Regulation aims for safer cybersecurity

December 12, 2023

Serious damage to critical networks or information systems, or theft of crucial data, should be reported to cyberspace departments within a specific time frame, according to a draft regulation unveiled on Friday.

The document, which was issued by the Cyberspace Administration of China, the country’s top internet regulator, identifies an overall interruption of key information infrastructure for six or more hours as an “extremely serious” cybersecurity case, requiring relevant operators to report such incidents to national cyberspace or public security authorities within one hour.

If a cyberattack causes leakage of personal data belonging to over 100 million people, or affects the work or lives of over 30 percent of residents in a given province or region, it will be deemed as “extremely serious”, meaning it must be reported to cyberspace departments within an hour, the draft said.

It added such incidents involving portal websites of government agencies at the provincial level or above, or major news outlets that cannot be accessed for more than 24 hours due to online attacks or failures, also classify as “extremely serious” cybersecurity cases.

While clarifying that the duration, platform, type and harm caused related to cybersecurity cases should be provided in timely reports, it also stipulates that a preliminary analysis of the incident, including information on suspected attackers, attack pathways and existing vulnerabilities, as well as what measures have been taken, also needs to be reported.

Internet platforms or information system operators that do not report or misstate relevant content will face consequences, it said, with the document encouraging social organizations and individuals to report such cases.

The administration said that it formulated the draft regulation on reporting cybersecurity incidents, along with the guideline on how to identify the seriousness of cyberattacks, with the aim of reducing potential loss and harm caused by such cases in order to render stronger protection to national-level and network security infrastructure.

The public opinions and suggestions on the 14-article draft regulation and the guideline are being sought until Jan 7.

Individuals and departments can provide advice about the draft regulation through two websites — www.moj.gov.cn and www.chinalaw.gov.cn — or can submit their ideas through postal or e-mail addresses.

Over the past few years, Chinese lawmakers, government departments, associations and enterprises have all stepped up efforts to protect cybersecurity by various means, such as instituting policies, upgrading technologies and helping to enhance the public’s security awareness.

In addition to implementing the Cybersecurity Law which came into effect in June 2017, Chinese police have intensified the fight against hackers and hacking activities.

The Ministry of Public Security announced last month that law enforcement officers nationwide solved 2,430 criminal cases involving hackers since the beginning of 2022, leading to the detention of more than 7,000 suspects.