China announces an overhaul of its cybersecurity regulations

In response to increased global cyber threats, China has announced a major review of the structures of its critical information and communication operators.

China's government has introduced rules for the protection of critical information infrastructure.

An announcement by the Cyberspace Administration of China (CAC) said that cyber-attacks are currently frequent and the security challenges facing critical information infrastructure are severe. The announcement, therefore, defines infosec regulations and responsibilities.

"The regulations clarify that important network facilities and information systems in key industries and fields belong to critical information infrastructure," wrote the CAC in its announcement (as translated from Mandarin), adding that the state was adopting measures to monitor, defend and handle network risks and intrusions, originating domestically and globally.

The regulations themselves are lengthy and detailed, but the main theme is that all Chinese enterprises whose operations depend on networks must conduct annual security reviews, report breaches to the government, and establish teams to monitor security constantly. This is a major step-up in the regulations from the central government and is a response to what is perceived as an increasingly sophisticated cyber threat to the state and its functions.

Those teams get to develop emergency plans and carry out emergency drills on a regular basis, in accordance with national disaster management plans. If an incident is ever discovered, reporting and escalation to national authorities are mandatory. Therefore, the state will be able to identify and manage threats in a more consistent and logical manner.

The lengthy document also details a variety of organisational and logistical 'clarifications', while also outlining the state's ability to adjust identification rules dynamically, how safeguarding measures can be implemented, and legal responsibilities and penalties for negligent parties. It does not, however, offer specific technical advice.

China's not alone in responding dynamically to the increasing cyber threat. The USA's Cybersecurity Information Sharing Act, which came into law in December 2015, is broad. It was designed to allow companies to share cyberattack information with the government and other companies but was considered by some as bad on the privacy front.

Last month, a bipartisan effort in the US introduced the Cyber Incident Notification Act of 2021. The Act requires federal agencies, government contractors and critical infrastructure owners to report attacks to CISA within one day of their occurrence, granting limited immunity to those reporting a breach and allowing data protection procedures to move ahead.

An immediate example of the new system in action was the set of new regulations issued to the Chinese automobile industry, which place new requirements on its autonomous and networked vehicle builders.

Data security is front and centre in the rules, with manufacturers required to store data generated by cars – and describing their drivers – within China. Data is allowed to go offshore, but only after government scrutiny.

Manufacturers are also required to name a chief of network security, who gets the job of ensuring autonomous vehicles can't fall victim to cyber-attacks. Made-in-China auto-autos are also required to be monitored to detect security issues.

