China announces an overhaul of its cybersecurity regulations

In response to increased global cyber threats, China has announced a major review of its critical information and communication operators structures.

China's government has introduced rules for the protection of critical information infrastructure.

An announcement by the Cyberspace Administration of China (CAC) said that cyber-attacks are currently frequent and the security challenges facing critical information infrastructure are severe. The announcement, therefore, defines infosec regulations and responsibilities.

The CAC said: "The regulations clarify that important network facilities and information systems in key industries and fields belong to critical information infrastructure," wrote the CAC in its announcement (as translated from Mandarin), adding that the state was adopting measures to monitor, defend and handle network risks and intrusions, originating domestically and globally."

The regulations themselves are lengthy and detailed, but the main theme is that all Chinese enterprises whose operations depend on networks must conduct annual security reviews, report breaches to the government, and establish teams to monitor security constantly. This is a major step-up in the regulations from the central government and is a response to a perceived increasingly sophisticated cyber threat to the state and its functions.

Those teams get to develop emergency plans and carry out emergency drills on a regular basis, in accordance with disaster management national plans. If an incident is ever discovered, reporting and escalation to national authorities are mandatory. Therefore, the state will be able to identify and manage threats in a more consistent and logical manner.

The lengthy document also details a variety of organisational and logistical 'clarifications', while also outlining the state's ability to adjust identification rules dynamically, how safeguarding measures can be implemented, and legal responsibilities and penalties for negligent parties. It does not, however, offer specific technical advice.

China's not alone in responding dynamically to the increasing cyber threat. The USA's (Cybersecurity Information Sharing Act ), which came into law in December 2015, is broad. It was designed to allow companies to share cyberattack information with the government and other companies but was considered by some as bad on the privacy front.

Last month, a bipartisan effort in the US introduced the Cyber Incident Notification Act of 2021. The Act requires federal agencies, government contractors and critical infrastructure owners to report attacks to CISA within one day of their occurrence, granting limited immunity to those reporting a breach and allowing data protection procedures to move ahead.

An immediate example of the new system in action was the new regulations issued to the Chinese automobile industry. There are new rules required of its autonomous and networked vehicle builders.

Data security is front and centre in the rules, with manufacturers required to store data generated by cars – and describing their drivers – within China. Data is allowed to go offshore, but only after government scrutiny.

Manufacturers are also required to name a chief of network security, who gets the job of ensuring autonomous vehicles can't fall victim to cyber-attacks. Made-in-China auto-autos are also required to be monitored to detect security issues.


Featured Articles

AWS launches 2023 European Defence Accelerator for startups

AWS is launching its European Defence Accelerator, open to startups interested in doing business with defence and national security organisations

Gartner unveils top cybersecurity predictions for 2023-2024

Half of CISOs will formally adopt human-centric design practices into their cybersecurity programmes, while adoption of zero trust architecture will rise

DDoS protection market to grow amid increase in attacks

According to research by Cloudflare, DDoS attacks increased by 109% last year, with the last 12 months seeing some of the largest attacks the world

The impact data poisoning has on cyber and AI

Cyber Security

Five innovative ways AI can help prevent cyber attacks

Cyber Security

SailPoint delivers new non-employee risk management solution

Cyber Security