Key Information Infrastructure Ushers In Strong Regulation Or New Security Industry

The formal implementation of the "key information infrastructure security protection regulations" is approaching, and related discussions are also continuing.

Recently, the State Council promulgated the regulations on the security and protection of key information infrastructure (hereinafter referred to as the regulations), which will come into force on September 1, 2021. As the first administrative regulation for the security protection of key information technology facilities in China, it is also an important supporting regulation of the network security law of the people's Republic of China. The regulations put forward specific requirements for each responsibility subject, as well as the scope of responsibilities and legal obligations of each role in the security protection of key information infrastructure.

The purpose of defining the scope and defining the rights and responsibilities is to build a systematic defense line. At the regular briefing of the State Council on the "Regulations on the security and protection of key information infrastructure" on August 24, Sheng ronghua, deputy director of the state Internet Information Office, pointed out that there are problems in the current network security protection work, such as scattered resources and insufficient support from the technology industry. Therefore, it is necessary to establish a special system to further clarify the responsibilities of all parties.

"Generally speaking, the top, bottom, left and right should jointly build a responsibility system for the security protection of key information infrastructure, so as to build a strong national network security barrier." Sheng ronghua said.

Maintain network security

At the briefing, Sheng ronghua stressed that the regulations were not aimed at foreign trade and overseas listing, but were aimed at ensuring the security of key information infrastructure and maintaining network security.

In fact, it is necessary to pay attention to this field at present. According to the data of the national industrial information security development research center, in 2020, there were nearly 800 major industrial information security risks identified by artificial intelligence, involving manufacturing, transportation, municipal and other industries, and the proportion of high-risk vulnerabilities remained high.

However, before the regulations, there was no clear legal or administrative basis for the definition of "critical information infrastructure", while the regulations made a clear determination for the first time.

According to the regulations, key information infrastructure refers to important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense science and technology industry, as well as other important network facilities that may seriously endanger national security, national economy and people's livelihood, and public interests in case of damage, loss of function or data disclosure Information system, etc.

"The introduction of the regulations has made clear the importance of the security of key information infrastructure, which is a wake-up call for practitioners in information security, network security, data security and other industries." In an interview with the 21st century economic reporter, Zhang Xudong, chairman and CEO of Huakong qingjiao, analyzed and said, "at the same time, the regulations also clearly stipulate how to measure and identify the key information infrastructure, and the identified rights and responsibilities will further promote the development of the industry."

Wang Rendong, vice president of Huawei's security products field, told reporters of the 21st century economic report that as employees of the security industry, they have always had very high expectations for the promulgation of the regulations“ At present, with the change of the international situation, cyberspace has become the fifth dimensional space of confrontation, especially for the key information infrastructure of the country, which is related to the national economy and people's livelihood. It is urgent to have a clear and clear security protection guideline to guide the operators of key information infrastructure to carry out security protection construction. "

It should be noted that the areas listed in the regulations are not static《 According to Article 9 of the regulations, the protection department shall, in light of the actual situation of the industry and field, formulate rules for the identification of key information infrastructure and report them to the Public Security Department of the State Council for the record.

According to Yang Bo, the strategic planning and consulting department of Qianxin group, such provisions indicate two points: "first, the industry authorities have important decision-making power in determining the identification of key information infrastructure. Whether it belongs to key information infrastructure or not depends on whether the business is important; Second, the scope of critical information infrastructure will change with the impact of business. With the development of information technology, it will certainly expand year by year. "

New market space?

Another highlight of the regulations is that the responsibilities of different subjects are clearly defined.

Among them, the state network and information department is responsible for overall coordination, the public security department is responsible for guiding and supervising the security protection of key information infrastructure, and the competent telecommunications department and various industry authorities are responsible for the security protection, supervision and management of key information infrastructure within their responsibilities. The operator is responsible for the management system, resource guarantee, personnel management, organization setting, assessment and evaluation, product procurement, etc.

Behind the clear rights and responsibilities is the possibility of collaborative sharing《 Article 23 of the regulations specifically stipulates that the state network and information department shall establish a network security information sharing mechanism, timely collect, study, judge, share and release information on network security threats, loopholes and events, so as to promote the sharing of network security information among relevant departments, protection departments, operators and network security service agencies.

"By clarifying the responsibilities at all levels, the regulations have formed a multi-level three-dimensional coordinated comprehensive prevention and control system of the state's overall planning and supervision departments, industry protection departments and operators." Yang Bo pointed out to the reporter of the 21st century economic report that "no matter from the perspective of network security theory or practice, attacks can not be completely avoided. Therefore, we can only prolong the successful time of attack as far as possible through the improvement of security protection ability, and at the same time, we can speed up the time of risk detection and risk disposal as far as possible through the collaborative mechanism."

Many respondents said that such synergy will further promote the development of the industry. Zhang Xudong analyzed that in the past, the network security industry in China was more in the form of dots with a single enterprise as the node, resulting in the fragmented distribution of industry formats, few large giants were seen, and the industrial scale remained stagnant for a long time.

"If the independent and controllable network security is not promoted to a certain height, individual enterprises will not make excessive investment, which is a complementary relationship." "At the same time, since there was no reference to the key information infrastructure in the past, people's understanding of the relevant fields was also partial," Zhang said

Therefore, in Zhang Xudong's view, with the introduction of the "Regulations" and the implementation of the "network security law", all walks of life will have a more complete understanding of network security, and put together the scattered "jigsaw" of the past into the strategic objectives and implementation methods of the overall national network security. At the same time, as a practitioner in the data security industry, Zhang Xudong believes that this will also lay the foundation for the construction of safe and reliable data circulation network.

In addition, the implementation of the regulations is expected to open up new space in the network security market. According to Wang Rendong's analysis, the regulations put forward responsibility requirements for security product providers and security service providers. Security products should be trusted, network security incidents in key information infrastructure should be identified, and the responsibilities of security service agencies should be identified. "This will promote the continuous improvement of the credibility of security products and the security service technology of the whole security industry, To meet the protection requirements of critical information infrastructure, which will promote the healthy development of the entire industry. "

Not only will it help to increase the investment of enterprises in the field of security, from another perspective, the network security industry will usher in a new round of development opportunities. According to an analysis to the 21st century economic reporter, the implementation of the regulations may lead to the development of some new security industries, such as the artificial intelligence security industry represented by privacy computing and algorithm attack and defense.

?