China's government has introduced rules for the protection of critical information infrastructure.
An announcement by the Cyberspace Administration of China (CAC) said that cyber-attacks are currently frequent and the security challenges facing critical information infrastructure are severe. The announcement, therefore, defines infosec regulations and responsibilities.
"The regulations clarify that important network facilities and information systems in key industries and fields belong to critical information infrastructure," wrote the CAC in its announcement (as translated from Mandarin), adding that the state was adopting measures to monitor, defend against and handle network risks and intrusions originating both domestically and abroad.
The regulations themselves are lengthy and detailed, but the main theme is that all Chinese enterprises whose operations depend on networks must conduct annual security reviews, report breaches to the government, and establish teams to monitor security constantly. This is a major step-up in the regulations from the central government and is a response to a perceived increasingly sophisticated cyber threat to the state and its functions.
Those teams are required to develop emergency plans and carry out emergency drills on a regular basis, in line with national disaster management plans. If an incident is discovered, reporting and escalation to the national authorities are mandatory. This should allow the state to identify and manage threats in a more consistent and systematic manner.
The lengthy document also details a variety of organisational and logistical 'clarifications', while also outlining the state's ability to adjust identification rules dynamically, how safeguarding measures can be implemented, and legal responsibilities and penalties for negligent parties. It does not, however, offer specific technical advice.
China is not alone in responding to the growing cyber threat. The USA's Cybersecurity Information Sharing Act, which became law in December 2015, is broad in scope. It was designed to allow companies to share cyberattack information with the government and with other companies, but was criticised by some on privacy grounds.
Last month, a bipartisan effort in the US introduced the Cyber Incident Notification Act of 2021. The Act requires federal agencies, government contractors and critical infrastructure owners to report attacks to CISA within one day of their occurrence, granting limited immunity to those reporting a breach and allowing data protection procedures to move ahead.
An immediate example of the new system in action is the set of new regulations issued to the Chinese automobile industry, which imposes new rules on its builders of autonomous and networked vehicles.
Data security is front and centre in the rules, with manufacturers required to store data generated by cars – and describing their drivers – within China. Data is allowed to go offshore, but only after government scrutiny.
Manufacturers are also required to name a chief of network security, whose job is to ensure that autonomous vehicles cannot fall victim to cyber-attacks. Made-in-China autonomous cars must also be monitored to detect security issues.