最优秀的中国互联网法律律师事务所之一

Designing Risk-based Critical Information Infrastructure Protection In China

Dr. HONG Yanqing   2018-01-22 19:49
Critical information infrastructure (CII) bears significant implications to national security and people's daily works and life, is the corner stones of the country. Hence, its security has always been the most important issue. China's Cybersecurity Law for the first time provides protection for CII in the form of legislation, and clarify the regulatory requirements for CII protection. The recently published Critical Information Infrastructure Security Regulations (draft) are intended as an important measure to implement Cybersecurity Law and to clarify the specific requirements of CII security work in China. On the issue of co-ordinating the design of critical information infrastructure protection work, and how to effectively improve the implementation of the Critical Information Infrastructure Security Regulations, industry experts are actively expressing their views and contributing their wisdom.
General Secretary Xi Jinping, at the [April] 2016 Cybersecurity and Informatization Work Conference noted that "critical information infrastructure is the nerve center of country’s economic and social operations, and is the top priority for cybersecurity, and a target that is likely to draw most advanced attacks". Therefore, the security protection system for CII, compared to the protection systems of ordinary network operators, requires new approaches and additional requirements, otherwise how are we to carry out and implement the important instructions and requirements from General Secretary with regards to "taking effective measures to do a good job of national critical information Infrastructure security protection.’
In the author's view, the Critical Information Infrastructure Security Regulations (hereinafter referred to as "the Regulations") recently issued by the Cyberspace Administration of China (CAC) provide a clear answer in terms of “new approaches and additional requirements”, which put in place a risk-based approach to critical information infrastructure protection with comprehensive, scientific, and advanced institutional designs. This is discussed in the following in terms of four main aspects.
1. The logical starting point for critical information infrastructure protection is the importance of assets
Effective and complete identification of critical information infrastructure is the logical starting point for CII protection works. In this regard, Article 18 of the Regulations extends the provisions of the Cybersecurity Law, using "asset importance" as a criterion for determining critical information infrastructure, that is, " systems that once they experience damage, loss of function or data leakage, may be seriously harmful to national security, the people's livelihood, or the public interest, should be included within the scope of critical information infrastructure protection. "
Such a judgment standard is in line with international practices. In the case of recent foreign legislations, the German Internet Security Act, which came into effect on July 25, 2015, defines the critical infrastructure as "vital to the public" and for which once there is a "breakdown or impairment",” this would result in a "significant supply shortage for a significant number of users". In order to further identify critical infrastructure, the German Interior Ministry issued decrees in May 2016 and June 2017, respectively, that defined CII in industries and sectors such as energy, information technology and communications, water and food, health, finance and insurance, transport and transportation. As to the scope of critical infrastructure, the above two decrees use the "asset importance" as the criteria for judging: first, determine the critical services in each industry and sector; second, identify what facility categories are essential for the critical services; third, the law specifies thresholds above which different types of facility categories for critical services are included within the scope of critical information infrastructure. For example, in the field of clinical care, the threshold values is the number of inpatients accepted annually.
Recently, Singapore announced its Cybersecurity Law (Draft). In this Law, critical information infrastructure is defined as "a computer or computer system necessary to support the continued supply of essential services on which the country depends", where the basic service means "once lost or damaged this will pose a serious threat to national security, defense, diplomatic relations, economic, public health, public safety or the public order ". It can be seen that Singapore also follows the identification criteria of  "asset importance.”
Since critical information infrastructure is so important to the state, society, and people, the level of protection should clearly be higher. From this point of view, a tiered protection system (等保制度) is very suitable, because its distinctive feature is a protection classification level (保护等级)based on the "importance of assets,” and according to the classification level requires operators to establish a matching security protection capability. It is precisely because of this that the Cybersecurity Law and Regulations both stipulate that the protection of critical information infrastructure should be based on the network security multi-level protection system (MLPS, 网络安全等级保护制度).
But at the same time, the Cybersecurity Law and Regulations  also provide that "key protection (重点保护) should be implemented on the basis of the MLPS." How we should understand the concept of so-called "key protection" will constitute the remainder of the main content of this article.
2. Key protection of critical information infrastructure requires co-ordination through risk management 
In fact, in his April 19 [2016] speech, General Secretary XI, on the importance of risk management for the protection of critical information infrastructure, conducted a very systematic discussion. One of the most important contents of this discussion is implementing “key protection” using risk management approach to co-ordinate all aspects of protection work for critical information infrastructure.
Generally speaking, a complete set of risk management processes consists of four steps: the first is to identify the risk; the second is to assess the risk; the third is to deal with the risk; the fourth step is to continuously monitor the environment and the changes in risks. These four steps constitute a feedback loop to continuously improve the level of organizational management of risk.
First, identifying risks and assessing risks, are both of paramount important for cybersecurity work and for protecting critical information infrastructure. As General Secretary Xi Jinping has pointed out, “Know the enemy and know yourself, and you can fight a hundred battles with no danger of defeat(知己知彼,才能百战不殆)”,"to ensure cybersecurity, we must first know where the risk is, what kind of risk there is, and when there is risk"; "without realizing risk is actually the greatest risk"; the consequences of not understanding risk can only be "no one knows who came in, no one knows whether he is enemy or friend, no one knows what he did."
Second, with regard to risk, there is a distinction between internal risk and external risk. In accordance with the words of General Secretary Xi, identify and assess the internal risks will enable us to "find out the real situation", "find out what the vulnerabilities are", "report the results", "supervise the rectification." Identify and understand the external risks will let us know when "if people are using aircraft artillery, and we are only using swords and spears here."
Third, in the overall management for network security work, resource allocation is of overall and basic guiding significance. General Secretary Xi has pointed out that "cybersecurity is relative rather than absolute. There is no absolute security, we must base our security protection on national basic conditions. To pursue absolute security without taking into the cost that will incur will not only carry a heavy burden, and may even be misplacing the emphasis." Therefore, under resource constraints, risk management is the best guide for determining the priorities, and achieving the scientific and efficient distribution of network security forces. General Secretary Xi noted that only by identifying and assessing the risks, will it be possible to "have a clear account" - that is, "know what aspects must be heavily guarded, and defended to the last, and which can be handled through local government protection, with moderate precautions, and which aspects can be protected through market forces.”
In fact, risk management is not only one of the basic guidelines for cybersecurity, but also a guideline for all national security work. The National Security Law  in Chapter 4, the National Security System, uses two articles ("Intelligence Information" and "Risk Prevention, Assessment and Early Warning") to specify detailed stipulations for risk management for national security.
To use one sentence for summary, adhering to the idea of risk management in critical information infrastructure protection work is capable of going beyond the single dimension of "protection of the important  assets", will transcend the compliance-oriented approach that focuses on bottom-line-and-static type of box-tickings, and effectively grasp "offensive and defensive capability at both ends" with contrast changes, and realizes the scientific and efficient allocation of limited security resources and forces, and then  win the initiative to achieve actual security  in a dynamic confrontation security races.
3. The Regulations take risk management to lead the overall institutional designs
The implementation of risk management concepts in the  Regulations, is mainly reflected in the following aspects.
First, the Regulations implement the requirements of the General Secretary XI on the establishment of a "24-hour all-round cybersecurity situational awarness system (全天候全方位网络安全态势感知体系)." Articles 36 and 37 of Chapter 6, "Monitoring, Early Warning, Emergency Handling, and Assessment", respectively, require national cybersecurity and informatization departments and national industry supervisory and regulatory bodies to establish a national level, and industry and sectoral level monitoring and early warning systems, and carry out the cybersecurity information collection, analysis and investigation and notification work in a timely manner. In addition, Article 38 also requires the national cybersecurity and informatization departments to coordinate the establishment of a cybersecurity information sharing mechanism between the government, enterprises, and research institutions. The Regulations through the establishment of a cross-public and private sector, rich layered, interconnected cybersecurity information sharing network, will ultimately achieve the comprehensive use of all aspects of data resources, and enable better awareness of the effectiveness of the cybersecurity risk situation.
Second, Article 40 of the Regulations requires the national industrial supervisory and regulatory  authorities to regularly organize random inspections of industry, sectoral, and critical information infrastructure security risks and how operators are fulfilling their security obligations. Unlike the previous "compliance tick" security inspection and checks, the inspection envisioned by the Regulations has been essentially different.  Now industry regulatory or supervisory departments in their daily work not only grasp the cybersecurity risk situation of the industry and sector, but also through the monitoring and early warning system established by national cybersecurity and informatization departments, grasp the national cybersecurity risks.  Therefore with this risk understandings and knowledge, during security checks and testing, it will be possible to effectively guide and urge the operators to find the problem in time and put forward security measures commensurate with the current risk situation. Therefore, through the regular random inspections by the supervisory and regulatory departments, the perception of risk can become inputs to decision-makings in security protection, and changes in the external situation can be matched by the new security requirements, and then implemented.
Third, Article 39 of the Regulations provides that national cybersecurity and informatization departments guide the relevant departments to organize cross-industry, cross-regional cybersecurity emergency drills, while industry supervisories or regulators regularly organize exercises to enhance industry and sector’s cybersecurity response and disaster recovery capabilities. In the same way, with a comprehensive grasp of the momentary changes in the risk of the situation based on the development of emergency drills, no doubt it will, to greatest extent, avoid a "racking your brain" situation, making the exercises have a direct relevance and timeliness to the realities.
Combining these three aspects above, the Regulations will establish a three-dimensional, cross-network security situational awareness system for critical information infrastructure nationwide, and through government departments spot checks, tests, exercises and other actions, real-time risk perception and analysis will be translated into dynamic, targeted security requirements. In this respect, the security obligations of the critical information infrastructure operators under Articles 23 and 24 of the Regulations should be understood from the perspective of risk management and the security protection strategy being adjusted in a timely manner in accordance with changes in the risk situation should be the key content of the security protection obligations for critical Information infrastructure operators..
And through the above-mentioned system arrangements of the Regulations, the government's perception of risk being translated into new security requirements can not only avoid the operator's "seeing the trees but missing the forest" in the risk management of the critical information infrastructure, but also effectively avoid the situation where operators,  in order to develop business, deliberately and selectively ignore the risks.
4. The concept of risk management and international practice and standards
Using risk management to co-ordinate critical information infrastructure security work, is in fact, the core concept for the United States, the European Union and other countries and regions in the latest cybersecurity legislation, policies, and standards.
US President Barack Obama's Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued in 2013, explicitly requires the US National Institute of Standards and Technology (NIST) to develop a risk-based Cybersecurity Framework as one of the core measures to protect critical  US infrastructure. At present, the NIST-developed Cybersecurity Framework has been favored by a number of regulatory authorities in the US, such as the US Securities and Futures Commission, the US Federal Trade Commission, the Department of Homeland Security, the Energy Department, etc. using the Framework as the core regulatory object for risk management.
In the EU, the Network and Information Security Directive (NIS Directive), which was adopted in 2016 specifically for "essential" networks and information systems, advocates the creation of a "risk management culture": "essential" networks and information systems should carry out a risk assessment and take security measures that are "appropriate to" or "proportionate" to the risks they face. Article 32 of the General Data Protection Regulation (GDPR), which was also adopted in 2016 [but does not go into effect until May 2018], provides for the security protection obligations of individual information controllers: taking into account the "nature of the data", the most advanced security measures and the cost, the personal information controller should take technical and management measures commensurate with the security risks it faces.
In fact, many experts and scholars have pointed out that although the United States and the European Union in terms of legal systems have significant differences, their approaches to cybersecurity issues is gradually converging, that is, with risk management as the core, and urging operators to adjust the security precautions taken to the changing network risks.
A report of the US Committee for Promoting Cybersecurity, established by former US President Barack Obama in December 2016, pointed out that cyber and physical systems in the world are becoming increasingly convergent, interconnected, interdependent and are transcending borders.  This means that cybersecurity needs to be coordinated at all levels, including international, national, organizational, and individual. The recent outbreak of the Wannacry, and NotPetya viruses is the best example. With the Regulations establishing risk management as a guideline for the co-ordination of critical information infrastructure protection in China, China, the United States and Europe now have a common language and a common basis for international cooperation on the protection of critical information infrastructure.
In short, critical information infrastructure protection in China is based on the network security multi-level protection system (MLPS), and implements key protection upon the MLPS. Not only does this put forward new security protection obligations for critical information infrastructure operators, more importantly, it requires the national cybersecurity and informatization departments, and supervisory or regulatory authorities to take the initiatives to grasp the security risk situation, and to lead the specific protection work. Critical information infrastructure protection aims to form a system with risk management as the core, with a multi-linked and sustainable upgrade of the security system to better cope with the increasingly serious security situation on the Internet, and effectively protect national security, the national economy and the public interest. 
(This article was published in the China Information Security magazine, 2017, No. 8 in the Cyberspace Strategy Forum)