In recent years, with the rapid development of network and information technology, cyberspace has become deeply integrated into every aspect of economic and social development, people’s daily lives and social governance, profoundly influencing and changing the mode of social production. Alongside this progress, network security problems, and in particular the security of critical information infrastructure, are becoming more and more serious. The identification and protection of critical information infrastructure has increasingly become the focus of attention and research for all parties in the industry. After joint research, discussion and practice by many parties, the “Regulations on the Security Protection of Critical Information Infrastructures” (hereinafter referred to as the “Regulations”) were finally officially released and came into effect on September 1.
I. Correctly understand the significance of the promulgation of the Regulations
(1) The promulgation of the “Regulations” is an important measure to implement the decision-making of the Party Central Committee
In his speech on April 19, 2016, General Secretary Xi Jinping put forward the requirement of “speeding up the construction of a critical information infrastructure security system”; the Cybersecurity Law devotes a chapter to the “operational security of critical information infrastructure”, which clarifies the scope of critical information infrastructure and sets out technical and management requirements for its security assurance; the “14th Five-Year Plan” outline likewise calls for “establishing and improving the protection system for critical information infrastructure, improving security protection and maintaining political security capabilities”. The promulgation and implementation of the “Regulations” is an important measure to implement the decisions and deployments of the Party Central Committee and the overall national security concept, and to effectively promote the construction of a critical information infrastructure protection system.
(2) The promulgation of the Regulations is an urgent need to maintain the security of critical information infrastructure
China’s critical information infrastructure is developing rapidly, and China is also one of the countries most severely threatened by cybersecurity attacks in the world. More specific and clear regulations are urgently needed to define the responsibilities and institutional requirements of all parties for the security protection of critical information infrastructure, to clarify the primary responsibility of operators and the requirements for security assurance and promotion, to guide the implementation of work related to the protection of critical information infrastructure, to raise the sense of responsibility and the protection capabilities of the relevant units, to build a security system, and to support the construction of a network powerhouse.
(3) The promulgation of the “Regulations” is a legal guarantee to safeguard the vital interests of the broad masses of the people
Incidents in recent years, such as the power outages and network disconnections after the “flood” in Zhengzhou and the leakage of important government information, show that the safe and stable operation of critical information infrastructure bears directly on the vital interests of the general public and on national security. The general public is deeply concerned about the security of critical information infrastructure. The “Regulations” were issued to actively respond to the demands of the public, protect the fundamental rights and interests of the general public in cyberspace, and ensure economic development and national security.
II. Clarify the scope of critical information infrastructure, and promote the rule of law deeper into practice
As the basic law in the field of cybersecurity, the Cybersecurity Law consists mostly of foundational and principle-level provisions. The promotion and implementation of related work, such as cross-border data transfer and cybersecurity review, depends heavily on the critical information infrastructure framework. For example, the “Cybersecurity Law” clearly requires that personal information and important data collected and generated by critical information infrastructure operators during their operations within China must be stored in China; the “Network Security Review Measures (Draft for Comments)” provides: “Key information infrastructure operators purchase network products and services, and data processors carry out data processing activities that affect or may affect national security, and shall conduct a network security review in accordance with these Measures.” The “Regulations” will accelerate the identification of critical information infrastructure and clarify the working basis on which the related work is implemented in practice; they are an extension and improvement of the body of regulations built on the “Cybersecurity Law”. Chapter 2 establishes that the protection work department is the organizing body for the identification of critical information infrastructure. It requires that industry identification rules take into account the importance of the infrastructure to the core business, the degree of harm if it is damaged, and its linkage effects on other industries, and it clarifies the process requirements for notifying identification results, thereby pointing out the direction for the identification of critical information infrastructure.
III. Build a comprehensive management system of division of labor and coordination, and clarify protection responsibilities and obligations at all levels
The “Regulations” clarify the responsibilities and obligations of each role in the protection of critical information infrastructure at four levels: operators, protection work departments, competent regulatory authorities, and the state. First, they establish the primary responsibility of the operator. Chapter 3 sets out the “three synchronizations” requirement for operators’ security protection, the assurance requirements for personnel, funding, materials, institutions and systems, the requirements for security testing and evaluation, the requirements for network security review, and the requirements for reporting major threats and incidents. Second, they highlight assurance and promotion at the industry and national levels. Critical information infrastructure bears on national security, the national economy, people’s livelihood and the public interest, so it must be safeguarded at the industry and national levels. The Regulations contain a total of 22 clauses on the protection requirements of the protection work departments and the competent supervisory departments, clarifying the requirements for network security information sharing, monitoring and early-warning systems, emergency response, regular inspection and rectification, and priority assurance for energy and telecommunications, thereby highlighting the “critical” nature of the security protection measures for critical information infrastructure. Third, they clearly establish a management system of “upward and downward linkage, coordination on all sides”. Article 4 of the “Regulations” emphasizes that security protection adheres to the working principle of “comprehensive coordination, division of responsibilities, and protection according to law”, and as many as 18 working clauses require cooperation at all levels, expressed through terms such as “guidance, cooperation, support, assistance, and notification”.
These clauses cover identification rules and result determination, personnel security background review, network security information sharing, inspection and testing, and more, so that departmental responsibilities are clearer, work processes are better defined, protection measures are more operable, and a protection work mechanism of coordination and cooperation among the various units is formed.
IV. Establish a specific and clear closed loop of security protection work, and implement the concept of network security
The “Regulations” fully embody the important concepts of General Secretary Xi Jinping’s view on network security. From multiple perspectives, including identification rules and result determination, security protection of critical information infrastructure, detection and risk assessment, information sharing, monitoring and early warning, and emergency response and incident notification, they establish a closed loop of identification, protection, monitoring, inspection, rectification, and emergency response. First, network security is holistic, not fragmented. The “Regulations” treat the security protection of critical information infrastructure as a whole bound together by business dependencies, and carry out overall protection at four levels: the state, the competent regulatory authorities, the industries, and the operators. Article 4 explicitly puts forward the requirement of “joint protection”, emphasizing the unity and integrity of the work. Second, network security is dynamic, not static. The “Regulations” emphasize dynamic management based on changes in the key elements of critical information infrastructure in order to reach the “optimal state” of security management. For example, Article 11 requires that major changes to critical information infrastructure be reported, and Article 21 requires that changes in operator information be reported. Article 26 calls for regularly organized inspections, tests and rectifications. All of these reflect real-time monitoring of the status of critical information infrastructure and dynamic management based on changes in that status. Third, network security is shared, not isolated.
Articles 31 to 38 of the Regulations set out the requirements for combating cybercrime, strengthening talent education, technological innovation, industrial development, building security standards, and strengthening military-civilian integration, fully embodying the idea that cybersecurity depends on the people, and fully mobilizing the government, enterprises, and the general public to participate jointly in the security protection of critical information infrastructure.
V. Reflections on several key tasks
The first is to give full play to the effectiveness of inspection, testing and risk assessment. The “Regulations” set out requirements for the inspection and testing of critical information infrastructure carried out by operators, protection work departments, the national cyberspace administration, and relevant departments such as public security, state security, confidentiality, and cryptography. As an important link in the dynamic management process, this work requires sound management of inspection and testing institutions, coordination of inspection and testing activities, information communication and supervision, full integration of the various inspection and evaluation activities in the security field, reduction of the inspection burden on operators, improvement of the technical service capabilities of inspection and testing institutions, sound aggregation and sharing of inspection results, and assurance that inspection and testing work is effective.
The second is to promote the improvement and implementation of the critical information infrastructure security standard system. At present, a number of relevant security standards for critical information infrastructure are under research. The next step is to sort out the critical information infrastructure standard system and plan a blueprint for the construction of the security standard system; to accelerate the release and pilot demonstration of relevant standards; and to encourage industry authorities to work with research institutions to formulate industry-level identification rules and emergency-related standards based on the actual situation of each industry, further refining the implementation of system requirements and providing technical support and methodological guidance for critical information infrastructure protection practice.
The third is to give full play to the role of the protection work department. According to the relevant requirements of Chapter 4, “Assurance and Promotion”, of the “Regulations”, in promoting the protection of critical information infrastructure the protection work department needs, on the one hand, to connect upward to understand the requirements at the national level and to link into the information sharing and incident reporting channels, and, on the other hand, to combine industry requirements and industry norms to guide operators in implementation, playing the important role of “connecting the level above with the level below”. A regular mechanism for coordination and exchange among protection work departments should be established to ensure that they promote system construction, platform construction and capacity building in a timely manner.
In an increasingly severe and complex security situation, the promulgation and implementation of the “Regulations” is a major measure to guide and improve the construction of China’s critical information infrastructure protection system, and has great practical significance. The “Regulations” will surely become a milestone in the protection of China’s critical information infrastructure. As an important regulation in China’s network security protection, they will become an important link in the network security protection system and an important cornerstone of governing cyberspace according to law.