With only a few months left before the Cybersecurity Law (CSL) comes into force on 1 June 2017, questions are multiplying about the effective scope of the CSL, its content and the various effects it will have on the Chinese digital economy. Most of the points currently under discussion concern the definition of Critical Information Infrastructure in Article 31, the doctrine behind the definition of personal information in Article 76.5, or the enforcement mechanisms of the law. The second-order effects of the CSL, however, remain largely unexplored, and may come as a major surprise at the time of enforcement, with a risk of non-compliance for numerous companies. This article covers the obligation set out in Article 21.3 of the CSL on network monitoring and logging, and its effect on Shadow IT.

How the monitoring of networks will hunt down Shadow IT

To understand the effect of Article 21.3 on Shadow IT, we first need to define clearly which networks are covered by the CSL, and what Shadow IT means within this article. Under the CSL, networks are defined in Article 76.1 as "systems constituted by computers or other information terminals and relevant equipment to collect, save, transmit, exchange, and process information".

Networks are further qualified in Article 9, which requires them to be part of a Network Operator's business and service activities in order to fall within the scope of the law. We must therefore understand networks covered by the CSL as any:

  • electronic means of data transmission (e.g., Wi-Fi, Bluetooth, Ethernet)
  • connection between two or more information terminals (e.g., computers, smartphones, smart devices)
  • equipment that contributes to the Network Operator's business and service activities

Such an understanding of the notion of network under the CSL leads to an extensive application of the CSL to Network Operators, on both their internal and external networks. For example, if an employee accesses his or her corporate mailbox from a personal smartphone, that connection falls under the definition of a network: it constitutes an electronic means of data transmission between two or more terminals (the smartphone and the mail server, among others), and it contributes to the Network Operator's business and service activities, since access to the corporate mailbox is required for the employee's job function.

Since Article 21.3 requires the monitoring of networks, the problem that immediately arises for IT specialists is that the known and already monitored network is only a fraction of the network actually used by employees. Like an iceberg, a company's network has a "tip" that is known and approved, and a submerged part that is unknown and/or unapproved by the relevant stakeholder: the Shadow IT. While no settled definition of Shadow IT exists yet, this article defines Shadow IT as any IT solution or device that is unapproved by, or unknown to, the relevant department of a company. The core of the problem is this: how are Network Operators supposed to monitor, and record the logs of, networks whose very existence is unknown to them or unapproved?

How would a Network Operator monitor access to its internal Wi-Fi if users create multiple rogue hotspots to "ease" the use of that network among their own devices? The question can be phrased in many forms, but the answer remains the same: it simply cannot be done. Only one path is therefore left open to Network Operators willing to comply with their obligation to monitor their networks and record their logs: hunting down the Shadow IT.

Remedies for compliance

Essentially, compliance is the best way to avoid the trouble of an uncontrolled network, which could lead to fines of RMB100,000 under Article 59 or, worse, to a network being used for cybercriminal activities, punishable by up to RMB1,000,000, 15 days of detention and confiscation of the illegal gains under Article 63. Strict monitoring and management of the network is required of any entity in China that meets the definition of a Network Operator, in order to hunt down its Shadow IT, but that alone will not be enough.

While strict and automated monitoring of the network can prevent some Shadow IT from forming, it must be remembered that most Shadow IT cannot be fully monitored, because it bypasses the channels the Network Operator monitors, for example by using 3G and 4G mobile data instead of the corporate network. This can lead not only to non-compliance with Article 21.3 but also to non-compliance with other provisions of the CSL, such as the data protection provisions of Article 41, if the data transferred through the Shadow IT contains personal information (e.g., an employee uploading client information to a third-party SaaS without the client's consent). It is therefore critical for Network Operators to conduct regular training among their employees, so as to improve their understanding of the IT rules and of the value of cybersecurity (along with the risks of acting in a non-compliant way).

This training should be reinforced, depending on the Network Operator's internal policies on the use of information devices, by a Bring Your Own Device (BYOD) policy that allows employees to use their own devices under specific conditions set by the IT department (e.g., remote wiping and baseline security measures on the devices). A BYOD policy gives employees greater flexibility and gives the IT department a clear list of the devices and potential networks to monitor, which is needed to build a data inventory (which can in turn feed the contingency plan required by Article 25). If employees bring their own devices to work without proper vetting, the IT department may have difficulty assessing the vulnerabilities of its networks and, in the worst case, be unable to prevent a data breach by employees whose devices already carry malware, for lack of intelligence on the devices that make up the network.
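The practical counterpart of the device list and data inventory described above is a reconciliation of what the network actually observes against what IT has approved. The following is an added example (not code from the article or from any regulator) that applies the definition of Shadow IT used here, "unknown or unapproved", to two constructed log sources: DHCP lease records, to surface devices absent from the approved inventory, and forward-proxy records, to surface bulk uploads to SaaS destinations that IT has not vetted (the Article 41 scenario of client data sent to a third-party SaaS). The approved device register, the vetted SaaS list, the MAC addresses, hostnames and every log line are hypothetical and constructed for illustration; the log formats are simplified and would need adapting to a real DHCP server and proxy. Note that, as the article says, traffic that leaves over 3G/4G never reaches these logs, so this only maps the part of the iceberg the Network Operator can see.

```python
"""Shadow IT reconciliation: compare what the corporate network actually sees
with the approved device and SaaS inventory. Added illustration; all devices,
destinations and log lines below are constructed, not taken from any real site."""
import re
from dataclasses import dataclass

# Hypothetical approved-device register (MAC -> owner), as a BYOD policy would produce.
APPROVED_DEVICES = {
    "aa:bb:cc:00:00:01": "alice-laptop",
    "aa:bb:cc:00:00:02": "bob-phone",
}

# Hypothetical list of SaaS destinations vetted by IT for client data.
APPROVED_SAAS = {"crm.example-approved.com", "mail.corp.example"}

# Constructed DHCP server log lines (simplified dnsmasq-like format): ip mac hostname.
DHCP_LOG = """\
2017-03-01 09:00:01 DHCPACK(eth0) 10.0.0.11 aa:bb:cc:00:00:01 alice-laptop
2017-03-01 09:02:17 DHCPACK(eth0) 10.0.0.12 aa:bb:cc:00:00:02 bob-phone
2017-03-01 09:05:43 DHCPACK(eth0) 10.0.0.20 de:ad:be:ef:00:01 android-tether
2017-03-01 09:07:09 DHCPACK(eth0) 10.0.0.21 de:ad:be:ef:00:02 HP-Printer
"""

# Constructed forward-proxy log lines: date time client_ip method host bytes_sent.
PROXY_LOG = """\
2017-03-01 09:10:00 10.0.0.11 GET  mail.corp.example 512
2017-03-01 09:11:30 10.0.0.11 POST crm.example-approved.com 204800
2017-03-01 09:12:05 10.0.0.20 PUT  drop.unvetted-share.example 5242880
2017-03-01 09:13:40 10.0.0.12 POST notes.personal-saas.example 1048576
2017-03-01 09:14:10 10.0.0.12 GET  notes.personal-saas.example 300
"""

DHCP_RE = re.compile(r"DHCPACK\(\S+\)\s+(?P<ip>\S+)\s+(?P<mac>[0-9a-f:]{17})\s+(?P<host>\S+)")
PROXY_RE = re.compile(r"\S+ \S+ (?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)")


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


@dataclass(frozen=True)
class Upload:
    ip: str
    host: str
    bytes_sent: int
    mac: str  # "unknown" when no lease maps the client IP to a device


def parse_leases(log):
    """Extract (ip, mac, hostname) from each DHCPACK line; other lines are ignored."""
    leases = []
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"]))
    return leases


def unknown_devices(leases, approved=APPROVED_DEVICES):
    """Devices the network handed an address to but the inventory does not know:
    Shadow IT candidates in the article's sense (unknown to the IT department)."""
    return [lease for lease in leases if lease.mac not in approved]


def unapproved_uploads(log, leases, approved=APPROVED_SAAS, min_bytes=64 * 1024):
    """Outbound POST/PUT of at least min_bytes to hosts outside the vetted SaaS list,
    attributed back to a device through the DHCP lease held by the client IP.
    Small requests are skipped so that ordinary form posts do not drown the report."""
    ip_to_mac = {lease.ip: lease.mac for lease in leases}
    findings = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m or m["method"] not in {"POST", "PUT"}:
            continue
        size = int(m["bytes"])
        if m["host"] in approved or size < min_bytes:
            continue
        findings.append(Upload(m["ip"], m["host"], size, ip_to_mac.get(m["ip"], "unknown")))
    return findings


def shadow_it_report(dhcp_log=DHCP_LOG, proxy_log=PROXY_LOG):
    """Combine both views: unknown devices, and bulk uploads to unvetted destinations
    (the latter can also come from an approved device, as bob-phone does below)."""
    leases = parse_leases(dhcp_log)
    return {
        "unknown_devices": unknown_devices(leases),
        "unapproved_uploads": unapproved_uploads(proxy_log, leases),
    }


if __name__ == "__main__":
    report = shadow_it_report()
    for lease in report["unknown_devices"]:
        print(f"unknown device {lease.mac} ({lease.hostname}) at {lease.ip}")
    for up in report["unapproved_uploads"]:
        print(f"{up.bytes_sent} bytes from {up.ip} ({up.mac}) to unvetted host {up.host}")
```

On the constructed data the report lists two devices missing from the register (the tethering phone and a printer nobody declared) and two bulk uploads to unvetted SaaS hosts, one of them from an approved device. The second finding is the point of the Article 41 discussion: an inventoried device is not the same as inventoried data flows, so the approved-destination list has to be maintained alongside the device list.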

Ultimately, if taken seriously, the CSL will have a major effect on how Network Operators handle Shadow IT. Such an overhaul of the relationship between Network Operators, their employees and compliance could greatly improve employees' cybersecurity and data protection awareness, leading to a better understanding of why the network must be protected. We strongly believe that this push for Network Operators to better understand their own networks will lead to a reduction of Shadow IT, out of the need to control those networks, which could result either in better relations with employees, or in employees developing new obfuscation techniques to bypass the Network Operator's restrictions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.