Nov. 24, 2019
China's top cyberspace regulatory body, the Cyberspace Administration of China (CAC), on November 20 published a draft regulation on how Chinese businesses, organizations, and individuals are to handle cybersecurity threat disclosure.
The "Cybersecurity Threat Information Publication Management Measures (Draft for Comment)" [网络安全威胁信息发布管理办法 (征求意见稿)], translated in full by DigiChina below, color in part of Article 26 of the 2017 Cybersecurity Law, which requires "[t]hose … publicly publishing cybersecurity information such as system vulnerabilities, computer viruses, network attacks, or network incursions [to] comply with relevant national provisions." These appear designed to be those "relevant national provisions."
Earlier draft rules published by the Ministry of Industry and Information Technology in June 2019 would already set up obligations for vulnerability management, including requirements for those publishing vulnerability information. (See Article 6 of the "Provisions for Cybersecurity Vulnerabilities Management (Draft for Comment).") This new draft, however, goes further.
The draft measures essentially bar the publication of certain details such as malware source code (Article 4) and require prior notification to government authorities before publishing other cybersecurity threat reports.
As noted by a Covington law firm summary, a Q&A published by the CAC clarifies that this government notification requirement is not an "administrative license," and so it does not appear this draft would require active government approval before publication.
The draft measures do, however, require government approval to use the phrase "early warning" in cybersecurity threat report titles, with the Q&A explaining that "early warning" has a specific authoritative credibility in the Chinese cybersecurity field that should be protected.
The new rules, which are open for public comment for one month through December 19, also follow a CAC notice from June 2018 that required participants in cybersecurity competitions to gain approval before revealing "cybersecurity vulnerabilities and risks that may endanger national security or the public interest" if they are discovered during competitions (see full DigiChina translation). That notice specifically barred cybersecurity competitors from disclosing such vulnerabilities to foreign entities, raising questions about prospects for Chinese cybersecurity talent and enterprises abroad, as well as for constructive Chinese participation in international vulnerability management initiatives.
Translation by Rogier Creemers. Editing and introduction by Graham Webster.
Notice from the Cyberspace Administration of China regarding publication and seeking opinions on the "Cybersecurity Threat Information Publication Management Measures (Draft for Comment)"
In order to standardize the publication of cybersecurity threat information, effectively respond to cybersecurity threats and risks, and ensure the secure functioning of networks; on the basis of relevant laws and regulations such as the "Cybersecurity Law of the People's Republic of China"; the Cyberspace Administration of China, in cooperation with the Ministry of Public Security and other such relevant departments, has drafted the "Cybersecurity Threat Information Publication Management Measures (Draft for Comment)," which are hereby made public in order to solicit opinions. Relevant work units and individuals from all walks may submit opinions before December 19, 2019, through the following methods:
- By sending an e-mail to: email@example.com.
- By sending a letter with the opinion to Cyberspace Administration of China Cybersecurity Coordination Bureau, 11 Chegongzhuang Dajie, Xicheng District, Beijing Municipality 100044, and indicating "Cybersecurity Threat Information Publication Management Rules Opinion Solicitation" on the envelope.
Cyberspace Administration of China
November 20, 2019
Cybersecurity Threat Information Publication Management Rules (Draft for Comment)
Article 1: In order to standardize the publication of cybersecurity threat information, effectively respond to cybersecurity threats and risks, and ensure the secure functioning of networks; and on the basis of the "Cybersecurity Law of the People's Republic of China" and other such relevant laws and regulations; these Measures are formulated.
Article 2: The publication of cybersecurity threat information shall occur with the goals of safeguarding cybersecurity, stimulating an increase in cybersecurity consciousness, and exchanging technical cybersecurity protection knowledge. It may not harm national security or the societal public interest, and it may not infringe the lawful rights and interests of citizens, legal persons, or other organizations.
Article 3: When publishing cybersecurity threat information, the principles of objectivity, truth, caution, and responsibility should be upheld. Cybersecurity threat information is not to be used to engage in speculation, to gain improper benefits, or to engage in improper commercial competition.
Article 4: Published cybersecurity threat information may not include the following content:
- the source code and production methods of malicious code such as computer viruses, trojans, and ransomware;
- programs or tools especially used to engage in attacks against networks, interfere in the regular functioning of networks, destroy network defense measures, steal network data, or otherwise harm networks;
- detailed information that enables the complete repetition of the process of a cyber attack or cyber intrusion;
- the content itself of data leaked in a data leak incident;
- plans and designs, topology, asset information, or software source code of specific networks; or proprietary information regarding unit or equipment selection, deployment, software, etc.;
- cybersecurity risk assessments, inspection and certification reports, or security protection plans and schemes of specific networks and information systems; and
- other content that may be directly used to harm the normal functioning of networks.
Article 5: Before the publication of information about cybersecurity incidents where network and information systems are attacked, destroyed, subject to illegal intrusion, etc., the incident is to be reported to the public security office at the district-, city-, or higher-level in the location where the incident occurred. All levels of public security offices should promptly report the relevant circumstances to the same level's cybersecurity and informatization department and the higher-level public security office.
Article 6: Any enterprise, social organization, or individual should, when publishing a comprehensive analysis report about a regional cybersecurity attack, incident, risk, or vulnerability, first report the matter to the local district-, city-, or higher-level cybersecurity and informatization department and public security office.
When publishing comprehensive analysis reports on cybersecurity attacks, incidents, risks, and vulnerabilities that involve public telecommunications and information services, energy, transportation, water supply, finance, public services, e-government, national defense science, technology, and industry, and other such important sectors and areas, they should first report the matter to the sector's competent department.
When publishing comprehensive analysis reports on national, cross-regional, or cross-sectoral affairs, they should first report to the national cybersecurity and informatization department and the State Council public security department.
Article 7: When any enterprise, social organization, or individual publishes cybersecurity threat information without approval and authorization from government departments, the title may not contain the term "early warning."
Article 8: When publishing risks and vulnerabilities existing in specific network and information systems, the written opinion of the network and information system operator shall be sought in advance, except in the following circumstances:
- where the risk or vulnerability concerned has been eliminated or repaired; and
- where the matter has been reported a minimum of 30 days earlier to cybersecurity and informatization, telecommunications, public security, or relevant sectoral competent departments.
Article 9: Where information is published through the following platforms, the platform operator or sponsoring work unit shall, where they receive reports from relevant departments or users, or themselves discover that acts of publication or published content violating these Measures have occurred on the platform, immediately cease publication, adopt deletion and other such measures to handle the matter, prevent the spread of infringing content, preserve relevant records, and report the matter to the district-, city-, or higher-level cybersecurity and informatization department and public security office.
- periodicals, radio and television, and publications;
- Internet sites, forums, blogs, microblogs, public accounts, instant messaging tools, Internet streaming, Internet audiovisual programs, applications, online hard drives, etc.;
- publicly organized conferences, forums, or lectures;
- publicly organized cybersecurity competitions; and
- other public platforms.
Article 10: Where cybersecurity threat information is published in violation of the provisions of these Measures, the cybersecurity and informatization departments and public security offices will handle the matter on the basis of the provisions of the "Cybersecurity Law of the People's Republic of China."
Article 11: Cybersecurity threat information publication activities involving state secrets and secret networks will be regulated according to relevant state regulations.
Article 12: Cybersecurity threat information as addressed in these Measures includes:
- With regard to acts that may threaten the regular functioning of networks, information used to describe their intention, methods, tools, processes, results, etc. Examples: computer viruses, cyber attacks, cyber intrusions, cybersecurity incidents, etc.
- Information that may reveal network vulnerabilities. Examples: system vulnerabilities, risks or vulnerabilities existing in networks and information systems, proprietary information such as network plans and designs, topology, asset information, software source code; attributes of unit or equipment selection, deployment information, software, etc.; and cybersecurity risk assessments, inspection and certification reports, security protection plans and schemes, etc.
Article 13: These Measures take effect on the date of promulgation.