Author: Sara Xia / Source: China Law Blog
China’s Cybersecurity Law (CSL) became effective on June 1, 2017 and it regulates the construction, operation, maintenance and use of networks, as well as network security supervision and management within mainland China. The Cyberspace Administration of China (CAC) is the primary governmental authority supervising and enforcing the CSL.
The CSL regulates cybersecurity from different aspects, including network operation security, network information security, as well as monitoring, early warning, and emergency responses.
Network Operations Security
Under the CSL, all network operators are required to perform the following duties to protect their networks from interference, damage, or unauthorized visits, as well as to prevent data leaks, thefts or falsification:
- Create internal security management systems and operating policies, and appoint dedicated network security personnel;
- Adopt technological measures to prevent computer viruses, cyber-attacks, network intrusions and other harmful activities;
- Monitor and record network operational status and network security incidents, and retain relevant network logs for at least six months;
- Take measures to classify data, back up and encrypt important data.
The CSL states that China has (or will have) a tiered network security protection system and network operators must perform the above duties to ensure network security and to meet the requirements of such a system. This indicates network operator obligations vary depending on their tier.
China currently has two network-security-related tiered protection systems. One is the Computer Information Systems Security Tiered Protection (计算机信息系统安全等级保护制度); the other is the Telecommunication Networks Security Tiered Protection (通信网络安全分级保护制度), though the contents of the two overlap regarding network security. Both of these protection systems put computer information systems or telecom networks into five levels of protection, depending on a system’s importance to national security, economic development, and social life, and on the potential damage to these areas in the event of network interference. Whether the tiered system mentioned in the CSL will be similar to these two existing systems or a completely new one is not yet clear. But these systems and the related national standards will likely be helpful guides to understanding the concept of China’s tiered protection system.
Critical Information Infrastructure Operators
Critical Information Infrastructure (CII) operators must comply with more stringent requirements on top of those applicable to all network operators. The CSL provides for the State to implement key protections for CII in public communication and information services, power, traffic, water, finance, public service, electronic government affairs, and other CII that may endanger national security, national welfare and the people’s livelihood, or the public interest in the event of destruction, malfunction or data leakage. No clear definition of CII is found in the CSL and the catchall language leaves plenty of room for interpretation.
However, there is a Network Security…