recap
Cybersecurity Law chapters:
• General Provisions
• Support and Promotion of Network Security
• Network Operations Security
• Network Information Security
• Monitoring, Early Warnings and Emergency Responses
• Legal Responsibility
• Supplemental Provisions
Focus on:
• When responding to major public security incidents, the State Council can approve temporary measures such as restricting network communications in certain regions.
• Network operators shall require users to provide real identity information when signing service agreements.
• Personal information and other important data gathered or produced by critical information infrastructure operators during operations within mainland China shall be stored within mainland China. Before transmitting this information outside of China, businesses must obtain the Cyberspace Administration's certification.
• Support network technology development, the training of new talents and the creation of products and services benefiting minors.
• Specified punishments for foreign organizations and individuals attacking and damaging critical information infrastructure.
Road to Compliance
Regulatory Requirements and Regulatory Compliance Readiness:
• Requirement: Personal information must be securely managed and stored. Readiness: Build an adequate customer data and privacy information protection program.
• Requirement: Businesses considered Critical Information Infrastructure must utilize Government-approved equipment and software. Readiness: Update the overall IT strategy and equipment / software procurement program.
• Readiness: Establish a solid incident response plan.
• Requirement: Government may temporarily shut down or restrict regional Internet connections due to a major incident. Readiness: Establish a Business Continuity Plan.
• Requirement: Government has the authority to conduct a security risk assessment on a business’ products and services to identify threats such as product vulnerabilities and backdoors. Readiness: Establish a sound Risk and Vulnerability Management program.
• Requirement: Businesses considered Critical Information Infrastructure must coordinate with the certifying authority to complete the security certification process at a defined frequency. Readiness: Establish a self-assessment and internal Certification program.
Sample Action Plan
• Inventory: identify businesses, systems, and applications that may be impacted by the China Cybersecurity Law. Don’t forget the 3rd party service providers.
• Train your staff on the China Cybersecurity Law
• Conduct a Business Impact Analysis and Privacy Impact Assessment on the inventory of systems and applications
• For impacted systems and applications, conduct a security risk assessment and identify whether there are equipment and software that are not certified by the Government. If so, establish a replacement plan
• Review the Personal Information (Privacy) Protection Program to ensure existing practice meets regulatory compliance, especially on data localization within China. Make proper adjustments to the IT environment as necessary prior to the June 1, 2017 deadline
• Review the Incident Response Plan to ensure it is adjusted to the realistic requirements, then train your staff
• Review and ensure network systems retain logs for a minimum of 6 months as required
Company’s Responsibilities - Summary
Management System
- Assign an Individual Responsible for Security
- Security Policies
- Define Responsibilities
Prevention Controls
- Malware
- Network Intrusion
- Data Leak
- Cyber Crime / Fraud
Monitoring & Incident Response
- Network & System Monitoring
- Root Cause Analysis
- Incident Investigation & Remediation
- Periodic Incident Response Drill
Business Continuity / Disaster Recovery
- Readiness for Natural & Human Disaster Recovery
- Performing Backups
- Communications During a Disaster
Information Protection
- Protect Personal Information
- Protect Important Information
- Disclose Info Management Policy
- Keep Regulated Info within China
Certification / Risk Assessment
- Certification & Audit
- Security & Risk Assessment
- Issue Remediation
- Continuous Enhancement
Security Awareness Training
- Conduct Network Security Training
- Conduct Security Awareness Training
- Confidential Information Protection
- Skill Evaluation on Employees
References - English
• China Cybersecurity Law (中华人民共和国网络安全法) (Official)
• http://www.cac.gov.cn/2016-11/07/c_1119867116.htm (Chinese)
• China Cybersecurity Law (Unofficial) Translation
• http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en#PohPuA0mSpIRCx0t.99 (English)
• China adopts law on cybersecurity
• http://english.gov.cn/news/top_news/2016/11/08/content_281475486222054.htm (English)
• China announces cybersecurity strategy
• http://english.gov.cn/state_council/ministries/2016/12/27/content_281475526667672.htm (English)
• Government stats on increase of Cybersecurity complaints - up 129% in 2015 in China
• http://english.liuzhou.gov.cn/news/world/201605/t20160526_881725.htm (English)
References - Chinese
• China Cybersecurity Law (中华人民共和国网络安全法) (Official)
• http://www.cac.gov.cn/2016-11/07/c_1119867116.htm (Chinese)
• Cyberspace Administration of China (国家网信)
• http://www.cac.gov.cn/ (Chinese)
• Tiered Security Certification (中国网络安全等级保护)
• http://www.djbh.net/webdev/web/HomeWebAction.do?p=init (Chinese)
• National Information Security Standard Council (全国信息安全标准化技术委员会)
• http://www.tc260.org.cn/zqyj.jsp (Chinese)
• China’s National Cyber Space Security Strategy (国家网络空间安全战略)
• http://www.tc260.org.cn/zdetail.jsp?id=20161227164432 (Chinese)
• China’s National Computer Virus Emergency Response Center (国家计算机病毒应急处理中心) & Anti-Virus Products Testing and Certification Center (计算机病毒防治产品检验中心)
• http://www.cverc.org.cn/index.htm (Chinese)
Thank You!
Kyle Lai, CISO, CPO, Head of Security Services, Pactera Technologies N.A.
[email protected]
linkedin.com/in/kylelai
Security Services Contact: Mike [email protected]