This is one of a series of articles on the Cyber Security Law.

The Cyber Security Law has been in force for a quarter.

As China's first law in the field of network security and the basic law of network security management, this law has symbolic significance for the industry. It announced that the Internet in China has entered an era of comprehensive supervision, and that enterprises and individuals engaged in Internet business alike now have laws to follow and to be checked against. All network operators need to understand, master and practice the provisions of the Network Security Law to avoid the risk of violating it.

For small and medium-sized enterprises, compliance mainly means implementing a few specific provisions, such as establishing security personnel or departments, security systems and security norms, which is relatively simple. Ecosystem-level companies such as Tencent and Alibaba, however, are subject to several times more provisions because of their extensive business and huge number of users. Although they maintained good communication with government departments during the legislative process, compliance is still a huge and arduous project on the whole.

Explaining provision by provision how Tencent puts the law into practice is clearly impossible, especially for an external observer like Sihu, and readers are welcome to point out any omissions in the comments on this article. Tencent Cloud security experts have given an interpretation of six key points of the Network Security Law, and I will take these six as the main thread of this introduction.

Promote a tiered cybersecurity protection system

Because their responsibilities are divided differently, the three top regulatory bodies also interpret the Network Security Law differently. For the Ministry of Public Security, the core element is the network security hierarchical protection system, which was introduced in 2007 and is now being improved as version 2.0. The Ministry of Public Security hopes to make the hierarchical protection system the basic system and national policy of national network security in the new era.

For Tencent, implementing such a system falls into three areas. First, ordinary businesses establish conventional security protection capabilities in accordance with the requirements, which needs no further explanation. Second, Tencent Cloud can only provide services to customers with important information systems after passing the cloud hierarchical protection assessment; it has obtained the cloud hierarchical protection level 4 qualification. Third, core businesses such as QQ and WeChat are important Internet platforms with national influence. According to relevant sources, they may be rated as critical information infrastructure and subject to stricter supervision.

The Regulations on the Security Protection of Critical Information Infrastructure are still being formulated, and this can only be determined after an evaluation.

Strengthen the protection of personal information

The Network Security Law requires network operators to establish and improve user information protection systems. The collection and use of users' personal information must comply with the principles of legality, legitimacy and necessity, the principle of security and confidentiality of the collected information, the principle of domestic storage of citizens' information, and the disclosure reporting system.

Two recent cases involving WeChat illustrate this aspect. In early August, there was a dispute between Tencent and mobile phone manufacturers over reading user chat records. Tencent vice president Ding Ke responded to the media that WeChat will not read or store WeChat chat records, and that it has the ability to provide support only for national judicial requirements and for compliance in multi-person group chats. In late August, WeChat updated its privacy agreement to specify the collection and storage of users' personal information and the security measures applied, but it did not mention the peer-to-peer technology it had used in the past. It is unclear why.

Data transfer across borders requires security assessment

The Cyber Security Law requires that personal information and important data of critical information infrastructure be stored in China, and that a security assessment be conducted if the data needs to be provided overseas. In April this year, the Cyberspace Administration of China (CAC) issued the Draft Measures for Assessing the Security of Personal Information and Important Data Leaving the Country to solicit comments, expanding the scope of supervision to include "network operators". That is to say, any individual or enterprise that has personal information or important data to transmit abroad needs to conduct a security assessment. If the amount is large (more than 500,000 people, more than 1000 GB, etc.), they need to report to the regulatory authorities, who organize the assessment.

Four days after the draft was issued, Hu Xiao, deputy director of the Cyberspace Administration's cyber security coordination bureau, explained it in detail at a closed-door industry salon. He emphasized the legal effect of the measures (the measures are lower-level law, but the Network Security Law also leaves room in that "administrative regulations can be stipulated"), and introduced three important dimensions of the security assessment: whether the subject of the personal information has consented, whether the transfer may affect national security and the public interest, and whether the regulator allows it. On this view, companies can avoid risk by stating authorization for the data to leave the country in the user's personal information use agreement.

But Tencent is worried that the approval system could hamper its overseas business. The guests at the salon included legal executives of Tencent, Alibaba and other companies. At the round table, Tencent's legal staff described the awkward situation they face. They need to submit a security assessment in advance for new business overseas, and the assessment may not be completed in time (it can take up to 60 days), so the best time for the business launch will have passed. Tencent is also building network infrastructure around the world, and after users go abroad, their personal data will pass through overseas infrastructure. Does every business need to be reported for security assessment?

Tencent and Alibaba hope the CAC will consider similar cases and reduce the approval process, and it is uncertain whether the CAC will add relevant content to the final draft.

Purify the network environment and observe the network order

Article 47 of the Network Security Law: the network operator shall strengthen the management of the information released by its users, and shall immediately stop the transmission of information prohibited by laws and administrative regulations, take disposal measures such as elimination, prevent the spread of information, save relevant records, and report to the relevant competent authorities.

On August 11, the Guangdong Cyberspace Administration office opened an initial investigation into Tencent WeChat over users spreading violence, terrorism, false rumors, obscenity and other information endangering national security, public security and social order; the platform is suspected of violating the Cyber Security Law and other laws and regulations and of failing to fulfill its management obligations. The CAC guided the investigation.

Roar's comment: When will the number of audit staff exceed the number of business staff?

Respond quickly and implement emergency plans for cyber security risks

Although Tencent's businesses have numerous vulnerabilities, TSRC's level is still commendable and basically represents the highest level of emergency response in the industry.

Tencent Security was the earliest to discover the XcodeGhost risk and the earliest in China to discover the XShell backdoor; its strength is self-evident. If you have questions on this topic, you can leave a message for Sihu, and I will find an opportunity to ask.

Fully implement real-name authentication in cyberspace

In terms of personal information, there is also a requirement that network operators providing Internet access and speaking services must collect users' real identity information. QQ and WeChat accounts therefore now have to be bound to a mobile phone number before they can be registered and used, which is one of the changes brought by the Network Security Law.

Provide technical support and assistance to law enforcement activities

During the fourth Internet Security Publicity Week, a Roar editor asked Ma Bin, vice president of Tencent, the question in the title. His answer was quite official, but you will find that much of it is reflected in the sections above:

Tencent has been involved in the draft of the Cyber Security Law. We have been working with the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT) and the legislature from the beginning to the end, and the country has very high requirements on this level. I have attended many national meetings. In fact, the country has certain requirements for the implementation of the Network Security Law. Therefore, Tencent, from top to bottom, including our own institutions, other business groups of Tencent and relevant institutions, have learned and applied them in their own work.

Ma Bin did not go into details. It was Li Xuyang, head of Tencent anti-fraud, and his colleagues who introduced the anti-fraud "smart brain" built in multilateral cooperation with public security, banks and others. Four products were shown on site: the Eagle Eye smart phone fraud case, the Kylin pseudo base station positioning system, the capital budgeting god ZhaKong system, and the Tencent security situation awareness system.

The Tencent Security anti-fraud laboratory uses AI technology to study patterns of confrontation with the black-market industry, and has developed more than ten anti-fraud products such as Eagle Eye, Kylin, Shenzhen, Shencha (anti-phishing) and Shenyang (intelligence analysis), which can play a role at the key stages before, during and after a fraud. So far, the laboratory has worked with over 20 cities across China to deploy anti-fraud products and help solve fraud cases.

Finally

Tencent also has obligations and has taken action under many other provisions, including network security publicity and education, training of network security personnel, protection of minors, and security monitoring and early warning. For reasons of space they are not covered here; related topics may be discussed later.

www.4hou.com/info/news/7…