Open a new stage in the security protection of critical information infrastructure

First, legislation on the security protection of critical information infrastructure is an important part of each country's cybersecurity strategy

(1) The complex and grave global cyber security situation poses new challenges to the security and protection of critical information infrastructure in all countries. Recently, the infrastructure and important information systems of many countries have been subjected to cyber attacks, causing global shock and posing huge risks to national security and stability. In particular, in 2021, the largest fuel pipeline operator in the United States and the world's largest meat processing enterprises were shut down due to hacker attacks, resulting in damage to infrastructure affecting the operation of the national and even global economy, having a chain impact on the whole industrial chain, and triggering global thinking on strengthening the security protection of critical information infrastructure. Recently, major countries and regions in the world have strengthened the security protection of critical infrastructure. The United States not only significantly increased funding for critical infrastructure cybersecurity, but also proposed a number of bills and official guidelines to strengthen critical infrastructure cybersecurity and prevent ransomware attacks. The EU has also made improving the protection and resilience of critical infrastructure a top priority for cybersecurity over the next five years in the EU Security Union Strategy.

(2) Major countries and regions in the world have taken critical infrastructure legislation as the most critical link in cybersecurity legislation. The United States and Europe started earlier in critical infrastructure legislation. The United States promulgated the Critical Infrastructure Protection Act of 2001 as early as 2001, followed by the Executive Order on Improving Critical Infrastructure Network Security and the Executive Order on Enhancing Federal Government Network and Critical Infrastructure Network Security. With the increasingly severe cybersecurity situation, the United States has actively adjusted its cybersecurity protection strategy, and recently issued the Interim National Security Strategic Guideline for 2021 and the Executive Order on Strengthening National Cybersecurity for 2021. The EU has introduced several pieces of legislation related to the protection of critical infrastructure, including the 2008 EU Directive on the Identification and Security Assessment of Critical Infrastructure and the 2016 Directive on Network and Information Security. Russia enacted the Federal Critical Information Infrastructure Security Act in 2017, and Australia enacted the Critical Infrastructure Security Act in 2018. In addition, the United Kingdom, Germany, Japan and other countries have also introduced relevant legislation and policies for the protection of critical infrastructure.

(3) China's cybersecurity Law emphasizes a higher level of protection for critical information infrastructure. On the basis of clarifying the basic system of national network security, China's cybersecurity Law introduced in 2016 stipulates a higher level of security protection requirements for critical information infrastructure. The Cybersecurity Law provides for the key protection of critical information infrastructure, and in Chapter 3, "Network Operation Security", a single section is set up to specifically provide for the security protection of critical information infrastructure. Higher requirements are put forward for security management measures such as technical measures, personnel mechanisms, data security, and risk assessment involved in the security protection of critical information infrastructure, and it is emphasized that the security protection system of critical information infrastructure should be further improved through supporting legislation, highlighting the important position of critical information infrastructure in the overall national network security system.

The Regulations establish specific institutional requirements for the security protection of China's critical information infrastructure

The Cybersecurity Law makes general provisions on the relevant implementation objects, responsibility subjects, and work contents of the security protection system for critical information infrastructure. As an important supporting regulation of the Cybersecurity Law, the Regulations are implemented based on work and define a series of basic elements related to the security protection of critical information infrastructure such as the scope of application, regulatory subjects, and assessment objects. Security protection requirements and security measures are put forward to ensure specific objects, clear rights and responsibilities, and clear tasks, and to provide systematic guidance and work compliance for security protection work.

(1) Determine the scope of protected objects. Article 2 of the Regulations gives a clear definition of critical information infrastructure, Article 9 puts forward the key considerations for the protection work department to formulate identification rules, and determines that the protection work department is responsible for formulating the identification rules and lists of critical information infrastructure in the industry and the field. On the one hand, the formation process of the identification rules and lists must be based on the reality, fully combined with the characteristics and importance of the industry and the field of business, and achieve the accurate definition of the scope of the list on the basis of quantitative index parameters; On the other hand, the list should be dynamically adjusted and updated along with the development of national cybersecurity and informatization.

(2) Clarify the division of oversight responsibilities. In order to ensure the smooth development of the security protection of critical information infrastructure, the Regulations set up a scientific and rigorous supervision and management mechanism. At the national level, the national network information department is responsible for overall coordination, the public security department of The State Council is responsible for guidance and supervision, and the telecommunications department of The State Council and other relevant departments are responsible for the security protection, supervision and management of key information infrastructure of the industry; At the local level, the relevant departments of the provincial people's governments are responsible for the security protection, supervision and management of critical information infrastructure. It not only effectively ensures the unified, orderly and coordinated promotion of the security protection of critical information infrastructure, but also gives full play to the professional advantages of specific industry sectors to improve the security protection of critical information infrastructure.

3. Strengthening primary responsibility for security. The Regulations emphasize that critical information infrastructure operators (hereinafter referred to as operators) assume the main responsibility for the security protection of critical information infrastructure, and set strict requirements for the operators' own security management mechanism. The first is to emphasize the responsibility of the main person in charge, and make it clear that the main person in charge of the operator is responsible for the security protection of critical information infrastructure. The second is to require the establishment of a special security management organization, which is specifically responsible for the security protection of the critical information infrastructure of the unit. The third is the implementation of security background checks for personnel in key positions, including the person in charge of the operator's special safety management agency and the personnel identified as key positions. The fourth is to ensure the operation of the special safety management agency, and provide funds and professional personnel protection for the special safety management agency of the unit.

(4) Detailed security protection requirements. The Regulations strengthen the security protection of critical information infrastructure and put forward higher security protection requirements for operators on the basis of the Network Security Law. The first is to implement the "three synchronization" requirements, requiring security protection measures and critical information infrastructure synchronous planning, synchronous construction, synchronous use, critical information infrastructure from the date of inclusion in the list of key information infrastructure, in the design and construction (expansion), operation and maintenance, emergency recovery, decommissioning and waste stages, should ensure the implementation of security protection covering the whole life cycle. The second is to carry out regular security testing and risk assessment, and the operator must carry out network security testing and risk assessment at least once a year, which can be carried out by itself or commissioned by network security service agencies. The third is to fulfill the obligation of reporting security incidents and threats, in the event of a major cybersecurity incident or the discovery of a major cybersecurity threat, the operator shall report to the relevant departments. The fourth is to implement the requirements of network security review, operator procurement of network products and services may affect national security, should be in accordance with the national network security provisions for security review. Fifth, to strengthen monitoring and early warning and information sharing, the Regulations propose to establish and improve the network security monitoring and early warning system for critical information infrastructure, accurately grasp the operation of critical information infrastructure, and promote network security information sharing.

5. Strengthening key security guarantees. First, the implementation of vulnerability detection, penetration testing and other activities for critical information infrastructure should be approved by the national network information department, the public security department of The State Council, or authorized by the protection department and the operator. Activities such as vulnerability detection and penetration testing of basic telecommunications networks shall be reported to the competent department of telecommunications under The State Council in advance. Second, the energy and telecommunications industries provide important support and resource guarantee for the stable operation of key information infrastructure in finance, water conservancy, transportation and other industries, and the basic telecommunications network is also basic and global, carrying other key information infrastructure. The state will take measures to give priority to the safe operation of key information infrastructure such as energy and telecommunications. The energy and telecommunications industries will provide key guarantees for the safe operation of critical information infrastructure in other industries and fields.

Third, the new stage of critical information infrastructure security protection

1. Improving the system of supporting standards and regulations. First, accelerate the formulation and introduction of national standards around the common security needs and baseline security requirements of critical information infrastructure. Second, the protection work department focuses on the actual conditions and characteristics of the industry, deeply promotes the construction of key information infrastructure standards in the industry, and organizes the implementation. The third is to carry out in-depth research on the management mechanism in key aspects such as operators' responsibilities and obligations, information sharing mode, collaborative disposal mechanism, and security protection capability identification.

(2) Deepening the implementation of industry supervision responsibilities. The first is to guide and supervise the industry operators to implement the main responsibility of security, and do a solid job in the security protection of key information infrastructure such as network security threat monitoring and disposal, network security review. The second is to improve the supervision and inspection mechanism, and strengthen the security protection inspection and risk assessment of key information infrastructure in the industry. The third is to build and improve the emergency support system, establish technical support means such as situational awareness and emergency command, organize and carry out scenario-based, thematic and joint emergency drills, and build a team of experts.

3. We will strengthen demonstrations of the application of new technologies and models. First, strengthen research on innovation and development, and actively use new technologies such as cloud computing, big data, and artificial intelligence to enhance the cybersecurity capabilities of critical information infrastructure. The second is to establish an innovation incentive mechanism, deepen the innovative application and pilot demonstration of advanced cybersecurity technologies, gather the strength of the cybersecurity industry, and strengthen the supply of cybersecurity capabilities for critical information infrastructure. The third is to carry out the assessment and continuous optimization of the network security capability of critical information infrastructure, and objectively assess the level of network security capability. Choose the direction of improving security capability in a scientific way.