Reflections on the “Regulations on the Security Protection of Critical Information Infrastructures”

“The key information infrastructure in the fields of finance, energy, electricity, communication, transportation, etc. is the nerve center of economic and social operation, the top priority of network security, and the target of key attacks.” On this basis, the State Council, in accordance with the Cybersecurity Law of the People’s Republic of China, formulated the Regulations on the Security Protection of Critical Information Infrastructures (hereinafter referred to as the Regulations). Practical standards and similar details still need to be specified by the various departments or by national standards. This article only compares the Regulations against the Cybersecurity Law and interprets the detailed rules, so as to provide a reference for practical operation.

1. Identification of critical information infrastructure

The “Regulations” clarify the definition of critical information infrastructure, namely “important network facilities, information systems, etc. in public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, defense science, technology and industry, and other important industries and fields, as well as any other important network facilities and information systems which, once damaged, rendered non-functional or subject to data leakage, may seriously endanger national security, the national economy and people’s livelihood, or the public interest”. The “Regulations” address critical information infrastructure from three aspects: definition, subject and basis of identification, specifically:

(1) Definition

From the provisions of the “Regulations”, critical information infrastructure means “important network facilities, information systems, etc. in important industries and fields, or other important network facilities and information systems which, once damaged, rendered non-functional or subject to data leakage, may seriously endanger national security, the national economy and people’s livelihood, or the public interest”. By this definition, not only important industries and fields are covered: general industries and fields may also be identified as critical information infrastructure, as long as damage to their important network facilities and information systems may seriously endanger those three major interests. It should be noted that, whether in an important industry or field or in a general one, what is identified as critical information infrastructure is the important network facilities and information systems, not general network facilities and information systems.

(2) The basis for recognition

The “Regulations” designate the competent departments and the supervision and management departments of each industry and field as the protection work departments. The protection work department shall formulate the rules for identifying critical information infrastructure based on the actual situation of its industry and field, and file them with the public security department of the State Council for the record. It should be explained here that Article 3 of the Regulations authorizes the public security department to guide and supervise the security protection of critical information infrastructure, so it is also a protection work department. Under the Regulations, the public security department can take part in the identification rules of the various industries and fields, but it is unclear whether rules formulated by the public security department itself would then be filed with itself. This article takes the view that the protection work department in Article 9 of the “Regulations” does not include the public security department; otherwise it would be filing with itself, acting as both referee and athlete.

The “Regulations” stipulate that the identification rules for critical information infrastructure should mainly consider the following three aspects: “(1) the importance of the network facilities, information systems, etc. to the key core businesses of the industry and field; (2) the degree of harm that may result once the network facilities, information systems, etc. are damaged, rendered non-functional or subject to data leakage; (3) the related impact on other industries and fields.” Although the identification rules are the basis for consideration by the protection work department, we believe that enterprises can also take them as a reference rule for their own compliance, and the competent authority of each industry will also issue detailed identification rules for its industry in the future.

2. The obligations of the operator

The Regulations mainly stipulate six obligations of operators, as follows:

(1) Synchronization of security protection measures

The security protection measures taken by operators for critical information infrastructure shall be planned, constructed and put into use simultaneously with it. This is the requirement of Article 33 of the “Cybersecurity Law”, aimed mainly at critical information infrastructure that has not yet been built or is still under construction; for critical information infrastructure that has already been built, compliance rectification should also be carried out with reference to the “Regulations”.

(2) Network security protection system

The “Cybersecurity Law” stipulates a “first-in-command responsibility system”: the operator establishes and improves its network security protection system and responsibility system, and guarantees the investment of human, financial and material resources in this area. Article 13 of the “Regulations” stipulates that “the main person in charge of the operator is responsible for the security protection of critical information infrastructure”. Whether the “main person in charge” refers to the head of the organization or to the head of the specialized security management organization needs to be discussed. We believe it should be the head of the specialized security management organization, because that department is mainly responsible for the security protection of the company’s critical information infrastructure.

(3) Set up a specialized security management organization

The operator shall set up a specialized security management organization, and conduct security background checks on the person in charge of the organization and on personnel in key positions. The specialized security management organization participates in the unit’s decision-making related to network security and informatization, and is also responsible for performing the network security protection responsibilities stipulated in Article 34 of the “Cybersecurity Law” and detailed in Article 15 of the “Regulations”, including:

Establish and improve network security management, evaluation and assessment systems, and formulate critical information infrastructure security protection plans;

Organize and promote the building of network security protection capabilities, and carry out network security monitoring, detection and risk assessment;

According to the national and industrial network security incident emergency plan, formulate the unit’s emergency plan, conduct emergency drills on a regular basis, and deal with network security incidents;

Identify key cybersecurity positions, organize cybersecurity work assessments, and propose rewards and punishments;

Organize network security education and training;

Fulfill personal information and data security protection responsibilities, and establish and improve personal information and data security protection systems;

Implement security management for services such as critical information infrastructure design, construction, operation and maintenance;

Report cybersecurity incidents and important matters as required.

(4) Security testing and risk assessment

Operators shall conduct network security inspections and risk assessments of critical information infrastructure at least once a year, either by themselves or by entrusting a network security service agency. Security problems found should be rectified in a timely manner, and the results reported to the relevant departments as required. It should be explained here that “at least once a year” applies to each of the network security inspection and the risk assessment, that is, each must be conducted at least once a year; it is not an “either/or” relationship.

(5) Timely reporting

Operators should report to the protection work department and the public security organ as required when a major network security incident occurs in critical information infrastructure or when a “major network security threat” is discovered. In the event of merger, division or dissolution of the operator, it should also report in a timely manner and dispose of the critical information infrastructure in accordance with the requirements of the relevant departments to ensure its security.

(6) Procurement of products or services

Operators should “prioritize the procurement” of “secure and trustworthy” network products and services. Which products and services count as secure and trustworthy? Might “priority procurement” conflict with the procurement spirit of the higher-level Bidding Law? Where procurement may affect national security, it must also pass a security review in accordance with the “Network Security Review Measures”. This provision can also be found in Articles 35 and 36 of the Cybersecurity Law. For procurement activities that may affect national security, the outcome of the security review is not known at the time of contracting; it is suggested that companies include conditional clauses that take effect only upon passing the review, so that failure to pass the national security review does not bring unnecessary losses to the company.

3. Responsibilities of relevant departments

The “Regulations” clarify the division of labor among national departments for the protection of critical information infrastructure. They stipulate that the national cyberspace administration department is responsible for overall planning and coordination, the public security department of the State Council is responsible for guidance and supervision, the competent departments of the various industries and fields are responsible for security protection and supervision and management within the scope of their duties, and the relevant departments of provincial governments carry out security protection and supervision and management according to their duties. The Regulations define the responsibilities of the relevant departments from the following four aspects:

(1) Responsibilities for Information

The state establishes a network security information sharing mechanism, and Article 30 stipulates that information obtained by state organs and network security service agencies in the course of their work may only be used to maintain network security, and must not be leaked, sold or illegally provided to others.

(2) Responsibilities for prevention

The protection work department shall establish and improve the network security monitoring and early warning system and the network security incident emergency plan for critical information infrastructure in its industry and field, and regularly organize emergency drills and inspections.

(3) Prohibited items in inspection

The relevant departments should avoid unnecessary and overlapping duplicate inspections; inspections shall not be charged for, and operators shall not be required to purchase designated products or services.

(4) Priority protection industries

The state gives priority to ensuring the security of critical information infrastructure in the energy and telecommunications industries, and the energy and telecommunications industries should in turn provide safeguards for the security of critical information infrastructure in other industries.

4. Vulnerability detection, penetration testing approval and authorization

Article 31 of the “Regulations” stipulates that, without the approval of the national cyberspace administration department or the public security department, or the authorization of the protection work department or the operator, no organization or individual may conduct vulnerability detection, penetration testing or other activities that endanger the security of critical information infrastructure. If such activities are carried out on a basic telecommunications network, the competent telecommunications department of the State Council must also be notified in advance. Why do the national cyberspace administration department and the public security department “approve”, while the protection work department and the operator “authorize”? The relationship between the two is “or”, meaning that either approval or authorization suffices. As mentioned above, the public security department also belongs to the protection work departments; the Cyberspace Administration of China is the overall coordinating department but also holds some supervision and management powers, and it is unclear whether it too belongs to the protection work departments. We believe that the national cyberspace administration department, the public security department and the industry supervision or competent departments all belong to the protection work departments, and that the authorization of the protection work department in Article 31 of the Regulations refers mainly to the industry competent department; otherwise the provision would conflict with itself and could not be implemented. In addition, how the authorization of the industry competent department as a protection work department is to be interpreted is expected to be clarified further at the practical level.
