The State Council Information Office held a briefing, and the heads of 5 departments answered questions related to the “Regulations on the Security Protection of Critical Information Infrastructure”

On the afternoon of August 24th, the State Council Information Office held a regular briefing on State Council policies. Sheng Ronghua, Deputy Director of the State Internet Information Office, Sun Weimin, Director of the Cybersecurity Coordination Bureau of the State Internet Information Office, Sui Jing, Director of the Cybersecurity Administration of the Ministry of Industry and Information Technology, Wang Yingwei, Director of the Cyber Security Bureau of the Ministry of Public Security, and Zhang Yaoming, head of the Legislative Bureau of the Ministry of Justice, attended the briefing, introduced the “Regulations on the Security Protection of Critical Information Infrastructure” (hereinafter referred to as the “Regulations”), and answered questions from reporters.

The following is based on the live transcript of the briefing:

Sheng Ronghua, deputy director of the State Internet Information Office, introduced the background of the “Regulations”

Critical information infrastructure is the nerve center of economic and social operation and the top priority of network security. Ensuring the security of critical information infrastructure is of great significance to safeguarding national network security, cyberspace sovereignty and national security, safeguarding the healthy development of the economy and society, and safeguarding public interests and the legitimate rights and interests of citizens.

The Party Central Committee and the State Council attach great importance to the legislative work of critical information infrastructure security protection. rights and interests”. The Cybersecurity Law of the People’s Republic of China clarifies that the state implements key protections for critical information infrastructure, and the specific scope and security protection measures for critical information infrastructure are formulated by the State Council.

To implement the important instructions of General Secretary Xi Jinping and the decision-making and deployment of the Party Central Committee and the State Council, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security have drafted the “Regulations (Draft for Review)” on the basis of in-depth research and full demonstration in the early stage. The Ministry of Justice, together with relevant departments, has repeatedly studied and revised, and has twice solicited the opinions of relevant central units, local people’s governments, relevant associations, enterprises and institutions, experts and scholars on a large scale, and formed the “Regulations (Draft)”. On April 27, 2021, the “Regulations” were deliberated and adopted at the 133rd executive meeting of the State Council. On July 30, Premier Li Keqiang signed State Council Order No. 745 to announce the “Regulations”. The “Regulations” will be officially implemented on September 1.

The introduction of the “Regulations” is a specific measure to implement General Secretary Xi Jinping’s important thought on strengthening the country through the Internet, and it is also an institutional improvement of the successful experience of national network security and informatization work in recent years. The attention and appeal of China will provide a strong legal guarantee for my country’s in-depth development of critical information infrastructure security protection.

The “Regulations” has six chapters and 51 articles, mainly including six aspects: First, it clarifies the scope of critical information infrastructure and the principles and objectives of protection. The second is to clarify the supervision and management system. The third is to improve the key information infrastructure identification mechanism. Fourth, the responsibilities and obligations of operators are clarified. Fifth, the guarantee and promotion measures have been clarified. Sixth, the legal responsibilities of all aspects are clarified.

We believe that with the strong leadership of the CPC Central Committee and the State Council, with the “Regulations” as legal weapons, and with the joint efforts of relevant departments, operators and all sectors of society, the security protection of key information technology facilities will surely achieve greater results.

CCTV reporter from China Central Radio and Television Station: What are the current situations and problems facing the security protection of critical information infrastructure? What is the overall thinking and responsibility system for protection work established by the Regulations?

Sheng Ronghua, Deputy Director of the Cyberspace Administration of China: At present, the cybersecurity situation facing critical information infrastructure is still very severe and complex, and the deterrence of cyberattacks has increased, especially since the outbreak of the new crown pneumonia. Advanced persistent threats, cyber extortion, data theft and other incidents occur frequently, jeopardizing the stable operation of the economy and society, and there are still some shortcomings in network security protection work. We need to establish a special system to further clarify the responsibilities of all parties and accelerate the improvement of the ability to protect critical information infrastructure. In terms of the overall thinking of the protection work of the Regulations, the main points are to grasp the following points:

One is to stick to problem orientation. In view of the shortcomings and weak links in the security protection of critical information infrastructure, on the basis of refining the relevant provisions of the Cybersecurity Law of the People’s Republic of China, some practices that have proven mature in practice have been upgraded to laws and regulations. Work provides legal protection.

The second is the compaction of responsibility. Consolidate the responsibilities of all aspects, including the main responsibility of the operator, the coordination and supervision and management responsibility of the protection department, and the coordination and supervision responsibility of all aspects of the society. What is particularly emphasized and clarified here is the main responsibility of the operator, which is the foundation and the key. When the operator’s main responsibility is well implemented, the work of critical information infrastructure security protection can be done better.

The third is to do a good job of coordinating with relevant laws and administrative regulations. Under the general framework established by the Cybersecurity Law, we have refined relevant institutional measures and handled the relationship with other relevant laws and administrative regulations.

To implement the spirit of General Secretary Xi Jinping’s important instructions on “building a strong network security defense line, improving network security assurance capabilities, and strengthening the protection of key information infrastructure”, the “Regulations” further clarified the responsibilities of relevant parties. One is that operators of critical information infrastructure must fulfill their main responsibilities. It is a principle that “whoever operates is responsible”. In the general part of the “Regulations”, we have stipulated in principle the responsibilities of operators, and there are special chapters that detail the relevant regulations and requirements. The second is to protect the responsibility of the work sector. Implementing the principle of “who is in charge, who is responsible”, the “Regulations” clarifies the responsibilities of the protection work department for the security protection, supervision and management of key information infrastructure in the industry and this field. The third is the responsibility of the relevant functional departments of the state. For example, the public security department is responsible for guiding and supervising the security protection of critical information infrastructure. The competent telecommunications department and other relevant departments shall, in accordance with these Regulations and relevant laws and regulations, be responsible for the work of security protection and supervision and management within the scope of their respective duties. The “Regulations” also clarified that the relevant departments of the provincial people’s government, according to their respective responsibilities, should also implement security protection and supervision and management of critical information infrastructure, and put forward a series of guarantee and promotion measures.

In general, the top, bottom, left and right must jointly build a responsibility system for the security protection of critical information infrastructure, so as to build a strong national network security barrier.

Economic Daily reporter: The Regulations further improve the system of my country’s cybersecurity laws. What are the main considerations in the legislative process?

Sun Weimin, director of the Cybersecurity Coordination Bureau of the Cyberspace Administration of China: In recent years, the national cybersecurity and informatization department, together with the Ministry of Industry and Information Technology, the Ministry of Public Security and other departments, has comprehensively promoted the national cybersecurity assurance system and capacity building, and has carried out a series of solid and effective work. It has laid a solid foundation for the security protection of critical information infrastructure.

After the implementation of the “Regulations” on September 1, we will focus on the following aspects:

First of all, operators must fully implement the main responsibility for security protection, mainly from five aspects: First, establish and improve the network security protection system and responsibility system, implement the top-level responsibility system, and ensure the investment of human, financial and material resources. The second is to set up a special security management agency to participate in the decision-making of network security and informatization, and perform the 8 work responsibilities stipulated in the “Regulations”. The third is to carry out network security testing and risk assessment, and make timely rectification. Fourth, establish and implement a reporting system for cybersecurity incidents and cybersecurity threats. Fifth, give priority to purchasing safe and reliable network products and services, and apply for network security review in accordance with regulations.

Second, the protection work department must do a good job in safety protection and supervision and management, focusing on the following six aspects: First, formulate identification rules and organize identification. The second is to formulate a safety plan, clarifying the protection objectives, basic requirements, work tasks and specific measures. The third is to establish and improve the network security monitoring and early warning system, early warning and notification of network security threats and hidden dangers, and guide the security prevention work. Fourth, establish and improve emergency plans for network security incidents, and organize emergency drills on a regular basis. Fifth, instruct operators to do a good job in responding to cybersecurity incidents, and provide technical support and assistance as appropriate. Sixth, organize and carry out network security inspections and inspections, and guide supervisory operators to make timely rectifications.

Third, relevant national functional departments, under the overall coordination of the national cybersecurity and informatization department, perform their respective responsibilities, divide labor and cooperate, and work together to do a good job in the security protection of critical information infrastructure. The national cybersecurity and informatization department will take the lead and work with relevant departments to formulate and improve critical information infrastructure security regulations and standards. The second is to coordinate network security inspections and inspections to avoid unnecessary inspections, cross inspections, and repeated inspections. The third is to establish an approval mechanism for key information infrastructure vulnerability detection and penetration testing activities. Fourth, establish a sound network security information sharing mechanism. Fifth, strengthen the construction and management of network security service institutions. The sixth is to promote the formation of a benign ecology of talent training, technological innovation and industrial development.

The Ministry of Public Security is responsible for guiding and supervising the security protection of critical information infrastructure. The Ministry of Industry and Information Technology strengthens the security protection and supervision and management of basic telecommunication networks and important Internet infrastructure. State security organs, secrecy administrative departments, password management departments, etc. carry out relevant security protection work according to their responsibilities. The relevant departments of the provincial people’s government shall implement security protection and supervision and management of the key information base according to their respective responsibilities, and they shall carry out relevant work with reference to the supervision and management system at the central level.

Zhang Yaoming, head of the Legislative Bureau of the Ministry of Justice: At the end of last year, the Central Committee of the Communist Party of China issued the “Implementation Outline for the Construction of a Rule of Law Society (2020-2025)”, which proposed to improve the supporting regulations and standard system of the Cybersecurity Law, establish and improve the security protection of key information infrastructure, Network security management systems such as data security management and network security review. The State Council’s legislative work plan for this year also includes the Regulations on the Security Protection of Critical Information Infrastructures into the administrative regulations to be formulated and revised. In order to thoroughly implement the decision-making and deployment of the Party Central Committee and the State Council on the legislative work on the security protection of critical information infrastructure, the State Council recently announced the “Regulations”, which further complements and strengthens a key part of my country’s network security legal system, and provides my country’s in-depth development. The security protection of critical information infrastructure provides a solid legal guarantee.

In the process of promoting the promulgation of the “Regulations”, the Ministry of Justice focuses on handling the following aspects:

First, properly handle the relationship between security and development. The “Regulations” insist on paying equal attention to security protection and promotion of development. While clarifying the security protection supervision and management system for critical information infrastructure, improving the identification mechanism for critical information infrastructure, and strengthening the cybersecurity responsibility of critical information infrastructure operators, it proposes to cultivate and develop cybersecurity specialties. Talents, promote key information infrastructure security protection technology innovation and industrial development, and improve the guarantee and promotion of the capacity level of network security service agencies.

The second is to properly handle the relationship with the Cybersecurity Law and related legislation. Under the institutional framework established by the Cybersecurity Law, the Regulations further refine the specific institutional requirements for the security protection of critical information infrastructure. At the same time, attention should be paid to the connection and coordination with relevant laws and regulations such as the Data Security Law, the Personal Information Protection Law, the Law on Guarding State Secrets, and the Regulations on the Security Protection of Computer Information Systems in terms of system design and terms and conditions.

The third is to properly handle the relationship between overall planning and responsibility and co-management and co-governance. The construction of the Internet rule of law in my country adheres to the idea of transforming from supervision and management to comprehensive governance, and adheres to the governance principles of comprehensive co-governance and multiple coordination. The “Regulations” not only reflect the concept of comprehensive coordination and division of responsibilities in the system design, but also pay attention to give full play to the roles of critical information infrastructure operators, government departments and all aspects of society to jointly protect the security of critical information infrastructure.

The fourth is to properly handle the relationship between laws and regulations, technical standards and other measures. While strengthening the network security protection obligations of key information infrastructure operators, key information infrastructure protection departments and other relevant subjects, the Regulations also propose to formulate and improve key information infrastructure security standards, adopt technical protection measures and other necessary measures, to further standardize and improve the security protection of critical information infrastructure.

Reporter from China Radio and Television: According to the “Regulations”, what are the responsibilities and tasks of the public security organs, and what aspects will the public security organs plan to strengthen in the next step to strengthen the security protection of key information infrastructure?

Wang Yingwei, Director of the Cyber Security Bureau of the Ministry of Public Security: The Ministry of Public Security attaches great importance to the security protection of critical information infrastructure. In recent years, on the basis of in-depth implementation of the network security level protection system, the Ministry of Public Security has organized the national public security organs to continuously strengthen network security protection work, effectively safeguarding the security of the country’s key information infrastructure. There are five main tasks involving public security organs in the “Regulations”: The first is to guide and supervise the security protection of critical information infrastructure. The second is to organize and guide the protection work department to formulate and record the rules for the identification of critical information infrastructure, and guide the identification of critical information infrastructure. The third is to monitor and dispose of major cybersecurity incidents or major cybersecurity threats to critical information infrastructure, provide technical support and assistance to protection departments, and assist operators in conducting security background checks on core personnel. Fourth, conduct network security inspections and inspections on critical information infrastructure in accordance with the law, and manage activities such as vulnerability detection and penetration testing that may affect or endanger the security of critical information infrastructure. Fifth, in accordance with statutory duties, strengthen the security of critical information infrastructure, and prevent and combat illegal and criminal activities that target and utilize critical information infrastructure.

In the next step, the public security organs will thoroughly implement the “Regulations” on the basis of the previous work, earnestly perform the statutory duties of the public security organs, and make every effort to ensure the security of key information infrastructure. First, under the overall coordination of the Cyberspace Administration of China, together with relevant departments, we will continue to improve and improve the critical information infrastructure security protection policy and standard system. At the same time, organize the national public security organs to strengthen the guidance and supervision of the security protection of critical information infrastructure. The second is to continue to organize and carry out the identification of critical information infrastructure in accordance with the “Regulations”. Strengthen dynamic management and lay the foundation for the security protection, protection and assurance of critical information infrastructure. The third is to strengthen the security supervision and inspection of key information infrastructure, strengthen administrative law enforcement, and urge key units to fulfill their security protection responsibilities and obligations in accordance with the law. In response to the outstanding security problems of key information infrastructure, special rectifications were organized to investigate and rectify potential security risks and improve security protection capabilities. Fourth, relying on the national network and information security information notification mechanism, strengthen network security monitoring, notification and early warning, and emergency response to prevent network security incidents and threat risks. Fifth, strengthen the investigation and handling of critical information infrastructure security incidents and case investigation, and severely crack down on illegal and criminal activities that endanger the security of critical information infrastructure.

Xinhua News Agency: The “Regulations” specifically refers to the provisions on basic telecommunications network security, and proposes that the state should take measures to give priority to ensuring the safe operation of key information infrastructure such as energy and telecommunications. What considerations does the country have in ensuring the security of basic telecommunication networks?

Sui Jing, Director of the Network Security Administration of the Ministry of Industry and Information Technology: Network facilities in the telecommunications industry, such as basic telecommunications networks and important Internet infrastructure, are not only key information infrastructure in themselves, but also provide network communication and information services for key information infrastructure in other industries; once it is attacked and destroyed by the network, it will bring serious impact. Therefore, Article 3 of the “Regulations” stipulates that the competent telecommunications department of the State Council shall be responsible for the security protection, supervision and management of key information infrastructure in the telecommunications industry in accordance with the provisions of these Regulations and relevant laws and administrative regulations. Article 31 stipulates that activities such as vulnerability detection and penetration testing on basic telecommunication networks shall be reported to the competent telecommunication department of the State Council in advance. Article 32 stipulates that the state shall take measures to give priority to ensuring the safe operation of key information infrastructure such as energy and telecommunications. The Ministry of Industry and Information Technology, as the competent department of the telecommunications industry, supervises and manages the security protection of key information infrastructure in the telecommunications industry in accordance with laws and regulations in the joint efforts to promote the security protection of critical information infrastructure, focusing on the following aspects:

The first is to perform duties earnestly. For the security protection and supervision and management of basic telecommunications networks and important Internet infrastructure, the Ministry of Industry and Information Technology will strictly implement the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and the Regulations on the Security Protection of Critical Information Infrastructures. The “Administrative Measures for the Security Protection of Communication Networks” and other relevant provisions of laws, regulations and departmental rules shall effectively perform the responsibilities of the protection work department and consolidate the main responsibility of operators of key information infrastructure in the telecommunications industry.

The second is to strengthen relevant supervision and management work, continue to improve the security supervision and management mechanism of the telecommunications industry, and improve the industry network security standard system. Strengthen the construction of technical capabilities such as network security protection, data security protection, monitoring and early warning, and emergency response, carry out security inspections, urge operators to implement rectification, and strengthen the support of the network security industry. Especially considering the extreme importance of basic telecommunication networks in national economic and social activities and the extremely high stability requirements of public communication and information services, our ministry will strengthen supervision and management, and strictly regulate the vulnerability detection and penetration of basic telecommunication networks test activity.

The third is to do a good job in priority guarantees and key guarantees. The Ministry of Industry and Information Technology will work with relevant departments to increase capital investment, technological innovation, and talent cultivation, and give priority to ensuring the safe operation of key information infrastructure in the telecommunications industry. At the same time, the Ministry of Industry and Information Technology will also actively take measures to provide key guarantees for the safe operation of key information infrastructure in other industries and fields, and provide timely technical support and assistance according to the needs of protection departments.

Cover reporter: The “Regulations” clarifies how to define critical information infrastructure. What is the significance of this for subsequent security protection work? What are the core criteria for recognition?

Wang Yingwei, Director of the Cyber Security Bureau of the Ministry of Public Security: Identifying and identifying critical information infrastructure is the premise of security protection work. The “Regulations” proceed from my country’s national conditions and learn from common foreign practices to stipulate the definition, scope and identification procedures of critical information infrastructure. It is helpful for the state to clarify the key targets of network security protection, and take effective measures to implement key protection. At the same time, it also lays a foundation for the subsequent implementation of the responsibility for the security protection of critical information infrastructure, strengthening the security protection of critical information infrastructure, and ensuring and promoting the security of critical information infrastructure.

For the identified core standards, according to the “Regulations”, three factors are mainly considered: First, network facilities and information systems play a fundamental supporting role in the industry and key core businesses in this field. Second, once network facilities, information systems, etc. are damaged, lose their functions, or leak data, it may seriously endanger national security, national economy, people’s livelihood, and public interests. The third is to have an important impact on other industries and fields. The critical information infrastructure protection department will focus on the above factors, and in light of the actual situation in the industry and field, formulate rules for the identification of critical information infrastructure, report it to the public security department of the State Council for the record, and organize key information in the industry and field according to the identification rules. Infrastructure certification.

Hong Kong China Review Press: How will the relevant departments do a good job in the export supervision of important data in critical information infrastructure? What responsibilities and obligations do operators need to perform?

Sun Weimin, Director of the Cybersecurity Coordination Bureau of the Cyberspace Administration of China: Article 37 of the Cybersecurity Law of the People’s Republic of China stipulates that the personal information and important data collected and generated by operators of critical information infrastructure during their operations within the territory of the People’s Republic of China shall be stored within the territory of the People’s Republic of China. If it is really necessary to provide it overseas due to business needs, a security assessment shall be conducted in accordance with the methods formulated by the national cybersecurity and informatization department in conjunction with the relevant departments of the State Council; if there are other provisions in laws and administrative regulations, such provisions shall be followed.

Since the beginning of this year, the newly promulgated “Data Security Law of the People’s Republic of China” and “Personal Information Protection Law of the People’s Republic of China” have made continuous provisions on the export system of personal information and important data involved in critical information infrastructure. Among them, Article 31 of the “Data Security Law of the People’s Republic of China” stipulates that “the security management of the exit of important data collected and generated by operators of critical information infrastructure during their operations within the territory of the People’s Republic of China shall be governed by the ‘Network Security Law of the People’s Republic of China’.” Article 40 of the “Personal Information Protection Law of the People’s Republic of China” stipulates that “critical information infrastructure operators and personal information processors whose processing of personal information reaches the number specified by the national cybersecurity and informatization department shall store the personal information in China. If it is really necessary to provide it overseas, it should pass the security assessment organized by the national network information department; if the laws, administrative regulations and the national network information department stipulate that the security assessment may not be carried out, the regulations shall be followed.”

The Paper: Chapter 3 of the Regulations specifically clarifies the responsibilities and obligations of operators. What new requirements do these responsibilities and obligations place on operating units?

Sui Jing, Director of the Cyber Security Administration of the Ministry of Industry and Information Technology: In recent years, the Ministry of Industry and Information Technology has conscientiously implemented the “Cybersecurity Law”, successively issued a number of departmental regulations such as the “Administrative Measures for the Protection of Communication Network Security”, issued nearly 20 normative documents, including the “Measures for Public Internet Network Security Threat Monitoring and Handling” and the “Emergency Response Plan for Public Internet Network Security”, promulgated and implemented more than 300 network and information security standards, and continued to organize and carry out network security supervision and inspections in the telecommunications and Internet industries, improving network infrastructure security protection capabilities.

In the next step, the Ministry of Industry and Information Technology will conscientiously implement the “Regulations”, further clarify the main responsibilities of key information infrastructure operators in the industry, and focus on improving the industry supervision mechanism, improving the technical capability system, strengthening supervision and inspection, and strengthening the network security industry. In terms of support and other aspects, urge operators to effectively implement the responsibility requirements.

First, improve the safety supervision and management mechanism. The Ministry of Industry and Information Technology will speed up the revision of the “Administrative Measures for Security Protection of Communication Networks”, and do a solid job in the connection and implementation of industry policy systems and regulations. Improve the industry network security standard system, formulate and issue a series of standards for the security protection of key information infrastructure in the industry, and promote the implementation. Continue to promote the identification and identification of key information infrastructure in the industry.

The second is to improve the safety technology capability system. Organize the construction and operation of technical measures such as network security protection, data security protection, monitoring and early warning, and emergency response for key information infrastructure in the industry, build and improve security monitoring and incident handling mechanisms, and promote the enhancement of collaborative security risk prevention capabilities.

The third is to strengthen industry safety supervision and inspection. Supervise and manage the industry’s key information infrastructure operators to implement the main responsibility for security, improve the network security supervision and inspection mechanism for the industry’s key information infrastructure, carry out in-depth inspections and inspections of the industry’s key information infrastructure security protection, and urge the rectification of hidden network security issues.

The fourth is to strengthen the support of the network security industry. Carry out pilot demonstrations of network security technology application, and support the innovative application of security technology for critical information infrastructure. Improve the supply level of network security products and services, hold multi-level network security skills competitions, and strengthen the support and guarantee of talent teams.
