MSS’ interpretation on Cybersecurity Law highlights prioritization of critical information infrastructure
Published: Mar 18, 2024 12:49 PM
A concept photo of cybersecurity Photo: VCG

A concept photo of cybersecurity Photo: VCG

China’s Ministry of State Security (MSS) on Monday released an interpretation on the country’s Cybersecurity Law in terms of four highlights in the first basic law in China that regulates cybersecurity management, specifying the prioritization of the protection of critical information infrastructure. 

Coming into effect on June 1, 2017, the country’s Cybersecurity Law was formulated to safeguard cybersecurity, maintain the sovereignty of cyberspace and national security, protect the public interest, and safeguard the legitimate rights and interests of citizens, legal persons, and other organizations. It is of great significance for improving the robustness of China’s cybersecurity and enhancing awareness of cybersecurity among the general public. 

According to the MSS, the Cybersecurity Law sets the tone in the first article by explicitly stating the need to safeguard the sovereignty of China’s cyberspace. 
Cyberspace sovereignty refers to the natural extension of national sovereignty into the digital world. It represents the supreme authority domestically over its domestic network infrastructure, network entities, network activities, and related network data and information, as well as an independent authority internationally.

The Cybersecurity Law stipulates that this law applies to the construction, operation, maintenance, and use of networks within the territory of China, as well as the supervision and the management of cybersecurity. 

According to MSS, Article 5 and 75 of the Cybersecurity Law stipulate that key information infrastructure shall be subject to priority protection. Individuals or organizations from overseas which engage in activities such as attacking, intruding, interfering with, or damaging key information infrastructure in China, which results in serious consequences, shall be held legally responsible. Relevant departments can also decide to freeze their assets or take other necessary sanctions against such institutions, organizations, or individuals. 

Article 37 of the Cybersecurity Law stipulates that the operators of key information infrastructure shall store the personal information and important data collected and generated during operation within China’s territory. 

If it is necessary to provide such information or data overseas due to business requirements, a security assessment shall be conducted in accordance with the methods formulated by the competent authorities of the country’s cyberspace administration departments in conjunction with relevant departments of the State Council. 

According to the MSS, critical information infrastructure refers to important network facilities, information systems, and other infrastructure and information systems in key industries and sectors such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, which, once damaged, functionally impaired, or data leaked, may severely endanger national security, national economy and people’s livelihood, and public interests. 

In recent years, overseas forces have intensified their efforts to probe and collect data on China’s critical information infrastructure, posing a realistic threat to China’s national security. Clarifying the rules for the cross-border transmission of sensitive data is essential to provide effective protection for the security of China’s critical information infrastructure, the MSS said. 

Article 24 of the Cybersecurity Law stipulates that when network operators handle network access procedures for users or provide services to users, they shall require users to provide genuine identity information. If users fail to provide genuine identity information, network operators shall not provide relevant services to them. 

According to MSS, a real-name network registration policy is conducive to building a sound online order and a secure, stable, and prosperous cyberspace is of great significance to economic development and social stability. 

Some ill-intentioned individuals disguise themselves with sock puppets, using virtual identities to fabricate and distort facts, maliciously manipulate public opinion, and spread rumors to discredit others, whereas the real-name registration is akin to a “monster-revealing mirror” that leaves them with nowhere to hide, the MSS said. 

The Cybersecurity Law grants individuals and organizations the right to report actions that jeopardize cybersecurity to the relevant authorities as well as stipulates that individuals and organizations have the responsibility and obligation to safeguard national security. 

According to the MSS, safeguarding cyberspace security requires the participation of multiple parties. The Cybersecurity Law encourages government departments, network constructors, network operators, network service providers, relevant organizations in the network industry, and citizens to participate in cyberspace security governance according to their respective roles. 

The MSS noted that any individual or organization using the internet shall abide by the Constitution and laws, refrain from compromising network security, and refrain from engaging in activities that jeopardize national security, honor and interests by using the internet. Citizens and organizations shall assist and cooperate with national security agencies in safeguarding national security and investigating criminal activities in accordance with the laws. 

Global Times