The Cyber Defense Agency is taking steps to enhance protections against Chinese intrusion by implementing strict cybersecurity rules for individuals and organizations engaging in restricted transactions with Chinese firms. The goal is to prevent Beijing from accessing sensitive, identifiable, or easily decrypted data.
Recently, the Cybersecurity and Infrastructure Protection Agency (CISA) issued a final rule that requires individuals involved in restricted transactions to adhere to stringent cybersecurity measures. These measures include maintaining updated inventories of system assets, developing incident response plans, collecting logs for covered systems, and implementing processes to prevent unauthorized hardware from connecting to covered assets.
The final rule specifies that covered systems are those that handle sensitive data in bulk; systems that primarily interact with individual user data without bulk interaction are excluded. Additionally, any systems that interact with government-related data are considered covered systems. Such data includes data containing the geolocation of national security or military facilities, or data containing links to government employees and contractors.
This new cybersecurity requirement follows a February executive order from President Joe Biden, which identified adversary countries’ access to Americans’ bulk sensitive personal data as a national security concern. The concern over the weaponization of data has grown with advancements in machine learning and artificial intelligence, coupled with China’s longstanding interest in acquiring bulk data on Americans.
The final CISA rule includes revisions from an earlier draft to facilitate compliance, such as softened requirements on network visibility, removal of mandatory firmware updates, and adjusted access revocation timelines. The agency aimed to balance regulatory burden, technical feasibility, and flexibility with national security needs.
Additionally, CISA introduced a new approach requiring organizations to address known exploited vulnerabilities in internet-facing systems through a risk-based strategy. Critical assets are prioritized, and remediation must occur within 45 days. The agency also revised its password rule, lowering the minimum password length for systems without multi-factor authentication.
These final rules come in response to a series of Chinese-linked cyberattacks targeting U.S. critical infrastructure and federal agencies. Recent incidents include breaches of the Treasury Department’s sanctions office and hacking of telecommunications firms across the country.
As the Cyber Defense Agency and the Department of Justice work to strengthen cybersecurity defenses against Chinese intrusion, it is crucial for individuals and organizations to comply with the new rules and take proactive measures to safeguard sensitive data from malicious actors. Neither agency immediately responded to requests for comment on the new regulations.