Guiding Opinions concerning Strengthening Cybersecurity Work in the Telecommunications and Internet Sectors
GXBB No. (2014)368
All provincial, autonomous region and municipal telecommunications management bureaus, China Telecom Group Co., China Mobile Telecom Group Co., China United Network Communications Group Co., the National Computer Network Emergency Response Coordination Centre, the Ministry of Industry and Information Technology Academy for Telecommunications Research, the Telecommunications Sector Professional Skills Supervision and Guidance Centre, the China Association of Communication Enterprises, the Internet Society of China, all Internet domain name registration management bodies, and relevant work units:
In recent years, all work units have earnestly implemented the policy decisions and deployments of the Party Centre and the State Council, and the work demands of the Ministry of Industry and Information Technology, and have incessantly strengthened cybersecurity work simultaneously with strengthening the construction of network infrastructure and stimulating the rapid development of the cyber economy, and capacity to guarantee cybersecurity has clearly risen. But we must also recognize that at present, the cybersecurity situation is highly severe and complex, domestic and foreign cyberattacks become more frequent every day, the methods used in cyberattacks are ever more complex and hidden, and the problems of cybersecurity generated by new technology and new business forms are becoming ever more prominent. The problems existing in the telecommunications and Internet sectors’ cybersecurity work under new circumstances are prominently manifested as: the widespread existence of thinking that stresses development and is lax on security, the fact that cybersecurity work mechanisms and systems are not complete, that technological cybersecurity capabilities and methods are insufficient, that the level of security and controllability of key software and hardware remains low, etc. In order to effectively respond to the challenges and threats of cybersecurity, which grow more severe and complex every day, realistically strengthen and improve cybersecurity work, and further raise the telecommunications and Internet sectors’ cybersecurity protection capabilities and levels, the following Opinions are put forward.
I, General requirements
Earnestly implement the spirit of the 18th Party Congress, the 3rd Plenum of the 18th Party Congress as well as the 1st Meeting of the Central Leading Group for Cybersecurity and Informatization concerning safeguarding cybersecurity, persist in guaranteeing development with security and stimulating security through development, persist in the unified planning, unified deployment, unified promotion and unified implementation of security and development work, persist in the integration of laws and regulations, administrative supervision, sector self-discipline, technological guarantees, public supervision and social education, persist in being based in the sector and serving the overall picture, take raising cybersecurity protection capacity as the main line, take perfecting cybersecurity protection systems as the objective, strive to raise network infrastructure and business system security and protection levels, strengthen cybersecurity technology capabilities, strengthen the protection of online data and user information, move forward with the application of secure and controllable key software and hardware, and play a positive role in safeguarding national security, stimulating economic development, protecting the interests of the popular masses and building a strong network country.
II, Focus work points
(1) Deepening the security protection of network infrastructure and business systems. Earnestly implement the “Telecommunications Network Security Protection and Management Rules” (Ministry of Industry and Information Technology Decree No. 11), and the series of standards on telecommunications security protection, perform classification and filing well, strictly implement prevention measures, regularly conduct compliance surveys and risk assessments, timely eliminate hidden security risks. Strengthen management of network and information assets, comprehensively comb through key facility tables, clarify the departments and persons responsible for cybersecurity for every network, system and key facility. Rationally differentiate network and system security areas, clarify the boundaries of networks, and strengthen boundary protection. Strengthen websites’ security and security management for companies’ business and safe terminals. Perfect domain name system security protection measures, optimize system structures, strengthen broadband protection. Strengthen emergency response domain name data back-ups of public recursive domain name analysis systems. Strengthen risk assessment of networks and systems before they go online. Strengthen software and hardware version management and patch management, strengthen tracing, verification, risk evaluation and reporting of leaked information, timely adopt effective remedial measures.
(2) Raise capacity to respond to sudden cybersecurity incidents and emergencies. Earnestly implement the Ministry of Industry and Information Technology “Public Internet Security Emergency Response Plan”, formulate and perfect emergency response planning for cybersecurity in [your] work units. Complete emergency response coordination and cooperation mechanisms concerning large-scale denial-of-service attacks, major domain name system breakdowns, large-scale leaks of users’ information and other sudden cybersecurity incidents. Strengthen emergency response planning and drills, regularly evaluate and revise emergency response plans, guarantee the scientific nature, applicability and operational nature of emergency response plans. Raise capacities for the monitoring and early warning of sudden cybersecurity incidents, strengthen early warning information dissemination and early warning management; where an incident may influence the overall picture, the telecommunications controlling department must be notified in a timely manner. Strictly implement sudden cybersecurity incident reporting systems. Build cybersecurity emergency response command and control systems, raise emergency response efficiency. On the basis of the needs of relevant departments, provide cybersecurity support and guarantees for major activities and during special periods, for important systems in other sectors, government websites and focus news websites, etc.
(3) Safeguard the public Internet cybersecurity environment. Earnestly implement the Ministry of Industry and Information Technology “Trojan and Botnet Monitoring and Handling Mechanism”, and the “Mobile Internet Malicious Software Monitoring and Handling Mechanism”, establish and complete mechanisms to monitor and deal with phishing websites. Clarify the duties and responsibilities of users in safeguarding the cybersecurity environment in business service contracts concluded with users. Strengthen the construction of the Trojan and virus sample database, the mobile malicious software sample database, the leaks database, the malicious website address database, etc., stimulate information sharing about cybersecurity threats within the sector. Strengthen deep analysis of hackers’ underground industry interest chains, and bring this under control at the source, vigorously coordinate with relevant law enforcement departments in attacking online law breaking and crime. Basic telecommunications enterprises must, at the same time as expanding their business and handling business for users, strengthen propaganda and guidance on users’ cybersecurity knowledge and skills, and vigorously launch value-added cybersecurity services aimed at users.
(4) Move the application of secure and controllable software and hardware forward. Promote the establishment of a national cybersecurity inspection system, to carry out the telecommunications and Internet sectors’ cybersecurity inspection work requirements. On the basis of the relevant requirements of the “Telecommunications Engineering and Construction Project Tendering Standards Management Rules” (Ministry of Industry and Information Technology Decree No. 27), comprehensively consider cybersecurity needs when tendering the purchase of key software and hardware, clearly stipulate cybersecurity requirements for key software and hardware in tendering documents. Strengthen the cybersecurity inspection and evaluation of key software and hardware before purchase, clarify suppliers’ cybersecurity responsibilities and duties through contract, demand that suppliers sign letters of commitment concerning cybersecurity. Expand indigenous research and development strength for major business application systems, launch business application and programme source code security inspections.
(5) Strengthen the protection of online data and users’ personal information. Earnestly implement the “Telecommunications and Internet User Personal Information Protection Regulations” (Ministry of Industry and Information Technology No. 24), strictly standardize the collection, storage, use and deletion of users’ personal information, implement all segments’ security responsibilities, perfect corresponding management systems and technological measures. Implement the demands of data security and users’ personal information security protection standards, perfect online data and user information anti-theft, anti-alteration, data back-up and other such security protection measures. Strengthen authorization management and auditing of internal staff and cooperating partners, expand strength to punish acts violating regulations. The occurrence of large-scale leaks of users’ personal information must be immediately reported to the telecommunications controlling department, and effective remedial measures must be taken in a timely manner.
(6) Strengthen security management in mobile application stores and application programmes. Strengthen the security management of mobile application stores and mobile application programmes, stimulate mobile application stores to establish and complete systems for the verification of mobile application programme developers’ real-name information, the inspection of application programmes’ security, the removal of malicious programmes, a black-list for malicious programmes, user supervision and reporting, etc. Establish and complete third-party security inspection mechanisms for mobile application programmes. Promote the establishment of third-party digital credential signature mechanisms for application programme developers and signature verification and user prompting mechanisms in application stores and smart terminals. Perfect mobile malicious programme reporting acceptance and black-list sharing mechanisms. Strengthen social propaganda, guide users in downloading and installing mobile application programmes from regular application stores, and in installing terminal security protection software.
(7) Strengthen cybersecurity management for new technologies and new businesses. Strengthen tracing and research of cybersecurity problems in cloud computing, big data, the Internet of Things, the mobile Internet, the next-generation Internet and other such new technologies and new businesses, we must bring basic infrastructure and business systems involving the provision of public telecommunications and Internet services into telecommunications cybersecurity protection and management systems, accelerate the research and formulation of corresponding cybersecurity protection standards, perfect and implement corresponding cybersecurity protection measures. Vigorously launch trials and demonstrations of cybersecurity protection technology for new technologies and new businesses. Strengthen risk assessment for cybersecurity in new technologies and inspection of cybersecurity protections.
(8) Strengthen the construction of technological capabilities and methods for cybersecurity. Deepen the launch of research into cybersecurity monitoring and early warning, discovery of leaks, analysis of malicious code, examination, assessment, tracing and evidence-gathering technology, strengthen research into high-level sustainable attack response technology. Establish and perfect invasion monitoring and defence, anti-virus, anti-denial-of-service attack, irregular flow rate monitoring, anti-web page alteration, domain name security, leak scanning, concentrated account management, data encryption, security auditing technology and methods and other such cybersecurity protection technology and methods. Complete methods to monitor and handle Trojans, viruses and mobile malicious programmes based in the network side. Vigorously research and use cloud computing, big data and other such new technologies to raise cybersecurity monitoring and early warning capabilities. Stimulate the linkage of enterprises’ technological methods with telecommunications controlling departments’ technological methods, formulate interface standards, realize the sharing of monitoring data. Strengthen cooperation with cybersecurity service enterprises, prevent risks in service processes, and when entrusting cybersecurity service work units with launching integrated cybersecurity construction and risk assessment, it is necessary to select work units whose cybersecurity service capability has passed assessment by relevant sectoral organizations.
III, Guarantee measures
(1) Strengthen cybersecurity supervision and management. Telecommunications controlling departments must realistically implement their telecommunications and Internet sector cybersecurity supervision and management duties, incessantly complete cybersecurity supervision and management systems, vigorously promote legislation concerning the protection of crucial information infrastructure, online data protection and other such cybersecurity matters, further perfect cybersecurity protection standards and corresponding work mechanisms; we must expand supervision, inspections and assessments of basic telecommunications enterprises’ cybersecurity, strengthen supervision and management of Internet domain name registration management and service bodies, as well as value-added telecommunications enterprises, promote the establishment of a telecommunications and Internet sector cybersecurity authentication system. The National Computer Network Emergency Response Technical Coordination Centre and the Ministry of Industry and Information Technology Academy of Telecommunications Research must expand cybersecurity technology, finance and human inputs, and must forcefully increase their ability to support telecommunications controlling departments’ supervision and management of cybersecurity.
(2) Fully give rein to the role of sectoral organizations and specialist bodies. Fully give rein to the bridging and linking role of sector organizations in supporting the government and serving the sector, forcefully launch telecommunications and Internet sector cybersecurity self-discipline work. Support corresponding sectoral organizations and specialist bodies to launch propaganda on cybersecurity laws, policies and standards aimed at the sector, as well as knowledge and skills training and competitions, stimulating cybersecurity management and technological exchange; launch cybersecurity service capacity assessments, stimulate and standardize the healthy development of cybersecurity service markets; establish and complete social supervision and reporting mechanisms for cybersecurity, mobilize the forces of the entire society to participate in and safeguard the public Internet cybersecurity environment; launch cybersecurity propaganda and education activities aimed at the social public, raise users’ awareness about cybersecurity risks and their ability to protect themselves.
(3) Implement the principal responsibility of enterprises. Corresponding enterprises must, from the height of safeguarding national security, stimulating economic and social development, and guaranteeing users’ interests, fully understand the importance and urgency of doing cybersecurity work well, realistically strengthen organizational leadership, implement security responsibilities, and complete cybersecurity and management systems. Basic telecommunications enterprises’ main leaders must bear overall responsibility for cybersecurity work, ensure that there is one controlling leader who has concrete responsibility to uniformly coordinate all cybersecurity work matters inside the enterprises; we must strengthen the construction of specialist cybersecurity management departments in group companies and provincial-level companies, strengthen the allocation of full-time staff, strengthen the role of specialist departments in cybersecurity management, realistically expand comprehensive planning and coordination, supervision and inspection, responsibility assessment and responsibility tracing inside enterprises concerning cybersecurity work. Internet domain name registration management and service bodies, and value-added telecommunications enterprises must, in integration with reality, complete internal cybersecurity management systems, allocate specialist departments and personnel to cybersecurity management, and ensure that cybersecurity responsibilities are satisfactorily implemented.
(4) Expand resource protection strength. Basic telecommunications enterprises must formulate special plans for cybersecurity in those enterprises, and at the same time as expanding network and business development input, expand financial input into cybersecurity protections in equal step, and bring cybersecurity expenses into the enterprise’s annual budget. Internet domain name registration management and service bodies, and value-added telecommunications enterprises must, in integration with reality, expand their financial cybersecurity input strength.
(5) Strengthen talent team construction. Basic telecommunications enterprises must vigorously launch specialist cybersecurity professional skills appraisal work, establish and complete specialist cybersecurity position certification systems; strengthen cybersecurity training, and bring training into personnel training plans; vigorously organize and participate in cybersecurity knowledge and skills competitions, and shape benign mechanisms to train, select, attract and use cybersecurity talents.