Skip to content

Does the new Chinese Cybersecurity law Increase Your Manufacturing or Supply Chain Risk?

That is the question business leaders are asking themselves across the world in light of the new version of China’s Multi-Level Protection Scheme law, known as MLPS 2.0, another Chinese cybersecurity regulation that comes into effect December 1, 2019. An expansion on the existing cyber security laws in China today, this regulation mandates greatly enhanced monitoring and inspection powers by Chinese government officials for all businesses in China, irrespective of ownership makeup, by widening the scope of what constitutes as “critical” and lowering the threshold for requiring government inspection and monitoring.

While this regulation does not guarantee any business will be purposely breached, it does impose a number of concerning controls for non-Chinese entities who seek to maintain confidentiality of their IP and supply chain. By example, while non-Chinese government owned VPN’s have been considered illegal for some time, the rule has not been effectively enforced. Under the MLPS 2.0 it is expected that all businesses connecting out of the country will have to use a Chinese government approved VPN. This one change indicates the government’s willingness to seriously inspect any and all traffic entering or leaving the country, no matter how potentially business sensitive it is.

Previous protections that applied to foreign owned entities have been repealed; this new law applies to virtually all businesses operating in China. With this new business reality, organizations who operate in China, or who rely on supply chain partners who operate in China, have new decisions to make when it comes to managing their Intellectual Property, customer data, and data privacy risks.

For some time, many organizations have accepted the risks of operating in China as the cost of doing business because the threat of government inspection was less likely to apply to a foreign entity. Under the new law, all entities are covered and will likely be “inspected” by local officials who have this new sweeping power and authority. With requirements like complete access included to encrypted or sensitive data, this could effectively mean the end of confidentiality and competitive advantage for many organizations operating in China today.

So, while confidentiality may be much more difficult to maintain, new protection will require an adept cyber security strategy that considers all geolocation and geopolitical considerations.

Organizations should engage in a China specific risk assessment if they or their supply chain operate in China and have access to confidential or sensitive business data. With that said, the exercise will be a muscle building experience as China will not be the last country to exert this new power. There are several nation states who are looking to ramp up their surveillance capabilities.

Posted in

Dave Tyson

Dave Tyson is the Managing Partner of CISO Insights Cyber Security Risk Advisory. Tyson has served as CISO and security leader at organizations including SC Johnson, Nike, PG&E, eBay, and as chairman and president of ASIS. Contact: Dave@cisoinsights.com, (408) 464-5310.

Leave a Comment





Ready to Get Started?

Click on the button below to take the first step towards securing your organization against cyber security threats.

Does the new Chinese Cybersecurity law Increase Your Manufacturing or Supply Chain Risk?

That is the question business leaders are asking themselves across the world in light of the new version of China’s ...
Read More
Marketing Meeting

The Top 3 Cyber Security Risks Every Chief Marketing Officer Should Care About

The Chief Marketing Officer (CMO in many organizations) is on the front lines of two of the largest battle fronts ...
Read More
Castle

Digital Comes of Age

For the past millennia or so, the traditional approach to securing assets has been the utilization of a castle mentality. ...
Read More
Paradigm Shift

A True Paradigm Shift in Security Management

"Cyber Security 1.0" was vulnerability based, and has what I would argue limited and decreasing levels of success as public breaches ...
Read More
Geek Shall Inherit the Earth

The Geek Shall Inherit the Earth………..

At least according to Microsoft a few years ago, and if that’s true then the earth will be led by ...
Read More
IT Security for Physical Security Pro

IT Security for the Physical Security Professional

One of the greatest challenges for a CISO is helping traditional security professionals believe they can learn information security fundamentals ...
Read More
Scroll To Top