Companies in China are worried that they may be held accountable for conforming to high-stakes, but voluntary, cybersecurity standards before the specifics of those standards become clear. The new standards can apply to all systems and platforms that deal with data in China.
Put simply, China’s Multi-Level Protection Scheme (MLPS), officially launched in 2004 and overseen by the Ministry of Public Security (MPS), classifies systems based on the damage that a hypothetical failure of the system would have on China’s national and economic security. Rating systems on a 1 to 5 scale, systems ranked at 3 or higher are considered higher-stake, and subject to notably stricter oversight by China’s cyber regulators, including restrictions on how companies are allowed to handle the data they collect.
MLPS 2.0 is not a “new” system, but some of its concepts are
As part of the 2017 Cybersecurity Law’s implementation, the Standardization Administration of China (SAC) released a batch of standards that expand, rather than replace, the scope of the MLPS. The “MLPS 2.0” is a much-needed update, and now covers cloud computing, mobile networks, the internet of things, and other modern technologies. For companies, the expansion is only half of the equation.
China’s Cybersecurity Law introduced several new concepts referenced in MLPS 2.0, such as data localization, personal information, and cross-border data flow, all of which have huge implications for foreign and domestic businesses in China. The big kicker, though, is that MLPS 2.0 is up and running while the regulations that clarify what these concepts actually mean are still in draft form, leaving companies with little ground to stand on if their compliance comes into question.
MPS is not the only regulator with skin in the game. The Cyberspace Administration of China (CAC) also has its own regime for systems deemed to be “critical information infrastructure” (CII). Though CAC has taken some steps to clarify the definition, in essence, CII is defined roughly as a network that “if destroyed, suffering a loss of function, or experiencing leakage of data—might seriously endanger national security, national welfare, the people’s livelihood, or the public interest.” The overlapping criteria for CII and higher-ranked MLPS systems raise questions about how the two schemes will interact.
Industry insiders seem to think that CII will correlate with a 3 or higher ranking in the MLPS system. Even if this is true, companies may still have to undergo redundant testing while MPS and CAC vie for dominance in this arena.
Some companies unsure of next steps
While some companies have taken the preliminary step of self-evaluating where their systems fall under the MLPS 2.0 system, others have begun filing with MLPS directly. Filing with the MLPS has its benefits; for one, if you are a consulting company, having gone through the process yourself allows you to advise clients on how to do the same. Filing now could also reduce the risk of being targeted for non-compliance for politically motivated reasons in the future, an increasing possibility as US-China bilateral tension grows. On the other hand, when companies file in the MLPS system, they open themselves up to the potential for deeper and more frequent probing and inspections by the Chinese government, as well as the potential for sensitive information to be leaked in the process. Industry sources have reported feeling implicit pressure to file at a higher grade, despite the criteria not being entirely clear.
Until regulations undergirding the MLPS 2.0 standards are finalized, companies have little incentive to comply with a regime perceived as unfinished or subject to change. Any future modification of the requirements could prove costly to a company currently investing resources to be compliant with the current regime.
Companies that have charged forward and begun the process have gotten mixed results. Third-party testing agencies approved by MPS to help companies test the security of their networks against their MLPS grading level have been known to have a shaky understanding of the regulations themselves. One company reported that a testing agency determined the company’s system could not be compliant unless the company bought the testing agency’s software, bringing the agency’s impartiality into serious question. Given that there are hundreds of qualified testing agencies, it is not surprising to hear companies report varying experiences, but these reports do indicate that it may take some time before all agencies are on the same page as MLPS 2.0 continues to roll out.
The result? Many companies are taking the wait-and-see approach.
Antonio Douglas is a business advisory services manager at the US-China Business Council, based in Beijing. He covers issues in the ICT sector.