Report concerning the Inspection of the Implementation of the “Cybersecurity Law of the People’s Republic of China” and the “National People’s Congress Standing Committee Decisions concerning strengthening Online Information Protection”
Presented at the 31st Meeting of the 12th National People’s Congress Standing Committee on 24 December 2017
Wang Shengjun
Cybersecurity affects the long-term governance of the Party, affects a long period of peace and order for the country, and affects economic and social development as well as the personal interests of the popular masses. General Secretary Xi Jinping has emphatically pointed out that without cybersecurity, there is no national security, without informatization, there is no modernization. The National People’s Congress attaches high importance to cybersecurity work, deliberated and passed the “National People’s Congress Standing Committee Decision concerning Strengthening Network and Information Security Protection” in December 2012, and deliberated and passed the “Cybersecurity Law of the People’s Republic of China” in November 2016 (hereafter referred to as the “Law and Decision”). On the basis of the 2017 supervisory work plan, the National People’s Congress Standing Committee Law Enforcement Inspection Group has conducted a review of the implementation situation of the “Law and Decision” from August to October 2017. Now, on behalf of the Law Enforcement Inspection Group, I report to the Standing Committee.
I, The work situation of the law enforcement inspection
The Cybersecurity Law took effect on 1 June of this year. Opening a law enforcement inspection of a newly formulated law that has been in effect for less than three months is a first in the NPCSC’s supervision work. Committee Chair Zhang Dejiang attached great importance to this law enforcement inspection and provided important instructions, pointing out that cybersecurity affects the country’s long-term peace and order, and affects economic and social development as well as the well-being of the popular masses. The NPCSC launching a law enforcement inspection in the same year that the Cybersecurity Law took effect is an implementation of the spirit of General Secretary Xi Jinping’s important instruction that “we must establish a correct cybersecurity view”; it is meant to supervise relevant parties to further strengthen legal propaganda, strengthen the cybersecurity awareness of all of society, grasp the formulation of accompanying laws and policies, ensure the effective implementation of the law, strive to upgrade cyberspace governance levels, and realistically safeguard security in national cyberspace and the lawful rights and interests of the people. He expressed the hope that the inspection group would meticulously organize this law enforcement inspection, persist in problem-based guidance, and get to the bottom of the facts.
On the basis of the spirit of the instructions of Committee Chair Zhang Dejiang, the Internal Judicial Committee, the Finance and Economics Committee, the Education, Science, Culture and Health Committee and the Standing Committee Office researched the matter repeatedly, and established the five focus points of this law enforcement inspection: the first is the situation of conducting legal propaganda and education work; the second is the situation of formulating accompanying regulations and rules; the third is the situation of strengthening critical information infrastructure protection and implementing the multi-level protection system for cybersecurity; the fourth is the situation of bringing online unlawful information under control and safeguarding the benign ecology of cyberspace; and the fifth is the situation of implementing the citizens’ personal information protection system, and investigating and prosecuting unlawful and criminal acts that violate citizens’ personal information, and related matters.
On 25 August, the Law Enforcement Inspection Group convened its first plenary meeting to convey the important instructions of Committee Chair Zhang Dejiang. The meeting heard the reports of the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration of Press, Publications, Radio, Film and Television and the Supreme People’s Court concerning the implementation situation of the “Law and Decision”; the Ministry of Education, the Ministry of Science and Technology and the Ministry of Traffic and Transportation submitted written reporting materials.
On the basis of arrangements, Deputy Committee Chair and Chief Secretary Wang Zhen, Deputy Committee Chairs Shen Yueyue, Zhang Ping, Wan Exiang, Chen Zhu and myself participated in this law enforcement inspection. The Inspection Group visited six provinces (regions, municipalities), Inner Mongolia, Heilongjiang, Fujian, Henan, Guangdong and Chongqing, to conduct investigation; in that period, the Inspection Group heard reports from relevant provincial, municipal and county governments, successively convened over 30 discussion meetings, and inspected several cybersecurity command platforms and critical infrastructure operating work units on the ground. Furthermore, it also entrusted 12 provincial (regional, municipal) People’s Congresses with conducting an investigation of the implementation situation of the “Law and Decision” within their administrative areas.
In order to deeply understand the implementation situation of the “Law and Decision”, this law enforcement inspection conducted several new trials in terms of methods and approaches. First, it invited third-party expert bodies to participate. From early September until mid-October, the Inspection Group selected 20 important information systems in each of the six provinces (regions, municipalities) for on-the-ground inspection, and entrusted the China Information Security Monitoring Centre with conducting a vulnerability sweep and a mock attack, and with issuing a specialized monitoring report on the basis of the monitored systems’ cybersecurity situation. The Inspection Group also entrusted the China Youth Daily Social Survey Centre with conducting popular opinion surveys in 31 provinces (regions, municipalities) on the basis of questions in 10 areas of the “Law and Decision” that closely affect the public, and it issued a survey report. In total, 10370 people participated in this survey. The orderly participation of third-party bodies strengthened the expertise, authority, objectivity and fairness of this inspection. Second, expert participation. Considering the strongly specialized nature of cybersecurity, during the law enforcement inspection period the Inspection Group successively invited 21 cybersecurity experts and technical personnel who have engaged in cybersecurity work for a long time, from the State Information Technology Security Research Centre and other such work units, to provide technical support to the Inspection Group and strengthen the focus and efficacy of the inspection. Third, random spot checks. Each small inspection group randomly selected several critical information infrastructure operating work units according to the requirements of the inspection plan, and conducted preliminary spot checks unannounced. Six small inspection groups conducted random spot checks on 13 work units in total.
The 120 important information systems that were monitored remotely were also selected randomly by the Law Enforcement Inspection Group, and monitoring was completed without the operating work units being aware of the matter.
II, The methods and efficacy of implementing the “Law and Decision”
In recent years, all levels’ Party Committees and governments have earnestly organized study of General Secretary Xi Jinping’s series of important speeches and important judgments concerning cybersecurity, deeply implemented the Centre’s strategic arrangements concerning “building a strong cyber power”, entered cybersecurity into the overall picture of economic and social development and into comprehensive planning and arrangements, forcefully advanced cybersecurity and network information protection work, and legal implementation has seen vigorous results.
(1) Deeply conducting propaganda and education, strengthening cybersecurity awareness.
First, strengthening the entire people’s cybersecurity awareness has been made into a basic task. Nine departments including the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security have, for four successive years, organized and launched Cybersecurity Week; the themed days, propaganda activities, lectures, forums, etc. held during this period of events have exceeded 10.000 in number annually, with an annual average coverage of around 200 million people. After the promulgation of the Cybersecurity Law, all localities have conducted propaganda and explanation of the core content of the law through newspapers and magazines, radio and television stations, portal websites, governmental microblogs and public channels, etc. Second, strengthening legal propaganda and education in focus work units and focus sectors. The Ministry of Industry and Information Technology has entered learning about the “Law and Decision” into the annual assessment standards for basic telecommunications operating enterprises, and organized learning sessions at focus Internet enterprises such as Baidu, Alibaba, Tencent, etc. The Ministry of Public Security has organized concentrated study sessions for the public security bodies nationwide, over 200 Central ministries and commissions as well as Central enterprises, and over 260 information security enterprises and related personnel. The State Administration of Press, Publications, Radio, Film and Television has organized cybersecurity knowledge and skill training and competition activities. Provinces (regions) such as Inner Mongolia and Heilongjiang have conducted focus training for the professional backbones in focus work units and focus sectors who are responsible for cybersecurity. Third, closely grasping the critical minority of leading cadres, and making the enhancement of leading cadres’ cybersecurity awareness into the top priority.
Localities such as Guangdong and Fujian have promoted leading cadres taking the lead in knowing the law, understanding the law and using the law, through organizing cybersecurity and informatization-themed deliberation classes for leading cadres and other such methods. The members of the Ministry of Traffic and Transportation Party Group have taken the lead in study, and organized a “special training class for bureau-level leading cadres on cybersecurity”; the Ministry of Education has organized cybersecurity training classes for the education system, and has conducted topical training for responsible persons in all provincial education administration departments, directly subordinate higher education institutions and directly subordinate Ministry bodies. All localities have made younger netizens into a focus point for law popularization, launching activities such as “cybersecurity entering campuses and entering households”, “strive to be a netizen with good ‘four haves’”, etc., guiding the broad youth into going online in a lawful, civilized and healthy manner.
(2) Formulating accompanying regulations and policies, building cybersecurity structures and systems
In order to support the implementation of the “Law and Decision”, in recent years relevant State Council departments have published the “National Cyberspace Security Strategy”, the “Telecommunications Cybersecurity Protection Management Rules”, the “Telecommunications and Internet User Personal Information Protection Regulations”, the “Telephone User Real Identity Information Registration Regulations”, the “Press, Publications, Radio, Film and Television Cybersecurity Management Rules”, the “Public Internet Cybersecurity Sudden Incident Emergency Response Plan” and other such accompanying rules, plans and policy documents. The Cyberspace Administration of China has, together with relevant departments, published the “Some Opinions concerning Strengthening National Cybersecurity Standardization Work”, accelerated the formulation work of cybersecurity standards, and 198 national cybersecurity standards have been published. The Supreme Court and the Supreme Procuratorate have published the “Interpretation concerning Some Questions on Applicable Law when Handling Criminal Cases of Infringement of Citizens’ Personal Information”. Some provinces have also launched accompanying regulation drafting work: the Inner Mongolia Autonomous Region People’s Congress Standing Committee formulated the “Computer Information System Security Protection Rules”; the Fujian Province People’s Congress Standing Committee passed the “Fujian Province Telecommunications Infrastructure Construction and Protection Regulations”; the Guangdong Province People’s Congress Standing Committee published the “Decision concerning Implementing the Telecommunications Users Real Identity Information Registration System”; and the Heilongjiang Province People’s Congress Standing Committee published the “Industrial Information Security Management Regulations”.
Chongqing Municipality persisted in equally stressing cybersecurity and informatization development, strengthening the construction of e-government systems and perfecting governmental website management structures. A series of accompanying regulations, rules and policy documents have been published, assisting in the implementation of the “Law and Decision”.
(3) Enhancing security protection capabilities, striving to ensure the security of network operations
First, strengthening critical information infrastructure protection. In 2016, the Cyberspace Administration of China and other departments organized the launch of critical information infrastructure investigation and inspection work; they conducted spot checks and technological surveys of the operational security state of 11.000 important infrastructure systems, completed cybersecurity risk assessments in multiple focus sectors including finance, energy, telecommunications, transportation, radio and television, education, healthcare, social security, etc., and put forward over 4000 improvement suggestions. Second, launching network infrastructure protection work. The Ministry of Industry and Information Technology has launched network infrastructure investigation work, completely combing through network infrastructure and information systems; at present, all sectors in total have been determined to contain 11590 critical network infrastructure systems and important information systems. Since 2017, over 900 focus network systems and industrial control systems have been subject to supervision and spot checks, and 78980 vulnerabilities have been notified for rectification. Third, deeply advancing multi-level cybersecurity protection. 140.000 information systems have already been filed, of which 1.7000 are third-tier or higher important information systems; this basically covers all critical information infrastructure. At the same time, regularized inspection has been launched for information systems entered into multi-level protection; in recent years, the total of all kinds of security vulnerabilities that have been discovered and rectified approaches 400.000. Fourth, establishing reporting and early warning systems.
The Ministry of Public Security has taken the lead in establishing a national cybersecurity reporting and early warning mechanism, with a notification scope already covering 100 Central Party and government bodies, 101 Central enterprises, 31 provinces (regions, municipalities) and the Xinjiang Production-Construction Corps; all localities have also established cybersecurity and information security notification mechanisms, to notify and deal with all kinds of vulnerabilities and threats in real time. The Ministry of Education has established security supervision and early warning mechanisms for important websites and information systems in the education system, and has already handled 35.000 security threats in total. Fifth, vigorously launching the construction of coordinated joint action platforms for cybersecurity. The Cyberspace Administration of China has taken the lead in establishing emergency response technology support and assistance mechanisms for critical information infrastructure, and has incessantly upgraded the overall emergency response capabilities, security protection capabilities and coordinated joint action capabilities for critical information infrastructure. Sixth, forcefully conducting cybersecurity special campaign work. The Ministry of Public Security has, together with relevant work units, conducted large-scale special Internet enterprise defence campaigns, as well as website security and Internet and email security special governance campaigns, discovering and rectifying a batch of deep cybersecurity problems and vulnerabilities.
(4) Controlling information violating laws and regulations, and safeguarding a clear and crisp cyberspace
All localities and all relevant departments have earnestly implemented the requirements of the law, soundly performed online ideological work, and firmly cleaned up information violating laws and regulations of all kinds. Through launching a series of campaigns including “sweeping pornography and beating illegality”, the “Web Sword”, etc., they have targeted information propagating terror, violence, obscenity or sex, etc. on Internet sites, application software, blogs, microblogs, public accounts, instant messaging tools and online streaming. Since 2015, the Cyberspace Administration of China and other departments have, according to the law, held talks with over 2200 websites violating laws or regulations, and cancelled the permit or filing of websites breaking laws or regulations or closed unlawful websites in over 13.000 cases; relevant websites have, according to user service agreements, closed nearly 10 million accounts violating laws or regulations, creating a powerful deterrent against all kinds of online unlawful conduct. The China Youth Daily Social Survey Centre provided the inspection group with a large-scale survey analysis report (hereafter simply named the “mass survey report”), which suggests that among the 10370 people participating in the survey, over 90% of respondents affirm the efficacy of governance, and 63.5% among them believe that information violating laws and regulations online, including information harming national security or propagating terror, violence, obscenity or sex, has clearly reduced. The legal implementation competent departments have also established an online information patrol mechanism and public reporting platforms, to timely clean up information violating laws and regulations. Chongqing and other such localities give high regard to strengthening online content construction, vigorously creating excellent online works and strengthening online positive propaganda.
(5) Strengthening personal information protection, attacking unlawful and criminal infringement of user information security
In comprehensively implementing the real identity system requirements for online access (website filing and domain names / IP addresses), fixed telephones and mobile telephones, operators no longer provide related services to users who do not provide real identity information. In the past five years, telecommunications enterprises have organized the accompanying registration of 300 million old users who had not yet submitted their real name, and ceased the provision of services according to the law to over 10 million users who refused to amend their registration. In order to ensure user information security, relevant departments have guided all network operating work units to further strengthen internal control and management structures, requiring them to implement strict management over the application, use and period of validity of major operations such as mass data export, reproduction, information deletion, etc., preventing the mass leak of user information through workflows. Henan Province has strengthened the security protection of critical systems for user information storage, enhancing capabilities to protect against hacking attacks. With regard to the trend of high incidence of user personal information crimes, the Ministry of Public Security has arranged and launched a dedicated attack campaign, establishing anti-fraud centres in 31 provinces (regions, municipalities) and the Xinjiang Production-Construction Corps, and it has comprehensively coordinated the attack against the use of citizens’ personal information to conduct telecommunications and online fraud crimes; in the past two years, over 3700 cases of criminal infringement of personal information were cracked, and over 11.000 criminal suspects were arrested. Between 2014 and September 2017, courts nationwide tried 1529 criminal cases where networks were used to infringe citizens’ personal information, gaining relatively good legal effects and social effects.
(6) Expanding support strength, advancing critical cybersecurity technology innovation.
In order to implement the requirements of the Cybersecurity Law to “support focus cybersecurity technology industries and projects, and support the research, development and utilization of cybersecurity technology”, the Ministry of Science and Technology, jointly with the Cyberspace Administration of China, composed dedicated research plans based on the current development status of cyberspace security, focusing on goals such as raising our country’s critical information infrastructure and data security protection capabilities, supporting trusted management of cyberspace and data asset protection, and enhancing cyberspace protection capabilities, and on this basis established research directions in several focus points. In order to expand support to the research, development and application of cybersecurity technology, the Ministry of Science and Technology and the Ministry of Industry and Information Technology gave priority to initiating the “Cyberspace Security Focus Earmarks” in the “13th Five-Year Plan Period” national focus research and development plan, with a State-issued funding input of 1.384 billion Yuan; they systematically arranged 47 research tasks, striving to basically create an indigenous and controllable core cybersecurity technology system by the year 2020. Furthermore, in the “Science and Technology Innovation 2030 – Major Projects”, they gave priority to arranging a batch of major cybersecurity research projects, providing technical support for enhancing our country’s information supervision and management, prevention of leaks and theft of confidential information, cyber defence, etc.
The Ministry of Education has innovated cybersecurity talent education models, adding a first-tier cyberspace security discipline, issuing the “Opinions concerning Strengthening Cybersecurity Discipline Construction and Talent Training” together with relevant departments, initiating first-rate cybersecurity academy construction demonstration projects, and thus providing talent support for cybersecurity technology innovation.
III, Difficulties and problems existing in work
The inspection situation shows that various localities still display some difficulties and problems in implementing the “Law and Decision” and in safeguarding aspects of cybersecurity.
(1) Cybersecurity awareness urgently remains to be strengthened
Many critical information infrastructure operating work units have an insufficient understanding of the importance of cybersecurity; they believe that their being cyberattacked is only a low-probability matter, and they lack understanding of the harm they may suffer from cyberattacks. In the area of informatization, they are “high on construction, low on security; high on use, low on protection”, they lack awareness about active defence, and are unwilling to make the necessary investment in security protection; when handling the relationship between the usability and security of business information systems, they often place more emphasis on usability, and when there is a conflict with the latter, they often reduce security requirements. Quite a few leading cadres in local governments and departments cannot understand cybersecurity from the height of national security; they have not entered cybersecurity work onto the important work agenda of that level’s government or department, or they only give it priority in name, “saying it is easy, but treating it as secondary, and forgetting it when busy”. The social public’s cybersecurity awareness is generally not strong; the “mass survey report” indicates that 55.4% of respondents believe that many people around them lack cybersecurity awareness, and “know that cybersecurity exists but do not know much about it”.
(2) Basic cybersecurity construction is generally weak
First, the construction of cybersecurity state sensing platforms is lagging behind. Cybersecurity risks have a strongly hidden component, and sensing the security state is the most basic and fundamental work for doing cybersecurity well. In safeguarding cybersecurity, it is first and foremost necessary to know where the risks are, what the risks are, and when the risks emerge. But quite a few provinces have not yet initiated the construction of cybersecurity state sensing platforms, and cannot realize all-weather, real-time, dynamic monitoring of the cybersecurity risk in important information systems. Second, the construction of disaster-proof back-up systems is generally lagging behind. Quite a few work units operating critical information infrastructure relating to the national economy and the people’s welfare have not conducted remote disaster-proof backups of important data according to legal provisions, but have only adopted several simple data back-up measures; some have not even conducted disaster-proof backups, and cannot effectively respond to major data security risks. In several provinces, multiple important information systems have not conducted remote disaster-proof backups according to legal requirements. Third, the indigenization level of important industrial control enterprises’ equipment and control systems remains to be increased. Several important industrial control enterprises heavily rely on foreign technology: not only are production control systems built by foreign companies, but foreign products are also used as the accompanying network and security equipment, the deployment of network and security equipment is controlled by foreign personnel, and enterprises’ internal personnel do not even hold security equipment deployment and management powers. In some provinces, the indigenization level of important industrial control enterprises’ production control systems is less than 20%. Fourth, emergency response plans are treated as a mere formality.
Some cybersecurity emergency response plans are biased towards the elimination of equipment blockages, and their content dealing with cyberattacks, information leaks and other such cyberspace security incidents is relatively limited; some emergency response plans lack feasibility; some emergency response plans have not been revised for a long time, and can no longer respond to the present type of cybersecurity incidents; many work units have not truly organized emergency response drills because they lack the conditions to hold them; quite a few localities and sectors have insufficient funds to be used to resolve cybersecurity problems, and after problems are discovered, they often cannot be resolved in a timely manner because of funding shortages.
(3) Prominent cybersecurity risks and vulnerabilities
In order to understand the situation of online operations, the law enforcement inspection group entrusted the China Information Security Monitoring Centre with conducting remote penetration tests and vulnerability scans of 120 randomly selected critical information infrastructure systems (60 portal websites and 60 operational systems). This Centre issued a report stating that among the 120 critical information infrastructure systems undergoing remote monitoring, 30 contained security vulnerabilities, including 12 high-risk vulnerabilities; among them, some provincial-level departments’ comprehensive Internet supervision and management platforms contained three high-risk vulnerabilities of unauthorized upload, unauthorized download and unauthorized deletion, gravely threatening the security of systems and servers and also posing grave risks of user information leaks. The remote monitoring also discovered that multiple city-level government portal websites contained the risk that pages might be tampered with. The law enforcement inspection group’s on-site spot checks discovered that multiple work units have not retained network logs according to laws and regulations, which may make it impossible to conduct tracing and response measures in a timely manner when a cybersecurity incident occurs; some work units have not conducted risk assessments of important information systems, and lack knowledge of the cybersecurity situation they may face. The inspection also discovered that in multiple work units, the security construction of intranets and private networks has not been given sufficient attention; some work units have not arranged for any security protection equipment for their intranet systems, and have not conducted vulnerability scans for a long time, and thus major cybersecurity risks exist.
Following the advance of informatization construction in all areas and all localities, the datafication, onlinification and remotization of all sectors and all areas is becoming ever clearer, putting forward higher requirements for cybersecurity.
(4) The situation in user personal information protection work is grim
The “mass survey report” demonstrates that the implementation of many structures in the “Law and Decision” concerning user personal information protection is not ideal: 52.1% of interviewees believe that the provision in the law that “online service providers and other enterprise and undertaking work units must, when collecting and using citizens’ personal electronic information during their business operations, indicate the purpose, method and scope for the collection and use of information” has been implemented badly or mediocrely; 49.6% of interviewees have encountered excessive collection of personal information, and 18.3% among them have regularly encountered excessive collection of user information; 61.2% of people have encountered “dictator clauses” where relevant enterprises use their own advantageous position to force the collection and use of user information, and if this is not accepted, the product in question cannot be used or services received; 52.5% of people believe that law enforcement’s protection of user information has ordinary or bad results, and quite a few people reflect that after discovering that their personal information was leaked or abused, it was relatively widespread that reporting was difficult, filing complaints was difficult, and filing cases was difficult. Many interviewees reflected that the problems of excessive collection of user information and infringement of personal privacy exist in a widespread manner in free-of-charge applications, but it seems as if there is no supervision, management or lawful punishment whatsoever. The investigation discovered that some Internet companies and public service departments stored large amounts of citizens’ personal information, but their security protection technology was gravely lagging behind, making it easy for law-breakers to steal and abuse it.
Several work units’ internal control systems are not perfected or not implemented, and a small number of “inside ghosts” have taken risks in pursuit of unlawful gain, leading to large-scale leaks of user information. In several places at present, the use of networks to illegally collect, steal, peddle and use users’ information has created black industry chains. Cases recently uncovered by public security departments demonstrate that user information leaks have features such as multiple channels, low costs for unlawful acts of theft, high difficulty of investigation, etc.; furthermore, the methods used by law-breakers are incessantly improving, and cases of “targeted fraud” triggered by user information leaks are increasing, creating grave harm to the popular masses’ asset security.
(5) Cybersecurity law enforcement structures remain to be further straightened out
The phenomenon of “nine dragons ruling the water” in cybersecurity supervision and management still exists; problems such as unclear duties and responsibilities, each fighting their own battles, law enforcement shifting responsibility, low efficiency, etc., still have not been effectively resolved, and the comprehensive coordination role with which the law endowed cybersecurity and informatization departments is not performed smoothly enough. In several localities, multi-headed management problems in network and information security are relatively prominent, yet after information leaks, abuses of user personal information and other such information security incidents occur, users regularly run into the problems that there is no door to complain to, or that departments shift responsibility between them or dispute over trifles. The “mass survey report” reveals that 18.9% of interviewees reflect that, after encountering cybersecurity problems, they do not know which department they should approach to file a report or complaint, and even if they have reported the matter, it is often not dealt with or there is no result. Multiple network operating work units participating in the discussions reflect that problems exist in administrative law enforcement, such as different law enforcement departments conducting duplicate inspections of the same work unit or the same matter, even with inspection standards that are not identical; data collected by different law-implementation competent departments cannot yet be “interconnected and interactive”, which regularly brings increased and extra burdens to network operators. Quite a few people believe that if it is impossible to rationally structure and precisely delineate duties and responsibilities between departments, it will lead to the problem that law enforcement is not coordinated in the process of implementing the multi-level protection system and the critical information infrastructure protection system.
Furthermore, the investigation discovered that urban rail transport control systems and other such industrial control systems have unclear boundaries of cybersecurity management responsibility, and operating work units have difficulties implementing the cybersecurity responsibility system; supervision, management and administrative law enforcement powers in the telecommunications sector are gravely insufficient, and law enforcement forces are not suited to the present severe situation in which cybersecurity incidents occur at high frequency.
(6) Accompanying regulations to the Cybersecurity Law remain to be perfected
Quite a few work units reflected that, as the basic law in the area of cybersecurity management, the Cybersecurity Law contains quite a few elements that are principle-type provisions, and true “implementation” still relies on the perfection of accompanying regulations. For example, even though the Cybersecurity Law contains provisions on data security and use, data operations in practice are relatively complicated, and data desensitization standards, inter-enterprise data sharing norms, etc., still need relevant regulations and rules to clarify them; the Cybersecurity Law only clarified that critical information infrastructure operators’ data export activities require assessment, but it has not further clarified whether a security assessment is to be conducted for the export of important data held by other network operators. The critical information infrastructure protection system is an important system in the Cybersecurity Law, but understandings at present are not yet uniform with regard to what is critical information infrastructure, the standards and procedures to designate critical information infrastructure, etc.; this needs to be clarified through accompanying regulations. How critical information infrastructure is to conduct annual inspections and evaluations, how network operators and management departments are to uniformly publish cybersecurity early warning information, how to support indigenous intellectual property rights in cybersecurity, etc., are also waiting for accompanying regulations and rules to be clarified.
(7) There is a cybersecurity talent shortage
Among the 10370 people participating in the investigation, over 69% of interviewees believe that within their work unit or among the people they know, the specialist technical talents who are able to engage in cybersecurity protection with skill are relatively few in number and cannot satisfy real needs; 21.6% among these interviewees believe that within their work unit, there is basically no-one who is well acquainted with cybersecurity protection technology. The investigation situation shows that, regardless of whether a region is economically developed or relatively backward, cybersecurity technology talents are relatively lacking in all cases; existing network operating work units’ technology talents are mostly biased towards systems use and operational maintenance, their capability for cybersecurity risk supervision and control, emergency response and comprehensive defence is insufficient, and it is difficult for them to respond to the needs of protecting cybersecurity. In some critical information infrastructure core business systems, even though protection systems are installed, upgrades or patches cannot be applied to security software because of a lack of high-level security technology talent, which means that cybersecurity protection products can only play an effective role with difficulty. Quite a few government portal websites do not have specialized cybersecurity technology talents, and website management personnel have not received systematic cybersecurity skills training. Furthermore, cybersecurity competent departments’ specialized talents are clearly insufficient in number.
Under the constraints of factors such as personnel appointment, duties, remuneration, etc., many local cybersecurity and informatization, public security, telecommunications management, industry and information technology, and other such work units often are unable to recruit or retain specialized technical talents, and first-line law enforcement personnel’s specialist training and skills are hardly adequate for regularized supervision, management and law enforcement duties for network operational security.
IV, Some suggestions
On the basis of the inspection situation, the inspection group has put forward the following suggestions for further implementing the “Law and Decision”.
(1) Further raising understanding of the importance of cybersecurity
In the information age, cyberspace has become the fifth space beyond terrestrial, maritime, aerial and outer space; it has become a new frontier for national interests and a new area for the strategic game between all major countries worldwide, and cybersecurity can affect the entire picture of national security with one move; it has become a national security problem of a fundamental and comprehensive nature. The 19th Party Congress report stressed that cybersecurity and other such non-traditional security matters are one of the common challenges that humanity faces; we must persist in the overall national security view, make the people’s security into the purpose, make political security into the foundation, comprehensively manage external security and internal security, territorial security and citizens’ security, traditional security and non-traditional security, our own security and common security, perfect national security structures and systems, and strengthen the construction of national security capabilities. We must further deepen understanding of the importance of strengthening cybersecurity work under new circumstances, and incessantly strengthen our sense of urgency and self-consciousness in implementing the Cybersecurity Law and other such laws and regulations. The competent departments for implementation of the law and other related work units must, in integration with their work reality, further strengthen propaganda and training about the Cybersecurity Law, not only ensuring that the broad network operators, critical information infrastructure operating work units and their relevant personnel are able to know the content of the law, but also strengthening propaganda for the social public in ways that are pleasing to see and hear, letting the broad public understand the close relationship between cybersecurity and themselves, and strengthening the cybersecurity awareness of all of society.
(2) Correctly dealing with the relationship between security and development
General Secretary Xi Jinping pointed out that cybersecurity and informatization are complementary to each other. Security is the precondition for development, development is the guarantee for security, and security and development must be advanced simultaneously. We must fully understand the role of the Internet in state management, economic development and social governance, continue to advance e-government, e-commerce and new smart city construction, incessantly enhance technological convergence, operational convergence and data convergence, and open up information “arteries” for economic and social development. We must, according to the requirement in the Cybersecurity Law to “equally stress maintaining cybersecurity and informatization development”, persist in grasping network and informatization development with one hand, and grasping cybersecurity with the other, “grasp with both hands, both hands must be tight”. In cybersecurity, we must give high regard to traditional information security and ideological security, and create a cyberspace with a clear atmosphere, brimming with positive energy; we must also give high regard to enhancing capabilities to defend against attacks, effectively prevent cyber attacks, and realistically safeguard the security of networks and information systems. We must scientifically formulate cybersecurity standards for different sectors and different work units, and earnestly research and resolve the problem of “excessively high cybersecurity compliance costs” put forward by several work units. We must encourage and support the development of the cybersecurity industry, give rein to the role of social forces, and provide secure products and services.
(3) Accelerate the perfection of accompanying regulations and rules of the Cybersecurity Law
We must accelerate the legislative progress of the “Critical Information Infrastructure Protection Regulations” and the “Cybersecurity Multi-Level Protection Regulations”, make clear provisions on issues that everyone in practice universally finds difficult to grasp, such as what is critical information infrastructure, how to determine critical information infrastructure, etc., and further clarify the departmental duties and responsibilities in the process of implementing the multi-level protection system and the critical information infrastructure protection system. Cybersecurity and informatization, telecommunications and public security departments must formulate accompanying regulations or documents as quickly as possible, and flesh out the detailed structures for elements of the law such as personal information and important data export security assessment, online data management, cybersecurity monitoring and early warning, information reporting, cybersecurity review, cybersecurity certification and mutual recognition of security monitoring results, etc. Several administrative regulations and departmental rules already formulated earlier should also be revised and perfected in a timely manner on the basis of the requirements of the Cybersecurity Law as well as the new situations and new questions encountered in implementing the law. On the basis of the need to prevent and crack down on online unlawful and criminal acts, we must strengthen Internet criminal legislation, research the formulation of a law to prevent and address online unlawful and criminal acts, and promote the effective linkage of administrative punishment and criminal punishment of online unlawful and criminal acts.
(4) Striving to enhance cybersecurity protection capabilities
First, accelerating cybersecurity state sensing platform construction. We must integrate resources from all departments to establish a unified all-weather cybersecurity sensing platform, in order to discover risks and sense risks better, and thereby build uniform and high-efficiency cybersecurity risk discovery mechanisms, notification mechanisms, intelligence sharing mechanisms, and deliberation and response mechanisms, and accurately grasp the laws, trends and tendencies of cybersecurity risks as they occur. Second, organizing and conducting risk assessment according to the law. We must, as quickly as possible, perfect cybersecurity risk assessment mechanisms, strengthen assessment in important sectors and areas such as finance, energy, transportation, etc., and on the basis of the assessment situation, adjust cybersecurity work plans and protection measures at suitable times. Third, regularly organizing emergency response drills. We must organize critical information infrastructure operating work units to regularly conduct emergency response drills, to ensure that important information systems involving national security, or involving the national economy and the people’s livelihoods, are able to effectively respond to organized, high-strength cyberattacks. Fourth, we must earnestly implement the requirements of the law, accelerate the construction of disaster-proof backups of critical information infrastructure data, and regularly conduct testing of their disaster-proof efficacy, enhancing the capabilities of information systems to be resilient to disasters, mitigate disasters and recover. We must supervise network operating work units in earnestly implementing the provisions of the law and preserving network logs according to the law.
Fifth, we must strengthen the construction of cybersecurity confidentiality protection systems, enhance the capabilities of cybersecurity secrecy protection equipment, and enhance the construction of cybersecurity secrecy protection technology safeguard infrastructure. Sixth, we must forcefully advance the domestic production replacement project. Strengthen technological research and development, progressively raise the degree of domestically produced content in information control systems in important industries and enterprises, and increase the indigenous and controllable capabilities in critical information infrastructure and cybersecurity equipment.
(5) Progressively strengthening users’ personal information protection
First, we must accelerate the progress of personal information protection legislation. Through specialized legislation, we must clarify the principles and procedures for network operators to collect user information, clarify their secrecy protection and [general] protection duties for collected information, and the liability they shall bear for improper use and weak protection, as well as supervision, inspection and assessment measures. Second, strengthening security protection. We must strengthen the construction of data security supervision and management methods, implement tiered and categorized management of data resources, and promote the research, development and deployment of security technologies for preventing data theft, preventing tampering and preventing leaks in the big data landscape. Third, we must earnestly research the scope and methods of user real-name registration systems, and resolutely avoid the problems of excessively many information collection subjects and excessive real-name registration items. All localities and all work units shall have a clear legal basis for any real identity registration system they implement. We must improve real identity information collection methods, and reduce the content of the real identity information collected. Fourth, strengthening supervision and inspection. We must establish third-party assessment mechanisms, supervise network operators and public service work units in strictly collecting user information according to the law, and in establishing and completing internal management mechanisms, and effectively reduce the risk of “inside ghosts” stealing data. Fifth, further intensifying crackdowns.
Public security bodies must intensify the crackdown on cyberattacks, online fraud, online harmful information and other such unlawful and criminal activities, sever online criminal profit chains, continue to maintain a high-pressure situation, implement the provisions of the law on protecting citizens’ personal information, and ensure that the broad citizens’ lawful rights and interests are not harmed. Sixth, we must perfect complaint reception mechanisms. We must research the establishment of uniform and highly effective user information security incident complaint reception mechanisms, to provide convenience for user complaints and reporting, and safeguard the popular masses’ lawful rights and interests.
(6) Strengthening comprehensive coordination in cybersecurity work
Cybersecurity work involves many domains, has a broad scope, brings heavy tasks and great difficulties, and is strongly systemic, general and coordinated in nature. To respond to complex cybersecurity situations, we must ensure uniform planning, uniform arrangements, uniform standards and uniform progress. We must incessantly perfect online law enforcement coordination mechanisms, and complete a standardized law enforcement system suited to the features of networks as quickly as possible. We must implement the relevant provisions of the Cybersecurity Law, strengthen the construction of cybersecurity law enforcement teams and law enforcement capabilities, strengthen the comprehensive coordination duties and responsibilities of cybersecurity and informatization departments, clarify the boundaries of and interfaces between all functional departments’ powers and responsibilities, and create coordinated action mechanisms for departments including cybersecurity and informatization, industry and information technology, public security, secrecy protection, etc.; we must both prevent functional overlap and multi-headed management, and avoid the shirking of law enforcement responsibilities and blank spots in management, incessantly raising law enforcement efficiency and effectively safeguarding cyberspace security. Considering the strong cross-regional nature of the Internet, and the fact that geographical boundaries are indistinct, we must complete and perfect cybersecurity non-local law enforcement cooperation mechanisms, and realize interregional law enforcement joint action. We must also eliminate departmental interests, cut through data and information barriers, reduce duplicate construction, establish shared data platforms, substantially ensure that data collected by different departments can be shared, and raise cybersecurity protection capabilities.
(7) Accelerating the construction of cybersecurity talent teams
Cybersecurity is one of the areas where technological renewal happens the most quickly; competition in cyberspace is fundamentally a competition over talent, and to construct a cyber power, the most crucial resource is talent. We must give high regard to cybersecurity talent training work; we must not only foster technical talents proficient in information system use and maintenance, but must also foster large batches of talents who are able to conduct cybersecurity risk supervision and control, emergency response and comprehensive protection, and thereby satisfy the demands put forward by the implementation of the Cybersecurity Law. We must further strengthen the construction of cybersecurity academic disciplines, optimize the structure of teacher teams, reform talent fostering models, and foster ever more applied talents who can satisfy practical requirements. We must encourage pilot reforms of the systems and mechanisms for developing network and informatization talent to be conducted and trialled with priority, research the establishment of cybersecurity special talent training, management and incentive mechanisms, and strengthen the fostering, recruitment and support of high-end cybersecurity talents and urgently required talents, ensuring that Party and government bodies and critical information infrastructure operating work units are able to recruit, use well and retain “high-end, capable and sharp” specialized talents proficient in cybersecurity technology.
At present, the Internet has deeply merged with all areas of economic development and social life, it has profoundly transformed people’s ways of production and life. We must earnestly study and comprehensively implement the spirit of the 19th Party Congress and especially Xi Jinping Thought on Socialism with Chinese characteristics for a new era, further raise our political stance, firmly establish correct cybersecurity views, further strengthen our sense of urgency and sense of awareness in implementing the law, advance all structures of the “Law and Decision” towards complete implementation, substantially safeguard cyberspace sovereignty and the direct personal interests of the popular masses, and provide firm guarantees for victoriously constructing a moderately prosperous society, gaining magnificent victories for Socialism with Chinese characteristics in a new era, and realizing the Chinese Dream of the great rejuvenation of the Chinese nation.