Opinions concerning Appropriately Limiting Specific Gravely Untrustworthy Persons from Riding Trains for a Certain Period, and Promoting the Construction of the Social Credit System
All provincial, autonomous region, municipal and Xinjiang Production-Construction Corps social credit system construction leading work units, spiritual civilization offices, higher-level people’s courts, finance offices (bureaus), human resources and social security offices (bureaus), the State Administration of Taxation, local taxation bureaus, all delegated agencies of the China Securities Regulatory Commission, railway transportation enterprises, the Academy of Railway Science, and all railway public security bureaus:
Report concerning the Inspection of the Implementation of the “Cybersecurity Law of the People’s Republic of China” and the “National People’s Congress Standing Committee Decisions concerning strengthening Online Information Protection”
Presented at the 31st Meeting of the 12th National People’s Congress Standing Committee on 24 December 2017
Cybersecurity affects the long-term governance of the Party, affects a long period of peace and order for the country, and affects economic and social development as well as the personal interests of the popular masses. General Secretary Xi Jinping has emphatically pointed out that without cybersecurity, there is no national security, without informatization, there is no modernization. The National People’s Congress attaches high importance to cybersecurity work, deliberated and passed the “National People’s Congress Standing Committee Decision concerning Strengthening Network and Information Security Protection” in December 2012, and deliberated and passed the “Cybersecurity Law of the People’s Republic of China” in November 2016 (hereafter referred to as the “Law and Decision”). On the basis of the 2017 supervisory work plan, the National People’s Congress Standing Committee Law Enforcement Inspection Group has conducted a review of the implementation situation of the “Law and Decision” from August to October 2017. Now, on behalf of the Law Enforcement Inspection Group, I report to the Standing Committee.
I, The work situation of law enforcement inspection.
The Cybersecurity Law took effect on 1 June of this year. Opening a law enforcement inspection of a newly formulated law, having effect for less than three months, is a first in the NPCSC’s supervision work. Committee chair Zhang Dejiang attached full importance to this law enforcement inspection, and provided important instructions, pointing out that cybersecurity affects the country’s long term peace and order, and affects economic and social development as well as the well-being of the popular masses. The NPCSC launching law enforcement inspection in the same year that the Cybersecurity Law has taken effect, is an implementation of the spirit of the important instructions of General Secretary Xi Jinping concerning “we must establish a correct cybersecurity view”, to supervise relevant parties to further strengthen legal propaganda, strengthen the cybersecurity awareness of all of society, grasp the formulation of accompanying laws and policies, ensure the effective implementation of the law, strive to upgrade cyberspace governance levels and realistically safeguard security in national cyberspace and the lawful rights and interests of the people. We hope that the inspection group have meticulously organized this law enforcement inspection, persisted in problem-based guidance, and found through in facts.
On the basis of the spirit of the instructions of Committee chair Zhang Dejiang, the Internal Judicial Committee, Finance and Economics Committee, Education, Science, Culture and Health Committee and the Standing Committee Office researched the matter repeatedly, and established the five focus points of this law enforcement inspection: the first is the situation of conducting legal propaganda and education work; the second is the situation of formulating accompanying regulations and rules; the third is the situation of strengthening critical information infrastructure protection and implementing the multi-level protection system for cybersecurity; the fourth is the situation of bringing online unlawful information under control and safeguarding the benign ecology of cyberspace; and the fifth is the implementation of the citizens’ personal information protection system, and investigating and prosecuting unlawful and criminal acts violating citizens’ personal information and related matters.
On 25 August, the Law Enforcement Inspection Group convened its first plenary meeting to convey the important instructions of Committee chair Zhang Dejiang. The meeting heard the reports of the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration of Press, Publications, Radio, Film and Television and the Supreme People’s Court concerning the implementation situation of the “Law and Decision”; the Ministry of Education, the Ministry of Science and Technology and the Ministry of Traffic and Transportation submitted written reporting materials.
On the basis of arrangements, deputy Committee chair and Chief Secretary Wang Zhen, Deputy Committee Chairs Shen Yueyue, Zhang Ping, Wan Exiang, Chen Zhu and myself participated in this law enforcement inspection. The Inspection Group visited six provinces (regions, municipalities), Inner Mongolia, Heilongjiang, Fujian, Henan, Guangdong and Chongqing, to conduct investigation. In that period, the Inspection Group heard reports from relevant provincial, municipal and county governments, successively convening over 30 discussion meetings, and inspected several cybersecurity command platforms and critical infrastructure operating work units on the ground. Furthermore, it also entrusted 12 provincial (regional, municipal) People’s Congresses to conduct an investigation of the implementation situation of the “Law and Decision” within their administrative area.
In order to deeply understand the implementation situation of the “Law and Decision”, this law enforcement inspection conducted several new trials in terms of methods and approaches: first, it invited third-party expert bodies to participate. From early September until mid-October, the Inspection Group selected 20 important information systems in each of the six provinces (regions, municipalities) for on-the-ground inspection, and entrusted the China Information Security Monitoring Centre with conducting a vulnerability sweep and a mock attack, and issued a specialized monitoring report on the basis of the situation of monitored systems’ cybersecurity. The Inspection Group also entrusted the China Youth Daily Social Survey Centre with conducting popular opinion surveys in 31 provinces (regions, municipalities) on the basis of questions in 10 areas of the “Law and Decision” that closely affect the public, and they issued a survey report. In total, 10370 people participated in this survey. The orderly participation of third-party bodies strengthened the expertise, authority, objectivity and fairness of this inspection. Second, expert participation. Considering the strong specialized nature of cybersecurity, during the law enforcement inspection period, the Inspection Group successively invited 21 cybersecurity experts and technical personnel having engaged in cybersecurity work for a long time from the State Information Technology Security Research Centre and other such work units, to provide technical support to the Investigation Group, and strengthen the focus and efficacy of the inspection. Third, random spot checks. Each small inspection group randomly selected several critical information infrastructure operating work units according to the requirements of the inspection plan, and conducted preliminary spot checks unannounced. Six small inspection groups conducted random spot checks on 13 work units in total. 
120 important information systems were monitored remotely, and were also selected randomly by the Law Enforcement Inspection Group, and monitoring was completed under circumstances where the operating work units were not aware of the matter.
II, The method and efficacy of implementing the “Law and Decision”
In recent years, all levels’ Party Committees and governments have earnestly organized study of General Secretary Xi Jinping’s series of important speeches and important judgments concerning cybersecurity, deeply implemented the Centre’s strategic arrangements concerning “building a strong cyber power”, entered cybersecurity into the overall picture of economic and social development and into comprehensive planning and arrangements, forcefully advanced cybersecurity and network information protection work, and legal implementation has seen vigorous results.
(1) Deeply conducting propaganda and education, strengthening cybersecurity awareness.
First, strengthening the entire people’s cybersecurity awareness has been made into a basic task. 9 departments including the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security have, for four successive years, organized and launched Cybersecurity Week and themed days; propaganda activities, lectures, forums, etc. during this period of events annually have exceeded 10.000 in number, with an annual average coverage of around 200 million people. After the promulgation of the Cybersecurity Law, all localities have conducted propaganda and explanation of the core content of the law through newspapers and magazines, radio and television stations, portal websites, governmental microblogs and public channels, etc. Second, strengthening legal propaganda and education in focus work units and focus sectors. The Ministry of Industry and Information Technology has entered learning about the “Law and Decision” into annual assessment standards for basic telecommunications operating enterprises, and organized learning sessions at focus Internet enterprises such as Baidu, Alibaba, Tencent, etc. The Ministry of Public Security has organized concentrated study sessions for the public security bodies nationwide, over 200 Central ministries and commissions as well as Central enterprises, and over 260 information security enterprises and related personnel. The State Administration of Press, Publications, Radio, Film and Television has organized cybersecurity knowledge and skill training and competition activities. Provinces (regions) such as Inner Mongolia and Heilongjiang have conducted focus training for professional backbones in focus work units and focus sectors who are responsible for cybersecurity. Third, closely grasping the critical minority of leading cadres, and making enhancing the cybersecurity awareness of leading cadres into the heaviest of heavies.
Localities such as Guangdong and Fujian have promoted leading cadres to take the lead in knowing the law, understanding the law and using the law through organizing cybersecurity and informatization-themed deliberation classes for leading cadres, and other such methods. The Ministry of Traffic and Transportation Party Group’s members have taken the lead in study, and organized a “special training class for bureau-level leading cadres on cybersecurity”; the Ministry of Education has organized cybersecurity training classes for the education system, and has conducted topical training for responsible persons in all provincial education administration departments, directly subordinate higher education institutes and directly subordinate ministry bodies. All localities have made younger netizens into a focus point for law popularization, launched activities such as “cybersecurity entering campuses and entering households”, “strive to be a netizen with good ‘four haves'”, etc., guiding broad youth into going online in a lawful, civilized and healthy manner.
(2) Formulating accompanying regulations and policies, building cybersecurity structures and systems
In order to support the implementation of the “Law and Decision”, in recent years, relevant State Council departments have published the “National Cyberspace Security Strategy”, the “Telecommunications Cybersecurity Protection Management Rules”, the “Telecommunications and Internet User Personal Information Protection Regulations”, the “Telephone User Real Identity Information Registration Regulations”, the “Press, Publications, Radio, Film and Television Cybersecurity Management Rules”, the “Public Internet Cybersecurity Sudden Incident Emergency Response Plan” and other such accompanying rules, plans and policy documents. The Cybersecurity Administration of China has, together with relevant departments, published the “Some Opinions concerning Strengthening National Cybersecurity Standardization Work”, accelerated the formulation work of cybersecurity standards, and 198 national cybersecurity standards have been published. The Supreme Court and the Supreme Procuratorate have published the “Interpretation concerning Some Questions on Applicable Law when Handling Criminal Cases of Infringement of Citizens’ Personal Information”. Some provinces have also launched accompanying regulation drafting work: the Inner Mongolia Autonomous Region People’s Congress Standing Committee formulated the “Computer Information System Security Protection Rules”, the Fujian Province People’s Congress Standing Committee passed the “Fujian Province Telecommunications Infrastructure Construction and Protection Regulations”, the Guangdong Province People’s Congress Standing Committee published the “Decision concerning Implementing Telecommunications Users Real Identity Information Registration System”, and the Heilongjiang Province People’s Congress Standing Committee published the “Industrial Information Security Management Regulations”.
Chongqing Municipality persisted in equally stressing cybersecurity and informatization development, strengthening the construction of e-government systems and perfecting governmental website management structures. A series of accompanying regulations, rules and policy documents have been published, assisting in the implementation of the “Law and Decision”.
(3) Enhancing security protection capabilities, striving to ensure the security of network operations
First, strengthening critical information infrastructure protection. In 2016, the Cyberspace Administration of China and other departments organized the launch of critical information infrastructure investigation and inspection work. They conducted spot-checks and technological surveys of 11.000 important infrastructure systems’ operational security state, and completed cybersecurity risk assessments in multiple focus sectors including finance, energy, telecommunications, transportation, radio and television, education, healthcare, social security, etc., putting forward over 4000 improvement suggestions. Second, launching network infrastructure protection work. The Ministry of Industry and Information Technology has launched network infrastructure investigation work, completely combing through network infrastructure and information systems; at present, all sectors in total have been determined to contain 11590 critical network infrastructure systems and important information systems. Since 2017, over 900 focus network systems and industrial control systems have been subject to supervision and spot-checks, and 78980 vulnerabilities have been notified for rectification. Third, deeply advancing multi-level cybersecurity protection. 140.000 information systems have already been filed, among which 1.7000 are third-tier or higher important information systems; this basically covers all critical information infrastructure. At the same time, regularized inspection has been launched for information systems entered into multi-level protection; in recent years, the total of all kinds of security vulnerabilities that have been discovered and rectified approaches 400.000. Fourth, establishing reporting and early warning systems.
The Ministry of Public Security has taken the lead in establishing a national cybersecurity reporting and early warning mechanism, with a notification scope already covering 100 Central Party and government bodies, 101 Central enterprises, 31 provinces (regions, municipalities) and the Xinjiang Production-Construction Corps; all localities have also established cybersecurity and information security notification mechanisms, to notify and deal with all kinds of vulnerabilities and threats in real time. The Ministry of Education has established security supervision and early warning mechanisms for important websites and information systems in the education system, having already handled 35.000 security threats in total. Fifth, vigorously launching the construction of coordinated joint action platforms for cybersecurity. The Cyberspace Administration of China has taken the lead in establishing emergency response technology support and assistance mechanisms for critical information infrastructure, and it has incessantly upgraded the overall emergency response capabilities, security protection capabilities and coordinated joint action capabilities for critical information infrastructures. Sixth, forcefully conducting cybersecurity special campaign work. The Ministry of Public Security has, together with relevant work units, conducted large-scale special Internet enterprise defence campaigns, website security, as well as Internet and email security special governance campaigns, discovering and rectifying a batch of deep cybersecurity problems and vulnerabilities.
(4) Controlling information violating laws and regulations, and safeguarding a clear and crisp cyberspace
All localities and all relevant departments have earnestly implemented the requirements of the law, soundly performed online ideological work, and firmly cleaned up information violating laws and regulations of all kinds. Through launching a series of campaigns including “sweeping pornography and beating illegality”, the “Web Sword” etc., targeting information propagating terror, violence, obscenity or sex, etc. on Internet sites, application software, blogs, microblogs, public accounts, instant messaging tools or online streaming. Since 2015, the Cyberspace Administration of China and other departments have, according to the law, held talks with over 2200 websites violating laws or regulations, and cancelled the permit or filing of websites breaking laws or regulations or closed unlawful websites in over 13.000 cases; relevant websites have, according to user service agreements, closed nearly 10 million accounts violating laws or regulations, creating a powerful deterrence against all kinds of online unlawful conduct. The China Youth Daily Social Survey Centre provided the inspection group with a large-scale survey analysis report (hereafter simply named “mass survey report”), which suggests that among the 10370 people participating in the survey, over 90% of respondents affirm the efficacy of governance, and 63,5% among them believe that information violating laws and regulations online including information harming national security, propagating terror, violence, obscenity or sex has clearly reduced. The legal implementation competent departments have also established an online information patrol mechanism and public reporting platforms, to timely clean up information violating laws and regulations. Chongqing and other such localities give high regard to strengthening online content construction, vigorously creating excellent online works and strengthening online positive propaganda.
(5) Strengthening personal information protection, attacking unlawful and criminal infringement of user information security
In comprehensively implementing real identity system requirements for online access (website filing and domain names / IP addresses), fixed telephones and mobile telephones, in all cases where users do not provide real identity information, operators no longer provide related services to them. In the past five years, telecommunications enterprises have organized the accompanying registration of 300 million old users who had not yet submitted their real name, and ceased the provision of services according to the law to over 10 million users who refused to amend their registration. In order to ensure user information security, relevant departments have guided all network operating work units to further strengthen internal control and management structures, requiring them to implement strict management over application, use and period of validity of major operations such as mass data export, reproduction, information deletion, etc., preventing the mass leak of user information through workflows. Henan Province has strengthened security protection of critical systems for user information storage, enhancing capabilities to protect against hacking attacks. With regard to the trend of high incidence of user personal information crimes, the Ministry of Public Security has arranged and launched a dedicated attack campaign, establishing anti-fraud centres in 31 provinces (regions, municipalities) and the Xinjiang Production-Construction Corps, it comprehensively coordinated the attack against the use of citizens’ personal information to conduct telecommunications and online fraud crimes, in the past two years, over 3700 cases of criminal infringement of personal information were cracked, and over 11.000 criminal suspects were arrested. Between 2014 and September 2017, courts nationwide tried 1529 criminal cases where networks were used to infringe citizens’ personal information, gaining relatively good legal effects and social effects.
(6) Expanding support strength, advancing critical cybersecurity technology innovation.
In order to implement the requirements of the Cybersecurity Law to “support focus cybersecurity technology industries and projects, and support the research, development and utilization of cybersecurity technology”, the Ministry of Science and Technology, jointly with the Cyberspace Administration of China, composed dedicated research plans, based on the current development status of cyberspace security, focusing on raising our country’s critical information infrastructure and data security protection capabilities, supporting trusted management of cyberspace and data asset protection, enhancing cyberspace protection capabilities and other such goals; this established research directions in several focus points. In order to expand support to research, development and application support of cybersecurity technology, the Ministry of Science and Technology and the Ministry of Industry and Information Technology gave priority to initiating the “Cyberspace Security Focus Earmarks” in the “13th Five-Year Plan Period” national focus research and development plan; with a State-issued funding input of 1.384 billion Yuan, they systematically arranged 47 research tasks, striving to basically create an indigenous and controllable core cybersecurity technology system by the year 2020. Furthermore, in the “Science and Technology Innovation 2030 – Major Projects”, they gave priority to arranging a batch of major cybersecurity research projects, providing technical support to enhancing our country’s information supervision and management, leak and theft of confidential information prevention, cyber defence, etc.
The Ministry of Education has innovated cybersecurity talent education models, adding a first-tier cyberspace security discipline, issuing the “Opinions concerning Strengthening Cybersecurity Discipline Construction and Talent Training” together with relevant departments, initiating first-rate cybersecurity academy construction demonstration projects, and thus providing talent support for cybersecurity technology innovation.
III, Difficulties and problems existing in work
The inspection situation shows that various localities still display some difficulties and problems in implementing the “Law and Decision” and in safeguarding aspects of cybersecurity.
(1) Cybersecurity awareness urgently remains to be strengthened
Many critical information infrastructure operating work units have an insufficient understanding of the importance of cybersecurity; they believe that their being cyberattacked is only a low-probability matter, and they lack understanding of the harm from cyberattacks they may receive. In the area of informatization, they are “high on construction, low on security; high on use, low on protection”, they lack awareness about active defence, and are unwilling to conduct the necessary investment in security protection; when handling the relationship between the usability and security of business information systems, they often more emphasize usability, and when there is a conflict with the latter, often reduce security requirements. Quite a few local governments’ and departments’ leading cadres cannot understand cybersecurity from the height of national security; they have not entered cybersecurity work on the important work agenda for that level’s government or department, or they only give it priority in name, “saying it is easy, but treating it as secondary, and forgetting it when busy”. The social public’s cybersecurity awareness is generally not strong; the “Mass Survey Report” indicates that 55,4% of respondents believe that many people around them lack a cybersecurity awareness, and “know that cybersecurity exists but do not know much about it”.
(2) Basic cybersecurity construction is generally weak
First, the construction of cybersecurity state sensing platforms is lagging behind. Cybersecurity risks have a strong hidden component, and sensing the security state is the most basic and fundamental work to do cybersecurity well. In safeguarding cybersecurity, it is first and foremost necessary to know where the risks are, what the risks are, and when the risks emerge. But quite a few provinces have not yet initiated the construction of cybersecurity state sensing platforms, and they cannot realize all-weather, real-time, dynamic monitoring of the cybersecurity risk in important information systems. Second, the construction of disaster-proof back-up systems is generally lagging behind. Quite a few work units operating critical information infrastructure relating to the national economy and the people’s welfare have not conducted remote disaster-proof backups of important data according to legal provision, but have only adopted several simple data back-up measures; some have not even conducted disaster-proof backups, and cannot effectively respond to major data security risks. In several provinces, multiple important information systems have not conducted remote disaster-proof backups according to legal requirements. Third, indigenization levels in important industrial control enterprises’ equipment and control systems remain to be increased. Several important industrial control enterprises heavily rely on foreign technology: not only are production control systems built by foreign companies, but foreign products are also used as accompanying network and security equipment, the deployment of network and security equipment is controlled by foreign personnel, and enterprises’ internal personnel do not even hold security equipment deployment and management powers. In some provinces, the indigenization level of important industrial control enterprises’ production control systems is less than 20%. Fourth, emergency response plans are treated as a mere formality.
Some cybersecurity emergency response plans are biased towards the elimination of equipment blockages, and their content dealing with cyberattacks, information leaks and other such cyberspace security incidents is relatively limited; some emergency response plans lack feasibility; some emergency response plans have not been revised for a long time, and can no longer respond to the present type of cybersecurity incidents; many work units have not truly organized emergency response drills because they have insufficient conditions to have emergency response drills; quite a few localities and sectors have insufficient funds to be used to resolve cybersecurity problems, and after problems are discovered, they can often not be resolved timely because of funding shortages.
(3) Prominent cybersecurity risks and vulnerabilities
In order to understand the situation of online operations, the law enforcement inspection group entrusted the China Information Security Monitoring Centre with conducting remote penetration tests and vulnerability scans of 120 randomly selected critical information infrastructure systems (60 portal websites and 60 operational systems). This Centre issued a report that stated that among the 120 critical information infrastructure systems undergoing remote monitoring, 30 contained security vulnerabilities, including 12 high-risk vulnerabilities; some provincial-level departments’ comprehensive Internet supervision and management platforms among them contained three high-risk vulnerabilities of unauthorized uploads, unauthorized downloads, and unauthorized deletion, gravely threatening the security of systems and servers, and they also contained grave risks of user information leaks. The remote monitoring also discovered that multiple city-level government portal websites contained the risk that pages might be distorted. The law enforcement inspection group’s on-site spot checks discovered that multiple work units have not retained network logs according to laws and regulations, which may make it impossible to conduct tracing and response measures in a timely manner when a cybersecurity incident occurs; some work units have not conducted risk assessments of important information systems, and lack knowledge of the cybersecurity situation they may face. The inspection also discovered that in multiple work units, the security construction of intranets and private networks has not been given sufficient attention; some work units have not arranged for any security protection equipment of their intranet systems, and have not conducted vulnerability scans for a long time, and thus major cybersecurity risks exist.
Following the advance of informatization construction in all areas and all localities, the datafication, onlinification and remotization of all sectors and all areas is becoming ever clearer, putting forward higher requirements for cybersecurity.
(4) The situation in user personal information protection work is grim
The “mass survey report” demonstrates that the implementation of many structures in the “Law and Decision” concerning user personal information protection is not ideal: 52.1% percent of interviewees believe that the provisions in the law concerning “online service providers and other enterprise and undertaking work units must, when collecting and using citizens’ personal electronic information during their business operations, indicate the purpose, method and scope for the collection and use of information” has been implemented badly or mediocrely; 49.6% of interviewees have encountered excessive collection of personal information, and 18.3% among them have regularly encountered excessive collection of user information; 61.2% of people have encountered “dictator clauses” where relevant enterprises use their own advantageous position to force the collection and use of user information, and if this is not accepted, the product in question cannot be used, or services received; 52.5% of people believe that law enforcements’ protection of user information has ordinary or bad results, quite a few people reflect that after discovering that their personal information was leaked or abused, it was relatively widespread that reporting was difficult, filing complaints was difficult, and filing cases was difficult. Many interviewees reflected that the problems of excessive collection of user information and infringement of personal privacy exist in a widespread manner in free-of-charge applications, but it seems as if there is no supervision, management or lawful punishment whatsoever. The investigation discovered that some Internet companies and public service departments stored large amounts of citizens’ personal information, but security protection technology was gravely lagging behind, making it easy for law-breakers to steal and abuse it. 
Several work units’ internal control systems are not perfected or not implemented, a small number of “inside ghosts” have taken the risks in pursuit of unlawful gain, leading to large-scale leaks of user information. In several places at present, the use of networks to illegally collect, steal, peddle and use users’ information has created black industry chains. Cases recently uncovered by public security departments demonstrate features of user information leaks such as multiple channels, low costs for unlawful acts of theft, high difficulty of investigation, etc.; furthermore, the methods used by law-breakers are incessantly improving, and cases of “targeted fraud” triggered by user information leaks are increasing, creating grave harm to the popular masses’ asset security.
(5) Cybersecurity law enforcement structures remain to be further smoothened
The phenomenon of “nine dragons ruling the water” in cybersecurity supervision and management still exists, problems such as unclear duties and responsibilities, each fighting their own battles, law enforcement shifts responsibility, efficiency is low, etc., still have not been effectively resolved, the comprehensive coordination role with which the law endowed cybersecurity and informatization departments has been insufficiently unhindered. In several localities, multi-headed management problems in network and information security are relatively prominent, but after information leaks, abuses of user personal information and other such information security incidents occur, users regularly run into the problems that there is no door to complain to, or departments shift responsibility between them or dispute over trifles. The “mass survey report” reveals that 18.9% of interviewees reflect that, after encountering cybersecurity problems, they do not know which department to go to to file a report or complaint, and even if they have reported the matter, it is often not dealt with or there is no result. Multiple network operating work units participating in the discussions reflect that problems exist in administrative law enforcement, such as different law enforcement departments conduct duplicate inspections of the same work unit or the same item, and even that inspection standards are not identical, different law-implementation competent departments collect data but “interconnection and interaction” cannot yet be realized, regularly bringing increased and extra burdens to network operators. Quite a few people believe that if it is impossible to rationally structure and precisely delineate duties and responsibilities between departments, it will lead to the problem that law enforcement is not coordinated in the process of implementing the multi-level protection system and critical information infrastructure protection system.
Furthermore, the investigation discovered that urban rail transport control systems and other such industrial control systems have unclear cybersecurity management responsibility boundaries, operating work units’ implementation of cybersecurity responsibility contains difficulties; supervision, management and administrative law enforcement powers in the telecommunications sector are gravely insufficient, law enforcement forces are not suited to the present severe situation that cybersecurity incidents occur at high frequency.
(6) Accompanying regulations to the Cybersecurity Law remain to be perfected
Quite a few work units reflected that as the basic law in the area of cybersecurity management, quite a few elements from the Cybersecurity Law are principle-type provisions, and true “implementation” still relies on the perfection of accompanying regulations. For example, even though the Cybersecurity Law contains provisions on data security and use, data operations in practice are relatively complicated, and data desensitization standards, inter-enterprise data sharing norms etc. still need relevant regulations and rules to clarify them; the Cybersecurity Law only clarified that critical information infrastructure operators’ data export activities require assessment, but it has not further clarified whether a security assessment is to be conducted for the export of important data held by other network operators. The critical information infrastructure protection system is an important system in the Cybersecurity Law, but understandings at present are not yet uniform with regard to what is critical information infrastructure, standards and procedures to designate critical information infrastructure, etc. this needs to be clarified through accompanying regulations. How critical information infrastructure is to conduct annual inspections and evaluations, how network operators and management departments are to uniformly publish cybersecurity early warning information, how to support indigenous intellectual property rights in cybersecurity, etc., are also waiting for accompanying regulations and rules to be clarified.
(7) There is a cybersecurity talent shortage
Among the 10370 people participating in the investigation, over 69% of interviewees believe that within their work unit or among the people they know, the number of specialist technical talents who are able to engage in cybersecurity protection with skill is relatively low, it is impossible to satisfy real needs, 21.6% among these interviewees believe that within their work unit, there is basically no-one who is well acquainted with cybersecurity protection technology. The investigation situation shows that, regardless of whether a region is economically developed or relatively backward, cybersecurity technology talents are relatively lacking in all cases, existing network operating work units’ technology talents are mostly biased towards systems use, operational maintenance, their capability for cybersecurity risk supervision and control, emergency response and comprehensive defence is insufficient, and it is difficult to respond to the needs of protecting cybersecurity. In some critical information infrastructure core business systems, even though protection systems are installed, upgrades or patches cannot be applied to security software because of a lack of high-level security technology talent, and so this means cybersecurity protection products can play an effective role only with difficulty. Quite a few government portal websites do not have specialized cybersecurity technology talents, website management personnel have not accepted systematic cybersecurity skills training. Furthermore, cybersecurity competent departments’ specialized talents are clearly insufficient in number.
Under factor constraints such as personnel appointment, duties, remuneration, etc., many local cybersecurity and informatization, public security, telecommunications management, industry and information technology, and other such work units often are unable to recruit or retain specialized technical talents, first-line law enforcement personnel’s specialist training and skills can hardly gain competence for regularized supervision, management and law enforcement duties for network operational security.
IV, Some suggestions
On the basis of the inspection situation, the inspection group has put forward the following suggestions for further implementing the “Law and Decision”.
(1) Further raising understanding of the importance of cybersecurity
In the information age, cybersecurity has become the fifth space outside terrestrial, maritime, aerial and outer space, it has become a new frontier for national interests and a new area for the strategic game between all major countries worldwide, cybersecurity can affect the entire picture of national security with one move, it has become a national security problem of a fundamental and comprehensive nature. The 19th Party Congress report stressed that cybersecurity and other such non-traditional security matters are one of the common challenges that humanity faces, we must persist in the overall national security view, make the people’s security into the purpose, make political security into the foundation, comprehensively manage external security and internal security, territorial security and citizens’ security, traditional security and non-traditional security, our own security and common security, perfect national security structures and systems, and strengthen the construction of national security capabilities. We must further deepen understanding of the importance of strengthening cybersecurity work under new circumstances, incessantly strengthen our sense of urgency and self-consciousness in implementing the Cybersecurity Law and other such laws and regulations. The competent departments for implementation of law and other related work units must, in integration with their work reality, further strengthen propaganda and training about the Cybersecurity Law, incessantly let the broad network operators, critical information infrastructure operating work units and their relevant personnel be able to know the content of the law, they must also strengthen propaganda for the social public in ways that are pleasing to see and hear, let the broad public understand the close relationship between cybersecurity and themselves, and strengthen the cybersecurity awareness of all of society.
(2) Correctly dealing with the relationship between security and development.
General Secretary Xi Jinping pointed out that cybersecurity and informatization are mutually accompanying. Security is the precondition for development, development is the guarantee for security, security and development must be advanced simultaneously. We must fully understand the role of the Internet in state management, economic development and social governance, continue to advance e-government, e-commerce and new smart city construction, incessantly enhance technological convergence, operational convergence and data convergence, create information “arteries” for economic and social development. We must, according to the requirements in the Cybersecurity Law to “equally stress maintaining cybersecurity and informatization development”, persist in grasping network and informatization development with one hand, and grasping cybersecurity with the other, “grasp with both hands, both hands must be tight”. In cybersecurity, we must give high regard to traditional information security and ideological security, and create a cyberspace with a clear atmosphere, brimming with positive energy, we must also give high regard to enhancing capabilities to defend against attacks, effectively prevent cyber attacks, and realistically safeguard the security of networks and information systems. We must scientifically formulate cybersecurity standards for different sectors and different work units, and earnestly research and resolve the problem that “cybersecurity compliance costs are excessively high” put forward by several work units. Encourage and support the development of the cybersecurity industry, give rein to the role of social forces, and provide secure products and services.
(3) Accelerate the perfection of accompanying regulations and rules of the Cybersecurity Law.
We must accelerate the legislative progress of the “Critical Information Infrastructure Protection Regulations” and the “Cybersecurity Multi-Level Protection Regulations”, make clear provisions on issues that, in practice everyone universally feels are difficult to grasp, such as what is critical information infrastructure, how to determine critical information infrastructure, etc., and further clarify the departmental duties and responsibilities in the process of implementing the multi-level protection system and the critical information infrastructure protection system. Cybersecurity and informatization, telecommunications and public security departments must formulate accompanying regulations or documents as quickly as possible, and create detailed structure for elements of the law such as personal information and important data export security assessment, online data management, cybersecurity monitoring and early warning, information reporting, cybersecurity review, cybersecurity certification and security monitoring result mutual recognition, etc. Several administrative regulations and departmental rules already formulated earlier should also be timely corrected and perfected on the basis of the requirements of the Cybersecurity Law as well as new issues and new questions that were encountered. On the basis of the need to prevent and attack online unlawful and criminal acts, strengthen Internet criminal legislation, research the formulation of a law to prevent and address online unlawful and criminal acts, and promote the effective linkage of administrative punishment and criminal punishment of online unlawful and criminal acts.
(4) Striving to enhance cybersecurity protection capabilities
First, accelerating cybersecurity state sensing platform construction. We must integrate resources from all departments to establish a unified all-weather cybersecurity sensing platform, in order to discover risks and sense risks well, and thereby build uniform and high-efficiency cybersecurity risk discovery mechanisms, notification mechanisms, intelligence sharing mechanisms, deliberation and response mechanisms, and to accurately grasp the laws, trends and tendencies occurring in cybersecurity risks. Second, organizing and conducting risk assessment according to the law. We must, as quickly as possible, perfect cybersecurity risk assessment mechanisms, strengthen assessment in important sectors and areas such as finance, energy, transportation, etc., and on the basis of the assessment situation, adjust cybersecurity work plans and protection measures at suitable times. Third, regularly organizing emergency response drills. Organize critical information infrastructure operating work units to regularly conduct emergency response drills, to ensure that important information systems involving national security, or involving the national economy and the people’s livelihoods are able to effectively respond against organized, high-strength cyberattacks. Fourth, we must earnestly implement the requirements of the law, accelerate the construction of disaster-proof backups in critical information infrastructure, and regularly conduct testing of their disaster-proof efficacy, enhancing the capabilities of information systems to be resilient to disasters, mitigate disasters and recover. We must supervise network operating work units in earnestly implementing the provisions of the law and preserve network daily records according to the law.
Fifth, we must strengthen the construction of cybersecurity confidentiality protection systems, enhance the capabilities of cybersecurity secrecy protection equipment, and enhance the construction of cybersecurity secrecy protection technology safeguard infrastructure. Sixth, we must forcefully advance the domestic production replacement project. Strengthen technological research and development, progressively raise the degree of domestically produced content in information control systems in important industries and enterprises, and increase the indigenous and controllable capabilities in critical information infrastructure and cybersecurity equipment.
(5) Progressively strengthening users’ personal information protection
First, we must accelerate the progress of the personal information protection legislation. Through specialized legislation, clarify the principles and procedures for network operators to collect user information, clarify their secrecy protection and [general] protection duties of collected information, and the liability they shall bear for improper use and weak protection, as well as supervision, inspection and assessment measures. Second, strengthening security protection. Strengthen the construction of data security supervision and management methods, implement tiered and categorized management for data resources, promote the research, development and deployment of security technologies for preventing data disclosure, preventing distortion and preventing leaks in the big data landscape. Third, we must earnestly research the scope and methods for user real-name registration systems, and resolutely avoid the problems that information collection subjects are excessively many in number, and real-name registration items are excessive. All localities and all work units shall have a clear legal basis for any real identity registration system. We must enhance real identity information collection methods, and reduce the content of real identity information. Fourth, strengthening supervision and inspection. Establish third-party assessment mechanisms, supervise network operators and public service work units in strictly collecting user information according to the law, establishing and completing internal management mechanisms, and effectively reducing the risk of “inside demons” stealing data. Fifth, further strengthening attack. Public security bodies must strengthen the attack against cyberattacks, online fraud, online harmful information and other such unlawful and criminal activities, sever online criminal profit chains, continue to shape a high-pressure situation, implement the provisions of the law on protecting citizens’ personal information, and ensure that the broad citizens’ lawful rights and interests are not harmed. Sixth, we must perfect complaints reception mechanisms. Research the establishment of uniform and highly effective user information security incident complaint reception mechanisms, to provide a convenience for user complaints and reporting, and safeguard the popular masses’ lawful rights and interests.
(6) Strengthening comprehensive coordination in cybersecurity work
Cybersecurity work involves many domains, has a broad scope, brings heavy tasks, great difficulties, and is strongly systemic, general and coordinated in nature. To respond to complex cybersecurity situations, we must ensure uniform planning, uniform arrangements, uniform standards and uniform progress. We must incessantly perfect online law enforcement coordination mechanisms, complete standardized law enforcement suited to the features of networks as quickly as possible. We must implement regulations related to the Cybersecurity Law, strengthen the construction of cybersecurity law enforcement teams and law enforcement capabilities, strengthen the comprehensive coordination duties and responsibilities of cybersecurity and informatization departments, clarify the boundaries of and interfaces between all functional departments’ powers and responsibilities, create coordinated action mechanisms for departments including cybersecurity and informatization, industry and information technology, public security, secrecy protection, etc., we must both prevent functional overlap and multi-headed management, while also avoiding a pushing away of law enforcement responsibilities, and blank spots in management, incessantly raise law enforcement efficiency, effectively safeguarding cyberspace security. Considering the strong cross-regional nature of the Internet, and the fact that land boundaries are not clear, we must complete and perfect cybersecurity non-local law enforcement cooperation mechanisms, and realize interregional law enforcement joint action. We must also eliminate departmental interests, cut through data and information barriers, reduce duplicate construction, establish shared data platforms, substantially ensure that data collected by different departments can be shared, and raise cybersecurity protection capabilities.
(7) Accelerating the construction of cybersecurity talent teams
Cybersecurity is one of the areas where technological renewal happens the most quickly, competition in cyberspace fundamentally is a competition over talent; to construct a cyber power, the most crucial resource is talent. We must give high regard to cybersecurity talent training work, we must not only foster technical talents proficient in information system use and protection, but we must also foster large batches of talents who are able to conduct cybersecurity risk supervision and control, emergency response and comprehensive protection, and thereby satisfy the demands put forward in the implementation of the Cybersecurity Law. We must further strengthen the construction of cybersecurity academic disciplines, optimize the structuring of teacher teams, reform talent fostering models, foster ever more applied talents who can satisfy practical requirements. We must encourage reforms of network and informatization talent development systems and mechanisms to be conducted and trialled with priority, research the establishment of cybersecurity special talent training, management and incentive mechanisms, strengthen fostering, guidance and support of high-end cybersecurity talents and urgently required talents, ensure that Party and government bodies and critical information infrastructure operating work units are able to find and recruit, use well and can retain “high-end, capable and sharp” specialized talents proficient in cybersecurity technology.
At present, the Internet has deeply merged with all areas of economic development and social life, it has profoundly transformed people’s ways of production and life. We must earnestly study and comprehensively implement the spirit of the 19th Party Congress and especially Xi Jinping Thought on Socialism with Chinese characteristics for a new era, further raise our political stance, firmly establish correct cybersecurity views, further strengthen our sense of urgency and sense of awareness in implementing the law, advance all structures of the “Law and Decision” towards complete implementation, substantially safeguard cyberspace sovereignty and the direct personal interests of the popular masses, and provide firm guarantees for victoriously constructing a moderately prosperous society, gaining magnificent victories for Socialism with Chinese characteristics in a new era, and realizing the Chinese Dream of the great rejuvenation of the Chinese nation.
The digital economy is a driver for global economic growth that becomes more important every day, and is playing an ever more important role in accelerating economic development, enhancing labour productivity in existing industries, fostering new markets and new industrial growth points, realizing inclusive growth and sustainable growth. In order to expand cooperation in the digital economy area, as countries supporting the “One Belt, One Road” initiative, we will, on the basis of the principles of interconnection and interaction, innovation and development, openness and cooperation, harmony and inclusivity, mutual benefit and win-win, explore the common use of digital opportunities and response to challenge, strive to realize an interconnected and interactive “Digital Silk Road” through strengthening policy communication, infrastructure linkages, trade facilitation, financial flows and interlinking popular sentiment, and forge a mutually beneficial, win-win “community of interests” and a “community of destiny” for common development and flourishing. To this end, on the basis of voluntarity and non-restraint, we put forward the following proposal:
1. Expanding broadband access, raising broadband quality. Build and perfect regional telecommunications, Internet, satellite navigation and other such important information infrastructure, stimulate interconnection and interaction, explore the expansion of high-speed Internet access and connectivity measures at a bearable price, stimulate broadband network coverage, improve service capabilities and quality.
2. Stimulating the digital transformation. Stimulate the digitization of agricultural production, operations and management, as well as the networked transformation of agricultural product distribution. Encourage digital technologies to converge with the manufacturing sector, build an ever more linked, networked and smart manufacturing sector. Use information and telecommunications technology to improve cultural education, healthcare and medicine, environmental protection, urban planning and other public services. Stimulate the sustained development of service sectors such as smart logistics, online tourism, mobile payment, digital creativity and the shared economy.
3. Stimulate e-commerce cooperation. Explore the feasibility of establishing information sharing, mutual trust and mutual recognition mechanisms for cross-border e-commerce credit, customs passage, inspection, quarantine, consumer protection and other such areas, strengthen cooperation in areas such as financial payment, storage and logistics, technology services, offline exhibitions, etc. Strengthen cooperation in consumer rights protection.
4. Support Internet start-ups and innovation. Encourage the promotion of Internet-based research, development and innovation through beneficial and transparent legal frameworks, and support Internet-based start-ups. Use the Internet to stimulate innovation in products, services, processes, organizational and commercial models.
5. Stimulate the development of small, mid-size and micro enterprises. Stimulate small, mid-size and micro enterprises to use information and telecommunication technologies to conduct innovation, raise competitiveness and open up new market sales channels through policy support. Promote the provision of required digital infrastructure to small, mid-size and micro enterprises at bearable prices. Encourage small, mid-size and micro enterprises to provide information and telecommunication products and services to public departments, and enter into global value chains.
6. Strengthen digitized skills training. Increase the public’s digitized skills levels, ensure that they obtain gains from the development of the digital economy. Launch on-the-job training for digital skills, enhance employees’ digital skills. Encourage government departments, universities, research bodies and enterprises to vigorously launch training programmes, and stimulate the popularization and improvement of digital skills.
7. Stimulating investment in the information and telecommunications technology area. Improve the commercial environment through stimulating research, development and innovation as well as investment, including cross-border investment in the digital economy. Promote all kinds of financial bodies, multilateral development bodies, etc., to invest in information and telecommunications technology infrastructure and applications, guide commercial share investment funds as well as social funds to invest in the area of the digital economy, encourage public-private partnership relations and other such forms of participation. Encourage the organization of investment information exchange activities between information and telecommunications technology enterprises and financial bodies, encourage reciprocal investment in the information and telecommunications technology area.
8. Promoting inter-city digital economy cooperation. Stimulate relevant cities to launch twinning cooperation, support the establishment of strategic cooperation relationships between twinned cities, drive international traffic and logistics, enhance quality and increase efficiency through constructing information infrastructure, promoting information sharing, stimulating information technology cooperation, and stimulating Internet trading services. Explore the establishment of “Digital Silk Road” economic cooperation demonstration areas. Encourage and support relevant cities in establishing “Digital Silk Road” economic demonstration areas within these cities, promote profound bilateral cooperation in areas such as information infrastructure, smart cities, e-commerce, long-distance healthcare, “Internet Plus”, the Internet of Things, artificial intelligence, etc.
9. Increasing digital inclusivity. Adopt many kinds of policy measures and technological measures to reduce the digital divide, including the digital divide between countries and within countries, and forcefully stimulate the proliferation of the Internet. Stimulate the use of digital technologies in school education and non-official education, promote the realization of broadband access for schools and equip them with online learning environments, so that ever more students can use digitized tools and resources in pursuit of learning. Strengthen the development of digital content such as excellent online games, cartoons, audiovisual materials, literature, music and knowledge resources, and stimulate exchange between the cultures of all countries, and a meeting of people’s hearts.
10. Encouraging and fostering transparent digital economy policies. Develop and maintain an open, transparent and inclusive digital economy policy formulation method. Encourage the dissemination of related and publishable government data, and understand the potential of these in driving new technologies, new products and new services. Encourage online open tendering and procurement, support enterprises in innovating digital product production and services, and simultaneously ensure that demand is market-led.
11. Furthering international standardization cooperation. Propose the formulation and application of international standards for technology products and services developed through joint coordination, these international standards should maintain consistency with international norms including the norms and principles of the World Trade Organization.
12. Strengthening confidence and trust. Strengthen the feasibility, completeness, secrecy and reliability of online transactions. Encourage the development of secure information infrastructure, in order to stimulate trustworthy, stable and reliable Internet applications. Strengthen international cooperation in the area of online trading, jointly attack cybercrime and protect the information and telecommunications technology environment. Through ensuring and respecting privacy and protecting personal data, establish confidence among users, this is a critical factor influencing the development of the digital economy.
13. Encourage and stimulate cooperation while respecting autonomous development paths. Encourage all countries along the Belt and Road to strengthen exchange and enhance mutual understanding, strengthen cooperation in policy formulation, supervision and management, reduce, eliminate or prevent unnecessary differences in supervision and management requirements, in order to liberate the vitality of the digital economy, simultaneously understand that all countries should preserve consistency with their international legal obligations, and that they will plan their development path on the basis of their own development situation, historical and cultural traditions, national legal systems and national development strategies.
14. Encouraging the joint construction of a peaceful, secure, open, cooperative and ordered cyberspace. Support information and telecommunication technology policies that safeguard the global nature of the Internet, permit Internet users to lawfully and autonomously choose the information, knowledge and services they obtain online. Understand that cybersovereignty must be fully respected, safeguard cybersecurity, determinedly attack cyberterrorism and cybercrime, protect personal privacy and information security, and promote the establishment of a multilateral, democratic and transparent international Internet governance system.
15. Encouraging the establishment of multi-level exchange mechanisms. Stimulate all sides, governments, enterprises, scientific research bodies, and sectoral organizations to communicate and interact, share viewpoints, and promote cooperation in the digital economy. Strengthen training, research and cooperation in the area of the digital economy. Strengthen exchanges about policy formulation and legislative experiences among the “Belt-Road Initiative” countries, and share best practices. Launch the construction of digital technology capabilities, welcome and encourage the United Nations Trade and Development Committee, the United Nations Industrial Development Organization, the Organization for Economic Cooperation and Development, the International Telecommunications Union and other such international organizations to play an important role in driving international cooperation on the “Belt-Road Initiative” digital economy.
(Signed by China, Laos, Saudi Arabia, Serbia, Thailand, Turkey and the United Arab Emirates)
Chapter I: General provisions
Article 1: In order to strengthen management of content management staff in Internet news information service work units, safeguard the lawful rights and interests of staff and the social public, and stimulate the healthy and orderly development of internet news information services, on the basis of the “Cybersecurity Law of the People’s Republic of China” and the “Internet News Information Management Regulations”, these Rules are formulated.
Security Assessment and Management Regulations concerning New Technologies and New Applications in Internet News Information Services
Article 1: In order to standardize security assessment and management work concerning new technologies and new applications in Internet news information services, safeguard national security and the public interest, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China”, and the “Internet News Information Service Management Regulations”, these Regulations are formulated.
Article 2: These Regulations apply to national, provincial, autonomous region and municipal Internet information offices’ organization and execution of security assessments of new technologies and new applications concerning Internet news information services.
Yesterday, Xi Jinping presented his political report to the 19th Party Congress – a 32000 word behemoth comprehensively covering all areas of economic, political and social life. The report announces a new era in China’s historical progress. In CCP theory, history is divided in stages, which are characterised by various contradictions that are subordinate manifestations of one fundamental contradiction. Once that contradiction is solved, history moves to the next phase. Xi now announced that the primary contradiction is no longer the one defined by Deng Xiaoping: the tension between China’s material poverty and the needs of its population. Instead, Xi claims the major problem that must now be solved is China’s imbalanced development. In other words, GDP growth at all costs is out, in favour of a more comprehensive approach to social and economic governance. Technology will obviously play a central role in this regard, as a governance tool and a potential economic growth pole, but also as a source of potential risk and disruption. The journal China Information Security very usefully listed the excerpts referring to cybersecurity and informatization, which are translated here:
I, The work from the past five years and historical changes
Public culture service levels have incessantly risen, literature and art creation continues to flourish, cultural undertakings and cultural industries thrive and develop, Internet construction, management and use has incessantly been perfected, and the entire people’s fitness and competitive sports levels have developed comprehensively.
III, The thought and basic orientation of Socialism with Chinese Characteristics for a New Era and
(4) Persisting in new development ideas. […] Push forward the synchronized development of new kinds of industrialization, informatization, urbanization and agricultural modernization, actively participate in and promote the progress of economic globalization, and develop an ever higher-level, open economy, incessantly expand our country’s economic strength and comprehensive national strength.
(10) Persist in the overall view of national security. […] Comprehensively manage external security and internal security, territorial security and citizens’ security, traditional security and non-traditional security, our own security and common security, perfect national security structures and systems, strengthen the construction of national security capabilities, and determinedly defend the country’s sovereignty, security and development interests.
V, Implement new development ideas, build modernized economic systems
(1) Deepen supply-side structural reform. […] Accelerate the development of advanced manufacturing sectors, promote the profound convergence of the Internet, big data, artificial intelligence and the real economy, foster new growth points and create new drivers in areas such as mid- and high-end consumption, innovative leadership, greenness and low-carbon, the sharing economy, modern supply chains, human capital services and other such areas. […] Strengthen the construction of basic infrastructure networks for irrigation, railways, roads, waterways, aviation, pipelines, the electricity grid, information, logistics, etc.
(2) Accelerate the construction of an innovative country. […] Strengthen the use of basic research, expand the implementation of national major science and technology programmes, give prominence to critical and common technologies, advanced forerunner technologies, modern engineering technologies, disruptive technology innovation, in order to provide powerful support for the construction of a strong science and technology country, a strong quality country, a strong aviation country, a strong cyber country, a strong transportation country, a strong digital country and a smart society.
VII, Persist in cultural self-confidence, promote the flourishing and ascendance of Socialist culture
(1) Firmly grasp leadership power in ideological work. […] Deepen Marxist theory research and construction, accelerate the construction of philosophy and social science with Chinese characteristics, and strengthen the construction of new types of think tanks with Chinese characteristics. Give high regard to construction and innovation in means of dissemination, and raise the communication power, guiding power, influence and credibility of news and public opinion. Strengthen the construction of Internet content, establish comprehensive network governance systems, and create a clear and crisp cyber space.
VIII, Raising, guaranteeing and improving people’s living standards, strengthening and innovating social governance
(1) Giving priority to development of education. […] Promote the integrated development of urban and rural compulsory education, give high regard to rural compulsory education, run preschool education, special education and online education well, universalize education at the higher secondary stage, and strive to let every child enjoy fair and high-quality education.
(7) Effectively safeguard national security. National security is an important cornerstone to bring peace and stability to the nation, safeguarding national security is the locus of the fundamental interest of the people of all ethnicities in the entire country. We must perfect the national security strategy and national security policies, firmly safeguard national political security, and comprehensively advance security work in all areas. Complete national security systems, strengthen legal guarantees for national security, and raise capabilities to guard against and resist security risks. Closely guard against and resolutely attack all kinds of infiltration, subversive and destructive activities, violent and terrorist activities, ethnic separatist activities, and religious extremist activities. Strengthen national security education, strengthen the national security consciousness of the entire Party and the people in the entire country, and promote all of society to create and safeguard powerful pooled efforts for national security.
X, Firmly march the path of a strong military with Chinese characteristics, comprehensively move national defence and military modernization forward
Adapt to new global military changes and development trends and national security demands, raise construction quality and efficiency, ensure that mechanization is basically realized by 2020, that informatization concentration sees major progress, and strategic capabilities increase greatly.
The military must prepare to wage war, all work must target the norm of combat effectiveness, the focus must be on waging war and waging war victoriously. Firmly prepare for military struggles in all strategic orientations, comprehensively advance military struggle preparation in traditional security areas and new strategic areas, develop new kinds of battle forces and protection forces, launch combat-type military training, strengthen the use of military forces, accelerate the development of military smartification, raise joint warfare capabilities and all-area warfare capabilities based on online information systems, effectively mould situations, manage and control crises, contain war, and fight war victoriously.
XII, Persist in the path of peaceful development, promote the construction of a community of common destiny for humanity.
At the same time, the world faces prominent instabilities and indeterminacies, global economic growth drivers are insufficient, the difference between rich and poor grows graver daily, regional hotspots and problems rise one after another, terrorism, cybersecurity, major epidemics, climate change and other such non-traditional security threats continue to proliferate, humanity faces many common challenges.
XIII, Unwaveringly, comprehensively and strictly govern the Party, incessantly raise the Party’s governing ability and leadership levels.
Strengthen reform and innovation skills, maintain a tenacious and enterprising spiritual bearing, be good at integrating real creativeness in moving work forward, and be good at using Internet technologies and informatized means to carry out work.
Ministry of Industry and Information Technology Decree
The “Internet Domain Name Management Rules” were deliberated and passed at the 32nd Ministerial meeting of the Ministry of Industry and Information Technology on 16 August 2017, are hereby promulgated, and take effect on 1 November 2017. The “Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30) promulgated by the then-Ministry of Information Industry on 5 November 2004 are abolished at the same time.
Minister Miao Wei
24 August 2017
Internet Domain Name Management Rules
Chapter I: General Provisions
Article 1: These Rules are formulated in order to standardize domain name services, protect users’ lawful rights and interests, ensure the secure and reliable operation of the Internet domain name system, promote the development and application of Mandarin-language domain names and national top-level domain name domain names, and stimulate the healthy development of the Chinese Internet, on the basis of regulations such as the “Administrative Licencing Law of the People’s Republic of China”, the “State Council Decision on Determining Administrative Licences and Administrative Examination and Approval Programmes that Need to Be Maintained”, etc., and with reference to international Internet domain name management norms.
Article 2: These Rules shall be followed when engaging in Internet domain name services and their related activities such as operational maintenance, supervision and management within the territory of the People’s Republic of China.
Internet domain name services as mentioned in these Rules (hereafter simply named domain name services) refers to engaging in activities such as domain name root server operation and maintenance, top-level domain name operation and management, domain name registration, domain name resolution, etc.
Article 3: The Ministry of Industry and Information Technology implements supervision and management over domain name services nationwide, its main duties and responsibilities are:
(1) Formulating Internet domain name management rules and policies;
(2) Formulating development plans for the Internet domain name system and domain name resources;
(3) Managing domestic domain name root server operating bodies and domain name registration management bodies;
(4) Being responsible for the network and information security management of domain name systems;
(5) Protecting users’ personal information and lawful rights and interests according to the law;
(6) Being responsible for domain name-related international coordination;
(7) Managing domestic domain name resolution services;
(8) Managing other domain name service-related activities.
Article 4: All provincial, autonomous region and municipal telecommunications management bureaus implement supervision and management over domain name services within their administrative areas, their main duties and responsibilities are:
(1) Implementing and enforcing domain name management laws, administrative regulations, rules and policies;
(2) Managing domain name registration service bodies within their administrative areas;
(3) Assisting the Ministry of Industry and Information Technology in conducting management of domain name root server operating bodies and domain name registration management bodies within their administrative areas;
(4) Being responsible for the network and information security of domain name systems within their administrative areas;
(5) Protecting users’ personal information and lawful rights and interests according to the law;
(6) Managing domain name resolution services within their administrative areas;
(7) Managing other domain name service-related activities within their administrative areas.
Article 5: The Chinese Internet domain name system is announced by the Ministry of Industry and Information Technology. On the basis of the actual circumstances of domain name development, the Ministry of Industry and Information Technology may adjust the Chinese Internet domain name system.
Article 6: “.cn” and “.中国” are China’s national top-level domain names.
Mandarin-language domain names are an important component part of the Chinese Internet domain name system. The State encourages and supports technological research and broad application of Mandarin-language domain names.
Article 7: Those providing domain name services shall abide by relevant State laws and regulations, and conform with relevant technological norms and standards.
Article 8: No organization or individual may impede the secure and stable operation of the Internet domain name system.
Chapter II: Domain name management
Article 9: Those establishing domain name root servers and domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies within the borders, shall obtain corresponding licenses on the basis of these Rules from the Ministry of Industry and Information Technology or provincial, autonomous region and municipal telecommunications management bureau (hereafter generally designated as telecommunication management bodies).
Article 10: Those applying to establish domain name root servers and domain name root server operating bodies, shall meet the following conditions:
(1) Setting up the domain name root server within the borders, and conforming to Internet development-related plans and secure and stable operating requirements for the domain name system;
(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record;
(3) Having premises, funding, environments, specialist personnel and technical capabilities to ensure the secure and reliable operation of the domain name root server, as well as information management systems conforming to telecommunications management bodies’ requirements;
(4) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;
(5) Having the capacity to protect users’ personal information, the capacity to provide long-term services and complete service withdrawal mechanisms;
(6) Other conditions provided in laws or administrative regulations.
Article 11: Those applying to establish a domain name registration management body shall meet the following conditions:
(1) Establishing the domain name management system inside the borders, and holding top-level domain names in conformity with related laws and regulations as well as requirements for the secure and stable operation of domain name systems;
(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record;
(3) Having a perfected business development plan and technical plan, as well as the premises, funding and specialist personnel corresponding to engaging in top-level domain name operations and management, as well as information management systems conforming to telecommunications management bodies’ requirements;
(4) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;
(5) Having the capacity to conduct real identity information verification and protect users’ personal information, the capacity to provide long-term services and complete services withdrawal mechanisms;
(6) Having complete domain name registration service management structures and supervision mechanisms over domain name registration service bodies;
(7) Other conditions as provided in laws and administrative regulations.
Article 12: Those applying to establish a domain name registration service body shall meet the following conditions:
(1) Establishing the domain name registration service system, registration database and corresponding domain name resolution systems within the borders;
(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record;
(3) Having the premises, funding and specialist personnel corresponding to engaging in domain name registration, as well as information management systems conforming to telecommunications management bodies’ requirements;
(4) Having the capacity to conduct real identity information verification and protect users’ personal information, the capacity to provide long-term services and complete services withdrawal mechanisms;
(5) Having complete domain name registration service management structures and supervision mechanisms over domain name registration agents;
(6) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;
(7) Other conditions provided in laws and administrative regulations.
Article 13: Those applying to establish a domain name root server or root server operating body, or a domain name registration management body, shall submit application materials to the Ministry of Industry and Information Technology. Those applying to establish a domain name registration service body, shall submit application materials to the local provincial, autonomous region and municipal telecommunications management bureau.
The application materials shall include:
(1) The applicant work unit’s basic situation as well as a commitment letter signed by its legal representative to do business sincerely and according to the law;
(2) Materials proving the implementation of effective management of domain name services, including materials proving relevant systems, premises and service capabilities, management rules, agreements signed with other bodies, etc.;
(3) Network and information security protection structures and measures;
(4) Materials proving the applicant work unit’s reputation.
Article 14: Where application materials are complete and conform to statutory forms, telecommunication management bodies shall issue an application acceptance notification letter to the applicant work unit; where application materials are not complete or do not conform to statutory forms, telecommunication management bodies shall notify the applicant work unit on the spot or once in writing within five working days about the complete content they need to supplement; where it is not accepted, they shall issue a non-acceptance notification letter and explain the reasons.
Article 15: Telecommunication management bodies shall complete inspection within twenty working days from the date of acceptance, and make a decision on granting a licence or not granting a licence. Where a decision cannot be made within twenty working days, with the approval of the responsible person of the telecommunication management body, an extension of ten working days is permitted, and the applicant work unit will be notified about the reasons for the extended time limit. Where it is necessary to organize expert appraisal, the appraisal time is not counted into the inspection period.
Where a licence is granted, corresponding licence documents shall be issued; where a licence is not granted, the applicant work unit shall be notified in writing and the reasons explained.
Article 16: Licences of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies are valid for a period of five years.
Article 17: Where a change occurs in the name, address, legal representative or other such information of domain name root server operating bodies, domain name registration management bodies or domain name registration service bodies, they shall conduct modification formalities within twenty working days from the day the change occurs with the original licence-issuing body.
Article 18: Where, within a licence’s period of validity, a domain name root server operating body, domain name registration management body, or domain name registration service body plans to terminate corresponding services, they shall notify users in writing thirty days in advance, put forward feasible plans to deal with the aftermath, and submit a written application to the original licence-issuing body.
After the original licence-issuing body receives the application, it shall publish it to society for thirty days. The publication period concludes within sixty days, and the original licence-issuing body shall complete inspection and make a decision.
Article 19: Where it is required to continue engaging in domain name services when a licence’s period of validity expires, an extension shall be applied for with the original licence-issuing body ninety days in advance; where it is not required to continue engaging in domain name services, the original licence-issuing body shall be notified ninety days in advance, and aftermath work conducted.
Article 20: Where a domain name registration service body entrusts a domain name registration agency body to conduct market sales and other such work, it shall conduct supervision and management of the domain name registration agency body’s work.
Domain name registration agency bodies entrusted with conducting market sales and other such work shall, in that process, actively indicate the agency relationship, and explicitly clarify the domain name registration service body’s name and agency relationship in the domain name registration service contract.
Article 21: Domain name registration management bodies and domain name registration service bodies shall establish corresponding emergency response back-up systems within the borders and regularly back up domain name registration data.
Article 22: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall indicate information related to their licence in a clear location on the front page of their website and their business premises. Domain name registration management bodies shall also show a list of domain name registration service bodies with which they cooperate.
Domain name registration agency bodies shall indicate the name of the domain name registration service body for which they are agents in a clear location on the front page of their website and their business premises.
Chapter III: Domain name services
Article 23: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall provide secure, convenient and stable services to users.
Article 24: Domain name registration management bodies shall, on the basis of these Rules, formulate domain name registration implementation rules and publish them to society.
Article 25: Domain name registration management bodies shall conduct domain name registration services through domain name registration service bodies licenced by telecommunication management bodies.
Domain name registration service bodies shall provide services according to the domain name registration service items licenced by telecommunication management bodies, they may not provide domain name registration services for domain name registration management bodies who do not have a telecommunication management body licence.
Article 26: “First application, first registration” is implemented for domain name registration services in principle, where related domain name registration implementation rules provide otherwise, those provisions are followed.
Article 27: In order to uphold the national interest and the social public interest, domain name registration management bodies shall establish reserved domain name registration word systems.
Article 28: Domain names registered and used by any organization or individual may not contain the following content:
(1) Content violating the basic principles determined in the Constitution;
(2) Content harming national security, divulging State secrets, subverting the national regime, or destroying national unity;
(3) Content harming the country’s honour and interest;
(4) Content inciting ethnic hatred or ethnic discrimination, or destroying ethnic unity;
(5) Content destroying State religious policies, propagating heresy and feudal superstition;
(6) Content disseminating rumours, upsetting social order, or destroying social stability;
(7) Content disseminating obscenity, sex, gambling, violence, homicide or terror, or inciting crime;
(8) Content insulting or slandering other persons, or harming other persons’ lawful rights and interests;
(9) Other content prohibited by laws and administrative regulations.
Domain name registration management bodies and domain name registration service bodies may not provide services to domain names containing content listed in the previous Paragraph.
Article 29: Domain name registration service bodies may not use fraudulent, coercive or other such improper means to require other persons to register domain names.
Article 30: Domain name registration service bodies providing domain name registration services shall require domain name registration applicants to provide domain name holders’ real, accurate and complete identity information and other such domain name registration information.
Domain name registration management bodies and domain name registration service bodies shall check the veracity and completeness of domain name registration information.
Where domain name registration applicants provide inaccurate or incomplete domain name registration information, domain name registration service bodies shall require correction. Where applicants do not correct the matter or provide untrue domain name registration information, domain name registration service bodies may not provide domain name registration services to them.
Article 31: Domain name registration service bodies shall publish domain name registration service content, time limits and fees, to ensure service quality, and provide public inquiry services of domain name registration information.
Article 32: Domain name registration management bodies and domain name registration service bodies shall store and protect users’ personal information according to the law. Without user agreement, users’ personal information may not be provided to other persons, except where laws and regulations provide otherwise.
Article 33: Where a change occurs in domain name holders’ contact method and other such information, they shall conduct domain name registration information modification formalities within thirty days after the change with the domain name registration service body.
Where domain name holders transfer domain names to other persons, the assignee shall abide by domain name registration-related requirements.
Article 34: Domain name holders have the right to choose or change domain name registration service bodies. Where a domain name registration service body is changed, the original domain name registration service body shall cooperate with the domain name holder to transfer their domain name registration-related information.
Without proper reason, domain name registration service bodies may not impede domain name holders’ changing domain name registration service bodies.
Article 35: Domain name registration management bodies and domain name registration service bodies shall establish complaints acceptance mechanisms, and publish complaints acceptance methods in a clear location on the front page of their website and their business premises.
Domain name registration management bodies and domain name registration service bodies shall handle complaints timely; where they cannot be handled timely, the reasons and handling period shall be explained.
Article 36: In the provision of domain name resolution services, relevant laws, regulations and standards shall be observed, corresponding technical, service and network and information protection capabilities possessed, network and information security protection measures implemented, daily domain name resolution records recorded and preserved according to the law, daily records and modification records maintained, and resolution service quality and resolution system security guaranteed. Where it involves commercial telecommunications business, a telecommunications business licence shall be obtained according to the law.
Article 37: In the provision of domain name resolution services, it is prohibited to alter resolution information without authorization.
No organization or individual may maliciously direct domain name resolution towards other persons’ IP addresses.
Article 38: In the provision of domain name resolution services, it is prohibited to provide domain name aliasing for domain names with content listed in Article 28 Paragraph I of these Rules.
Article 39: Of those engaging in Internet information services, the domain names they use shall conform to laws, regulations and the relevant requirements of telecommunication management bodies, and may not use domain names to conduct unlawful acts.
Article 40: Domain name registration management bodies and domain name registration service bodies shall cooperate with relevant State departments conducting inspection work according to the law, and adopt measures such as cessation of resolution, etc. against domain names where unlawful acts occur according to telecommunication management bodies’ requirements.
Where domain name registration management bodies and domain name registration service bodies discover that the domain names to which they provide services publish or transmit information of which the publication or transmission is prohibited by laws and administrative regulations, they shall immediately adopt measures in response, such as deletion, cessation of resolution, etc., prevent the spread of the information, preserve relevant records, and notify the matter to relevant departments.
Article 41: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall abide by relevant State laws, regulations and standards, implement network and information security protection measures, deploy the necessary network and telecommunications emergency response equipment, establish and complete technical network and information security monitoring methods and emergency response structures. When a network or information incident occurs on a domain name system, it shall be reported to the telecommunication management body within 24 hours.
When required for national security and to deal with emergencies or incidents, domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall submit to the uniform commands and coordination of telecommunication management bodies, and abide by telecommunication management bodies’ management requirements.
Article 42: Where any organization or individual believes that a domain name registered or used by another person harms their lawful rights and interests, they may apply for mediation with a domain name dispute settlement body or file a lawsuit with a People’s Court according to the law.
Article 43: Where one of the following circumstances is present with a registered domain name, the domain name registration service body shall cancel it, and notify the domain name holder:
(1) The domain name holder applies for domain name cancellation;
(2) Domain name holders submitted false domain name registration information;
(3) It shall be closed on the basis of a People’s Court judgment, or a domain name dispute settlement body verdict;
(4) Other circumstances where laws and administrative regulations provide for cancellation.
Chapter IV: Supervision and inspection
Article 44: Telecommunication management bodies shall strengthen supervision and inspection of domain name services. Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall accept and cooperate with supervision and inspection by telecommunication management bodies.
Domain name service sectoral self-discipline and management is encouraged, public supervision of domain name services is encouraged.
Article 45: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall, according to telecommunication management bodies’ requirements, regularly report business development situations, operations security situations, network and information security responsibility situation, the complaints and dispute handling situation and other such information.
Article 46: When telecommunication management bodies carry out supervision and inspection, they shall examine the materials submitted by domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and inspect the situation of their executing laws, regulations and relevant provisions of telecommunication management bodies.
Telecommunication management bodies may entrust specialized third-party bodies to conduct relevant supervision and inspection activities.
Article 47: Telecommunication management bodies shall establish credit-recording structures for domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and enter their violations of these Rules and the administrative punishment they receive into the credit file.
Article 48: Telecommunication management bodies conducting supervision and inspection may not impede the regular commercial and service activities of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, they may not accept any fees, and may not leak the domain name registration information they learn.
Chapter V: Punitive provisions
Article 49: Where, in violation of the provisions of Article 9 of these Rules, a domain name root server or domain name root server operating body, domain name registration management body or domain name registration service body is established without a licence or authorization, telecommunication management bodies shall, on the basis of the provisions of Article 81 of the “Administrative Licensing Law of the People’s Republic of China”, adopt measures to stop the matter, and in view of the gravity of circumstances, issue a warning or a fine of more than 10,000 Yuan but less than 30,000 Yuan.
Article 50: Where, in violation of the provisions of these Rules, a domain name registration management body or domain name registration service body commits one of the following acts, the telecommunication management body will order correction within a limited time on the basis of their duties and powers, and in view of the gravity of circumstances, impose a fine of 10,000 Yuan or more but less than 30,000 Yuan, and publish the matter to society:
(1) Providing domain name registration services to unlicensed domain name registration management bodies, or conducting domain name registration services through unlicensed domain name registration service bodies;
(2) Not providing services according to the licenced domain name registration service items;
(3) Not checking the veracity and completeness of domain name registration information;
(4) Obstructing domain name holders from changing domain name registration service bodies without proper reason.
Article 51: Where, in violation of the provisions of these Regulations, domain name resolution services are provided and one of the following acts committed, the telecommunication management body will order correction within a limited time, and may, in view of the gravity of circumstances, impose a fine of 10,000 Yuan or more but less than 30,000 Yuan, and publish the matter to society:
(1) Altering domain name resolution information without authorization or maliciously directing domain name resolution towards other persons’ IP addresses;
(2) Providing domain name aliasing for domain names with content listed in Article 28 Paragraph I of these Rules;
(3) Not implementing network and information security protection measures;
(4) Not recording and preserving daily domain name resolution records according to the law, maintaining daily records and modification records;
(5) Not dealing with domain names where unlawful activities occur according to requirements.
Article 52: Where the provisions of Article 17, Article 18 Paragraph I, Article 21, Article 22, Article 28 Paragraph II, Article 29, Article 31, Article 32, Article 35 Paragraph I, Article 40 Paragraph II or Article 41 of these Rules are violated, the telecommunication management body will order correction within a limited time on the basis of their duties and powers, may additionally impose a fine of 10,000 Yuan or more but less than 30,000 Yuan, and publish the matter to society.
Article 53: Where laws or administrative regulations provide otherwise on relevant unlawful conduct, the provisions of those laws and administrative regulations are implemented.
Article 54: Where any organization or individual registers or uses domain names in violation of the provisions of Article 28 Paragraph I of these Rules, constituting a crime, criminal liability will be prosecuted according to the law; where the matter does not constitute a crime, relevant departments will punish the matter according to the law.
Chapter VI: Supplementary provisions
Article 55: The meaning of the following terms in these Rules is:
(1) Domain name: refers to a hierarchically structured character indication to identify and locate a computer on the Internet, corresponding with that computer’s IP address.
(2) Mandarin-language domain name: refers to a domain name using Mandarin characters.
(3) Top-level domain name: refers to the first-level name of the root node in the domain name system.
(4) Domain name server: refers to servers with domain name system root node functioning (including mirror servers).
(5) Domain name root server operating body: refers to a body that lawfully obtained a licence and undertakes domain name root server operations, maintenance and management work.
(6) Domain name registration management body: refers to a body that lawfully obtained a licence and undertakes top-level domain name operations and management work.
(7) Domain name registration service body: refers to a body that lawfully obtained a licence, accepts domain name registration applications and completes the registration of a domain name in the top-level domain name database.
(8) Domain name registration agency body: refers to a body that is entrusted by domain name registration service bodies to accept domain name registration applications, and indirectly complete domain name registration in the top-level domain name database.
(9) Domain name management system: refers to the main information system required by domain name registration management bodies to conduct top-level domain name operations and management work within the borders, and includes registration management systems, registration databases, domain name resolution systems, domain name information inquiry systems, identity information inspection systems, etc.
(10) Domain name aliasing: refers to the transfer of a visit of one domain name to another domain name and IP address or online information service connected with or directed by that domain name.
Article 56: The time periods provided in these Rules, except where working days are determined, are all natural days.
Article 57: Those conducting domain name services without obtaining corresponding licences before these Rules took effect, shall conduct licensing formalities according to the provisions of these Rules within 12 months from the date these Regulations take effect.
For domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies that already obtained a licence before these Rules took effect, the provisions of Article 16 of these Rules shall apply to the period of validity of their licence; the period of validity will be computed from the day these Rules take effect.
Article 58: These Rules take effect on 1 November 2017. The “Chinese Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30) promulgated on 5 November 2004 are abolished at the same time. Where inconsistencies exist between these Rules and relevant provisions promulgated before these Regulations took effect, these Rules shall be implemented.
No. 43
Minister Miao Wei
This translation was kindly provided by John Costello
Ministry of Industry and Information Technology Network  No. 202
Provincial, autonomous region, and municipal communications authorities, China Telecom Group Corporation, China Mobile Communications Corporation, China Unicom Group Corporation, China National Computer Emergency Technical Team/Coordination Center of China (CNCERT), China Information Communications Research Institute, National Industrial Information Security Development Research Center, China Internet Association, domain name registration management and service organs, internet companies, and cybersecurity enterprises:
In order to deepen the implementation of the spirit of General Secretary Xi Jinping’s important speeches on cybersecurity, actively respond to the dire and complex cybersecurity situation, move forward a robust public internet cybersecurity threat monitoring and mitigation mechanism, and safeguard the legitimate rights and interests of citizens, legal persons, and other organizations, and in accordance with the “Cybersecurity Law of the People’s Republic of China” and other relevant laws and regulations, the “Public Internet Cybersecurity Threat Monitoring and Mitigation Measures” are hereby issued to you; please realistically and effectively implement and carry them out.
Ministry of Industry and Information Technology
This document was translated jointly by Graham Webster, Paul Triolo, Elsa Kania, and Rogier Creemers. John Costello assisted with helpful comments. An analysis of this document can be found on the New America website.
State Council Notice on the Issuance of the Next Generation Artificial Intelligence Development Plan
Completed: July 8, 2017
Released: July 20, 2017
A Next Generation Artificial Intelligence Development Plan
The rapid development of artificial intelligence (AI) will profoundly change human society and life and change the world. To seize the major strategic opportunity for the development of AI, to build China’s first-mover advantage in the development of AI, to accelerate the construction of an innovative nation and global power in science and technology, in accordance with the requirements of the CCP Central Committee and the State Council, this plan has been formulated.
I. The Strategic Situation
This document was translated jointly by Graham Webster, Paul Triolo and Rogier Creemers
CAC Notice concerning the Public Solicitation of Opinions on the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”
In order to guarantee the security of critical information infrastructure, based on the “Cybersecurity Law of the People’s Republic of China”, our Administration, jointly with relevant departments, has drafted the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”, which is now made public for open solicitation of opinions. Relevant work units and individuals from all circles may, before 10 August, put forward opinions through the following ways:
1, Sending opinions in a letter form to: Beijing Xicheng Chegongzhuang Avenue 11, CAC Cybersecurity Coordination Bureau, Post Code 100044, and clearly indicate “opinion solicitation” on the envelope
2, Sending an e-mail to: email@example.com.
10 July 2017
Critical Information Infrastructure Security Protection Regulations
Chapter 1: General principles
Chapter I: General Provisions
Article 1: In order to strengthen and guarantee national intelligence work, and safeguard national security and interests, on the basis of the Constitution, this Law is formulated.
Article 2: National intelligence work shall persist in an overall national security view, provide intelligence reference for major national policy decisions, provide intelligence support for preventing and dissolving risks endangering national security, and safeguard the national regime, sovereignty, unity, independence and territorial integrity, the prosperity of the people, economic and social sustainable development and other major national interests.
This translation was kindly provided by Paul Triolo
Article 1 These Measures are developed with a view to enhancing the secure and controllable levels of network products and services, guarding against cyber security risks, and safeguarding the national security, and in accordance with the laws and regulations such as National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China.
Article 2 Important network products and services procured for use in networks and information systems that touch on national security are subject to a cybersecurity review.
Article 3 A cybersecurity review shall be conducted for network products and services and their supply chains, in a manner that combines enterprise commitments with public supervision, combines third-party assessments with government continuous regulation, and combines laboratory testing with on-site checks, on-line monitoring and background investigations.
This translation was kindly provided by John Costello
State Internet Information Office
Decree No. 2
“Regulations for Internet Content Management Administration Law Enforcement Procedures” approved in a meeting of the State Internet Information Office is hereby announced, to be implemented from June 1, 2017 onward.
Director Xu Lin
May 2, 2017
Regulations for Internet Content Management Administration Law Enforcement Procedures
Circular of the State Internet Information Office on the Public Consultation on the Measures for the Assessment of Personal Information and Important Data Exit Security (Draft for Soliciting Opinions)
This translation was kindly provided by Paul Triolo
To safeguard personal information and important data security, to safeguard cyberspace sovereignty and national security, and social and public interests, and promote the orderly free flow of network information according to the law, according to the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations, our office has worked with relevant departments and drafted the “Personal Information and Important Data Outbound Security Assessment Measures (draft)”, which is now open to the public for comments.
Relevant units and people of all walks of life may submit their views by May 11, 2017, in the following manner:
First, by sending views in a letter to: Beijing Dongcheng District Chaoyang Gate Street 225, the State Internet Information Office Cybersecurity Coordination Bureau, Zip code: 100010, with the envelope marked “comments”.
Second, by e-mail to: firstname.lastname@example.org.
State Internet Information Office
April 11, 2017
Personal Information and Important Data Outbound Security Assessment Measures (draft)
Article 1 These Measures have been drafted in order to protect the security of personal information and important data, safeguard cyberspace sovereignty and national security, and social and public interests, while protecting the legitimate interests of citizens, legal persons and other organizations, in accordance with the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations.
Article 2 The personal information and important data collected and generated by network operators within the People’s Republic of China during operations shall be stored within the [national] territory. If the business requirements make it necessary to provide data outside of China, a security assessment shall be carried out in accordance with these Measures.
Article 3 The security assessment for outbound data shall follow the principle of impartiality, objectivity and validity, protect the security of personal information and important data, and promote the orderly and free flow of network information according to law.
Article 4 Where personal information leaves China’s borders, the purpose, scope, content, recipient and destination country of the data shall be explained to the subject of the personal information and agreed upon. Minors’ personal information is subject to the consent of their guardian.
Article 5 State cybersecurity and informatization departments shall coordinate the outbound data security assessment work and guide the industry regulatory or supervisory departments in organizing the outbound data security assessment.
Article 6 Industry regulatory or supervisory departments shall be responsible for the security assessment of the industry outbound data and shall regularly organize the inspection of the specific industry outbound data.
Article 7 Network operators shall, before data leaves China’s borders, on their own initiative organize the conduct of a security assessment for outbound data and be responsible for the evaluation results.
Article 8 The outbound data security assessment shall focus on the following:
(A) the necessity of outbound data;
(B) the conditions touching on personal information, including the amount, scope, type, and sensitivity, and whether or not the subject of the personal information agrees that his/her personal information can leave China’s borders;
(C) the conditions touching on important data, including the amount, scope, type and sensitivity level of important data;
(D) the security protection measures and capability level of the data receiving party, and the cybersecurity environment in the country and region;
(E) risks such as disclosure, damage, tampering and abuse after the data leaves China’s borders and after re-transfer;
(F) the risks that may be brought to national security, social and public interests, and personal legitimate interests arising from the data leaving China’s borders and outbound data collection;
(G) other important matters that need to be assessed.
Article 9 If outbound data is stored in one of the following circumstances, network operators should report to the industry regulators or supervisory authorities and organize a security assessment:
(A) the [data set] contains or has accumulated personal information of more than 500,000 people;
(B) the amount of data is over 1000 GB;
(C) the data includes sector data on nuclear facilities, chemical and biological facilities, the national defense industry, or population health, large-scale engineering activities, the marine environment, and sensitive geographic information data;
(D) the data includes cybersecurity information including system vulnerabilities and security protection for critical information infrastructure;
(E) personal information and important data provided by critical information infrastructure operators to [parties] outside China;
(F) other data that could affect national security and social and public interests that industry regulators or supervisory departments consider should be assessed.
For areas where there is no clear industry regulator or supervisory department, an assessment shall be organized by national cybersecurity and informatization departments.
Article 10 The security assessment organized by industry regulatory or supervisory departments shall be completed within 60 working days, and feedback on the security assessment shall be provided to the network operator in a timely manner and reported to the national cybersecurity and informatization departments.
Article 11 In any of the following circumstances, data shall not be allowed to leave the country:
(A) personal information leaving China’s borders without the consent of the subject of the personal information, or that may be against the interests of the individual;
(B) there is a risk that the data leaving China’s borders could impact national politics, the economy, S&T, and national defense, and could affect national security and harm social and public interests;
(C) other data that national cybersecurity and informatization departments, public security departments, state security departments, and other relevant departments deem cannot leave China.
Article 12 Network operators should, according to business development and the network operation situation, conduct a security assessment of outbound data at least once annually, and in a timely manner assess the situation and report to industry regulatory and supervisory departments.
When the data receiver changes, or there is a relatively large change in the destination, scope, quantity, type of data, etc., or a major security incident occurs with the data receiver or outbound data, a new security assessment should be conducted.
Article 13 Any individual or organization shall have the right to report to the relevant cybersecurity and informatization departments, public security department, and other relevant departments any violations of relevant laws and regulations and these Measures in terms of providing data outside of China’s borders.
Article 14 Whoever violates the provisions of these Measures shall be punished in accordance with the relevant laws and regulations.
Article 15 Agreements between the Chinese government and other countries and regions on outbound data shall be carried out in accordance with the provisions of the agreement.
Data involving state secret information shall be handled in accordance with the relevant provisions.
Article 16 Security assessment work for the personal information and important data sent outside China’s borders that was collected and produced by other individuals and organizations within the territory of the People’s Republic of China shall be carried out in accordance with the present Measures.
Article 17 The definitions for the following terms used in the present Measures:
A network operator is the owner of a network, a manager, and a network service provider.
Outbound data refers to personal and important information collected and generated by network operators during operations within the territory of the People’s Republic of China, and provided to overseas institutions, organizations, or individuals.
Personal information refers to various types of information recorded by electronic or other means capable of identifying a person’s personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, identity document number, personal biometric information, telephone number and so on. Important data refers to data that is closely related to national security, economic development, and social and public interests, with specific reference to national relevant standards and important data identification guidelines.
Article 18 These Measures shall come into force on the day X of 2017.
Office of the Central Cybersecurity and Informatization Leading Small Group
(Cyberspace Administration of China)
Cybersecurity Coordination Bureau