China is able to shut off internet access during major ‘social security incidents’ and has granted its Cyberspace Administration agency wider decision making powers under a draft law published this month.
The draft also appears to require critical infrastructure organisations including foreign entities to store “important” data on Chinese soil without specific permission to host offshore.
The Cyberspace Administration, headed by director Lu Wei, has a leading role in planning and coordinating information security policy efforts, analysts say .
The details of the new security approach are revealed in an English translation of the draft posted online.
“To fulfill the need to protect national security and social public order, and respond to major social security incidents, the State Council … may take temporary measures regarding network communications in certain regions, such as restricting it,” the document reads.
Critical infrastructure operators that wish to store Chinese citizen personal information and other “important data” offshore will need to conduct security assessments as mandated by the Government.
“Where due to business requirements it is truly necessary to store it outside the mainland or provide it to individuals or organisations outside the mainland, they shall follow the measures jointly formulated by the State network information department and the relevant departments of the State Council to conduct a security assessment.”
Critical infrastructure operators will need to conduct yearly network security assessments and submit reports to various State departments. Some may need to run “security drills” as dictated by the Cyberspace Administration.
Some of the laws planned for formal enactment in national law were previously detailed only in contracts. Analysts say this is points to Beijing’s escalating prioritization of defensive information security.