17 July, 2017
The Cyberspace Administration of China (“CAC”) released a draft of the Regulations on Security Protection of Critical Information Infrastructures (the “Draft”) on July 11, 2017, opening it to one month of public comment.
The Cybersecurity Law of the People’s Republic of China (the “CSL”) was the first to adopt the concept of critical information infrastructure (“CII”). According to Article 31 of the CSL, the concrete scope of CII and the security protection rules shall be formulated by the State Council. In the 2016 Legislative Work Plan of the State Council, CAC is designated to draft such regulations. The market has long been anticipating the Draft and expects it to clarify various issues relating to CII, one of the most critical issues under the CSL. The Draft incorporates comprehensive requirements and regulations in areas such as government coordination and precautionary mechanisms. Below we summarize only those specific areas which are more closely related to companies’ compliance obligations.
I. Refining the scope of CII
CII is briefly defined in CSL in Article 31 which provides “the State shall carry out important protection of the important industries and fields, such as public communication and information service, energy, transportation, irrigation, finance, public services and e-government affairs, and the key information infrastructures that may endanger national security, people’s livelihood and the public interest in case of damage, function loss or data leakage on the basis of classified protection system for network security. The specific scope of CII and security protection measures shall be formulated by the State Council”. This definition creates two basic criteria in determining a CII: industrial criteria and consequence criteria.
Article 18 of the Draft elaborates the criteria of the CSL and adds certain new industries to the industrial criteria: “the network facilities and information systems operated or managed by the following entities, that may endanger national security, people’s livelihood and public interest in case of damage, function loss or data leakage, shall be included into the scope of CII:
1. Government organs, and entities in the industries or fields of energy, finance, transportation, irrigation, healthcare, education, social security, environment protection, public utilities and so forth;
2. Information networks such as telecommunications networks, radio and television networks, and the Internet; and entities providing cloud computing, big data, and other public information network services on a large scale;
3. Scientific research and manufacturing entities in sectors such as national defense and science industry, heavy equipment industry, chemical industry, and food and pharmaceutical industry;
4. News report entities such as radio stations, television stations and news agencies; and
5. Other key entities.”
Firstly, the Draft brings into the scope of CII industries such as “national defense and science industry, heavy equipment industry, chemical industry, food and pharmaceutical industry”, which were not enumerated under the CSL.
Secondly, the Draft refines industries such as “public telecommunications and information services” and “public services” in the CSL. For example, “public services” is further refined as “healthcare, education, social security, environment protection, public utilities”; “public telecommunications and information services” is refined as entities in “telecommunications networks, radio and television networks, Internet, and entities providing cloud computing, big data, and other public information network services on large scales, radio stations, television stations and news agencies”.
According to Article 19 of the Draft, the national cyberspace administration departments, in conjunction with the competent departments for telecommunications and the public security departments, will formulate guidelines for the identification of CII. In practice, although the provisions in the Draft offer further refinement of the CSL, the specific scope and the standards for determining whether particular facilities fall within the scope of CII will likely depend on identification guidelines that are yet to be formulated. The relatively general provisions in the Draft retain a certain degree of flexibility for subsequent changes in law enforcement and practice.
II. Restating the obligations of CII Operators in Security Protection
Article 31 of the CSL and Article 6 of the Draft both stipulate that the State shall carry out focused protection of CII on the basis of the classified protection system for network security. Operators of CII (the “Operators”) are also network operators; they must therefore observe both the security protection requirements imposed on network operators and those imposed on the Operators under the CSL.
Chapter IV of the Draft repeats the respective provisions of the CSL, which include requiring the Operators to:
1. formulate internal security management systems and operating procedures, and strictly enforce identity authentication and authority management;
2. employ technical measures to prevent acts endangering network security, and monitor and record network operation status;
3. adopt measures such as data classification, backing up important data, and encryption authentication;
4. set up dedicated network security administration and personnel responsible for network security management;
5. periodically conduct network security education, technical training and skills evaluations for employees;
6. formulate emergency plans for network security incidents and conduct drills regularly;
7. conduct testing and assessment of the security of CII at least once per year;
8. store personal information and important data within the territory of China.
Compared to the CSL, the Draft specifies more detailed requirements: the Operators’ technical specialists must obtain certain qualifications before taking up their positions (specific details about the qualification have not been released); education and training for employees must last at least one working day per person each year, and at least three working days each year for professional technical personnel in key positions; and the Operators shall conduct security tests and assessments before CII goes live or when major changes are made.
III. Strengthening the inspection and reporting obligations for network products and the procurement of services
With respect to network products and security services, the Draft restates a number of requirements of the CSL, including: network products and services shall meet the mandatory requirements of national law; the purchase of network products or services by Operators that might affect national security shall pass a security review; and the Operators shall sign a security confidentiality agreement with the provider.
The Draft further requires that Operators conduct security testing of systems and software developed by third parties, and of donated network products, before putting them into use online (Article 32). Where Operators find that network products or services they employ pose risks such as security defects or vulnerabilities, they shall promptly adopt measures to eliminate the threat, and where major risks are involved, they shall report them to the relevant departments in accordance with the provisions (Article 33).
The Draft specifically provides that the operation and maintenance of CII shall be carried out within the territory of China. Where remote maintenance from overseas is truly necessary due to business needs, this shall be reported to the state departments for administration or supervision of the industry and to the public security department under the State Council (Article 34). Compared to Article 37 of the CSL, which states that personal information and important data collected and generated by the Operators during their activities within the territory of the PRC shall be stored within the territory, the Draft’s requirement on the operation and maintenance of CII is more stringent from the perspective of data access.
IV. Further clarification for the performance of regulatory responsibilities
The Draft stipulates that the national cyberspace administration department is responsible for coordinating the protection of CII. The national industry administrative or regulatory departments are responsible for instructing and supervising the industry’s security protection of CII.
The Draft also requires that the supervisory authorities conduct supervision of CII, ranging from monitoring, warning, precautionary measures and drills to testing and security assessments.
V. Our Observation
The Draft has, to a certain extent, expanded and refined the scope of CII and the security protection measures set out in the CSL. As an administrative regulation, it remains relatively flexible, leaving room for interpretation and enforcement by regulators. We also expect that a series of detailed rules and standards will be formulated to address the issues that arise in practice around the identification of CII and the specific details of security protection measures, procurement and reporting.