US CISA Announces Final Cybersecurity Regulations for Limited Bulk Data Collection


Cyber Defense Agency Aims to Strengthen Protections Against Chinese Intrusion

A final rule from the Cybersecurity and Infrastructure Security Agency concludes a Biden administration initiative to limit the bulk transfer of Americans’ data to adversary nations including China. (Image: Shutterstock)

New regulations mandate that Americans involved in selling or sharing sensitive bulk data with Chinese firms comply with stringent cybersecurity measures aimed at preventing Beijing’s access to sensitive and identifiable information.

The Cybersecurity and Infrastructure Security Agency (CISA) recently published a final rule establishing these requirements, shortly after the Department of Justice announced regulations to curb bulk data transfers to nations deemed adversaries, specifically China, Russia, and Venezuela. The rule is part of an ongoing effort to strengthen data privacy and national security.

Under the new cybersecurity framework, U.S. individuals participating in restricted transactions must maintain routinely updated inventories of their systems and implement incident response plans. They must also collect logs for covered systems and ensure that unauthorized devices are not connected to these critical assets. The covered-system designation mainly applies to systems that handle sensitive data “in bulk”; it does not extend to systems that primarily process individual users’ data at a smaller scale.

This regulatory move strongly reflects a high-level concern within the federal government regarding adversaries’ access to bulk personal data of Americans, as addressed in a recent executive order issued by President Biden.

The rise of machine learning and artificial intelligence has heightened the risk posed by such data exposure and fueled fears of data weaponization. Moreover, Beijing has shown longstanding interest in acquiring extensive data on American citizens, underscoring the need for rigorous cybersecurity measures.

The finalized rule also includes modifications aimed at easing compliance burdens. Notably, some originally stringent requirements around network visibility have been relaxed, mandatory firmware updates have been eliminated, and the deadline for mandatory access revocation has been loosened from “immediate” to “prompt.” CISA emphasized that it calibrated these requirements thoughtfully, aiming to balance national security imperatives with regulatory feasibility.

CISA has also adopted a new approach to managing known vulnerabilities in internet-facing systems, urging organizations to follow a risk-based strategy that prioritizes critical assets and remediates vulnerabilities within a 45-day timeframe. Password requirements have changed as well: the minimum length has been adjusted from 16 to 15 characters for systems not using multi-factor authentication, with the stated aim of promoting stronger password hygiene across IT systems.

This regulatory action comes at a time when U.S. entities face a wave of cyberattacks linked to Chinese cyber operatives, particularly against critical infrastructure and federal agencies, such as the recent breach of the Treasury Department’s sanctions office and the infiltration of multiple telecommunications firms. CISA and the DOJ have yet to respond to inquiries for more information.
