In this podcast Dr. Michael D Frick and I talk about the regulations that protect Chinese networks and information systems. Two closely connected subsystems of China’s cybersecurity regime aim directly at maintaining security in these areas: critical information infrastructure (CII) and multi-level protection.
As its name suggests, the Multi-Level Protection Scheme (MLPS) differentiates among networks by assigning them different levels of sensitivity, and network operators must implement protection measures according to their sensitivity classification.
Although the two systems are now closely connected, the MLPS had existed for several years before regulators started to establish the CII Security Protection System. The MLPS requires network operators to engage in various activities (called “security control points”) that contribute to reaching the overall goal of cybersecurity by advancing the realisation of intermediate strategic objectives such as secure boundaries, stable operations, sound management structures, secure communication networks, and competent security personnel. These activities include access control, personal information protection, trust validation, training, centralised control, electricity supply, fire prevention, and staffing.
Critical Information Infrastructure (CII) protection complements and, in part, is based on multi-level protection. However, one of the central new features of the CII Security Protection System is the requirement to organise a cybersecurity review for network products and services that may impact national security, particularly if they are employed in CII.
Compared to multi-level protection, cybersecurity reviews are highly opaque without detailed evaluation standards and guidelines. This black box design facilitates the ad hoc application of cybersecurity reviews in various regulatory areas, including data governance.
Accordingly, cybersecurity reviews have become the instrument of choice used by Chinese regulators whenever they believe that interference is necessary, but other cybersecurity subsystems, such as multi-level protection or cross-border data transfer management, lack the regulations required to justify such interference.
In general, the reviews pursue a wide range of goals such as preventing or alleviating supply chain disruptions, espionage, the abuse of user dependencies, unapproved data outflows, and the reliance on high-tech imports.
Interestingly, two cooperating and competing government agencies (the Ministry of Public Security and the Cyberspace Administration of China) each promote one of the partially overlapping multi-level protection and cybersecurity review systems. Their bureaucratic wrangling and contesting regulatory approaches continue to slow down the finalisation of standards for CII identification.
However, high-tech providers operating in China must be prepared to participate in cybersecurity reviews as the latest government publications highlight the CII concept’s broad reach, including public communication and information services, power production, traffic, water resources, finance, public services, e-government, national defence, and other important industries and sectors.
In our 5-minute interlude 06_2 we make a quick detour and talk about China’s difficult relationship with GitHub: on one hand, the intrinsic nature of open source code shared via GitHub – let alone the fact that GitHub allows all sorts of other information to be shared – can easily undermine the Online Content Management (read ‘censorship’) policies which are part of China’s cybersecurity regime, while on the other hand, access to standard libraries and the ability to collaborate on software projects is a key enabler – arguably a necessity – for most software development.
Michael holds a doctorate in Business Economics and a master’s in Modern Sinology. He works as a consultant advising businesses on Chinese regulatory aspects.