The Cyberspace Administration of China (CAC) is the central Internet regulator, censor and oversight and control agency of the People's Republic of China.
China defines national critical information infrastructure as follows: "The national critical information infrastructure refers to the information facilities concerning the national security, the national economy and the people's livelihood, which may seriously damage the national security and the public interest if the data is divulged, destroyed or lost, including but not limited to providing public communications, broadcasting and television transmission and other services, information networks, energy, finance, transportation, education, scientific research, water conservancy, industrial manufacturing, medical and health, social security, public utilities and other important information systems and important Internet applications."
On 27 April 2020, the Cyberspace Administration of China (CAC), together with 11 other government departments, published the Cybersecurity Review Measures, which apply to critical information infrastructure operators (CII operators).
CII includes network operators in the areas of public communications, information services, energy, transportation, water utilities, finance, public services, e-government, telecommunications, radio and television, postal services, emergency management, health, social security and the national defense technology industry. CII sectors include:
• Government, energy, finance, transport, water-resources, healthcare, education, social security, environmental protection and public utilities;
• Information networks (including telecommunications, broadcasting networks, and the internet) and large public information network service providers (including cloud service and big data providers);
• Research institutions and manufacturers in the defence, large equipment, chemical engineering, food and pharmaceuticals sectors;
• News media, including radio and TV stations and news agencies; and
• Other facilities.
• Before executing a procurement agreement, the CII operator should conduct a self-assessment to identify the national security risks associated with the use of the network products or services.
• If the self-assessment flags national security risks, the CII operator should submit the required documents, including the procurement agreement and a risk assessment report, to the CAC for a cybersecurity review.
The cybersecurity review assesses the following four factors:
• whether the risk arising from the use of the network products or services could cause CII operators to be unlawfully manipulated, interfered with or destroyed, or lead to the leak, loss or damage of important data;
• whether there would be continuous damage to the CII operator's business due to supply disruptions of the products or services;
• the security, openness, transparency and diversity of sources, the reliability of supply channels, and any risk of supply disruptions resulting from "political, diplomatic, and trade" factors; and
• whether the product or service provider is in compliance with Chinese regulations.
In addition to these four factors, the Measures also provide a catch-all provision covering all other situations that could endanger CII security and national security. Based on this catch-all provision, the CAC appears to have ample discretion in determining the potential risks of a particular procurement.
Requirements for designated personnel. Each CII operator must appoint a designated person in charge of cyber security management, who is responsible for:
• Formulating internal cyber security regulations and operation manuals and supervising their implementation;
• Organising testing of the technical skills of key technical personnel;
• Organising and implementing cyber security education and training programmes;
• Organising cyber security inspections and contingency drills and dealing with cyber security incidents; and
• Reporting important cyber security issues and incidents to competent authorities.
Protecting critical information infrastructure is a common responsibility of government, businesses and the entire society. Operating and controlling work units and organizations must:
• According to the requirements of laws, regulations, rules and standards, adopt the necessary measures to ensure the security of critical information infrastructure.
• Increase investment in areas such as management, technology, talent and finance, and integrate measures and policies in accordance with the law.
• Ensure that evaluation happens first and application afterwards.
• Strengthen risk assessment of critical information infrastructure.
• Strengthen security protection of Party and government bodies' websites as a focus area; grass-roots Party and government bodies' websites must be built, operated and managed according to the intensification model.
• Focus on identification, prevention, monitoring, early warning, response, handling and other such segments.
• Establish orderly cybersecurity information sharing mechanisms among government, sectors and enterprises, and give full play to the important role of enterprises in protecting critical information infrastructure.