The Ministry of Public Security and the Cyberspace Administration of China (CAC) are seeking public comment on draft regulations that could restrict public vulnerability disclosures, requiring those who seek to expose computer security issues to instead report them to public security bureaus and the country's internet regulator first.
Though the authorities have previously cracked down on privacy violations, this marks the first time they have sought to limit discussion of Chinese networks’ vulnerability to hacking.
Spreading information on cybersecurity threats “should have the promotion of online safety awareness and technique as its purpose ... and must not harm national security and public interest,” the CAC said in its announcement. Disclosures that implicate state secrets and classified networks will be dealt with “according to relevant national regulations,” it said.
Threats to online safety include network flaws, attacks and data leaks, according to the statement.
The draft legislation builds on the country’s 2017 Cyber Security Law. It says those who discover a vulnerability or breach must first report it to the police prior to trying to publish their information.
Regional incidents and even planned penetration testing reports must first be shared with the police in a city of sub-provincial level or higher, who will pass on the information to higher-level offices as well as the local CAC, according to the draft rules. Reports on national, interprovincial, and multi-industry vulnerabilities must be sent to the CAC’s national office and the Ministry of Public Security.
An industry’s regulator can be notified first only in the event that issues affect “important industries or fields,” such as telecom and information services, energy, transportation, water conservation, finance, public services, “electronic government,” and national defense.
The draft regulation does not say at what stage vulnerabilities should be privately shared with the organizations or individuals concerned. However, the “views of the network operator” must be obtained in writing prior to disclosing security holes, unless they have been fixed or 30 days have passed since relevant authorities and regulators have been notified.
Even after meeting these criteria, a person or group that want to go public must tailor their report according to banned topics. Disclosures cannot discuss the source codes or the creation of computer viruses, Trojan horses and ransomware, programs and tools used to hack or disrupt networks, the data that was stolen, various details about any particular network, or any detailed information that “could be used to replicate attacks,” the statement said.
Risk assessment reports and a system’s security plans must not be publicly shared, and public disclosures require government approval to have “warning” in their title.
Not only must those in charge of public platforms—including publications, broadcasters, digital media, public speeches and even hackathons — delete disclosures that violate these regulations from the platform, they must also keep records and report such revelations to authorities.
Regulators are seeking comment until Dec 19.
China has in recent months ramped up its once-intermittent crackdown on big data and financial companies misusing personal info they collected, most notably for shady debt collection practices. Nearly 66,000 suspects were arrested between January and October for offenses including computer hacking, internet fraud, online gambling and cybersex.
In February, a Dutch security researcher revealed that the personal information of more than 2.5 million people, including their ID card numbers and photos, addresses, employers and location in the past 24 hours, had been publicly accessible for months on the database of Shenzhen-based facial recognition company SenseNets Technology Ltd.
Contact reporter Dave Yin (firstname.lastname@example.org)