On November 20, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Publication of Cybersecurity Threat Information (“Draft Measures”) for public comment. (An official Chinese version is available here). The comment period ends on December 19, 2019.
The release of the Draft Measures marks an important step forward in implementing Article 26 of China’s Cybersecurity Law (“CSL”), which establishes that the publication of cybersecurity information (such as information related to system vulnerabilities, computer viruses, cyberattacks and/or network intrusions) to “the public” must comply with unspecified “relevant rules.” Article 26 does not specify what kind of entities or individuals are subject to this requirement; thus, it is unclear whether Article 26 applies to entities that have discovered vulnerabilities on their own networks and/or to the activities of third parties, such as cybersecurity research firms, that have uncovered cybersecurity threats to others’ networks.
The Draft Measures are intended to provide further guidance for entities and individuals based in China that have threat information about other network operators’ network or information systems, and outline how they can publish that threat information in a compliant way. The Draft Measures are silent as to whether these requirements will apply to entities or individuals based outside of China and, if the requirements do apply to the publication of threat information globally, how entities or individuals outside of China can comply. It is also unclear to what extent the Draft Measures would apply to network operators who become aware of cybersecurity threat information related to their own networks.
Below is a summary of the key requirements of the Draft Measures.
Definition of Cybersecurity Threat Information
The Draft Measures provide a broad definition of “cybersecurity threat information,” which includes (Article 12):
- Any information used to describe the intent, methods, tools, processes or results of activities that may threaten the normal operation of a network (for example, information about computer viruses, cyberattacks, cyber intrusions, cybersecurity incidents, etc.); and
- Information that may expose the vulnerability of a network, including general risks and vulnerabilities of network and information systems, network planning and design, network topology structure, assets information, software source code, properties of network units or equipment (e.g., types, settings and software), cybersecurity risk assessment reports, testing and certification reports, security protection strategy and other related plans.
Reporting Obligations Prior to Publication
Publication of Information Related to Individual Cybersecurity Incidents
Under the Draft Measures, any entities or individuals planning to publish information on individual cybersecurity incidents (including cyberattacks or illegal intrusions into network or information systems) must first report to the local public security bureau (“PSB”) at the municipal level (Article 5).
Publication of “Comprehensive Analysis Report” on Cyberattacks, Incidents, Risks, and Vulnerabilities
Prior to the publication of a “comprehensive analysis report” (which may include descriptions of cyberattacks, incidents, risks, and vulnerabilities) that covers a “region,” entities or individuals are required to first submit the report to the local CAC and PSB at the municipal level. The Draft Measures do not specify whether the “region” refers to a region within China.
Furthermore, if the “comprehensive analysis report” indicates that there might be risks to a number of sensitive sectors, such as “public communication and information services, energy, transportation, water projects, finance, public services, e-government, national defense science and technology, or other important industries and fields,” the report must be submitted to respective sectoral regulators first.
Finally, if the “comprehensive analysis report” covers nationwide, cross-region or cross-industry cybersecurity threat information, the report must be submitted to the CAC and the Ministry of Public Security before it can be published (Article 6).
Note that, as clarified in a Q&A published on the CAC’s website (available here), the reporting obligation is not a form of administrative approval; as long as the reports are submitted to the respective regulators, it is unlikely that the entity or individual will need to wait for approval from the regulator.
Prior Approval from the Operator of the Network and Information System
If any entities or individuals plan to publish the risks or vulnerabilities of specific network and information systems operated by a “network operator,” they must obtain prior written approval from such an operator, unless (Article 8):
- Relevant risks or vulnerabilities have been mitigated or fixed; or
- Entities or individuals planning to publish cybersecurity threat information have submitted a report to the CAC, telecom regulator, PSB or relevant sectoral regulator 30 days prior to the publication.
Obligations on Operators of Publication Platforms
If any cybersecurity threat information published on a platform is in violation of the requirements described above, the operator of that platform must cease the publication immediately after being notified by regulators or users, or otherwise becoming aware of the violation. Platform operators must also take mitigating measures, such as preventing the dissemination of such information and keeping relevant records, and must report to the local CAC and PSB at the municipal level (Article 9). This requirement applies to the following types of “platform” operators:
- Newspapers, television channels and other publications;
- Websites, online forums, blogs, public accounts on social media, instant messaging tools, live streaming platforms, online audio or video platforms, mobile applications and shared internet storage space or cloud storage;
- Conferences, forums or seminars open to the public; and
- Cybersecurity competitions.
Prohibitions on Publishing Certain Threat Information
According to Article 4 of the Draft Measures, published cybersecurity threat information may not include the following information:
- The source code or development methods of a computer virus or malicious software (e.g., trojanware or ransomware);
- Descriptions of software and tools that are specifically used to (1) conduct cyber intrusions, (2) disturb the normal functions of a network, (3) destroy network protection measures, or (4) steal network data;
- Details that can be used to replicate cyberattacks or cyber intrusions;
- Data that is compromised from a specific data breach incident;
- Network planning and design, network topology structure, assets information, software source code, properties of network units or equipment (e.g., types, settings and software); or
- Cybersecurity risk assessment reports, testing and certification reports, and security protection strategies and plans for specific network and information systems.
Furthermore, given that only government agencies have the authority to publish “cybersecurity warnings,” entities or individuals who publish cybersecurity threat information are not allowed to label the information as a “Warning” in the titles of published posts or articles (Article 7). Entities and individuals may instead publish “risk alerts” or “threat information” to notify the public of existing or potential cybersecurity threats.