First, legislation on the security protection of critical information infrastructure is an important part of each country's cybersecurity strategy
(1) The complex and grave global cybersecurity situation poses new challenges to the security and protection of critical information infrastructure in all countries. Recently, the infrastructure and important information systems of many countries have been subjected to cyber attacks, causing global shock and posing huge risks to national security and stability. In particular, in 2021, the largest fuel pipeline operator in the United States and the world's largest meat processing enterprise were shut down by hacker attacks. The resulting damage to infrastructure affected the operation of the national and even global economy, had a chain impact on the whole industrial chain, and triggered global reflection on strengthening the security protection of critical information infrastructure. Recently, major countries and regions in the world have strengthened the security protection of critical infrastructure. The United States not only significantly increased funding for critical infrastructure cybersecurity, but also proposed a number of bills and official guidelines to strengthen critical infrastructure cybersecurity and prevent ransomware attacks. The EU has also made improving the protection and resilience of critical infrastructure a top priority for cybersecurity over the next five years in the EU Security Union Strategy.
(2) Major countries and regions in the world have taken critical infrastructure legislation as the most critical link in cybersecurity legislation. The United States and Europe started earlier in critical infrastructure legislation. The United States promulgated the Critical Infrastructure Protection Act of 2001 as early as 2001, followed by the Executive Order on Improving Critical Infrastructure Network Security and the Executive Order on Enhancing Federal Government Network and Critical Infrastructure Network Security. With the increasingly severe cybersecurity situation, the United States has actively adjusted its cybersecurity protection strategy, and recently issued the Interim National Security Strategic Guideline for 2021 and the Executive Order on Strengthening National Cybersecurity for 2021. The EU has introduced several pieces of legislation related to the protection of critical infrastructure, including the 2008 EU Directive on the Identification and Security Assessment of Critical Infrastructure and the 2016 Directive on Network and Information Security. Russia enacted the Federal Critical Information Infrastructure Security Act in 2017, and Australia enacted the Critical Infrastructure Security Act in 2018. In addition, the United Kingdom, Germany, Japan and other countries have also introduced relevant legislation and policies for the protection of critical infrastructure.
(3) China's Cybersecurity Law emphasizes a higher level of protection for critical information infrastructure. On the basis of clarifying the basic system of national network security, China's Cybersecurity Law, introduced in 2016, stipulates a higher level of security protection requirements for critical information infrastructure. The Cybersecurity Law provides for the key protection of critical information infrastructure, and Chapter 3, "Network Operation Security", sets up a single section that specifically provides for the security protection of critical information infrastructure. Higher requirements are put forward for security management measures such as technical measures, personnel mechanisms, data security, and risk assessment involved in the security protection of critical information infrastructure. The Law also emphasizes that the security protection system of critical information infrastructure should be further improved through supporting legislation, highlighting the important position of critical information infrastructure in the overall national network security system.
The Regulations establish specific institutional requirements for the security protection of China's critical information infrastructure
The Cybersecurity Law makes general provisions on the objects of implementation, the responsible parties, and the work content of the security protection system for critical information infrastructure. As an important supporting regulation of the Cybersecurity Law, the Regulations are oriented toward practical implementation and define a series of basic elements of critical information infrastructure security protection, such as the scope of application, regulatory subjects, and assessment objects. They put forward security protection requirements and security measures so that the protected objects are specific, rights and responsibilities are clear, and tasks are clear, and they provide systematic guidance and a compliance basis for security protection work.
(1) Determine the scope of protected objects. Article 2 of the Regulations gives a clear definition of critical information infrastructure. Article 9 puts forward the key considerations for the protection work department in formulating identification rules, and establishes that the protection work department is responsible for formulating the identification rules and lists of critical information infrastructure in its industry and field. On the one hand, the identification rules and lists must be formed on the basis of reality, fully combined with the characteristics and importance of the business in the industry and field, so that the scope of the list is accurately defined on the basis of quantitative index parameters; on the other hand, the list should be dynamically adjusted and updated along with the development of national cybersecurity and informatization.