China’s Ambitious Rules to Secure ‘Critical Information Infrastructure’

China’s new cybersecurity law imposes special requirements when it comes to what it calls “critical information infrastructure” (CII). For instance, operators of CII are required to follow special security procedures, to store certain data within mainland China, and to use a new security review process when buying network equipment or services. Businesses working in or supplying a wide array of sectors in China have faced great uncertainty, however, because the law does not rigorously define what counts as CII and what doesn’t.

What constitutes CII?

This week China’s State Council issued new draft regulations (translated into English by us here) that provide the most authoritative look yet at the definitions of CII and the processes that will govern covered sectors. While revisions can be expected in response to public and industry comments, these draft regulations make clear that the reach of CII will be quite expansive. In addition to sectors previously mentioned in the Cybersecurity Law and other related measures, Chapter 3 of the new regulations names sectors such as media, specifically including radio stations, television stations, news agencies, and other such news work units. It also adds sanitation and healthcare, plus work units providing cloud computing, big data, and other such large-scale public information network services.

These specific sectors join the “public communication and information services, power, traffic, water resources, finance, public service, and e-government” sectors already named in the Cybersecurity Law, but the additional designations will answer only some industry questions. This is particularly true because, while Article 18 of these draft regulations lists a number of relatively broad categories to which CII could belong, Article 19 requires a seemingly discretionary process for identifying and recognizing CII—managed by the Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS). In turn, all line ministries in the Chinese administration will be required to identify and list the CII within their portfolio, a recipe for administrative one-upmanship and rent-seeking.

The rising role of standards

If the new evidence about how CII will be defined clarifies some matters, the draft regulations also suggest further clarification is in store by stating that new cybersecurity standards will be used to guide the work of protecting CII. These standards are likely under development by the National Information Security Standardization Committee, known as TC260, which is subordinate to CAC and appears to now be dominated by CAC priorities. It remains unclear how many standards related to CII are being developed, but there already appear to be nearly a dozen, including some that get into more granular detail about how many users a network operator must have to be considered a CII operator. This could be important for e-commerce providers among other businesses. It is already clear, however, that major e-commerce players such as Alibaba, Tencent, and JD.com are likely to fall under the CII rules. They could be included, for example, as cloud services and big data providers.

The new draft’s reference to standards also helps clarify the ways the formally nonbinding standards are given force through incorporation in regulations, but it remains to be seen how closely the detailed standards will be applied in practice. The reference to standards also underlines the interlinked nature of China’s developing digital policy regime. Laws such as the Cybersecurity Law provide broad frameworks, while regulations and measures guide implementation and add specificity, and standards provide more highly technical guidelines that may clarify otherwise murky principles. In a cross-sectoral and interlocking regime such as this, decision makers at various levels are likely to maintain significant discretion.

Visions of a coordinated cybersecurity ‘early warning system’

Chinese commentators (for example here) have initially hailed this draft regulation as a key part of the Cybersecurity Law and a major part of President Xi Jinping’s vision for a 24-hour cybersecurity situational awareness system for CII. The draft regulations would guide the establishment of an “early warning system” across a range of sectors to help operators anticipate threats and more quickly respond to incidents. They point out that the regulations in Article 38 call for the establishment of a cybersecurity information sharing system among the government, the private sector, and academia. The CAC headquarters and its subordinate cybersecurity and informatization departments at the provincial and more local levels are given a lead role in a range of actions and system development called for in the new regulations, such as organizing information sharing systems and conducting emergency response drills.

Overlapping responsibilities and uncertainty

Even as businesses face the challenges a new and changing regulatory environment, Chinese officials will face broad challenges of their own. Regulators in CII sectors are given a role in operationalizing and enforcing the regulations once they are finalized, and some sectoral regulators may prove better prepared than others. There is also continuing uncertainty in the new draft regulations regarding the application of the MPS’ decade-old Multi-Level Protection Scheme (MLPS) that describes levels of critical infrastructure and comes with its own security reviews, which the Cybersecurity Law references in relation to some CII operators. With CAC apparently the lead drafter of the new CII regulation and attempting to assert its primacy in cybersecurity policy in the context of ongoing struggles with MPS, the new document provides little clarity about the distinction in practice between reviews under MLPS and under the new Cybersecurity Review Regime—a separate process called for in the Cybersecurity Law that has been debated in China in the context of Microsoft’s Windows 10 China Government Edition. Some foreign cloud services providers, for example, have received Level 3 certification under the MLPS, and the status of these certifications remains in doubt under the new framework.

Expanding scope of sovereignty and local control

The draft regulations reiterate controversial data localization requirements in the Cybersecurity Law: Personal information and other “important data”—a still-vague term that will certainly be clarified in subsequent ministerial regulations and practice—must remain stored on Chinese territory, with a mandatory outbound data security review process if they are to be exported. The new draft regulations additionally would require the “operation and maintenance” of CII to take place on Chinese territory. While this seems self-evident with regard to infrastructure such as an electric grid that is fixed in place, Article 18 of the draft regulations defines CII not on the basis of location, but of ownership. Therefore, for instance, since “research and production” organizations in sectors including food, drugs, and chemicals may be identified as CII, their information infrastructure may be required to be operated and maintained from within China—even if significant activities take place overseas. The same could be said for any other CII operator. The question of whether such requirements would violate WTO disciplines may arise, but it is not so important in the short run: A case is unlikely to be brought any time soon, and even if China were to lose such a case, the effects in practice would likely be very limited. These deeper localization provisions may, however, hinder the internationalization of workflows for companies that China’s government might see as national champions, and lead to further tensions with international business associations.

What is next for Cybersecurity Law implementation?

Article 31 of the new draft regulations reiterates language in the Cybersecurity Law requiring that network products and services purchased by network operators must undergo a cybersecurity review under a new Cybersecurity Review Regime—the same new regime that may be in tension with the MPS-associated Multi-Level Protection Scheme as discussed above. The new review regime is awaiting an important next stage of implementation, including the naming of third-party review organizations that will evaluate products and the establishment of a Cybersecurity Review Committee and an associated Expert Committee, as called for in another recent regulatory document, the Interim Security Review Measures for Network Products and Services (see full translation here).

The new draft regulations on CII more explicitly link the Cybersecurity Review Regime to CII operators, and potentially expand the scope of reviews further down supply chains, thereby affecting companies that may not in themselves qualify as CII. That the Security Review Measures were labelled “Interim” highlights that fitting all the pieces of the ambitious framework being put together under the Cybersecurity Law is still very much a work in progress.