Sept. 25, 2020
This translation is part of the DigiChina Project, based at the Stanford University Cyber Policy Center and a joint effort with New America.
Since the emergence of China’s broad cybersecurity framework, which began evolving in earnest after the Cybersecurity Law took effect in June 2017, there has been a core tension in the country’s regime around IT and data security.
At the time of the promulgation of the Cybersecurity Law, a decade-old regime called the Multi-Level Protection System (MLPS), a compliance regime run by the Ministry of Public Security (MPS), was already in place. MLPS works by ranking communications networks according to their level of sensitivity and potential harm to national security if penetrated or damaged, and requiring tougher cybersecurity standards on more sensitive networks, particularly those run by the government and military (Level 4 and 5).
With the Cybersecurity Law, China introduced a number of rules around so-called “critical information infrastructure” (CII)— networks supporting key industrial sectors in the national economy, such as finance, transportation, and energy that would be subject to new requirements around data and cybersecurity practices. Rather than being dominated by one ministry, the CII protection authorities were designed to be overseen by the Cyberspace Administration of China (CAC), a new entity created in 2014 to coordinate China’s cyber interagency, working with sectoral regulators.
But the MPS never fully transferred its cybersecurity elements to CAC, nor did it end up playing a subordinate role in China’s cyber interagency. This led to extended bureaucratic wrangling between MPS, CAC, and others over the lead role in setting cybersecurity standards and implementing reviews of network products and services as called for under the Cybersecurity Law. The relationship between the MLPS and CII protection in the overall Cybersecurity Law regimewas therefore long unclear, as was the balance of power in cybersecurity rules for network products and services. MLPS has now fully updated its regime, at the same time as the definitions of CII and required protections around CII have also gradually come into focus.
The Guiding Opinions translated by DigiChina below point to a joining of MLPS and CII protection rules under MPS and Communist Party leadership—with few mentions of the CAC itself or the broader cyberspace regulatory establishment. This suggests that the MPS gained significant ground within the Chinese cyber interagency, and the MPS now primarily owns the CII protection issue, along with a key role in reviewing and certifying network products and services used in CII networks. The ministry’s power is not absolute, however. The CAC still administers supply chain–oriented security reviews in IT procurement under rules finalized this year, and both those rules and the new Guiding Opinions point to local and sectoral regulators as helping define which entities fall under the CII protection regime. –Graham Webster and Paul Triolo
Date: Sept. 22, 2020
Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System
The cybersecurity multi-level protection system (MLPS) and the critical information infrastructure (CII) security protection system are basic systems determined in relevant Party Center documents and the Cybersecurity Law" In recent years, all work units and all departments have, according to the Center's cybersecurity policies and requirements, as well as the provisions of laws and regulations such as the Cybersecurity Law, comprehensively strengthened cybersecurity work, and forcefully safeguarded the security of national CII, important networks, and data. But along with the rapid development of information technology, cybersecurity work still faces a number of new circumstances, new tasks, and new challenges. In order to deeply implement the MLPS and the CII security protection system, to complete and perfect the national cybersecurity comprehensive defense and control system, effectively guard against cybersecurity threats, forcefully deal with cybersecurity incidents, strictly attack unlawful and criminal activities harming cybersecurity, and realistically ensure national cybersecurity, the following guiding opinions are formulated.
I. Guiding concepts, basic principles and work objectives
(1) Guiding concepts
With Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era as guidance; according to the policy decisions and arrangements of the Party Center and the State Council; with the comprehensive national security concept in command, earnestly implement the cyber superpower strategy, and comprehensively strengthen overall planning of cybersecurity work; with implementing the MLPS and CII security protection system as basis; with protecting the security of CII, important networks, and data as focal points; comprehensively strengthen cybersecurity defense management, monitoring and early warning, emergency response, investigation of attacks, intelligence and information and all other such work items; promptly monitor and deal with cybersecurity risks and threats as well as sudden cybersecurity incidents; protect CII, important networks, and data from attack, intrusion, interference, and destruction; punish unlawful and criminal online activities according to the law; realistically raise cybersecurity protection capabilities; vigorously build the comprehensive national cybersecurity defense and control system; realistically safeguard national cyberspace sovereignty, national security, and society’s public interest; protect the lawful rights and interests of the masses; and ensure and stimulate the healthy development of economic and social informatization.
(2) Basic principles
- Persist in hierarchical protection and focusing on prominent issues. On the basis of the degree of importance of networks (including network infrastructure, information systems, data resources, etc.) in national security, economic construction, and social life, as well as factors such as the degree of harm after they are damaged, etc., scientifically determine the security protection level of networks, implement hierarchical protection, hierarchical supervision and management, and focus on ensuring the security of CII and MLPS Level 3 and above networks.
- Persist in vigorous defense and comprehensive protection. According to laws, regulations, and relevant national standards and norms, fully use artificial intelligence, big data analysis, and other such technologies; vigorously implement cybersecurity management and technological protection measures; strengthen cybersecurity monitoring, situational awareness, notification and early warning, emergency response, and other such key work points; comprehensively adopt cybersecurity protection, defense, and safeguard measures; guard against and contain the occurrence of major cybersecurity risks and incidents; and protect the security of new technology applications and new business models such as cloud computing, the Internet of Things, the new-type Internet, big data, smart manufacturing, etc.
- Persist in protection according to the law, and creating joint forces. According to the provisions of the Cybersecurity Law and other such laws and regulations: public security bodies are to implement cybersecurity protection, supervision, and management duties according to the law; competent authorities for the cybersecurity sector (including supervision and management departments, similar hereafter) are to implement cybersecurity management and supervision responsibilities according to the law; strengthen and implement the primary protection responsibilities of network operators; and fully give rein to and muster forces from all sides of society, cooperate and coordinate, work as a team, and create joint forces for cybersecurity protection work.
(3) Work objectives
- Deeply implement the cybersecurity MLPS. MLPS level filing, multi-level monitoring and assessment, security construction, inspection, and other such basic work items are to be deeply advanced. The "three changes and six defenses" measures of "actualization, systematization, regularization" [the “three changes”] and "dynamic defense, active defense, deep defense, precision defense, overall defence, joint defense" [the “six defenses”] in cybersecurity protection are to be effectively implemented, a desirable ecosystem for cybersecurity protection to be basically established, and national comprehensive cybersecurity defense capabilities and levels to markedly increase.
- Establishment and implementation of the CII security protection system. Central elements of CII are to be clarified, security protection bodies to be completed, responsibilities to be determined, and protection to be powerful. On the foundation of implementing the MLPS, security protection measures for CII-related critical personnel management, supply chain security, data security, emergency response, and other such focus points are to be effectively implemented, and CII security protection capabilities to be strengthened notably.
- Markedly increasing cybersecurity monitoring, early warning, and emergency response capabilities. A three-dimensional intersectoral, interdepartmental, and interregional cybersecurity monitoring system and cybersecurity protection platform is to be basically completed; and cybersecurity situational awareness, notification, early warning, incident detection and processing capabilities to rise markedly. Cybersecurity preparatory plans are to be scientific and fully completed, emergency response mechanisms to be perfected, emergency response drills to be launched on a regular basis, and major cybersecurity incidents to be effectively prevented, contained, and dealt with.
- Basically creating a comprehensive cybersecurity protection and control system. Cybersecurity protection work mechanisms are to be completed and perfected—a cybersecurity work structure with Party Committees in the comprehensive lead, all departments taking responsibility according to the division of work, and social forces from many sides participating to be further perfected. Cybersecurity responsibilities are to be effectively implemented, cybersecurity management and defense, supervision and guidance, investigation of attacks and other such capabilities to increase markedly, and an integrated "attack, defense, management and control" comprehensive cybersecurity prevention and control system to be basically created.
II. Deeply implementing the cybersecurity multi-level protection system
According to the requirements of the national MLPS, all work units and all departments will, under the guidance and supervision of public security bodies, earnestly organize and deeply conduct cybersecurity multi-level protection work, establish a desirable cybersecurity protection ecology, realistically implement their main responsibilities, and comprehensively enhance cybersecurity protection capabilities.
(1) Deepening network multi-level protection recording work. Network operators shall completely comb through the basic situation of all kinds of networks in their work unit, especially cloud computing, Internet of Things, new-type Internet, big data, smart manufacturing, and other such new technology applications, and, on the basis of network functions, service scopes, service counterparts, processed data, and other such circumstances, scientifically determine the security protection level of networks. Level 2 and higher neworks are to be filed with public security bodies according to the law, and filed with sectoral competent departments. For newly built networks, the security protection level shall be determined in the planning and design stage. Public security bodies will examine and verify the filing materials submitted by network operators, and the network’s security protection grading, and will promptly issue cybersecurity multi-level protection filing certification for those whose grading result is rational and whose filing materials conform to requirements. Sectoral competent authorities may, on the basis of the national standard "Cybersecurity Multi-Level Protection Grading Guidelines," and in combination with the characteristics of the sector, formulate sectoral cybersecurity multi-level protection grading guidance opinions.
(2) Regularly conducting cybersecurity grading assessments. Network operators shall, on the basis of relevant standards and norms, conduct monitoring and assessment of the security of graded and filed networks, and search for cybersecurity issues and hidden dangers that may exist. Level 3 and higher network operators shall entrust a grading monitoring and assessment body conforming to relevant national regulations with conducting cybersecurity grading monitoring and assessment once per year, and will timely submit the grading monitoring and assessment report to the public security body and sectoral competent department that received the filing. Newly-built Level 3 and higher networks shall enter operations after passing monitoring and assessment. Network operators must, in the process of undergoing monitoring and assessment services, sign a security confidentiality agreement with the monitoring and assessment body, and conduct supervision and management over the monitoring and assessment process. Public security bodies must strengthen supervision and management over grading monitoring and assessment bodies within their localities, establish systems to examine the background of monitoring and assessment personnel and personnel examination and verification, and ensure that the grading monitoring and assessment process is objective, fair, and secure.
(3) Scientifically conducting security construction and rectification. Network operators shall, in the process of network construction and operations, simultaneously plan, simultaneously build, and simultaneously apply relevant cybersecurity protection measures. They shall, on the basis of national standards such as the "Basic Requirements for Cybersecurity Multi-Level Protection," the "Technological Requirements for Cybersecurity Multi-Level Protection Secure Design," etc., and on the foundation of existing security protection measures, comprehensively comb through and analyze security protection requirements and, in combination with issues and hidden dangers discovered in the process of grading monitoring and assessment, according to the requirements of "one center" (security management center) and "three major protections" (secure telecommunications networks, secure domain boundaries, and secure computing environments), earnestly conduct cybersecurity construction, rectification and consolidation, and comprehensively implement technical security protection measures. Network operators may move networks into the cloud, or outsource cybersecurity services, fully using cloud service providers and cybersecurity service providers to enhance their cybersecurity protection capabilities and levels. They shall comprehensively strengthen cybersecurity management; establish and perfect management systems for personnel management, education and training, systems security construction, operational maintenance, etc.; strengthen security management of machine rooms, equipment, and media; strengthen the protection of important data and personal information; formulate operational standards and workflows; strengthen daily supervision and assessment; and ensure the effective implementation of all management measures.
(4) Strengthening security responsibility implementation. Sectoral competent departments and network operators shall, on the basis of the "Cybersecurity Law" and other such laws and regulations, as well as relevant policy requirements, according to the principle of "whoever manages is responsible, whoever operates is responsible," clearly delineate cybersecurity protection boundaries, clarify security protection work responsibilities, establish cybersecurity multi-level protection work responsibility systems, implement responsibility investigation and punishment systems, ensuring "there is responsibility to protect the territory, and the responsibility to protect the territory is discharged." Network operators must regularly organize specialized forces to conduct cybersecurity self-inspection, monitoring, and assessment. Sectoral competent departments must organize risk assessment, promptly discover hidden cybersecurity dangers and weak segments, and rectify them, constantly raising cybersecurity protection capabilities and levels.
(5) Strengthening supply chain security management. Network operators shall strengthen critical network personnel security management. Level 3 and higher network operators shall strengthen management over entities and persons providing design, construction, operational maintenance and technical services, evaluate security risks that may exist in the service process, and adopt corresponding management and control measures. Network operators shall strengthen network operational maintenance management. Where it is necessary for business purposes to conduct remote operational maintenance through the Internet, they shall conduct assessment and demonstration, and adopt corresponding management and control measures. Network operators shall purchase and use network products and services conforming with the requirements of national laws, regulations， and relevant standards and norms, and Level 3 and higher network operators shall actively use secure and trustworthy network products and services.
(6) Implementing encryption security protection requirements. Network operators shall implement the provisions of the Encryption Law and other relevant laws, regulations, standards, and norms related to encryption use. Level 3 and higher networks shall correctly and effectively adopt encryption technology to conduct protection, and use encryption products and services that conform with relevant requirements. Level 3 and higher network operators shall, in a network’s planning, construction, and operation stages, according to encryption use security assessment management measures and related standards, conduct encryption use security assessment simultaneously with cybersecurity grading monitoring and assessment.
III. Building and implementing the CII security protection system
Public security bodies guide and supervise CII security protection work. All work units and all departments shall strengthen the construction of legal systems, policy systems, standards systems, protection systems, defense systems, and safeguard systems for CII security, establish and implement CII security protection systems, and on the foundation of the MLPS, give prominence to protecting focus points, strengthening protection measures, and realistically upholding CII security.
(1) Organizing the designation of CII. On the basis of relevant regulations by the Party Center and the Ministry of Public Security, the competent and supervising departments of important sectors and areas such as public telecommunications and information services, energy, transportation, water works, finance, public services, e-government, national defense science, technology, and industry, etc. (hereafter designated together as “protection work departments”), shall formulate CII designation regulations for their own sectors and areas, and report them to the Ministry of Public Security for filing. Protection work departments are responsible, on the basis of designation regulations, for organizing the designation of CII within their sector or area, and will promptly notify related infrastructure operators about designation results and report them to the Ministry of Public Security. They will list important protection subjects meeting designation conditions such as basic networks, large-scale specialized networks, core business systems, cloud platforms, big data platforms, the Internet of Things, industrial control systems, smart manufacturing systems, the new-type Internet, and novel communication facilities as CII. The CII list is subject to dynamic adjustment mechanisms; if major changes occur in relevant network facilities or information systems, that may influence their designation result. Operators shall timely notify the relevant circumstances to the protection work department, and the protection work department shall organize re-designation, notify the operator about the designation result, and report the matter to the Ministry of Public Security.
(2) Defining CII security work functions and work divisions. The Ministry of Public Security is responsible for the top-level design and planning arrangements of CII security work, and completes and perfects CII security protection systems and structures together with relevant departments. Protection work departments are responsible for organizational leadership over CII security protection work within their sectors and their areas, on the basis of requirements of national cybersecurity laws and regulations, as well as relevant standards and norms, they formulate and implement general CII security plans and security protection policies for their sectors or their areas, and carry out responsibilities for guiding and supervising cybersecurity in their sectors or areas. CII operators are responsible for establishing specialized security management bodies, organizing and conducting CII security protection work, and the main responsible person bears overall responsibility for CII security protection within the work unit concerned.
(3) Implementing CII focus protection measures. CII operators shall, on the basis of cybersecurity multi-level protection standards, conduct security construction and conduct grading monitoring and assessment; discovered problems, risks and hidden dangers must be promptly rectified; on the basis of CII security protection standards, they shall strengthen security protection and measures, and conduct security monitoring and assessment. They must comb through network assets; establish asset files; strengthen focus protection measures for core personnel management, overall defense, monitoring and early warning, emergency response, data protection, etc.; rationally divide zones and divide areas; reduce the surface exposed to the Internet; strengthen cyber attack and threat management and control; strengthen deep defense; vigorously use new technologies to conduct cybersecurity protection; build a cybersecurity protection system with encryption technologies, trustworthy computing, artificial intelligence, big data analysis, etc., at the core; and continuously enhance the inherent security, active immunity, and active defense capabilities of CII. Operators meeting conditions shall establish their own security service bodies, undertaking CII security protection duties. They may also raise cybersecurity specialization and intensification safeguard capabilities through migration to the cloud or purchasing security services, and other such methods.
(4) Strengthening important data and personal information protection. Operators shall establish and implement important data and personal information security protection systems, create disaster-proof backups of important networks and databases in CII, and adopt identify recognition, access control, encrypted protection, security auditing, security segregation, trusted verification, and other such crucial technology measures to realistically ensure the security of important data across its entire lifespan. Operators shall store within the territory personal information and important data collected or created during operations within the territory; where it is truly necessary due to business requirements to provide it abroad, relevant regulations shall be followed, and security assessment shall be conducted.
(5) Strengthening security management of personnel in core positions, products, and services. It is necessary to conduct background security inspections of persons responsible for specialized security management bodies and personnel in core positions, and to strengthen management. It is necessary to implement security management over CII design, construction, operation, maintenance, and other such services, to purchase secure and trustworthy network products and services, and to ensure supply chain security. Those purchasing products and services that may influence national security shall, according to relevant state regulations, undergo security inspection. Public security bodies will strengthen security management over CII security service bodies and provide support for operators conducting security protection work.
IV. Strengthen coordination and cooperation in network security protection work
Industry authorities, network operators, and public security agencies shall: work closely together to vigorously carry out work related to security monitoring, notification and early warning, emergency response, and threat intelligence; implement normalized measures; and improve the ability to respond to and deal with cybersecurity emergencies and major risks.
(1) Strengthening the construction of a three-dimensional network security monitoring system. All units and departments must: comprehensively strengthen network security monitoring; conduct real-time monitoring of CII, important networks, etc.; detect network attacks and security threats; immediately report to the public security organs and relevant departments; and take effective measures to deal with them. It is necessary to strengthen the research and application of new network technologies, study and draw cyberspace geographic information maps (network maps), and track progress via flow charts. Industry authorities and network operators must build their own industry and unit network security protection business platforms, build platform smart brains, rely on the platform and big data to carry out real-time monitoring, notification and early warning, emergency response, security protection, command and dispatch, etc., and link up to public security organs’ relevant security platforms, to form a comprehensive prevention and control grid that includes compartment integration, vertical and horizontal communications, and coordinated linkages. Key industries, network operators, and public security agencies must build network security monitoring and command centers, implement a 24/7 on-duty system, and establish normalized and actualized network security work mechanisms.
(2) Strengthen network security information sharing and notification and early warning. Industry authorities and network operators shall rely on the national network and information security information notification mechanisms to strengthen the construction of their industry or field’s network security information notification and early warning capabilities, conduct timely collection, summary, and analysis of network security information from all parties, strengthen threat intelligence work, organize the conduct of network security threat analysis and situation research and judgment, and do timely reporting of early warning and [incident] handling. Level 3 and above network operators and CII operators shall carry out network security monitoring, early warning, and information reporting, receive and process in a timely manner information from national, industry, and local network security early warning notifications, report to industry authorities and public security authorities. In accordance with regulations, they should submit network security monitoring and early warning information and network security incidents to industry authorities and public security organs for recording. Public security organs shall strengthen the construction of network and information security information notification and early warning mechanisms and capacity building, and continuously improve their network security notification and early warning capabilities.
(3) Strengthening the construction of network security emergency response mechanisms. Industry management authorities and network operators shall formulate network security emergency plans in accordance with relevant national requirements, strengthen network security emergency response force construction and emergency resource reserves, and work closely with public security agencies to establish cybersecurity incident reporting systems and emergency response mechanisms. CII operators and Level 3 and above network operators should carry out emergency drills on a regular basis to effectively deal with network security incidents, and promptly rectify, reinforce, and improve protective measures in response to major problems and vulnerabilities discovered during emergency drills. Industry management authorities and network operators should cooperate with the network security supervision and inspections and adversarial exercises organized by the public security organs each year to continuously improve their security protection capabilities and countermeasure capabilities.
(4) Strengthening network security incident handling and case investigation. When major cybersecurity threats and incidents occur in CII and Level 3 and above networks, they should be jointly handled by industry management authorities, network operators, and public security agencies. Telecommunications business operators and network service providers shall provide support and assistance. Network operators should cooperate with public security organs in cracking down on illegal and criminal activities online. When they discover evidence of illegal or criminal activities, major cybersecurity threats and incidents, they should promptly report to the public security organs and relevant departments and provide necessary assistance
(5) Strengthening the supervision of the rectification and reform of hidden network security problems. The public security organs have established a listing supervision system to address network operators’ ineffective network security work, major security problems that have been delayed for a long time, or instances when there are major network security risks or major network security incidents occur; in accordance with the prescribed authorities and procedures, with industry management departments, they will conduct interviews with relevant persons in charge, compile lists for supervision, strengthen supervision and inspection and administrative law enforcement, and impose administrative penalties in accordance with laws and regulations. Network operators should take measures in accordance with relevant requirements, make timely rectifications, and eliminate major hidden risks. In the event of a major cybersecurity incident, the industry management authority shall organize the entire industry to carry out rectification and redress.
V. Strengthen safeguards in cybersecurity work
(1) Strengthening organizational leadership. All units and departments shall attach great importance to the MLPS and the work of CII protection. Organizations should prioritize this task, and strengthen overall leadership, planning, and design of this work. Organizations should earnestly study and address network security organizational issues, and staffing and funding challenges, and take proper safety protection measures, among other important issues. Industry management authorities and network operators must assume primary responsibility for network security and assign a member of the leadership team to be in charge of network security work. Organizations should establish a specialized network security mechanism, clarify the division of tasks, and ensure full implementation at every level.
(2) Strengthening funding support. All units and departments must use existing funding channels to ensure CII protection as well as Level 3 and above network level evaluation, risk assessment, encryption application security testing, cybersecurity drill competitions, security rectification, security protection platform construction, encryption safeguard system construction, operation, and maintenance, supervision and inspection, education and training, etc. CII operators should ensure sufficient investment in network security. Network security management personnel should be involved in network security and information technology deployment-related decision making processes. Relevant departments should support critical cybersecurity technology industries and projects, foster research and development and innovative applications of cybersecurity technologies, and promote the healthy development of the cybersecurity industry. Public security organs should work with relevant departments to facilitate the implementation of the "One Belt One Road" cybersecurity strategy, support the “go global” initiatives of cybersecurity companies, and share China's cybersecurity protection experience with relevant countries.
(3) Strengthening assessment and evaluation. All units and departments shall further improve the network security assessment and evaluation system, clarify assessment indicators, and organize assessments. The public security organs should incorporate cybersecurity work into the evaluation of comprehensive social security governance. Public security organs should organize annual evaluation of cybersecurity for each region, and select organizations with high performance in MLPS and CII security protection annually, and report such results to the party committee and government, including the cybersecurity and informatization departments.
(4) Strengthening technical research. All units and departments shall fully mobilize cybersecurity companies, scientific research institutions, experts, and other social forces to actively participate in the research of core cybersecurity technologies. Strengthen network security collaboration and coordination, encourage shared governance, sharing, collective governance, and collective defense. The public security organs shall, in conjunction with relevant departments, strengthen the establishment of standards for MLPS and CII security protection, issue guidelines for standards application, enhance public awareness and implementation of standards, establish pilots for demonstration, and promote the healthy development of the domestic cybersecurity industry and companies.
(5) Strengthening personnel training. All units and departments should strengthen information exchange regarding MLPS and CII security protection, through competitions and other forms, identify and select technical talent, build a talent pool, establish and improve talent identification, training, selection, and use mechanisms to guarantee the supply of talent for cybersecurity work.