China revises law to include certain cyberattacks as ‘acts of espionage’

The Chinese government passed an expansion of its counterespionage law on Wednesday that would, among other things, allow people to be charged as spies if they target critical infrastructure or government bodies with cyberattacks.

The revised version of the 2014 law was passed by China's Standing Committee of the National People's Congress (NPC), state media outlet Xinhua reported, and will go into effect on July 1.

According to a translation of the most recent draft version of the law, “acts of espionage” now formally include “Network attacks [or] intrusions … targeting state organs, units involved with secrets, or critical information infrastructure” perpetrated or funded by spying organizations and affiliated agents.

More broadly, the espionage law also applies to “agencies, organs, individuals, or other collaborators domestically or outside” China who are involved in cyberattacks.

During a press briefing last week, NPC legislative affairs spokesperson Zang Tiewei called the “counter-espionage struggle … extremely grim,” according to Bloomberg.

“Various espionage activities are becoming more complex in more areas and targets more diverse, with measures increasingly covert,” he told state media.

The expanded law stipulates that government bodies must report cybersecurity incidents “to relevant departments,” which can then order telecommunications companies or internet service providers to repair vulnerabilities, suspend service, delete programs and restrict content, among other measures.

“Where after related measures have been employed, the information content or risks described above have already been eliminated, the state security organs and relevant departments shall promptly make a decision to restore relevant transmission and services,” the law states.

The expanded cyberespionage law comes at a time of mutual suspicion around cyber interference between the United States and China, as well as of foreigners working within China. In March, Chinese authorities detained an employee of a Japanese pharmaceutical company on suspicions of espionage, as well as five employees of the due diligence firm Mintz Group.

Since September 2022, the Chinese government has repeatedly accused the U.S. National Security Agency of hacking into the network of the government-backed Northwestern Polytechnical University, stealing data on “sensitive identities” within China.

In February, Cybersecurity and Infrastructure Security Agency chief Jen Easterly warned of “China’s massive and sophisticated hacking program,” saying the country faced cyber intrusions by the Chinese government “every day.”

“This is hacking on an enormous scale, but unlike the spy balloon, which was identified and dealt with, these threats more often than not go unidentified and undeterred,” she said.