On November 20, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Publication of Cybersecurity Threat Information (“Draft Measures”) for public comment.  (An official Chinese version is available here).  The comment period ends on December 19, 2019.

The release of the Draft Measures marks an important step forward in implementing Article 26 of China’s Cybersecurity Law (“CSL”), which establishes that the publication of cybersecurity information (such as information related to system vulnerabilities, computer viruses, cyberattacks and/or network intrusions) to “the public” must comply with unspecified “relevant rules.”  Article 26 does not specify what kind of entities or individuals are subject to this requirement; thus, it is unclear whether Article 26 applies to entities that have discovered vulnerabilities on their own networks and/or to the activities of third parties that have uncovered cybersecurity threats to others’ networks, such as cybersecurity research firms.

The Draft Measures are intended to provide further guidance for those entities and individuals based in China that have threat information about other network operators’ network or information systems, and outline how they can publish the threat information in a compliant way.  The Draft Measures are silent as to whether these requirements will apply to entities or individuals that are based outside of China and, if these requirements apply to the publication of threat information globally, how entities or individuals outside of China can comply.  It is also unclear to what extent the Draft Measures would apply to network operators who become aware of cybersecurity threat information related to their own networks.

Below is a summary of the key requirements of the Draft Measures.

Definition of Cybersecurity Threat Information

The Draft Measures provide a broad definition of “cybersecurity threat information,” which includes (Article 12):

  • Any information used to describe the intent, methods, tools, processes or results of activities that may threaten the normal operation of a network (for example, information about computer viruses, cyberattacks, cyber intrusions, cybersecurity incidents, etc.); and
  • Information that may expose the vulnerability of a network, including general risks and vulnerabilities of network and information systems, network planning and design, network topology structure, assets information, software source code, properties of network units or equipment (e.g., types, settings and software), cybersecurity risk assessment reports, testing and certification reports, security protection strategy and other related plans.

Reporting Obligations Prior to Publication

Publication of Information related to Individual Cybersecurity Incidents

Under the Draft Measures, any entities or individuals planning to publish information on individual cybersecurity incidents (including cyberattacks or illegal intrusion of network or information systems) must first report to local public security bureaus (“PSB”) at the municipal level (Article 5).

Publication of “Comprehensive Analysis Report” on Cyberattacks, Incidents, Risks, and Vulnerabilities

Prior to the publication of a “comprehensive analysis report” — which may include descriptions of cyberattacks, incidents, risks, and vulnerabilities — that covers a “region,” entities or individuals are required to submit the report to the local CAC and PSB at the municipal level first.  The Draft Measures do not specify whether the “region” refers to a region within China.

Furthermore, if the “comprehensive analysis report” indicates that there might be risks to a number of sensitive sectors, such as “public communication and information services, energy, transportation, water projects, finance, public services, e-government, national defense science and technology, or other important industries and fields,” the report must be submitted to respective sectoral regulators first.

Finally, if the “comprehensive analysis report” covers nationwide, cross-region or cross-industry cybersecurity threat information, the report must be submitted to the CAC and the Ministry of Public Security before it can be published (Article 6).

Note that, as clarified in a Q&A published on the CAC’s website (available here), the reporting obligation is not a form of administrative approval, and as long as the reports are submitted to the respective regulators, it is unlikely the entity or individual will need to wait for the approval from the regulator.

Prior Approval from the Operator of the Network and Information System

If any entities or individuals plan to publish the risks or vulnerabilities of specific network and information systems operated by a “network operator,” they must obtain prior written approval from such an operator, unless (Article 8):

  • Relevant risks or vulnerabilities have been mitigated or fixed; or
  • Entities or individuals planning to publish cybersecurity threat information have submitted a report to the CAC, telecom regulator, PSB or relevant sectoral regulator 30 days prior to the publication.

Obligations on Operators of Publication Platforms

If any cybersecurity threat information published on a platform is in violation of the requirements described above, the operator of such platforms must cease the publication immediately after being notified by regulators or users, or otherwise becoming aware of such violation.  Platform operators must also take mitigating measures, such as preventing the dissemination of such information and keeping relevant records, and report to the local CAC and PSB at the municipal level (Article 9).  This requirement applies to the following types of “platform” operators:

  • Newspapers, television channels and other publications;
  • Websites, online forums, blogs, public accounts on social media, instant messaging tools, live streaming platforms, online audio or video platforms, mobile applications and shared internet storage space or cloud storage;
  • Conferences, forums or seminars open to the public; and
  • Cybersecurity competitions.

Prohibitions on Publishing Certain Threat Information

According to Article 4 of the Draft Measures, published cybersecurity threat information may not include the following information:

  • The source code or development methods of a computer virus or malicious software (e.g., trojanware or ransomware);
  • Descriptions of software and tools that are specifically used to (1) conduct cyber intrusions, (2) disturb the normal functions of a network, (3) destroy network protection measures, or (4) steal network data;
  • Details that can be used to replicate cyberattacks or cyber intrusions;
  • Data that is compromised from a specific data breach incident;
  • Network planning and design, network topology structure, assets information, software source code, properties of network units or equipment (e.g., types, settings and software); or
  • Cybersecurity risk assessment reports, testing and certification reports, security protection strategies and plans of specific network and information systems.

Furthermore, given that only government agencies have the authority to publish “cybersecurity warnings,” entities or individuals who publish cybersecurity threat information are not allowed to label information as a “Warning” in the titles of published posts or articles (Article 7).  Entities and individuals may instead publish “risk alerts” or “threat information” to notify the public of existing or potential cybersecurity threats.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.