Our Blog

What Does China’s Cryptography Law Mean to Developers?

Jan 15, 2020 Shin-Ming Liu

The China ‘Cryptography law’ was endorsed by China’s top legislature in October 2019 and came into effect on January 1st, 2020. It applies to the transformation of information to a form that is protected and secure through the use of cryptology, when it is being transmitted from one place to another or being stored. For most organisations, the law means that technical assessments must be conducted to ensure compliance. The law provides for any company to be subject to national security reviews as certain government departments have the right to conduct random inspections. Overall, this law is a positive step for boosting commercial encryption and setting legal norms. However, today only the regulatory framework exists, and much is missing in terms of the detailed specifics regarding the scope and measures that organisations must take. This will of course become clearer over time as the relevant government bodies organize the formulation of national and industrial standards. But what can be done in the meantime without these explicit guidelines?

Before we answer this question, let’s take a closer look at the law. In general, the cryptography law refers to what must be done in the public sector to protect state secrets (core and common cryptography) and the commercial sector which is for the protection of information that does not contain state secrets, and can be used by citizens, legal persons and organisations. The law marks another step in the Chinese government’s effort to legislate key areas of the internet and make sure that overarching legislation related to core online infrastructure align.

When developing software applications in the commercial sector, the need to utilize cryptology is key to defend against malicious attacks that tamper with data. For example, code injections which are at the top of the OWASP threat list are commonly used for unauthorised access and the retrieval of sensitive information from a system. The business impacts of broken cryptography can include privacy violations, information theft, code theft, intellectual property damage and reputational damage. For the commercial aspect of the new law, failure to comply can result in large fines to your organisation of up to RMB1 million. Application Security, which refers to building in secure code at the coding phase of software development through the use of tools such as static code analysis, has never been more important than now.

The use of code review tools is now par for course in many parts of the world, notably Europe where data privacy laws have been introduced and the EU is actively penalizing large and small businesses. Static code analysis alongside peer to peer code reviews are crucial components for monitoring and ensuring source code quality. We all know it is impossible to eliminate all attacks as malicious hackers become more sophisticated day by day. However, if an organisation does not address known software vulnerabilities that have been identified by software development communities, they are without a doubt failing to meet their ethical and now legal obligations. The use of static code analysis to identify vulnerabilities including where encryption is not being used is essential.

So, to answer the question about what can be done whilst waiting for detailed guidelines about the encryption law, it is clear that as well as assessing existing software applications, new applications should be analysed too. This should happen whilst they are being developed by tools that can identify broken and weak encryption points. Xcalibyte’s static code analysis tools help developers build and deploy high quality, compliant and vulnerability-free source code. As part of our ruleset, we actively scan for weak cryptography and lack of encryption where encryption is required which provides an efficient way of ensuring that your legal requirements are being met for the cryptography law. We will be keeping a close eye on the standards implemented by government and ensure that our solutions can help our clients adhere to them. Take action now and don’t wait to be randomly selected for a government inspection.