Skip links

China orders annual security reviews for all critical information infrastructure operators

China’s government has introduced rules for protection of critical information infrastructure.

An announcement by the Cyberspace Administration of China (CAC) said that cyber attacks are currently frequent in the Middle Kingdom, and the security challenges facing critical information infrastructure are severe. The announcement therefore defines infosec regulations and and responsibilities.

The CAC referred to critical infrastructure as “the nerve center of economic and social operations and the top priority of network security”. China’s definition of critical information infrastructure can be found in Article 2 of the State Council’s “Regulations on the Security Protection of Critical Information Infrastructure” and boils down to any system that could suffer significant damage from a cyber attack, and/or have such an attack damage society at large or even national security.

“The regulations clarify that important network facilities and information systems in key industries and fields belong to critical information infrastructure,” wrote the CAC in its announcement (as translated from Mandarin), adding that the state was adopting measures to monitor, defend and handle network risks and intrusions, originating domestically and globally.

The regulations themselves are lengthy and detailed, but the theme is that all Chinese enterprises whose operations depend on networks must conduct an annual security reviews, report breaches to government, and establish teams to monitor security constantly.

Those teams get to develop emergency plans and carry out emergency drills on a regular basis, in accordance with disaster management national plans.

If an incident is ever discovered, reporting and escalation to national authorities is mandatory.

The lengthy document also details a variety of organizational and logistical “clarifications”, while also outlining the state’s ability to adjust identification rules dynamically, how safeguarding measures can be implemented, and legal responsibilities and penalties for negligent parties.

It does not, however, offer specific technical advice.

China’s not alone in not not doing so The USA’s (Cybersecurity Information Sharing Act ) [PDF], which came into law in December 2015, is broad. It was designed to allow companies to share cyber attack information with government and other companies, but was considered by some as bad on the privacy front.

Last month, a bipartisan effort in the US introduced the Cyber Incident Notification Act of 2021. The Act requires federal agencies, government contractors and critical infrastructure owners to report attacks to CISA within one day of their occurrence, granting limited immunity to those reporting a breach and allowing data protection procedures to move ahead. ®