The Cyberspace Administration of China (the “CAC”) published the Draft Security Protection Measures for Critical Information Infrastructure (the “Draft Measures”) on 11 July 2017 for public comment. The Draft Measures have been formulated under the PRC Cybersecurity Law and apply to the planning, establishment, operation, maintenance and use of critical information infrastructure (“CII”) within China, as well as to the security protection of CII.
According to the Draft Measures, a network facility or information system falls within the scope of CII if it is operated and managed by an entity in any of the following categories and its damage, loss of function or data leakage could seriously endanger national security, the national economy, people’s livelihoods or the public interest: (i) a government department, or an entity in the energy, finance, transportation, water conservancy, health and medical services, education, social insurance, environmental protection or public utilities sector; (ii) an operator of an information network (including a telecom network, broadcast network or the internet), or a provider of cloud computing, big data or other large-scale public information network services; (iii) a scientific research or manufacturing entity in the defence science and technology, large equipment, chemicals, or food and pharmaceutical industries; (iv) a press unit such as a broadcasting station, TV station or news agency; or (v) another important entity.
The government will formulate a “Guide for Identifying CII”, in accordance with which the various sectoral government authorities will identify the CII within their respective administrative jurisdictions and report the results. Rather than a specific catalogue listing the scope of CII, this sector-by-sector identification mechanism gives the sectoral authorities considerable discretion, which could lead to inconsistent treatment across sectors.
The operators of CII will bear the primary security protection responsibility for their CII. In addition to the cybersecurity obligations applicable to all network operators under the PRC Cybersecurity Law (e.g. formulating internal policies and procedures and taking the necessary technical measures), a CII operator must also appoint qualified staff to handle cybersecurity matters, organise training and drills, formulate cyber incident response plans, back up important databases, and conduct security assessments periodically. The Draft Measures also restate that personal information and important data collected or generated by a CII operator during its operations in China must be stored within China. If a CII operator wishes to transfer such data overseas, it must first pass a security assessment, unless otherwise provided by law.
If any products or services used by a CII operator could affect national security, those products and services must pass a security review and the operator must sign security and confidentiality agreements with the suppliers. Before any outsourced or donated systems or software are put into use by a CII operator, they must pass a security examination. In addition, the operation and maintenance of CII must be carried out within China. If maintenance must be performed from overseas for business reasons, the relevant sectoral authorities and the Ministry of Public Security must be notified in advance.
The government authorities will periodically organise security assessments of CII. The specific measures they may take include (i) requesting the relevant staff to provide explanations; (ii) gathering, reviewing or copying documents and records relevant to security protection; (iii) checking how security protection measures have been formulated and implemented; (iv) using examination tools or engaging service institutions to conduct technical examinations; and (v) other necessary measures agreed with the CII operator. When a cybersecurity incident occurs, the government authorities will respond in accordance with the National Cyber Incident Response Plan.
According to the Draft Measures, no one may (i) attack, intrude into, disrupt or damage any CII; (ii) illegally obtain, sell or provide to others any technical materials or other information that can be used specifically to endanger CII; (iii) conduct penetration testing or offensive scanning and probing of CII without authorisation; (iv) provide internet access, server hosting, network storage, communication, advertising and marketing, payment and settlement or other services while knowing that the services will be used to endanger CII; or (v) engage in other activities that endanger CII. The government authorities will monitor, defend against and handle cybersecurity risks and threats originating both within China and overseas.
While the Draft Measures elaborate on certain requirements of the PRC Cybersecurity Law, many issues remain unclear, for example the precise scope of CII, the specific requirements and procedures for the various security reviews, examinations and assessments mentioned in the Draft Measures, and the technical standards a CII operator must follow in its operations. The public has until 10 August 2017 to submit comments.
The full text of the Draft Measures is available in Chinese only.