WEBINAR | 07.12.2018

CYBERSECURITY IN DIGITAL CHINA

With the kind support of:


AGENDA

I. Introduction
II. Legal Base for Localization
III. Addressee of the CSL
IV. Relevant Data
V. Export
VI. Penalties
VII. Encryption


I. INTRODUCTION

Scenario (diagram): a machine's sensors send data to a central server in the cloud, which collects the data from the various sensors; alongside it sit a local HR server and the headquarters. The diagram raises two questions: Where is the server located? Is data exported?


II. LEGAL BASE FOR LOCALIZATION

• According to the Cyber Security Law ("CSL"):

— Basic rule for data localization: personal information and important data collected by critical information infrastructure ("CII") operators within China shall be stored in China.

— Exception: where it is necessary to provide such information and data abroad due to business needs, a security assessment shall be carried out first.

— Questions:
▪ Who is addressed, and what is CII?
▪ What is important data?
▪ What is personal information?
▪ Whether and how is export allowed?


III. ADDRESSEE OF THE CSL

• What is CII? There is no definition in the CSL, only examples of sectors such as:
— public communication and information services,
— energy, transport,
— water conservancy,
— finance,
— public services and
— e-government affairs,
as well as any other infrastructure whose destruction, loss of function or data leakage could seriously endanger national security, people's livelihood or the public interest.


III. ADDRESSEE OF THE CSL

• How to identify CII? By the operational guidance for the national network security check, in three steps:

1. Step: Identify the industry and the critical business (table, see example)

2. Step: Specify the industry information system or industrial control system

3. Step: Classification, e.g. the incident results in 5 or more deaths or more than 50 persons heavily injured (not in the table)

Example (row from the table):

Industry: Production (raw material, equipment, consumables, electronic production)

Specification:
• Operation management
• Intelligent production systems (Industrial Internet, IoT, intelligent equipment)
• Production and processing of dangerous chemicals as well as their control and storage (chemicals / nuclear)
• Administration and control of high-risk industrial facilities

Flow: 1. Step: choose the field of industry; 2. Step: choose the specification; 3. Step: choose the classification (not in the table).


III. ADDRESSEE OF THE CSL

• Will the data localization rule be limited to CII?
— It may expand to all network operators according to the Draft Security Protection Regulation for CII (July 10, 2017).
— Definition: a network operator is any operator of two or more connected devices; the details are unclear. Read literally, practically every company running an office network falls under this definition.


IV. RELEVANT DATA

• What is important data? Not defined in the CSL, but a draft guideline provides examples, e.g.:
— data closely related to national security,
— economic development and
— societal and public interests.

Example: technical information regarding ventilation systems used in CII. A network-controlled ventilation system used in a metro system is CII-related information.


IV. RELEVANT DATA

• What is personal information? According to the CSL, personal information refers to various types of information that can be used, separately or in combination with other information, to identify a natural person.


V. EXPORT

• When is export of relevant data allowed? According to draft guides and national standards:

― Never allowed to leave the country, e.g.:
▪ Personal data without the informed consent of the person
▪ Information that threatens political, economic, scientific or military security or public order
▪ Others (new rules and regulations / authority discretion)

― Only with an authority assessment and subsequent permission, e.g.:
▪ Data exceeding a threshold regarding relevant data (to be determined)
▪ Any data regarding a failure of data protection or security problems

― Other relevant data: with a self-assessment and no objection by the authorities


VI. PENALTIES

Example: an operator of CII stores network data (relevant data) overseas. Possible sanctions:

• Correction or warning
• Fine of up to RMB 500,000 for the company
• Fine of up to RMB 100,000 for the person in charge or otherwise responsible
• Confiscation of illegal gains
• Suspension of the relevant business
• Closing of the website
• Revocation of the business license or other permissions


VII. ENCRYPTION OF COMMUNICATION

• Virtual Private Networks ("VPN")
— Unlicensed VPNs have never been permitted.
— Since January 2017 there has been a "crackdown".
— The crackdown is mainly directed against providers.
— VPNs may become slower and less reliable due to the closer scrutiny.

• Other encryption: the commercial encryption regulation from 1999 is the latest valid version; a new draft from 2017 has not been enacted.

• Current status (examples):
— Imports have to be registered.
— Only registered encryption products are permitted.
— Keys shall be provided for criminal investigations and national security purposes.
— Registered encryption products can be found on the website of the State Cryptography Administration (OSCCA): http://www.oscca.gov.cn/sca/index.shtml


Freudenberg IT Asia

Cyber Security in digital China, Shanghai, December 7th 2018 / Reto Bless


Freudenberg IT Asia

About us (Freudenberg and Freudenberg IT)

Have you ever ...
… driven in a car?
… used a laptop?
… eaten candies?
… eaten with a fork?
If yes to any one of these, you most probably were in touch with a product of Freudenberg.

Freudenberg IT (FIT):
• Founded in 1995 (spin-off)
• Headquarters: Weinheim
• Employees: ~850 globally
• 175 m€ net sales, thereof >85% outside Freudenberg
• >2,000 managed SAP systems on over 4,500 servers
• FIT in China

Services:
• IT Infrastructure Projects
• Consulting Services
• AMS (Application Management Support)
• Client Services
• Managed Services


Overview Cyber Security Law

What we do as Freudenberg Group

Under the coordination of our corporate legal department in China we made some investigations and talked to other foreign companies with a setup similar to Freudenberg's. The China Executive Team has decided to go for a common approach amongst the Business Groups in China:

A) Doing nothing is not an option.
B) We will assign a law firm to support the procedure (knowledge about the law, self-assessment, documentation).

Fields of action:
1. Perform a cyber security assessment with legal support
2. Assign a Cyber Security Officer
3. Run an awareness campaign for the employees
4. Establish a cyber security handbook/policy (in each Business Group, given that they operate in different businesses)


Overview Cyber Security Law

What we observe so far

1. Car manufacturer: all SAP systems were moved from the HQ in Europe to China.
2. Component manufacturer: decision to run everything separately in China. SAP: create a copy in China (separate company code, on premise at their location).
3. Car component manufacturer: executed already in 2014; all SAP systems were consolidated at the HQ in Europe.
4. Manufacturing company: plan for 2018 is consolidation at the HQ in Europe, no dedicated SAP system in China anymore.
5. Door systems manufacturer: dedicated SAP system for China instead of using the central SAP system for the SAP rollout.

The CSL is only relevant for Mainland China (Hong Kong, Taiwan and Macau are excluded).

There are different motivations behind the companies' decisions; some are influenced by a local, others by a global view. There is no absolute clarity about the consequences of the new regulation.

We recommend:
• Local legal support from a law firm familiar with the new regulation
• There are companies that can provide a CSL assessment (technical and legal)


Overview Cyber Security Law

What we do as Freudenberg IT

FIT Management Service for Connectivity:
• FIT * Link
• FIT Management for WAN
• Partnership with certified MPLS provider
• FIT as single point of contact
• National and international scope

FIT Managed Services:
• Managed Microsoft Applications
• Multi Cloud Orchestration
• Private, Public, Hybrid Cloud
• Managed SAP Applications
• Remote Management Services


Freudenberg IT Asia

How to reach us?

Reto Bless, General Manager

No. 720 Pudong Avenue
International Financial & Shipping Building
Suite L/M, 14th Floor
200120 Shanghai, P.R. China

T +86 186 1630 2266
E [email protected]
W www.freudenberg-it.com


Thank you for your attention


CONCLUSION

• Self-assessment: ask yourself!
— Are you or your customers CII?
— Where is your data located?
— Which data is exported?

• Prepare local data storage and a contingency plan for a temporary stop of data exchange.

• Despite the open questions: action is better than reaction!


DISCLAIMER

Please note that the information and definitions in this presentation are preliminary and often based on draft laws. All information and definitions may be interpreted differently by the authorities of the People's Republic of China or change at any time!

Please note that there are special definitions for state secrets.

The above is for your information only; it does not contain any specific statements on individual cases and does not replace legal consultation. Burkardt & Partner therefore assumes no liability for the content of the presentation or its application to any individual case.

Considerations are partly based on drafts and not on existing laws. The information herein is not conclusive.


CONTACT

Copyright Notice: All rights, including copyright, in these materials are owned by Burkardt & Partner (“B&P”) and may only be

used for personal/non-commercial purposes. Reproduction is subject to prior permission from, and attribution to, B&P.

BURKARDT & PARTNER

Room 2507, 25/F, Bund Center

222 Yanan Road East

Shanghai 200002, PR China

中国上海延安东路222号外滩中心2507室 200002

T +86 (21) 6321 0088

F +86 (21) 6321 1100

[email protected]

www.BKTlegal.com

Note: This presentation is for your information only and does not contain any specific statements on individual cases. Burkardt & Partner therefore assumes no liability for the content or its application to any individual case.


WEBINAR | CYBERSECURITY IN DIGITAL CHINA

Q & A session: we are happy to answer your questions!

With the kind support of:


We look forward to your questions!

Mag. Christina Schösser
Austrian Trade Commissioner
AußenwirtschaftsCenter Shanghai

T +86 (21) 6289 7123
E [email protected]
W wko.at/aussenwirtschaft/cn