By Nick Marro and Jake Parker
Regulators are actively setting the groundwork for implementation of China’s Cybersecurity Law, releasing a series of industry development plans that seek to bolster the enforcement of this sweeping legislation.
Industry Development Plans
In the months immediately following the publication of the Cybersecurity Law, Chinese regulatory agencies published a series of five-year development plans that tie industrial policy to China’s cybersecurity goals and build a broad framework for Cybersecurity Law implementation:
- 13th Five-Year Plan (13FYP) on National Informatization Released by the State Council on December 27, 2016, this plan includes numerous references to establishing “secure and controllable” and “secure and reliable” products and services, as well as improving indigenous innovation in cybersecurity, linking China’s cybersecurity goals to international competition objectives, securing and promoting indigenous innovation and core technology for cybersecurity purposes, promoting the revised MLPS scheme, and establishing an implementation catalogue for critical information infrastructure (CII) and CII safeguard measures.
- Information Industry Development Guidelines Released by the Ministry of Industry and Information Technology (MIIT) and the National Development and Reform Commission (NDRC) on January 17, 2017, the plan outlines the creation of a CII cybersecurity protection pilot zone restricted to using only “secure and controllable” products. The list of CII industries is expected in the coming months. The document also addresses global competition in a discussion promoting “secure and controllable” information technology industry development, stressing the lack of security of foreign products, and calling for substitution with domestic products.
- 13FYP for Big Data Industry Development Released by MIIT on January 17, 2017, the plan stresses the application of big data security products to support cybersecurity objectives.
- 13FYP for Information and Communications Technology (ICT) Development Released by MIIT on January 17, 2017, the plan notes that ICT development under the 12th FYP period failed to consider the relative weakness of domestic core technology and the need to upgrade critical products based on their levels of “securitye and controllability.” The plan also calls for strengthening “secure and controllable” technologies related to Internet of Things (IoT), big data, and cloud computing, as well as creating a “secure and reliable” content delivery network (CDN), and actively promoting “secure and controllable” new energy and energy-saving technology. The plan states China should implement a cybersecurity review mechanism conducted on an industry basis.
- 13FYP for Software and Information Technology Services Development Released by MIIT on January 17, 2017, the plan says information security technology and related industries should develop “secure and controllable” core technology to support China’s cybersecurity goals. In addition, the plan says a “secure and trusted” cloud computing system for smart manufacturing should be developed via pilot innovation zones that promote research and development, design, production manufacturing, marketing services, testing, and examination procedures.
Implementing Agencies
The 13FYP on National Informatization details the following implementation responsibilities:
- Cybersecurity review implementation The portion of the plan that details the division of work notes that implementation of this review will be led by the Cyberspace Administration of China (CAC), the Ministry of Public Security (MPS), MIIT, the Ministry of State Security (MSS), the Ministry of Science and Technology (MOST), and the State Administration of Science, Technology, and Industry for National Defense.
- CII security measures implementation The construction of CII safeguarding systems will be led by CAC, MPS, the State Encryption Management Bureau (SEMB), the General Office of the State Council, NDRC, MIIT, MSS, the Ministry of Finance (MOF), the State Administration of Science, Technology, and Industry for National Defense, and the Office of State Commercial Cryptography Administration (OSCCA).
- Cross-border security audit MPS will lead several agencies in establishing a security audit for the cross-border flow of data, with input from CAC, MIIT, GAC, OSCCA, and the State Administration of Science, Technology, and Industry for National Defense.
- Indigenous innovation implementation NDRC, MIIT, MOST, MOF, CAC, and MPS are tasked with improving indigenous innovation in cloud computing.
Regulations on foreign investment MOFCOM, SAIC, CAC, MIIT, and MPS will regulate work regarding foreign investment and reforming the internet and telecommunications industries.
About the authors: Jake Parker is the vice president of the China offices of the US-China Business Council, a private, nonpartisan, nonprofit organization of more than 200 American companies that do business with China. Nick Marro was a business advisory services manager for USCBC.
