Cyber Podcast

3rd Episode June 2022

Chinese Critical Information Infrastructure and Multi-Level Protection

Marcel and I talk about the regulations that protect Chinese networks and information systems. Two closely connected subsystems of China’s cybersecurity regime aim directly at maintaining security in these areas: critical information infrastructure (CII) and multi-level protection. As its name suggests, the Multi-Level Protection Scheme (MLPS) differentiates among networks by assigning them different levels of sensitivity, and network operators must implement protection measures according to their sensitivity classification.
Despite their contemporary connection, the MLPS had existed for several years before regulators started to establish the CII Security Protection System. The MLPS requires network operators to engage in various activities (called “security control points”) that contribute to reaching the overall goal of cybersecurity by advancing the realization of intermediate strategic objectives such as secure boundaries, stable operations, sound management structures, secure communication networks, and competent security personnel. These activities include access control, personal information protection, trust validation, training, centralized control, electricity supply, fire prevention, and staffing.
CII protection complements and, in part, is based on multi-level protection. However, one of the central new features of the CII Security Protection System is the requirement to organize a cybersecurity review for network products and services that may impact national security, particularly if they are employed in CII. Compared to multi-level protection, cybersecurity reviews are highly opaque without detailed evaluation standards and guidelines. This black box design facilitates the ad hoc application of cybersecurity reviews in various regulatory areas, including data governance. Accordingly, cybersecurity reviews have become the instrument of choice used by Chinese regulators whenever they believe that interference is necessary, but other cybersecurity subsystems, such as multi-level protection or cross-border data transfer management, lack the regulations required to justify such interference. In general, the reviews pursue a wide range of goals such as preventing or alleviating supply chain disruptions, espionage, the abuse of user dependencies, unapproved data outflows, and the reliance on high-tech imports.
Interestingly, two cooperating and competing government agencies (the Ministry of Public Security and the Cyberspace Administration of China) each promote one of the partially overlapping multi-level protection and cybersecurity review systems. Their bureaucratic wrangling and contesting regulatory approaches continue to slow down the finalization of standards for CII identification. However, high-tech providers operating in China must be prepared to participate in cybersecurity reviews as the latest government publications highlight the CII concept’s broad reach, including public communication and information services, power production, traffic, water resources, finance, public services, e-government, national defense, and other important industries and sectors.

2nd Episode May 2022

Everyone Must Participate in State Surveillance and Content Filtering

In today’s episode, Marcel and I talk about “online content management,” an official term that, from a Western perspective, involves censorship and the dissemination of propaganda. Companies and online users must engage in self-censorship to “purify” China’s online content ecology. Platform managers and software developers use their creativity to anticipate and comply with far-reaching and vaguely formulated censorship demands. They establish keyword blacklists, complaint portals, etiquette tests, and account management systems. In addition, they can seek support from experienced content management providers and network managers to filter out prohibited images, texts, videos, and live streams.
Online content management is one of the origins and an essential element of China’s cybersecurity regime. Since the mid-90s, China’s major internet service providers have supported centralized information monitoring and filtering at their international gateways and other crucial internet hubs. Today, all of the cybersecurity regime’s subsystems, such as cryptography management and multi-level protection, include requirements for online information control.
Over the last decade, regulators have increasingly decentralized censorship by delegating a great deal of online content management responsibility to content service platforms, users of content services, and content producers. Regulatory agencies can label any organization or individual that uses the internet with at least one of these vaguely defined terms. Thus, everybody can face penalties and low credit scores if they do not comply with censorship requirements, which often must be skillfully predicted. Ultimately, Western platform providers and other companies that offer products and services with “public opinion properties” or “social mobilization capabilities” face a choice: comply with Chinese censorship demands or leave.

The actual enforcement of content management requirements depends on the associated political and economic costs. For example, unfettered access to the software development platform GitHub is indispensable for China's high-tech companies. Government attempts to block GitHub caused public outrage and severe R&D disruptions. Although Chinese censors cannot interfere with the content created and exchanged on this platform, GitHub remains accessible to Chinese developers. 

1st Episode February 2022

Marcel and I will talk about how China’s emerging cybersecurity regime impacts high-tech businesses and online users worldwide.

Over the past decade, China has established complex regulatory frameworks that govern networked value creation and other online activities. These frameworks, sometimes aptly referred to as China’s cybersecurity regime, aim to avoid data misappropriation and ensure smooth IT operations. They support the government in maintaining national sovereignty, military power, inner stability, and economic competitiveness in cyberspace.
From a business perspective, the cybersecurity regime requires companies operating in China to comply with a host of laws and regulations. The rules of China’s emerging cybersecurity regime also significantly affect high-tech companies located in the West that maintain close business relationships with Chinese suppliers and customers. As a consequence, the costs of complying with burdensome and sometimes intrusive cybersecurity demands have increased drastically in many sectors. Managers and entrepreneurs must be willing to defray these costs if they want to profit from China’s rapidly growing IT market. Western companies must develop a profound understanding of Chinese cyber regulation as the People’s Republic has already become an indispensable source of revenue for many foreign high-tech products and services providers.
My recently published book “Chinese Industry 4.0” makes its readers more alert to the impact of Chinese cyber policy on high-tech businesses and online users worldwide. It guides Western companies in the design of cybersecurity-compliant Sinocentric high-tech solutions to improve their chances of succeeding in one of the world’s largest and most dynamic high-tech markets.