Law to protect China’s "Information Infrastructure" - A brief analysis of the Regulations on the Security Protection of Critical Information Infrastructure
On August 17, the Regulations on the Security Protection of Critical Information Infrastructure (hereinafter referred to as "the Regulations") were officially announced, providing important legal armour for China's critical information infrastructure (hereinafter referred to as "CII"), which is tied to national security, economic lifelines and social stability.
The Regulations are an important complement to the Cyber Security Law: they implement the relevant requirements of that Law, refine the related systems and measures, consolidate responsibilities and improve the legal system for cyber security.
For the cybersecurity industry, the Regulations attach importance to the role of cybersecurity service providers, which will be a long-term positive support for the development of the industry.
What is CII?
The CII is the nerve center of economic and social operations, carrying or supporting key businesses in important industries and fields. Once compromised, it can cause a chain reaction and serious consequences to the national economy and national security, affecting the whole country. It is the top priority and key part of network security.
According to the Regulations, CII covers public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, the national defense science and technology industry and other important industries and fields, as well as other important network facilities and information systems that may seriously endanger national security, the people's livelihood, the public interest, etc. if they are damaged, lose their functions or have their data leaked.
Why legislate to protect CII?
With the comprehensive advancement of China's national economy and social informatization, traditional social activities are being extended into cyberspace, and economic and national security are highly dependent on critical information infrastructure.
However, the cyber security situation facing critical information infrastructure is becoming increasingly severe: the threat of cyberattacks is on the rise, advanced persistent threats, cyber extortion, data theft and other incidents occur frequently, the relevant regulations and systems are imperfect, and technical and industrial support is insufficient.
According to the network security monitoring data in the "2020 China Internet Network Security Report" released by the National Internet Emergency Response Center, in 2020 the number of malicious program samples captured exceeded 42 million, and the national information security vulnerability sharing platform recorded a total of 20,704 security vulnerabilities, an upward trend.
In the same year, 360 received and handled more than 3,800 ransomware attacks in the country. Ransomware is also increasingly targeting government departments and large enterprises, and the more developed a region's digital economy, the more severe the attacks.
It is evident that legal protection in the field of critical information infrastructure needs to be strengthened, and that the protection of cyber security and its supporting legal system will be key to winning the cyber security game. It is of great significance to safeguarding national cyber security, cyberspace sovereignty, national security and the public interest.
Legal Status
1. The Regulations are subordinate legislation under the Cyber Security Law.
2. The Cyber Security Law (2017), the Data Security Law (2021) and the Personal Information Protection Law (2021) together constitute the "troika" of China's cyberspace governance and data protection.
3. CII security protection is an important part of every country's cyber security strategy. At present, many countries and regions regard CII legislation as the most critical part of cyber security legislation.
| Country/Region | Laws/Regulations |
| --- | --- |
| USA | Critical Infrastructure Protection Act; Executive Order on Improving Critical Infrastructure Cybersecurity; Executive Order on Enhancing Federal Government Cyber and Critical Infrastructure Cybersecurity; Interim National Security Strategic Guidance; Executive Order on Enhancing National Cybersecurity |
| EU | European Critical Infrastructure Directive; Directive on security of network and information systems |
| Russia | Federal Law on the Security of the Critical Information Infrastructure of the Russian Federation |
| Australia | Security of Critical Infrastructure Act 2018 |
| UK | Government Cybersecurity Strategy (2016-2020) |
| Germany | Cybersecurity Law of Germany |
| Japan | Cybersecurity Basic Law |
In 2021, the largest fuel pipeline operator in the United States and the largest meat processor in the world were both shut down by cyberattacks, damaging infrastructure that underpins the national and global economy, with knock-on effects across the industry chain.
Who will determine CII?
The authorities and regulators of the industries and sectors involved in CII are responsible for the determination of CII.
Step 1: Establish the rules for determination and file them with the public security department under the State Council.
Step 2: Notify the operator of the determination and report it to the public security department under the State Council.
(If there are significant changes to the CII that may affect the outcome of the determination, the determination is carried out again.)
Who is responsible for CII protection?
| Department | Role |
| --- | --- |
| Cybersecurity administrative departments | Overall organization: coordinating the establishment of a cyber security information sharing mechanism; coordinating network security inspection and testing |
| Public security department under the State Council | Guidance: filing of determination rules; receiving CII determinations; receiving reports of significant cyber security incidents or threats; conducting cyber security inspections and tests on CII; providing support and assistance to the protection sector |
| Protection sector | Determination and protection of CII: CII determination and notification; development of CII security protection rules; establishing a CII cybersecurity monitoring and early warning system; establishing and improving the CII network security incident emergency plan and organizing emergency drills; conducting regular network security inspection and monitoring |
| Telecommunications authorities under the State Council / other departments | Security protection and supervision |
| Provincial governments | Security protection and supervision |
CII operators (i.e. owners, managers and network service providers of CII) have the following obligations:
1. System construction. Establish a network security protection system and ensure investment of human and material resources.
2. Institutional set-up. Set up a dedicated security management body to carry out protection work across the whole process, such as planning, assessment, drills and training.
3. Risk assessment. Commission service agencies to regularly assess network risks and rectify them in a timely manner.
4. Risk reporting. Report major security incidents in a timely manner.
5. Secure and trustworthy priority. Give priority to the procurement of secure and trustworthy products and services.
Priorities in CII
As the energy and telecommunications sectors are both CII themselves and provide important support and resources for the stable operation of CII in other sectors, priority is given to ensuring the secure operation of CII in energy and telecommunications.
Market opportunities
Under the Regulations, innovation in CII security protection technology and industry development, network security testing and risk assessment service providers, and secure and trustworthy network products and services all become commercial categories explicitly supported by the state, and their business potential continues to increase.
With the recent intensive introduction of cyber security policies and regulations, cyber security has been transformed from consensus into action. New product forms are emerging and the cyber security industry is booming.
Driven by policy, market demand and other factors, IDC expects China's network security market to enter a period of rapid development, with investment in China's network security market reaching US$9.78 billion in 2021 and expected to increase to US$18.79 billion in 2025. In July 2021, the Ministry of Industry and Information Technology released the "Three-Year Action Plan for the High-Quality Development of the Network Security Industry (2021-2023) (Draft for Public Comment)", proposing that by 2023 the scale of the network security industry will exceed 250 billion yuan, and that the proportion of investment in network security in key industries such as telecommunications will reach 10% of investment in information technology. China's network security industry is still in its infancy, and its overall scale is relatively small compared to foreign markets, but the growth potential is huge.
Along the development path of the network security industry, the application of emerging technologies such as cloud computing, big data and the industrial Internet, together with the advancement of network security construction, will drive faster growth of network security software and services.
At present, government customers account for a relatively high proportion of the downstream applications of China's information security industry, and the high demand for user data and system security in the telecommunications and financial industries has created relatively large market demand. In addition, critical infrastructure related to people's livelihood, such as education, manufacturing, energy and transportation, is also a key customer group for network security.
Conclusion
China is moving ever more steadily along the track of network security, data security and personal information protection, so that the relevant departments and enterprises have laws to follow in actual operation.
Other laws, regulations, departmental rules and local regulations will continue to be refined under the system composed of these three laws, gradually covering all aspects of the Internet, personal information and data activities.
We will continue to monitor the relevant legislative trends and rules to provide more valuable reference for companies.