After 5 Years, China’s Cybersecurity Rules for Critical Infrastructure Come Into Focus

Uncertainty about 'critical information infrastructure' suddenly replaced by new procedures

Published

August 18, 2021

Last revised

October 14, 2021

For five years since the finalization of China's Cybersecurity Law, one of the most consequential questions in Chinese technology policy has remained unanswered: How can we know who will be designated as "critical information infrastructure" (CII) operators and subject to some of the farthest-reaching provisions of the law?

The answer got much closer this week when the State Council released the "Critical Information Infrastructure Security Protection Regulations" (full translation here), effective next month. The Regulations provide long-awaited details about how CII operators will be designated and what their responsibilities will be to protect the security of networks that they build and operate.

Since the Cybersecurity Law went into effect in 2017, domestic and foreign companies have faced uncertainty about whether they would be deemed CII operators and therefore face regulatory obligations in data security, procurement, cross-border data flows, and other areas.

The category of CII has also been a factor in this year's attention-grabbing government regulatory barrage against ride-hailing giant DiDi Chuxing, which was implicitly declared a CII operator when the government announced it would subject the company to cybersecurity review using rules that only applied to CII.

As the DiDi campaign unfolded, a new draft of those rules was released that, if implemented, would scrutinize CII operators and data handlers that list on foreign stock exchanges. For entities large and small working in China, knowing whether one must comply with CII rules—and if so, how—is crucial for everything from everyday planning to avoiding regulatory crisis.

Critical Bureaucratic Infrastructure

The new Regulations were issued by the State Council and are binding on government ministries and departments at all levels. Their rollout coincides with the Data Security Law (DSL), a wide-ranging law on data handling that takes effect the same day as the CII Regulations, and the Personal Information Protection Law (PIPL), a privacy and personal data protection law expected to be passed this week.

The new Regulations clarify that the Ministry of Public Security (MPS) is to lead CII protection nationally, while sectoral regulators will be responsible for developing rules for designating CII in their areas of responsibility, and the Cyberspace Administration of China (CAC) plays a coordinating role (Article 3). CAC is also to coordinate an interagency cybersecurity information sharing mechanism (Article 23) and is to receive mandatory reports on cybersecurity incidents or threats along with the MPS (Article 18).

If this sounds like a recipe for a bureaucratic tug-of-war, that may be because it's the result of one: Key agencies such as CAC, MPS, the Ministry of Industry and Information Technology (MIIT), and the Ministry of State Security (MSS) have long had different approaches to cybersecurity—a situation that in part led to the original establishment of the CAC in 2014 and years of subsequent legislative efforts.

The new Regulations do not immediately resolve the overlap between the preexisting MPS-administered system for equipment security, known as the Multi-Level Protection System (MLPS, now in the process of revision to MLPS 2.0) and the CII protection regime—one of the biggest sources of confusion for companies navigating cybersecurity compliance in China. The key document underlying MLPS 2.0 remains in draft form, but it will likely deal with compliance around the procurement of approved equipment and software for networks at designated levels of sensitivity, many of which would likely also be designated CII.

The CII Regulations do, however, clarify obligations CII operators will have in performing their cybersecurity duties. They are required to stand up dedicated bodies for security management and staff them with people who have passed background checks assisted by the MPS and MSS security services (Article 14). The dedicated bodies are responsible for plans, assessment, emergency response, data protection, and interfacing with regulators—and CII operators are required to include them in cybersecurity and IT decision-making. The Regulations also institute requirements and approvals around outside cybersecurity services such as penetration testing.

The CII Framework in Context

China's approach to ensuring the cybersecurity of critical infrastructure appears to be much more proactive than similar efforts undertaken in the European Union and the United States. Under a May 2019 U.S. executive order on the security of information technology supply chains, for example, the Commerce Department is establishing a process for reviewing transactions across a broad swath of critical infrastructure sectors, focused on reducing risks around vendors deemed to be at risk of control by “foreign adversaries,” including China. This process is akin to Chinese efforts dating back more than a decade with MLPS to designate levels of concern and ensure operators procure equipment and software deemed less risky.

Neither the United States nor the European Union, however, has put in place a rigorous process of ongoing monitoring and evaluation for operators of critical infrastructure. The U.S. government does participate in threat information sharing among critical infrastructure sectors via public-private partnerships such as Information Sharing and Analysis Centers, but this does not include ongoing monitoring and evaluation of cybersecurity practices—as evidenced by the ransomware operation against Colonial Pipeline earlier this year.

The Chinese Regulations' requirement that vetted and dedicated security staff take part in CII operators' cybersecurity decision-making is in stark contrast to a U.S. approach reliant on the NIST Cybersecurity Framework, a voluntary baseline standard for cybersecurity hygiene that comes with no obligations or enforcement mechanisms, and certainly doesn't dictate who is at the table when decisions are made.

No Rest for the Cybersecurity Field

The CII Regulations were long-awaited, but they are now part of a broad profusion of cybersecurity and digital economy regulatory activity emerging in China that is not limited to the Cybersecurity Law regime itself. The Data Security Law and the Personal Information Protection Law each portend their own array of efforts to implement and make concrete their provisions.

The Regulations also add momentum to a broadening trend of sectoral regulators playing a crucial role in technology rule-making. Just as CII sectoral regulators will work to determine what is critical, data security rules are increasingly sector-specific.

Clarification: This article was edited to clarify that these Regulations issued by the State Council are binding on all levels of government, not just national ministries as had originally been written. [Aug. 19, 2021]