China’s Ambitious Rules to Secure ‘Critical Information Infrastructure’
New Draft Regulations Suggest Expansive Scope, Detail Responsibilities for Network Operators
China’s new cybersecurity law imposes special requirements when it comes to what it calls “critical information infrastructure” (CII). For instance, operators of CII are required to follow special security procedures, to store certain data within mainland China, and to use a new security review process when buying network equipment or services. Businesses working in or supplying a wide array of sectors in China have faced great uncertainty, however, because the law does not rigorously define what counts as CII and what doesn’t.
What constitutes CII?
This week China’s State Council issued new draft regulations (translated into English by us here) that provide the most authoritative look yet at the definitions of CII and the processes that will govern covered sectors. While revisions can be expected in response to public and industry comments, these draft regulations make clear that the reach of CII will be quite expansive. In addition to sectors previously mentioned in the Cybersecurity Law and other related measures, Chapter 3 of the new regulations names sectors such as media, specifically including radio stations, television stations, news agencies, and other such news work units. It also adds sanitation and healthcare, plus work units providing cloud computing, big data, and other such large-scale public information network services.
These specific sectors join the “public communication and information services, power, traffic, water resources, finance, public service, and e-government” sectors already named in the Cybersecurity Law, but the additional designations will answer only some industry questions. This is particularly true because, while Article 18 of these draft regulations lists a number of relatively broad categories to which CII could belong, Article 19 requires a seemingly discretionary process for identifying and recognizing CII—managed by the Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS). In turn, all line ministries in the Chinese administration will be required to identify and list the CII within their portfolio, a recipe for administrative one-upmanship and rent-seeking.
The rising role of standards
If the new evidence about how CII will be defined clarifies some matters, the draft regulations also suggest further clarification is in store by stating that new cybersecurity standards will be used to guide the work of protecting CII. These standards are likely under development by the National Information Security Standardization Committee, known as TC260, which is subordinate to CAC and now appears to be dominated by CAC priorities. It remains unclear how many standards related to CII are being developed, but there already appear to be nearly a dozen, including some that get into more granular detail about how many users a network operator must have to be considered a CII operator. This could be important for e-commerce providers among other businesses. It is already clear, however, that major e-commerce players such as Alibaba, Tencent, and JD.com are likely to fall under the CII rules. They could be included, for example, as cloud services and big data providers.
The new draft’s reference to standards also helps clarify the ways the formally nonbinding standards are given force through incorporation in regulations, but it remains to be seen how closely the detailed standards will be applied in practice. The reference to standards also underlines the interlinked nature of China’s developing digital policy regime. Laws such as the Cybersecurity Law provide broad frameworks, while regulations and measures guide implementation and add specificity, and standards provide more highly technical guidelines that may clarify otherwise murky principles. In a cross-sectoral and interlocking regime such as this, decision makers at various levels are likely to maintain significant discretion.
Visions of a coordinated cybersecurity ‘early warning system’
Chinese commentators (for example here) have initially hailed this draft regulation as a key part of the Cybersecurity Law and a major part of President Xi Jinping’s vision for a 24-hour cybersecurity situational awareness system for CII. The draft regulations would guide the establishment of an “early warning system” across a range of sectors to help operators anticipate threats and more quickly respond to incidents. They point out that the regulations in Article 38 call for the establishment of a cybersecurity information sharing system among the government, the private sector, and academia. The CAC headquarters and its subordinate cybersecurity and informatization departments at the provincial and more local levels are given a lead role in a range of actions and system development called for in the new regulations, such as organizing information sharing systems and conducting emergency response drills.
Overlapping responsibilities and uncertainty
Even as businesses face the challenges of a new and changing regulatory environment, Chinese officials will face broad challenges of their own. Regulators in CII sectors are given a role in operationalizing and enforcing the regulations once they are finalized, and some sectoral regulators may prove better prepared than others. There is also continuing uncertainty in the new draft regulations regarding the application of the MPS’ decade-old Multi-Level Protection Scheme (MLPS), which describes levels of critical infrastructure and comes with its own security reviews, and which the Cybersecurity Law references in relation to some CII operators. With CAC apparently the lead drafter of the new CII regulation and attempting to assert its primacy in cybersecurity policy in the context of ongoing struggles with MPS, the new document provides little clarity about the distinction in practice between reviews under MLPS and under the new Cybersecurity Review Regime—a separate process called for in the Cybersecurity Law that has been debated in China in the context of Microsoft’s Windows 10 China Government Edition. Some foreign cloud services providers, for example, have received Level 3 certification under the MLPS, and the status of these certifications remains in doubt under the new framework.
Expanding scope of sovereignty and local control
The draft regulations reiterate controversial data localization requirements in the Cybersecurity Law: Personal information and other “important data”—a still-vague term that will certainly be clarified in subsequent ministerial regulations and practice—must remain stored on Chinese territory, with a mandatory outbound data security review process if they are to be exported. The new draft regulations additionally would require the “operation and maintenance” of CII to take place on Chinese territory. While this seems self-evident with regard to infrastructure such as an electric grid that is fixed in place, Article 18 of the draft regulations defines CII not on the basis of location, but of ownership. Therefore, for instance, since “research and production” organizations in sectors including food, drugs, and chemicals may be identified as CII, their information infrastructure may be required to be operated and maintained from within China—even if significant activities take place overseas. The same could be said for any other CII operator. The question of whether such requirements would violate WTO disciplines may arise, but it is not so important in the short run: A case is unlikely to be brought any time soon, and even if China were to lose such a case, the effects in practice would likely be very limited. These deeper localization provisions may, however, hinder the internationalization of workflows for companies that China’s government might see as national champions, and lead to further tensions with international business associations.
What is next for Cybersecurity Law implementation?
Article 31 of the new draft regulations reiterates language in the Cybersecurity Law requiring that network products and services purchased by network operators must undergo a cybersecurity review under a new Cybersecurity Review Regime—the same new regime that may be in tension with the MPS-associated Multi-Level Protection Scheme as discussed above. The new review regime is awaiting an important next stage of implementation, including the naming of third-party review organizations that will evaluate products and the establishment of a Cybersecurity Review Committee and an associated Expert Committee, as called for in another recent regulatory document, the Interim Security Review Measures for Network Products and Services (see full translation here).
The new draft regulations on CII more explicitly link the Cybersecurity Review Regime to CII operators, and potentially expand the scope of reviews further down supply chains, thereby affecting companies that may not in themselves qualify as CII. That the Security Review Measures were labelled “Interim” highlights that fitting all the pieces of the ambitious framework being put together under the Cybersecurity Law is still very much a work in progress.