The Cyberspace Administration of China (“CAC”) published the National Cyber Incident Response Plan (the “Plan”) on 27 June 2017.
The Plan is formulated in accordance with the general principles of the PRC Cybersecurity Law. Its main legislative purpose is to establish and improve the national cybersecurity incident response mechanisms, to improve the capability of dealing with cybersecurity events, to prevent and reduce the damage caused by cybersecurity incidents, and to protect the public interest, national security, and social order.
Under the Plan, “Cybersecurity Incidents” refer to the incidents that (i) are caused by man-made reasons, defects or malfunctions of hardware and software, or natural disasters, (ii) cause damage to networks, information systems or the data involved therein, and (iii) cause negative effects to the society. Cybersecurity Incidents can be categorised into harmful programme incidents, cyber-attack incidents, information or data breach incidents, information or content security incidents, device and equipment malfunctions, disaster incidents and other incidents. Appendix I of the Plan provides further description of each category of incidents.
Cybersecurity Incidents are divided into four levels, i.e. extraordinarily significant, significant, relatively significant and general. The factors deciding the level of a Cybersecurity Incident include (i) damages caused to critical networks and information systems (e.g. such as if damages paralyse the systems or result in the loss of business processing capabilities). Appendix III of the Plan further specifies how the level of damage can be measured; (ii) threats to national security and stability of society which are caused by the loss, theft or tampering with of national secrets, important and sensitive information, and critical data; and (iii) other impacts on national security, social order, economic development and public interests.
The CAC (and the Emergency Response Office to be established under the CAC) will coordinate with other relevant government authorities including the Ministry of Industry and Information Technology, the Ministry of Public Security, the National Administration for the Protection of State Secrets, the government authorities in charge of each specific sector or industry, as well as their relevant local branches (collectively, the “Response Authorities”) to handle Cybersecurity Incidents.
The relevant Response Authorities will monitor the Cybersecurity Incidents within their own jurisdictions. Depending on the specific level of a Cybersecurity Incident, the Response Authorities will publish alerts (red, orange, yellow and blue) and take corresponding response actions (level I to IV). The Plan does not specify the particular measures that the Response Authorities are required to take when a Cybersecurity Incident occurs. The Plan only sets out general principles including that the Response Authorities should react in time, assemble necessary administrative resources and social resources and put in place proper remedial and mitigation measures.
The Plan also outlines, at a very general level, the Response Authorities’ various other responsibilities, which include organising drills, providing training, improving internal management policies, recruiting qualified personnel, increasing international cooperation, and following up on post-incident measures taken in practice. On the whole, this Plan focuses on establishing the national framework concerning Cybersecurity Incident responses.
One provision of the Plan does provide that the organisation which suffers or is affected by a Cybersecurity Incident, must immediately implement response plans, take necessary measures and report the relevant information in time. The Plan, however, does not provide any further explanation as to what response plans are required, what measures should be taken, or how reports should be made. In the implementation rules implemented following the PRC Cybersecurity Law, there may be further requirements and more detailed explanations.
Please click here to read the full text (Chinese only) of the Plan.