China’s President Xi Jinping has made a point of emphasizing the importance of law in China and the promotion of the rule of law at the base of Chinese Communist Party governance and power. Like any law, Chinese law expresses national policy. In China, management and control of cyberspace and law go hand in hand, and cyber law proceeds from the big picture to data security, protection of personal information, and management of network product security vulnerabilities.
China’s legal regime governing cyberspace includes three principal data laws, as well as dozens of administrative guidelines, including the recent Provisions on the Management of Network Product Security Vulnerabilities. Taken together, they reveal a sophisticated and dynamic regulatory system that the Chinese Communist Party will continue to strengthen as it pursues technological supremacy.
Over the last five years, China has produced and revised legislation and administrative regulations governing information communication technologies (ICTs), personal information, data, and cybersecurity. Officials have pushed these regulatory developments as an extension of China’s concentration on technological development and as part of an effort to bring the country’s cyber regulatory regime more in line with international standards, particularly those in Europe. These laws, guidelines, and ordinances govern the ways in which individuals and entities within the PRC may process data, interact with information networks, and engage with developing technologies.
Although some may point to China’s authoritarian nature as a reason to be skeptical of the utility of Chinese law in understanding how the State will manage cyberspace, the Party, particularly under the leadership of Xi Jinping, has made a concerted effort to promote the rule of law and expand law-based government administration. Understanding the legal system in China provides insight into how the Party creates, legitimates, and manages power, and in particular shows how State power is experienced by the majority of Chinese citizens through the law and legal institutions.
China’s Cybersecurity Law (CL), effective June 1, 2017, sits at the center of China’s cyber regulatory regime, governing data management and network security and authorizing State organs to both establish and enforce network security requirements. The Cybersecurity Law imposes network security and data protection requirements on network operators – the owners, managers, and providers of networks – and can apply quite broadly under its stated definition of a network. Operators of critical information infrastructure must adhere to even more stringent demands.
This law further defines networks, network operators, network data, cybersecurity, and related subjects such as “Critical Information Infrastructure” (CII). Like other laws in the cyber domain, it requires operators to take steps, including through inspections, to fulfill their duties with respect to management and security. At the same time, the law makes clear that, on the one hand, Chinese citizens have rights and expectations with regard to the management, maintenance, and security of the network.
On the other hand, those responsible for network operations owe a duty to provide technical support and assistance to public officials responsible for national security and law and order. Therefore, privacy rights and the protection of personal information on the network do not shield one from government surveillance. Quite the contrary, the legal regime provides a basis for widespread surveillance and intrusion on personal privacy.
Data Security Law
Effective September 1, 2021, China’s Data Security Law (DSL) was implemented to govern the collection, transfer, use, and storage of data. The DSL applies to all data handling activities that take place within the mainland territory of the PRC as well as certain listed activities outside the country. Depending on the particular classification of data and its relevance to key State interests, such as national security, State and government authorities, network operators, and data handlers must follow requirements dictating how and when data can be collected, how it can be stored, protected, and managed, and when and to whom it can be transferred.
In particular, this law imposes specific obligations on those who collect, transfer, and store data, together with penalties for failure to comply, establishing a comprehensive data definition and regulatory system. Government approval is required prior to any transmission of data to foreign law enforcement officials or agencies, or indeed to any person or entity abroad, without a security assessment, although the law is not detailed about what constitutes a satisfactory security assessment. (Detailed information about security assessment requirements is provided by administrative guidelines, such as the Cybersecurity Review Measures.)
Personal Information Protection Law
Often compared to the European Union’s GDPR, China’s Personal Information Protection Law (PIPL), effective November 1, 2021, provides a comprehensive legal framework governing how domestic and foreign companies may collect, process, and transfer personal data. It requires that personal information handlers establish a “clear and reasonable” purpose in order to process personal information and sometimes imposes separate consent requirements as well. The law also lists the responsibilities of data processors when handling personal information, including the principles to which they must adhere, the security measures that must be followed, and the measures organizations must take in the event of a data breach.
The PIPL creates rights for individuals whose personal information may be processed, including rights of amendment and deletion. It imposes obligations on private and government entities, sets limitations on retention and storage location, and prohibits transfers under certain conditions. Its requirements have been clarified and expanded by subsequent regulations and guidelines published by regulatory bodies such as the Cyberspace Administration of China.
The PIPL appears to establish a comprehensive, detailed, and deep regime for the collection, storage, dissemination, and protection of personal information. In this respect, it seems to share goals with the EU and other western regimes regulating the same categories of data. Unlike the situation in the EU, however, the PIPL gives the State broad authority to collect and use personal information as it decides is necessary for national security and in the public interest.
While signage is required to notify people of the collection of data in public places, the government may use such information for public security purposes even where the individual’s consent has not been obtained. Chinese State organs are required to comply with regulations regarding the collection, handling, and storage of such data.
Provisions on the Management of Network Product Security Vulnerabilities
Issued by the Cyberspace Administration of China (CAC), the Provisions on the Management of Network Product Security Vulnerabilities (Provisions) regulate the “discovery, reporting, patching, and publication of software security vulnerabilities.” Covering network operators, hardware and software developers, and any relevant companies or individuals, the Provisions prohibit the use, sale, and disclosure of vulnerabilities.
Under these guidelines, those who discover or encounter vulnerabilities must cooperate with State and government authorities. Further, they are required to report their discovery to the Ministry of Industry and Information Technology (MIIT) within two days and are forbidden from disclosing this information to anyone else without government permission, although they may reveal the vulnerability to the provider of the product or service in which it was discovered.
The Provisions emphasize that knowledge of vulnerabilities is State property, thus tightening the State’s hold over knowledge of their existence, and they apply to all providers of hardware and software located in the PRC. Any person or organization involved in the “discovery, collection, and publication” of network vulnerability information is also covered and must comply.
Within the government, the CAC has overall planning and coordination responsibility with respect to implementing the Provisions, while the MIIT oversees telecommunications and the Internet. The Ministry of Public Security (MPS) is responsible for combatting illegal activities that exploit vulnerabilities.
In particular, the Provisions prohibit: exploitation or use of vulnerabilities to engage in activities that endanger network security; collecting, selling, or publishing information about network product security vulnerabilities; and publication of information about vulnerabilities before the provider has patched the problem, without the prior permission of the MIIT and MPS.
Users must not provide information about vulnerabilities in systems in use, nor exaggerate the hazards and risks of vulnerabilities to extort advantages from vendors. In short, those who discover vulnerabilities operate under serious legal restrictions. They are encouraged to contact providers, who in turn are required to inform the MIIT within two days of discovery.
Frequently Asked Questions
China’s evolving legal and regulatory regime for cyberspace contains a substantial number of prohibitions and reporting requirements, especially with respect to hacking, denial of service, phishing, malware, and cybercrime tools, and related information. Further, the law on Guarding State Secrets creates a wide net for activities bearing on State security and national interests. One result is a likely prohibition on notifying foreign companies about foreign government exploitation of vulnerabilities of Chinese network products.
Even though this regime has been quite specific, there are a number of questions that remain, including:
Is hacking a crime?
The unauthorized access of a computer information system is a crime under Art. 285 of the Criminal Law. A person who violates this provision will face different penalties depending on what kind of computer information system they intruded upon. The Public Security Administration Punishments Law also allows a person to be detained when they invade a computer system in such a way that causes harm to the system (Art. 29). Art. 27 of the Cybersecurity Law prohibits individuals and organizations from illegally intruding into other parties’ networks, disrupting the normal function of the network, or stealing network data.
Denial of service attacks could violate Art. 286 of the Criminal Law (sabotaging a computer information system), Art. 29 of the Public Security Administration Punishments Law (“deleting, changing, increasing or interfering with the functions of a computer information system, which makes it impossible for the system to operate normally”), and Art. 27 of the Cybersecurity Law.
Similarly, a person engaging in phishing, infecting IT systems with malware, distributing or possessing tools to commit cybercrime, participating in identity theft, conducting unsolicited penetration testing, or playing a role in any other activity that “adversely affects or threatens the security… of any IT system” could face penalties under the Criminal Law, the Public Security Administration Punishments Law, and the Cybersecurity Law, in addition to several other rules and regulations.
Note that according to China’s Criminal Law, a crime is committed within the territory of China when “the criminal act or its consequences take place within the territory of China.” Thus, the law could apply to Chinese citizens who commit prohibited crimes outside China’s territory or to foreigners who commit crimes outside of China against the State or Chinese citizens.
Is there a legal basis for obtaining vulnerabilities or offensive cyber capabilities from outside the country?
Art. 7 of the National Intelligence Law obligates Chinese citizens and organizations to “support, assist, and cooperate with national intelligence efforts,” which may include the discovery, disclosure, or exploitation of vulnerabilities. Intelligence agencies may also request that organizations and citizens assist them in their intelligence efforts (Art. 14). Art. 10 of the same law permits “national intelligence work institutions… to use the necessary means, tactics, and channels to carry out intelligence efforts, domestically and abroad.”
Similarly, the Counter-espionage Law, currently under revision, imposes a duty on PRC citizens to “preserve national security, honor and interests.” Per Art. 20, citizens and organizations cannot refuse to facilitate and provide assistance to government and State counter-espionage efforts.
The Data Security Law requires organizations and individuals to cooperate with requests by public security and national security authorities to obtain “data as necessary to safeguard national security or investigate crimes in accordance with law” (Art. 35). The Personal Information Protection Law requires concerned parties to provide assistance and cooperate with government departments “fulfilling personal information protection duties” and forbids such parties from obstructing or impeding these departments in any way (Art. 63).
Art. 7(2) of the Provisions on the Management of Network Product Security Vulnerabilities requires organizations operating within China to report any known software vulnerabilities to the Ministry of Industry and Information Technology within two days of discovery.
While these laws do not create an explicit legal basis for obtaining vulnerabilities or offensive cyber capabilities from outside the country, they do create legal obligations for Chinese citizens and organizations to comply with government requests for data, which can include sharing vulnerabilities or other offensive cyber capabilities that individuals or entities discover.
If China finds a vulnerability being used against its own government, can they legally keep it a secret and use it against other people (e.g., their own citizens or other governments)?
The Law of the People’s Republic of China on Guarding State Secrets defines state secrets as “matters that have a vital bearing on State security and national interests and, as specified by legal procedure, are entrusted to a limited number of people for a given period of time.” These matters are not limited to those related to the military, national security, law enforcement, and foreign affairs, but can also include matters involving “the national economy, social development, science and technology” and anything else Chinese authorities classify as a state secret.
A network vulnerability being used against the Chinese government would almost certainly “have a vital bearing on State security and national interests,” and authorities would likely be able to justify designating it a state secret. The question of whether or not China could then use that vulnerability against other people is less clear, but the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, in addition to other regulations, all provide the State with broad leeway to exercise authority in matters of national security and the public interest.
There is some evidence to suggest that the Ministry of State Security (MSS) delays publishing software vulnerabilities in the National Vulnerability Database (CNNVD) in order to review “high-threat CVEs…for their operational utility.” In one instance examined in Recorded Future’s report, the CNNVD delayed publishing a vulnerability until 57 days after it was disclosed. This vulnerability had been used by, among others, a suspected Chinese threat group to target telecommunication industry analysts and financial firms in Russia and Central Asia. The publication of another vulnerability was delayed for 236 days after disclosure; these backdoors have been connected to Chinese government surveillance of cell phones and internet use.
What is the legal basis for disclosing vulnerabilities to the government before some other entity?
Article 7 of the Provisions on the Management of Network Product Security Vulnerabilities requires organizations to report information about vulnerabilities to the MIIT within two days. The Provisions also prohibit disclosing vulnerabilities, without government approval, to any party other than the provider of the product in which the vulnerability was discovered.
Other laws impose similar reporting requirements on Chinese citizens. The Counter-espionage Law, for example, requires citizens and organizations that discover espionage to promptly report the activity to State security organs (Art. 21).
If a citizen of a foreign government sells an exploit that's used against China (which the citizen is unaware of), have they technically committed a crime in China? Do they risk being arrested if they ever visit China after?
Article 27 of the Counter-espionage Law imposes criminal liability on any extraterritorial institutions, organizations, or individuals that “carry out, or instigate or fund others in carrying out espionage activities.” (For a definition of “espionage conduct,” see Art. 38.) Likewise, when domestic institutions, organizations, or individuals that are linked to foreign entities conduct espionage activities, they may also be subject to criminal penalties. Foreign personnel who violate the Counter-espionage Law may be required to leave the country or be deported (Art. 34). The law does permit some leniency for violators who turn themselves in and/or perform meritorious services. Those who were coerced or induced to participate in espionage activities may avoid prosecution by “promptly and truthfully” reporting the circumstances to a state or public security organ.
A person selling an exploit unknowingly used against China could face imprisonment under China’s Criminal Law, insofar as selling the exploit could constitute providing “special programs or tools specially used for intruding into or illegally controlling computer information systems” (Art. 285). The sale of vulnerabilities could also arguably constitute intentionally “spread[ing] programs such as the computer viruses, thus affecting the normal operation of the computer system,” violating Art. 286 of the law.
Can Chinese intelligence or private industry warn American companies (e.g., Apple) about in-the-wild exploits being used by the American government they've discovered?
Likely not, unless the exploit has already been publicly disclosed or they have the permission of State authorities. The Provisions on the Management of Network Product Security Vulnerabilities require almost immediate disclosure to public authorities and forbid premature disclosure of exploits. Moreover, Art. 9 prohibits anyone from sharing information about an undisclosed vulnerability to “overseas organizations or individuals.” If, however, the vulnerability was discovered within the American company’s product, then the provisions allow for disclosure only to the product’s manufacturer.
Download the full 30 page report below: