Since the beginning of the new century, the information technology revolution represented by the Internet has been rapidly popularized and applied globally, promoting the digital transformation of the economy and society and bringing new liberation and leaps in productivity. The security protection of critical information infrastructure has become an important guarantee for countries to promote the development of the digital economy and participate in international competition. The important instructions of General Secretary Xi Jinping pointed out the direction for us to build the national critical information infrastructure security system. The world today is undergoing major changes unseen in a century, the international environment is becoming increasingly complex, and the instability and uncertainty are obviously increasing. The security of critical information infrastructure is related to national network security and data security, and has increasingly become the core and key to national cyberspace security capacity building.
Recently, the State Council officially announced the “Regulations on the Security Protection of Critical Information Infrastructure” (hereinafter referred to as the “Regulations”). The “Regulations” are China’s specialized administrative regulations for the security protection of critical information infrastructure, and are also basic administrative regulations that guide the country’s network security work. Conscientiously studying and comprehending the content of the “Regulations” is of profound significance for promoting the construction of critical information infrastructure security assurance capabilities and safeguarding national cyberspace sovereignty and security interests.
1. Understanding of the legislative background of the “Regulations on the Security Protection of Critical Information Infrastructure”
Critical information infrastructure plays an important and key role in the national economy and social services. With the comprehensive advancement of informatization in China’s national economy and society, traditional social activities continue to extend into cyberspace, and the economy and national security are highly dependent on critical information infrastructure. Improving the legal system for the protection of critical information infrastructure and comprehensively enhancing the awareness, capability and level of its security protection have become the key to winning the cybersecurity game.
Since the 18th National Congress of the Communist Party of China, the Party Central Committee with Comrade Xi Jinping at its core has attached great importance to the security protection of critical information infrastructure, and has made a series of major decisions and deployments to strengthen it. At the first meeting of the Central Network Security and Informatization Leading Group, General Secretary Xi Jinping pointed out that laws and regulations such as those on the protection of critical information infrastructure should be improved. At the 2016 cybersecurity and informatization work symposium, General Secretary Xi Jinping clearly called for efforts to “accelerate the construction of a security assurance system for critical information infrastructure”. In 2021, “The Fourteenth Five-Year Plan for National Economic and Social Development of the People’s Republic of China and the Outline of Long-Term Goals for 2035” clearly emphasized the need to “establish and improve the protection system of critical information infrastructure, enhance security protection and maintain political security capabilities.” As an important regulation issued in the first year of the “14th Five-Year Plan”, the “Regulations” are another important measure and achievement in promoting the rule of law in China’s cyber security, and are of milestone significance for the establishment and improvement of China’s critical information infrastructure security protection system. The “Regulations” proceed from three aspects: highlighting key protections, insisting on problem orientation, and effectively linking with existing relevant laws and regulations. They scientifically sum up the practical experience of network security work and elevate it into a legal system, providing legal protection for the security protection of critical information infrastructure.
2. Understanding of the key contents of the “Regulations”
In terms of content, the “Regulations” adhere to the overall national security concept and General Secretary Xi Jinping’s important thoughts on cyber power, adhere to the guidelines of safe development, reform and innovation, and problem orientation, adhere to comprehensive coordination, division of labor, and protection according to law, and give full play to the leading and promoting role of administrative regulations in accelerating the construction of a security assurance system for critical information infrastructure. Specifically, the main content of the “Regulations” has the following highlights:
The first is to clarify the definition of critical information infrastructure, and to scientifically define its scope around the three elements of “key,” “information,” and “foundation,” in accordance with the idea of highlighting and protecting the key points. The “Regulations” clearly define the scope of critical information infrastructure from the perspective of the overall national security concept, which is conducive to better promoting the construction of national cyberspace security core capabilities and building a national cyberspace security barrier.
The second is to clarify the responsibilities of the protection work departments. Fully considering the particularity and professionalism of the business and network security requirements of key industries and fields, the “Regulations” designate the competent and regulatory departments of each industry and field as the departments responsible for critical information infrastructure security protection work, charged with organizing, leading, supervising and managing the security protection of critical information infrastructure in their industry and field.
The third is to strengthen the safety management of operators, with particular emphasis on the establishment of a “first-in-command responsibility system”. The “Regulations” clarify that the principal responsible persons of operators bear overall responsibility, effectively guarantee the input of human and material resources, and provide legal protection for the material basis of safety protection.
The fourth is to stipulate national safeguards and promotion measures. The “Regulations” clarify safeguard measures including the establishment of a cyber security information sharing mechanism, the improvement of monitoring, early warning and emergency response systems, the organization of inspection and testing, the priority protection of energy and communication services, the strengthening of security and the prevention and combating of illegal and criminal activity, and the introduction of corresponding standards and guidelines. In order to reflect key national support, the “Regulations” propose promotion measures in seven aspects: personnel training, finance, technological innovation, industrial development, military-civilian integration, commendations and rewards, and publicity and education.
The fifth is to establish a supervision and management system. The “Regulations” stipulate that, under the overall coordination of the national cybersecurity and informatization departments, the public security department of the State Council is responsible for guiding and supervising the security protection of critical information infrastructure; the competent telecommunications department of the State Council and other relevant departments are responsible for security protection and supervision and management within the scope of their responsibilities; and relevant departments of the provincial people’s governments implement security protection and supervision and management of critical information infrastructure according to their respective responsibilities.
3. Thoughts on the key tasks of the security protection of critical information infrastructure
Against the background that cyber security threats and risks are becoming increasingly prominent, and the security situation facing critical information infrastructure is becoming increasingly severe, the promulgation of the “Regulations” comes at the right time and brooks no delay. After the “Regulations” are formally implemented, China’s critical information infrastructure security protection work will enter a new stage of development. The key tasks of future related work mainly include the following considerations:
(1) Critical information infrastructure is the core and cornerstone of the national cyber security assurance work, which requires overall national deployment and overall coordination.
Critical information infrastructure carries or supports key businesses in important industries and fields, and has become a key node on which the operating systems of all industries depend. Once it is destroyed, the damage is transmitted step by step through related industries and fields, causing serious chain-reaction and widespread consequences for the national economy and national security. As the nerve center of economic and social operations, critical information infrastructure increasingly plays a basic, overall, and supporting role, where “a pull on one part moves the whole body.” Therefore, to improve China’s cyber security assurance capabilities, build a strong national cyber security barrier, and maintain national cyberspace sovereignty and national security, we must earnestly grasp the “bull’s nose” of critical information infrastructure security.
As the core and overall work of national cybersecurity assurance, the security protection of critical information infrastructure must adhere to overall deployment. In this sense, under the leadership of the Central Cyber Security and Informatization Commission, the national cybersecurity and informatization department should perform its overall coordination function and continuously strengthen the top-level design, overall layout, overall coordination, and overall advancement of critical information infrastructure security protection work. The public security department of the State Council shall strengthen its guidance and supervision of the security protection of critical information infrastructure. The competent telecommunications department of the State Council and other relevant departments shall implement security protection and supervision and management in accordance with their responsibilities stipulated in the “Regulations.”
(2) Continuous capability assessment is the guidance and direction for improving the security protection of critical information infrastructure.
Drawing on China’s practical experience in critical information infrastructure protection and the protection requirements of relevant laws and policies, it is of great practical significance during the “14th Five-Year Plan” period to propose a critical information infrastructure security protection capability evaluation system suited to China. Security capability assessment is an important link in the security protection of critical information infrastructure. Its results directly reflect the security protection status of critical information infrastructure, reveal existing weaknesses, and provide a basis for security rectification and subsequent security planning. From a long-term perspective, continuous capability assessment provides a direction for the construction, operation and maintenance management of critical information infrastructure, and can play a role in promoting construction, management, and reform through evaluation.
(3) To do a good job in the security protection of critical information infrastructure, we must earnestly utilize the advantages of my country’s system and gather forces from all walks of life.
The first is to give full play to China’s institutional advantage of concentrating resources on major undertakings, further strengthen government-enterprise cooperation and military-government coordination, and give full play to policy advantages. It is necessary to move from self-protection to joint protection by the state, industry and operators, and to form a joint working force that advances critical information infrastructure security protection work and deals with risks and challenges. The second is to continue to expand and strengthen China’s cybersecurity industry: cultivate a group of leading brand companies with outstanding independent core technologies, obvious economic benefits, and remarkable ecological leadership capabilities; ensure the healthy growth of small and medium-sized enterprises with technical characteristics and good growth potential; and, relying on their advantages in technology, products, manpower and services, integrate shared resources, promote the intensification, specialization and normalization of security protection, and better support the security of critical information infrastructure. The third is to give full play to the role of industry organizations as a bridge and link, actively connecting the actual needs of the supply and demand sides, namely critical information infrastructure operators and network security technology and service providers, and strongly supporting technological innovation and industrial development in critical information infrastructure security protection. The fourth is to continue to do a good job in the promotion and implementation of relevant policies for the security protection of critical information infrastructure.
It is recommended that the study of relevant laws and regulations on the security protection of critical information infrastructure be incorporated into the cyber security awareness training of leading cadres and responsible comrades of relevant enterprises, and that their implementation be gradually incorporated into the assessment of departments and agencies responsible for the security protection of critical information infrastructure at all levels. Through normalized cybersecurity publicity and education activities such as the National Cybersecurity Publicity Week, the whole society should be mobilized to participate, effectively raising society-wide awareness of critical information infrastructure security protection and forming strong cohesion and centripetal force for national cyber security.
The “Regulations” provide a strong legal backing for China to create an open, safe and healthy digital ecology, consolidate the national network security protection foundation, and strengthen the security protection capabilities of digital resources. They also provide scientific, systematic and refined work guidelines for the security protection of critical information infrastructure. Looking forward to the “14th Five-Year Plan” period, with the implementation of the “Regulations”, China’s cyber security work will surely take advantage of the trend and continue to move forward courageously towards the realization of the strategic goal of a cyber power.