The vigorous rise of cyberspace and the widespread application of information technology have greatly promoted economic and social development, but at the same time also brought us complex and ever-changing security risks and challenges. Since the availability, reliability, and security of critical information infrastructure are related to people's lives, property, social order, and national security, they are regarded as important strategic resources of the country.
I. Overview
In recent years, the major economically developed countries in the world have successively started research on the security protection of critical information infrastructure. Among them, the protection of critical infrastructure and critical information infrastructure in the form of legislation has become the core of the construction of cyberspace security systems in all countries content. Below we make a brief comparison of the progress of the five developed countries in the cybersecurity industry, such as the United States, Germany, the United Kingdom, Japan and Russia, on the protection, research and the promulgation of relevant laws and regulations on key information infrastructure:
1. The United
States The United States is the first country in the world to begin research on the protection of critical information infrastructure. As early as 1996, eight areas have been defined for critical infrastructure. In 2002, the Department of Homeland Security of the United States was established. At the same time, the duties of the Department of Homeland Security included the protection of critical infrastructure. In 2006, the US Department of Energy carried out detailed planning and protection of industrial control systems, and in 2011 more new security protection clauses were added. In 2010, the US National Network Infrastructure Protection Act 2010 stipulated that Congress should set up a "security line" in the field of network infrastructure protection to protect the security of the US network infrastructure and establish a network defense between the government and the private sector The alliance ’s partnership promotes information sharing between the private sector and the government on cyber threats and the latest technological information. The Cyberspace as a State-owned Assets Protection Act 2010 authorizes the Ministry of Homeland Security to maintain and supervise the IT systems of state agencies, stipulates that the president may declare an emergency network state, and forces private owners to take remedial measures against key IT systems to protect the interests of the country . In 2013, the Obama Administration formulated "Improving Cybersecurity for Critical Infrastructure", and at the same time required that critical infrastructure be resilient. In 2014, the first comprehensive guidance document "Critical Infrastructure Cybersecurity Framework Specification" was released.
2. Germany
On July 10, 2015, the German Parliament passed the "German Cybersecurity Law", which focuses on strengthening the protection of critical information infrastructure, clarifying the responsibilities of "critical infrastructure" operators, expanding network supervision rights, Determine the network security reporting system and the obligation to add telecom operators. The law specifies that all industries or enterprises that are closely related to the daily lives of German people, including water resources, energy, communications, medical care, transportation, finance, and insurance, are covered by the protection of critical infrastructure. Germany has previously issued a relevant "Strategy" document, which defines the scope of "critical infrastructure", but it is only a development outline issued by the German Ministry of the Interior, and has no legal effect. The "German Cybersecurity Law" that was introduced afterwards absorbed the definition of "critical infrastructure" in the "Strategy", and on this basis, the legal responsibilities of operators of "critical infrastructure" were also clarified. The German Cybersecurity Law sets two specific reporting obligations for operators of critical infrastructure: one is the minimum cybersecurity standard reporting obligation, and the other is the dynamic reporting obligation for cybersecurity incidents. Minimum Cybersecurity Standard Reporting Obligation: Refers to the operators of all critical infrastructures as stipulated in the German Cybersecurity Act. According to the actual situation of this department, a cybersecurity aspect shall be submitted to the Federal Information Security Office (BSI) within the prescribed time. Report, the main content of this report is the situation that the unit installs relevant systems in response to the network GongJi; the network security incident dynamic reporting obligation refers to: telecom operators should actively collect and store users' communication business information, and the storage period should not be less than 6 months. In order to detect crimes, the police can obtain these data from telecommunications operators according to law. In addition, in order to ensure that the user's data information is not illegally used, the "German Cyber Security Law" stipulates that when the link or data information of the telecommunications operator is leaked or abused, the telecommunications operator has the obligation to notify the customer of the unit in time.
3. Britain's
early Internet legislation focused on protecting critical information infrastructure. With the continuous development of the network, the United Kingdom began to emphasize the security of network information while strengthening the protection of information infrastructure. On February 1, 2007, the British National Infrastructure Protection Center (CPNI) was formally established. It is a British government department that provides security consulting and protection for the infrastructure of British companies and organizations. The United Kingdom ’s National Security Advisory Centre merged to reduce the risk of terrorist damage to the UK ’s infrastructure and respond to other threats, and to protect the security of basic services in the UK (communications, emergency services, energy, finance, food, government, medical, transportation and Water). In 2016, the UK's National Cybersecurity Strategy (2016-2021) defined CNI (Critical National Infrastructure), which mainly includes the following 5 aspects: 1. Important enterprises: have achieved great success and are in R & D or intellectual property Enterprises with strong advantages; 2. Personal information data owners: not only large-scale data owners, but also some disadvantaged group information data owners; 3. High-threat targets: such as media; 4. Top digital economy providers Business; 5, insurance, investment, supervision, professional consulting organizations, etc .: organizations that have an impact on improving the network security situation in the field of network economy. The UK ’s definition of critical national infrastructure (CNI) breaks the US ’s conventional practice of dividing critical information infrastructure according to industry characteristics and sectoral attributes, and divides the UK ’s critical infrastructure from the dimensions of digital economy influence and data resource characteristics. Five categories. It is particularly worth noting that the UK even included certain professional consulting organizations or institutions within the scope of CNI, provided that it has a certain impact on the improvement of network security in the entire economic field.
4. Japan
Since the 1990s, Japan has continued to pay attention to the protection of key information infrastructure, and has gradually established a policy and law as the foundation, focusing on the construction of organizational systems, supported by monitoring and early warning and information sharing mechanisms, A key information infrastructure protection system guaranteed by technology, personnel, and financial support. After the amendment of Japan ’s Criminal Law in 2011, it clearly stipulated the elimination of spam, computer viruses and the protection of netizens ’private information, requiring network operators to keep users’ online and communication records for 30 days in principle, and an additional 30 days if necessary. On November 6, 2014, the House of Representatives of the Japanese Parliament voted to pass the "Cybersecurity Basic Law", which stipulates that power, finance and other important social infrastructure operators, network-related enterprises, and local governments have the obligation to cooperate with cybersecurity-related initiatives or provide relevant information to Strengthen the coordination and coordination capabilities of the Japanese government and private forces in the field of cyber security, and better respond to the network GongJi.
5. Russia
The key departments described in Russia's information security policy document in 2009 mainly refer to departments such as science and technology, national defense, communications, justice, and emergency response departments. The “Russian Federation Critical Network Infrastructure Security” issued in 2013 stipulates that the HeiKe of RuQin transportation, municipal and other national key department information systems can be sentenced up to 10 years in prison. This is in fact the integration of transportation, government, etc. into the country's key network infrastructure. In addition, Oleg Demidov, an expert on cyber security issues at the Russian Political Research Center, pointed out that Russia ’s information security strategy puts more emphasis on content-level control, and attaches great importance to Internet information dissemination to traditional culture, citizen morality and The impact of values, at the infrastructure level, there is almost no specific description, just a general representation of the protection of critical information infrastructure. To sum up, there are 7 types of key information infrastructure clearly or implicitly defined by Russian government departments, namely science and technology, national defense, communications, justice, emergency response departments, transportation and government departments.
2. Comparative analysis
The five countries of the United States, Germany, the United Kingdom, Russia, and Japan can basically represent the three most active economies in Europe, Asia, and Asia, with the exception of China. In the following, we will make a horizontal comparison and analysis of the similarities and differences between the coverage areas of key information infrastructures prescribed by these five countries from the perspective of defining industries and fields.
First of all, if we do not consider the issues that may be very rich in certain industries, considering the number of key information infrastructure defined by each country (as shown in the figure below), the United States is the most, reaching 16 categories; Germany is followed by 9 Class; Next is Class 8 in Japan, Class 7 in Russia, and Class 5 in United Kingdom.
Legend: Comparison of the number of key information infrastructure categories divided by the five countries
It is worth noting that the UK defines critical information infrastructure in a different way. It is neither a specific type of enterprise or institution nor a specific type of infrastructure, but is almost completely abstract and conceptual. facility.
Except for the United Kingdom, the United States, Russia, Germany, and Japan have relatively similar approaches for defining critical information infrastructure. From the perspective of defining critical information infrastructure, the United States, Japan, and Germany are also relatively close. Government departments, communications, and transportation have received the most attention, and have been delimited by the United States, Russia, Germany, and Japan. There are 7 areas jointly delineated by China, the United States, and Germany, including government (government) departments, communications, transportation, energy, finance, water conservancy, and health care. In addition, both the United States and Russia have identified emergency response and defense systems as key information infrastructures, which are worthy of reference for China. And Japan has even included the logistics industry in the category of critical information infrastructure, which is unique.
The chart below gives a comparison of the distribution of key information infrastructure defined by the US, Russia, Germany and Japan in terms of industry distribution. Because the British way of defining is more special and abstract, it is not listed in the figure below.
Legend: Comparison of the distribution of key information infrastructure industries defined by the four countries
3. Summary
Studies have shown that dozens of countries around the world are currently formulating or have begun to implement key information infrastructure related security policies, regulations, and standards, which profoundly affect all levels of national security, economic development, and social life. The United States has formed a systematic key information infrastructure protection system and has continuously improved its implementation plans. The European Union has also issued a number of policies in recent years to strengthen the protection of key information infrastructure. Although the protection of critical information infrastructure in China started relatively late, the starting point is relatively high. As an important content of the "Network Security Law", the formulation of key information infrastructure protection regulations and related national standards are already in progress.
Note: Part of this article is quoted and adapted from 360 Threat Intelligence Center's "Analysis Report of Global Critical Information Infrastructure Network Security Situation"