24 July, 2017
Long-awaited Draft Rules Leave Many Questions Unanswered
Rules for Protection of Critical Information Infrastructure (Draft for Discussion) (关键信息基础设施安全保护条例(征求意见稿))
Introduction
On 10 July 2017, the Cyberspace Administration of China (“CAC”) released draft rules (“Draft”) on critical information infrastructure (“CII”) with a consultation period of one month. The Draft enunciates certain principles for the identification of CII and obligations of operators of CII. Whilst the Draft seeks to clarify certain aspects of the 2016 Cyber Security Law (“CSL”), it still largely repeats the CSL’s broad principles, and paves the way for detailed guidance to be separately issued following publication of the final rules.
Scope Of CII
The Draft defines the overall scope of data network infrastructure that could be protected as CII, but leaves the specific identification of CII within this scope to be set out in separate guidance (to be drafted by the CAC, in consultation with the Ministry of Industry and Information Technology, the Public Security Bureau and other authorities). The guidance, when issued, is to form the basis for industry regulators to identify CII within their sectors. Expert opinions are to be sought with a view to ensuring that the guidance is appropriately applied.
The existing test clarified
The overall scope of CII is defined by two tests, both of which must be satisfied:
Test 1: it must be operated or administered by a participant in one of a (non-exhaustive) list of sectors in the PRC, as follows:
- Government agencies, energy, finance, transport, water, healthcare, education, social security, environmental protection and public services;
- Telecommunications networks, TV and broadcasting networks, internet and other information networks, and providers of cloud, big data and other large-scale public information network services;
- Research or production in defence, heavy equipment, chemicals, food or drugs;
- TV channels, radio channels, news agencies and other news services;
- Other important identified businesses.
Test 2: any damage, loss of functionality or data breach experienced by the relevant infrastructure could severely threaten the national security, national economy, people's livelihood or public interest.
Although a more precise test would have been preferable, one useful clarification is the application of Test 2 to all infrastructure falling within the overall scope of CII. This clarifies the CSL which, on a broad reading, could otherwise be interpreted to mean that all network infrastructure in certain sectors (such as finance) is automatically considered as CII.
As detailed above, the Draft proposes to extend the range of CII sectors contemplated in the CSL to include healthcare, education, social security and environmental protection and the group of industries in the third bullet point under Test 1, and sets out (in the second and fourth bullet points under Test 1) a more precise scope of the term “public communications and information” found in the corresponding CSL definition.
New CII Obligations
Whilst under the CSL a CII operator is already required to have a dedicated network security management department and security officer, the Draft proposes several additional requirements relating to network security personnel.
Key responsibilities
The Draft sets out the security officer’s responsibilities including setting cybersecurity procedure, organising cybersecurity skills assessments and training, handling cybersecurity threats and contingencies (including prompt rectification of cybersecurity defects), and reporting material cybersecurity issues to the regulators (for example, under the CSL any breach or possible breach of personal data must be promptly reported, and the Draft provides that material cybersecurity defects in network products and services discovered by the CII operator must also be promptly reported).
The proposed net of individuals responsible for cybersecurity is widely drawn. The Draft provides that the “chief responsible person” of a CII operator has primary responsibility for the security of its CII (including security responsibility systems and their implementation). The term “chief responsible person” is not defined in the Draft, but references in the CSL suggest it could include the legal representative and the chief officer responsible for cybersecurity.
The Draft proposes that all CII should undergo security assessment before being put into operation or implementing any material changes (in addition to the annual assessment already provided under the CSL), and all new construction and suspension of, and material changes to, CII must be reported to the industry regulators.
Proposed licensing regime
All “specialised technical personnel” holding key network security posts with a CII operator (“Key Network Personnel”) must hold a licence. The licensing requirements are to be separately developed by the Ministry of Labour and Social Security in consultation with the CAC and other departments.
Training
All professional staff of a CII operator must undergo at least one working day of cybersecurity training per year (three working days in the case of Key Network Personnel). In addition to the general security procedures and technical measures mentioned in the CSL, the Draft requires the use of identity verification and levels of authorisation to further protect CII security.
Control Obligations
The Draft proposes to require CII operators to complete a security assessment of any outsourced systems and software, and of any network products obtained free of charge, before the relevant items are used online. It is also proposed that CII must, as a general principle, be operated and maintained onshore, unless the CII operator has given prior notice to the industry regulator that its business needs require remote maintenance of the CII from an offshore location.
It is also proposed that service providers (which could include both onshore and offshore entities) conducting security assessments on CII, providing information on system bugs, computer viruses, cyberattacks and other security threats to CII or providing cloud computing or IT outsourcing services to CII are to be required to comply with certain rules, to be developed by CAC in consultation with other government departments.
Overview
The Draft proposes several new obligations aimed at better management and control of CII by CII operators. However, it does not fully address the central question of what could be defined as CII. The full impact of the new legislation on CII is thus subject to further guidance, as well as to other key laws and regulations (such as those on security review of network products and services, cross-border data transfer and cryptography).
For further information, please contact:
Jian Fang, Partner, Linklaters
jian.fang@linklaters.com