Strengthening Legislation and Regulation for the Protection of Critical Information Infrastructure
[Counselor's Office]
Author: Zhou Hui
As the new generation of information technology, characterised by digitisation, networking and intelligence, is applied across every sector of the economy and society, the critical information infrastructure of important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance and public services has become the nerve centre of economic and social operation, and its security protection has become the top priority of cybersecurity work. Against a backdrop of cyber attacks that are growing in both scope and severity worldwide, many countries and regions have used legislation to adjust and improve their existing strategies for protecting critical information infrastructure, to strengthen protection responsibilities and to promote supply chain security. Proceeding from the new situation and grasping the new trends, China needs to further advance legislation and supervision for critical information infrastructure protection and enhance its ability to shape the cybersecurity situation.
Critical information infrastructure protection faces new challenges
The challenges facing critical information infrastructure protection are multifaceted and come from many directions: there are online threats originating in cyberspace and offline threats originating in the physical world; natural disasters and unexpected events must be considered alongside shifts in international relations and supply chain disruptions. The harm caused by a critical information infrastructure security incident is no longer confined to damaged network communications and data leakage; it can spread further and trigger a chain reaction in traditional industries such as energy and electricity, public services, healthcare and transportation, affecting national security.
First, the role of critical information infrastructure operators in the protection system is becoming increasingly prominent. Operators must not only continuously strengthen protective measures, develop security plans and improve their protection systems, but also communicate and cooperate more closely with public security and cyberspace administration departments in order to cope with constantly changing risks. Some countries have imposed, or are imposing, more obligations on comparable entities within their jurisdictions, such as requiring critical infrastructure operators to report cyber incidents and ransomware attacks to designated authorities within a specified period; expanding the range of responsible parties, prescribing more specific security measures and permitting stricter supervision and enforcement; and requiring operators of key network systems to develop security protection plans within a prescribed period and submit them to regulators.
Second, cyber resilience has become a central focus of critical information infrastructure protection. Resilience building shifts the emphasis from ex ante risk prevention and control alone to response and recovery during and after an incident: operators are required to be able to minimise the impact of a cybersecurity incident and to restore normal operation of core business at the lowest cost and in the shortest time once an incident occurs. China's digital economy is developing strongly, and its number of internet users and the scale of its network infrastructure are among the largest in the world; if critical information infrastructure were hit by a cybersecurity incident and could not be restored promptly, the losses would be immeasurable. Cyber resilience has accordingly become an important practical direction for critical information infrastructure protection internationally. For example, the Cyber Resilience Act proposed by the European Union in 2022, together with the recently adopted Digital Operational Resilience Act and the Critical Entities Resilience Directive, all contain provisions to improve the resilience of critical entities or of their network hardware and software, requiring them to prevent and withstand disruptive events and to recover from them in a timely manner. Some countries have also proactively planned and implemented resilience building programmes, including issuing guidelines, assisting operators with risk assessment and running security exercises, with the aim of improving the ability to track, respond quickly to and defend against cyber attacks and of helping critical information infrastructure operators assess and raise their level of resilience.
Third, sufficient attention must be paid to external risks in the critical information infrastructure supply chain. If the supply of core technologies, products and services cannot be independently controlled, the affected industries rest on an unstable foundation and face the risk of being cut off and "choked" at critical moments. With reference to the latest developments in supply chain security practice abroad, the following approaches merit consideration: first, requiring critical information infrastructure operators to strengthen their ability to identify and reduce risks in the supply chain and in the third-party products and services they use; second, requiring operators to improve the full lifecycle security of critical information infrastructure and of other equipment on which daily operations heavily depend; and third, requiring domestic substitution of the software, hardware and services used in the important components of critical information infrastructure, so as to ensure the autonomy and controllability of the supply chain.
Enhancing the protection capability and level of China's critical information infrastructure
China attaches great importance to the protection of critical information infrastructure. The draft Decision on Amending the Cybersecurity Law of the People's Republic of China, released for public comment in September 2022, likewise aims to increase the legal liability of critical information infrastructure operators for violations. The national standard Information security technology—Critical information infrastructure security protection requirements (GB/T 39204-2022) formally took effect on May 1 this year. Facing new trends in technological innovation and international competition, China should take the holistic approach to national security as its guide, further strengthen legislation and regulation, and enhance the protection capability and level of its critical information infrastructure.
First, refine the legal rules so that they better fit the protection needs of different scenarios. Establish targeted, specific protection requirements for critical information infrastructure in different industries and fields, so as to make compliance expectations clearer and enforcement more workable. For example, building on Article 18 of the Regulations on the Security Protection of Critical Information Infrastructure, further specify the time limits, procedures and platform for mandatory reporting of cybersecurity incidents.
Second, raise the standard of regulation and make security supervision more effective. By comprehensively using regulatory measures such as planning and early warning, attack and defence drills, inspections and penalties, and warning notifications, strengthen the primary responsibility of operators whose systems have been identified as critical information infrastructure, and guide and empower them to adopt security strategies suited to each individual piece of critical information infrastructure. Develop applied regulatory technology and strengthen the ability to regulate technology by means of technology.
Third, focus on supply chain security and cyber resilience to enhance the protection capability of critical information infrastructure. Drive innovation through application and ensure security through innovation; enhance the autonomy and controllability of key technologies, equipment and products; improve the capacity for domestic substitution of software and hardware; and ensure the security of important critical information infrastructure equipment and products across the whole industry chain and lifecycle. Improve operators' security control capabilities so that they can effectively counter the adverse effects of security incidents and quickly restore stable operation.
Fourth, adhere to common security and respond actively and prudently to international change: track and assess legislative and policy developments concerning critical information infrastructure abroad, improve blocking mechanisms, and respond lawfully and effectively to unreasonable measures imposed under the pretext of security. While opposing the formation of exclusive "small circles", strengthen international cooperation on critical information infrastructure protection through bilateral and multilateral frameworks. Encourage critical information infrastructure operators and the producers of related products and equipment to take an active part in developing international technical standards on the basis of China's practical experience, so as to offer the international community mutually beneficial, secure and efficient Chinese standards and solutions in the relevant fields, contribute China's strength to safeguarding the security of critical information infrastructure supply chains, and jointly build a community with a shared future in cyberspace.
Guangming Daily