Public Internet Cybersecurity Threat Monitoring and Mitigation Measures
This translation was kindly provided by John Costello
Ministry of Industry and Information Technology Network  No. 202
Provincial, autonomous region, and municipal communications authorities, China Telecom Group Corporation, China Mobile Communications Corporation, China Unicom Group Corporation, China National Computer Emergency Technical Team/Coordination Center of China (CNCERT), China Information Communications Research Institute, National Industrial Information Security Development Research Center, China Internet Association, domain name registration management and service organs, internet companies, and cybersecurity enterprises:
In order to deepen the implementation of the spirit of General Secretary Xi Jinping’s important speeches on cybersecurity, actively respond to the dire and complex cybersecurity situation, move forward a robust public internet cybersecurity threat monitoring and mitigation mechanism, and safeguard the legitimate rights and interests of citizens, legal persons, and other organizations, and in accordance with the “Cybersecurity Law of the People’s Republic of China” and other relevant laws and regulations, the “Public Internet Cybersecurity Threat Monitoring and Mitigation Measures” are hereby issued to you. Please realistically and effectively implement and carry them out.
Ministry of Industry and Information Technology
August 9, 2017
Public Internet Cybersecurity Threat Monitoring and Mitigation Measures
Article 1: In order to strengthen and standardize the task of monitoring and mitigating public Internet cybersecurity threats, eliminate security risks, stop attacks, avoid harm, reduce security risks, maintain cyber order and public interests, and protect the legitimate rights and interests of citizens, legal persons, and other organizations, and in accordance with “The Cybersecurity Law of the People’s Republic of China”, “Decision of the Standing Committee of the National People’s Congress on Strengthening the Information Protection of Networks”, “Telecommunications Regulations of the People’s Republic of China”, other relevant laws and regulations, and the duties of the Ministry of Industry and Information Technology, these measures are formulated.
Article 2: The term “public Internet cybersecurity threat” as mentioned in these Measures refers to network resources, malicious processes, security risks, or security incidents that exist or are disseminated on the public Internet and that may harm or have harmed the public, including:
(1) malicious IP addresses, malicious domain names, malicious URLs, malicious electronic information, including Trojans and botnet controllers, phishing websites, phishing emails, SMS / MMS, instant messaging, etc.;
(2) malicious programs that are used to carry out cyber attacks, including Trojans, viruses, botnet programs, mobile malware, etc.;
(3) security risks in network services and products, including hardware vulnerabilities, software vulnerabilities, business logic vulnerabilities, weak passwords, backdoors, etc.;
(4) cybersecurity incidents in which network services and products have been illegally compromised or illegally controlled, including host control, data leakage, and tampering with webpages, etc.;
(5) other threats to cybersecurity or any circumstance where security risks exist.
Article 3: The Ministry of Industry and Information Technology (MIIT) shall be responsible for organizing and developing national public internet cybersecurity threat monitoring and mitigation work. Communications authorities of provinces, autonomous regions, and municipalities shall be responsible for organizing and developing public internet cybersecurity threat monitoring and mitigation work in their respective administrative areas. The Ministry of Industry and Information Technology and the provincial, autonomous region, and municipal communications authorities are hereafter collectively referred to as principal telecommunication departments.
Article 4: Cybersecurity threat monitoring and mitigation work shall adhere to the principles of timely discovery, scientific identification, and effective mitigation.
Article 5: Relevant professional organizations, basic telecommunication companies, cybersecurity companies, Internet companies, and domain name registration management and service organs shall strengthen the monitoring and disposal of cybersecurity threats, specify responsible departments, responsible persons and contact persons, strengthen the establishment of relevant technical measures, and constantly improve the timeliness, accuracy, and effectiveness of cybersecurity threat monitoring and mitigation.
Article 6: After relevant professional organizations, basic telecommunication enterprises, cybersecurity enterprises, Internet companies, domain name registration management and service organs, etc. discover cybersecurity threats, threats classified as the unit’s own issue shall be mitigated immediately; where other entities are involved, information shall be submitted to MIIT and the provincial, autonomous region, and municipal communications authorities in a timely manner and in accordance with the content, indicators, and format of relevant regulations.
The Ministry of Industry and Information Technology will establish a cybersecurity threat information sharing platform for the unified collection, storage, analysis, notification, and release of network security threat information; formulate relevant interface specifications; and develop interoperability with related cybersecurity monitoring platforms. National Computer Emergency Response Technical Team/Coordination Center (CNCERT) is responsible for platform construction, operation, and maintenance work.
Article 7: The principal telecommunication departments shall entrust CNCERT, China Information Communications Research Institute, and other specialized organs to identify threat information submitted by relevant units and issue mitigation recommendations. Identification work shall be carried out under the principles of scientific rigor, justice, fairness, timeliness, and effectiveness. Principal telecommunication departments shall strengthen the management and training of professional organs and personnel involved in identification work.
Article 8: After the identification and mitigation recommendation has been approved by principal telecommunication organs, they may take the following mitigation measures for network security threats:
(1) Notify basic telecommunication companies, Internet companies, domain name registration management and service organs, etc., to cease service, block, or adopt other measures against malicious IP addresses (or broadband access accounts), malicious domain names, malicious URLs, malicious e-mail accounts, or malicious phone numbers.
(2) Notify network service providers to eliminate all transmissible malware that resides on the unit’s network, systems, or website.
(3) Notify providers of network services and products that have vulnerabilities or backdoors, or that have already been compromised, controlled, or tampered with, to take corrective measures to eliminate the security risks.
(4) Other technical measures that can eliminate, stop, or control cybersecurity threats.
Mitigation notices from principal telecommunications departments must be sent to relevant units in writing or via verifiable electronic sources. In emergency circumstances, it is permissible to first give notice by telephone, then later supplement it with a written notice.
Article 9: Basic telecommunication companies, internet companies, domain name registration management and service organs, etc., shall provide technical support and assistance for principal telecommunication organs’ inquiries into IP address attribution, domain name registration, and other information, and shall, in accordance with the notices and time limits of principal telecommunications departments, adopt mitigation measures and provide feedback on mitigation results. Specialized organizations responsible for identifying cybersecurity threats shall be responsible for verifying the relevant mitigation situations.
Article 10: Where a relevant organization or individual is dissatisfied with the mitigation measures taken in accordance with Article 8 (1) of the present Measures, it shall have the right to appeal within 10 working days to the principal telecommunication departments that issued the mitigation decision. Relevant telecommunications departments shall promptly organize an investigation after receiving the complaint and reply within ten working days.
Article 11: Relevant units shall be encouraged to carry out cybersecurity threat monitoring and mitigation work in the form of industry self-discipline, technical cooperation, or technical services, and shall be responsible for handling mitigation; monitoring and mitigation results shall be reported to principal telecommunications organs in a timely manner.
Article 12: Where basic telecommunications companies, internet companies, domain name registration management and service organs, etc. fail to take measures to deal with cybersecurity threats in accordance with the notified requirements of principal telecommunication departments, the telecommunications departments shall, in accordance with Article 56, Article 59, Article 60, Article 68 of “National Cybersecurity Law of the People’s Republic of China” and other regulations, arrange questioning, issue warnings, institute fines, and impose other administrative penalties.
Article 13: Monitoring and mitigation work of public internet cybersecurity emergencies that cause or may cause serious social harm or influence shall be carried out in accordance with relevant emergency plans of the State and principal telecommunications departments.
Article 14: Communications authorities of provinces, autonomous regions, municipalities may, in accordance with these Measures, formulate detailed rules for implementation of cybersecurity threat monitoring and disposal within their respective administrative regions.
Article 15: These Measures shall come into force on January 1, 2018. “Trojan and Botnet Monitoring and Mitigation Mechanism” issued on April 13, 2009 and “Mobile Internet Malware Monitoring and Mitigation Mechanism” issued on December 9, 2011 are abolished at the same time.