On 13 April 2023, China’s National Information Security Standardization Technical Committee (SAC/TC 260) released a document, Key Working Points of National Information Security Standardization Technical Committee in 2023, outlining its key working tasks and priorities for 2023. As cybersecurity standards are mainly developed to support governmental regulations, the development of this document is in line with the requirements of China’s policies and legislation, such as the National Standardization Development Outline, cybersecurity legislation, and China’s basic data system.

The document consists of four main sections: development of national cybersecurity standards in key fields, training and promotion, strengthening international competitiveness while promoting Chinese technology, as well as optimization of working mechanisms and capacity-building of SAC/TC 260. A total of 15 tasks are elaborated in the document. The following is a summary of the main highlights; foreign stakeholders are advised to keep monitoring relevant developments.

Accelerating the development of national cybersecurity standards in key fields

The first section indicates 7 tasks, accounting for nearly half of the total tasks of the document for 2023. Specifically:

  • The first task involves the identification and analysis of standardization needs and the improvement of the standards system. These needs mainly originate from relevant cybersecurity legislation and policies, especially those related to the general cybersecurity standardization system framework, data security, personal information protection, critical information infrastructure security, supply chain security, etc. In fact, this is highly consistent with the main purpose of cybersecurity standards, which is to support cybersecurity policies and legislation.
  • The second to fifth tasks indicate specific key fields for standardization, including critical information infrastructure, software supply chain, large-scale internet platforms, establishment of data system, specialized cybersecurity products, etc. Each of these key areas is further elaborated and supported with specific actions: standardization research, standard development or relevant document compilation. It is noteworthy that several actions are already ongoing, such as the promotion of GB/T 39204-2022 Cybersecurity requirements for critical information infrastructure protection – a conference was held in Beijing on 19 April, hosted by the Ministry of Public Security and attended by more than 300 representatives from industries, scientific research institutions and governmental authorities.
  • The sixth and seventh tasks indicate areas where the application of new technology presents challenges and risks, and for which cybersecurity standards are needed, including generative artificial intelligence, blockchain consensus mechanisms, zero trust, drones, quantum cryptography, 6G and privacy computing. These are described in a general manner, without detailed actions attached.

Only a small number of specific national standards are explicitly listed in the document, including 20230259-T-469 Security evaluation method for open source software, and 20221848-T-469 IPv6 address assignment and coding rules Interface identifier.

International standards development and engagement

The general attitude of TC 260 in participating in international standardization activities is proactive and positive, largely aimed at promoting Chinese technology and consolidating the relevant outcomes of innovation into international standards. This is confirmed in the document, which clearly reiterates TC 260’s willingness to engage and participate in international activities, while at the same time putting forward specific goals, namely: “at least two new international standard projects shall be officially initiated and approved, including cybersecurity for civilian drones”; and “at least two approved proposals on international standards for the security of industrial Internet platforms and the home Internet of Things will be advanced to the next stage of development”. As of May 2023, TC 260’s minutes of the plenary meeting of ISO/IEC JTC1/SC27 show that the target set in the document has mostly been accomplished:

  • ISO/IEC 24392 Cybersecurity — Security reference model for industrial internet platform (SRM-IIP), ISO/IEC 27071 Cybersecurity — Security recommendations for establishing trusted connections between devices and services, and ISO/IEC 27033-7 Information technology – Network security — Part 7: Guidelines for network virtualization security have proceeded into the FDIS stage
  • ISO/IEC 27035-4 Information technology — Information security incident management — Part 4: Coordination has proceeded into the DIS phase; for the second target:
  • a PWI on Cyberspace Security Guidelines for Unmanned Air Craft System is officially approved via ballot
  • a PWI on Information security — Secure multiparty computation — Part 3 is waiting to be approved as a NP via ballot

Furthermore, the document also indicates the key areas where international engagement will focus, such as artificial intelligence and digital twins: these may represent good entry points for foreign stakeholders interested in cooperation with China through international platforms. In terms of bilateral or multilateral cooperation, TC 260 reiterates the importance of China’s existing bilateral or multilateral cooperation mechanisms, such as Belt and Road Initiatives, Association of Southeast Asian Nations, BRICS, etc.

Optimization of working mechanisms

The document hints at a proactive attitude on the part of TC 260 toward optimizing its working mechanism to attract wider participation of stakeholders, especially from industry, which will ultimately facilitate the implementation of standards. The actions indicated include, but are not limited to, standard evaluation in the post-development stage, pilot trials in leading companies or organizations, development of a relevant mobile application for collecting opinions and feedback, etc.

In short, the document is a comprehensive to-do list. For foreign stakeholders, it is critical to analyze the tasks in detail, identify trends, actively engage and monitor progress.