2016 global cyberspace security highlights (policy)

Posted by tetley at 2020-03-21



The development of the new generation of network information technology is driving an ever deeper integration of cyberspace and the real world. The scope of cyberspace security keeps expanding and its influence grows day by day; it has become a core issue for the national security, economic development and social governance of every country.

In 2016, although governments and enterprises around the world paid more attention to cyberspace security threats, major cyberspace incidents still occurred frequently. The industrialization of cybercrime centred on the digital economy was not curbed, and criminal activities such as network attacks, network extortion and telecommunication fraud continued to escalate. Attacks on critical information infrastructure and industrial systems became more intelligent, more covert and more damaging. Users' personal information, business secrets and even the political secrets of governments and political parties were leaked on a large scale. Hacker attacks on major political events such as general elections became a new form of ideological and strategic contest among countries.

Correspondingly, the global cyberspace governance system is undergoing a new round of change, and major countries have successively introduced major strategies, policies and regulations on cybersecurity. Against the background of urgent public security policies on cybercrime and cyber counter-terrorism, the differences and contests among governments, enterprises and citizens over national security and privacy protection have begun to stand out. Network security and data protection have become key barriers in international industrial competition, and the trend of security-driven innovation and development in the ICT industry is increasingly evident.

Based on authoritative reports from relevant domestic and foreign media, this topic reviews and analyzes the major cyberspace security events, laws and policies at home and abroad in 2016, and assesses the overall state of global cyberspace governance in 2016. This is the 2016 global Cyberspace Security Chronicle (Policy).

1. The United States releases the national action plan for cybersecurity

Policy summary: on February 9, 2016, the U.S. government released the Cybersecurity National Action Plan (CNAP). The plan summarizes seven years of the U.S. government's experience and draws lessons from cybersecurity trends, threats and intrusions. Its main contents include the following six points. First, establish the Commission on Enhancing National Cybersecurity, which includes representatives of leading enterprises and top technical experts; the commission is charged with developing a ten-year cyberspace security action roadmap and promoting communication and cooperation on network security among the federal government, state governments and enterprises. Second, raise the overall national network security level, including upgrading network infrastructure, improving individuals' network security protection capabilities and increasing network security investment, and establish a "federal chief information security officer" to coordinate the implementation of security policies across the federal government. Third, combat malicious acts in cyberspace, strengthen international cooperation with foreign countries, expand cyber forces internally, and encourage the international community to establish norms of state conduct. Fourth, improve response capacity for network incidents, introduce federal coordination policies for network security incidents, formulate guidelines for assessing the severity of security incidents, and improve the mechanism for government-enterprise collaborative response to network security incidents. Fifth, protect personal privacy, establish the "Federal Privacy Council", formulate and implement more strategic and comprehensive federal privacy protection guidelines, and promote research, development and innovation in privacy protection technology.

Brief comments: this 10-year network security development roadmap shows that the United States continues to strengthen its forward-looking positioning in international cyberspace and seeks to maintain its global leadership. By promoting "best practice" as an important means of network infrastructure protection, the United States encourages public-private cooperation, makes full use of the technical expertise and advantages of enterprises, and emphasizes the balanced development of the technological capabilities of government and enterprises. The United States also regards network security awareness and training as one of the core tasks for enhancing network security, focusing not only on awareness training but also on skills training.

2. EU launches the General Data Protection Regulation

Legal summary: on May 4, 2016, the European Union officially promulgated the General Data Protection Regulation (GDPR). The regulation replaces the 1995 Data Protection Directive, which had been in force for 20 years, in order to protect the privacy rights of European citizens in the new technological, economic and social environment. Its main contents include: (1) an expanded scope of application: any enterprise providing goods or services to EU citizens is subject to the regulation, regardless of whether the enterprise is located in the EU or uses equipment within it. (2) Two new rights, the right to erasure (right to be forgotten) and the right to data portability, to address increasingly serious problems in the big data environment such as data subjects' inability to effectively control their personal data and information asymmetry. (3) Regulation of the risks of big data use and strict limits on data profiling, which will seriously affect the current business practices of the big data industry. (4) Further strengthened powers for regulatory agencies: the data protection authorities of Member States may fine enterprises that violate EU data protection law up to 20 million euros or 4% of the enterprise's global annual turnover. (5) A requirement that public authorities processing personal data appoint data protection officers, to strengthen the information security governance of those authorities. (6) A data breach notification obligation, requiring the data controller to notify the relevant supervisory authority within 72 hours of becoming aware of a data breach.

Brief comments: the General Data Protection Regulation adopted by the European Union aims to further strengthen individuals' data protection rights and give Europeans a greater say in how their own data is used. It is also an important landmark in the development of the global data protection system. The EU's data protection reform not only raises personal data protection standards, but also increases enterprises' compliance costs and limits the development of the commercial value of data. Given the extraterritorial effect of EU law and its strict requirements for cross-border data transfers, the spillover effect of the regime will push other countries to raise their level of data protection so that data protection does not become an obstacle to international trade.

3. EU issues the Network and Information System Security Directive

Summary of law: on July 6, 2016, the EU legislature formally adopted the EU's first cybersecurity law, the Network and Information System Security Directive, which aims to "promote cooperation among Member States and lay down security obligations for operators of essential services and digital service providers". To achieve this, the Directive requires operators to take appropriate measures to manage network security risks and to report security incidents. In addition, the law requires Member States to formulate national cybersecurity strategies, strengthen cooperation among Member States and international cooperation, and increase investment in and support for research and development of cybersecurity technology.

Brief comments: as a key part of the EU's overall cybersecurity strategy, the Directive sends clear signals in the field of cybersecurity supervision. First, it attaches great importance to the supervision of cybersecurity and information security, strengthens comprehensive supervision and coordination, and establishes or strengthens regulatory agencies at the level of the EU and its Member States so that they have substantive functions. Second, it strengthens the obligations of enterprises, requiring them to take reasonable network security management measures and to share network security information; the new obligation to report security incidents in particular has become the most notable feature of the Directive. Third, it seeks to avoid excessive supervision. During earlier revisions of the Directive, the parties argued fiercely over its scope of application and the corresponding obligations of the covered entities. The EU authorities made a number of significant changes, especially to avoid over-regulation that could burden enterprises and damage the innovation capacity of small and medium-sized enterprises, and stipulated that the obligations borne by enterprises should be proportionate to the degree of risk.

4. The US and Europe approve the Privacy Shield agreement

Policy summary: on July 12, 2016, the European Union officially approved the EU-US data transfer agreement "Privacy Shield", replacing the original "Safe Harbor" agreement. The new arrangement provides a new standard for personal privacy protection in transatlantic data transfers. The main contents of the Privacy Shield agreement include: (1) Privacy Shield principles: a code of conduct that explicitly protects personal data transferred from the EU to the United States, to which American enterprises can make binding commitments under American law. (2) Supervision and implementation: letters signed at the highest level of all relevant U.S. government agencies set out the management and implementation of the framework. (3) Ombudsman mechanism: a new mechanism for handling requests concerning national security access to data transferred from the European Union to the United States. (4) Safeguards and restrictions: communications from the Office of the Director of National Intelligence and the Department of Justice set out the safeguards and restrictions that apply to national security and law enforcement access to data.

Brief comments: the EU's repeal of the Safe Harbor agreement and its replacement with the Privacy Shield agreement were driven mainly by the PRISM revelations. Europe and the United States have a long history of differences on privacy protection. The European Union tends to adopt strict legislation to regulate the cross-border flow of personal data, while the United States has long relied on self-regulation, holding that the government should not set obstacles to the cross-border flow of personal data, since doing so would affect the freedom of the network and hinder the development of the digital economy. EU regulation of cross-border data flows not only protects the personal data and privacy interests of EU citizens, but also reflects the EU's position in digital economy development, industrial capacity building and political and diplomatic contests.

5. The U.S. Court ruled that the FBI search warrant had no extraterritorial effect

Basic case: in December 2013, James C. Francis, a magistrate judge of the Federal District Court for the Southern District of New York, issued a search warrant asking Microsoft to assist in the investigation of a drug case by handing over a user's e-mail content and other account information to the U.S. government; Microsoft refused to hand over the user's e-mail content. On August 29, 2014, Loretta Preska, a judge of the Federal District Court in Manhattan, ordered Microsoft to submit the user's e-mail data stored in its Irish data center to US prosecutors. The judge ruled that Microsoft had to hand over the e-mail data because, although it was stored abroad, it was controlled by an American company. Microsoft refused to comply with the court's order and appealed to the Second Circuit Court of Appeals. The central issue in this case is whether U.S. law enforcement has the right to compel U.S. companies to provide data content stored outside the United States; that is, whether the U.S. government can legally obtain all kinds of data on the global users of U.S. enterprises, regardless of where those users are, regardless of their nationality, and regardless of whether the U.S. Internet enterprises adopt "data storage localization". On July 14, 2016, the Federal Court of Appeals for the Second Circuit ruled in "Microsoft v. U.S. government". The dispute, which began in 2013, over whether the FBI had the right to obtain user data stored by Microsoft in its Irish data center came to an end. The three judges of the Court of Appeals agreed that the FBI's search warrant has no extraterritorial effect, and that the proper way to obtain overseas data is through bilateral mutual legal assistance treaties.

Brief comments: the judgment in this case gives transnational Internet companies a degree of legal certainty: to operate in a country, only that country's laws need to be observed, and those laws should not have extraterritorial effect. The decision also reinforces the trend toward data localization. If U.S. courts hold that the location of data storage is decisive, then more and more countries will impose ever stricter data localization requirements in order to avoid U.S. surveillance. The judgment concerns not only the scope of the U.S. government's law enforcement power, but also the autonomy of each country's cyberspace.

6. UK issues the National Cyber Security Strategy

Policy summary: on November 1, 2016, the UK announced a new "National Cyber Security Strategy". The new strategy has three main pillars: defend, deter and develop. Defence is the first step of the three-step strategy proposed by the British government and aims to strengthen Internet defence capability, especially in key industries such as energy and transport. The British government, together with the industrial sector and private enterprises, will adopt automated defence technology to resist hacker attacks, viruses, spam and other abuses. Deterrence is the second pillar. The British government believes that an effective response to cyber attacks will help reduce the threat, and plans to strengthen network law enforcement capability in two ways: by strengthening international cooperation to jointly respond to network threats, and by improving technology to enhance the ability to counter attacks. The third pillar is to vigorously cultivate network talent, develop the latest technology and keep pace with the development of global Internet technology. The UK will set up a network security institute to work with universities to improve the security of devices such as smartphones, tablets and laptops. Next year, a network innovation fund will be launched to provide training and financial support to network security startups, helping them seek investment and commercialize their technological achievements.

Brief comments: the British government has issued three national cybersecurity strategies within seven years, aiming to build a prosperous, reliable, secure and resilient cyberspace and to secure a dominant position in global cyberspace. In terms of framework, the UK has essentially established a relatively complete network security strategic framework, with clear objectives, clear principles, and specific, actionable measures. The UK's strategic orientation is to develop the network economy; the action plan calls for increased investment in network security so that global cyberspace develops in a direction favourable to the UK's economic and security interests. The strategy marks a shift from simple network security and passive defence toward strategic initiative and deterrence.

7. China issues the Network Security Law

Summary of law: on November 7, 2016, China's Network Security Law was passed; it comes into force on June 1, 2017. This is China's first basic law on network security. The law defines the principle of cyberspace sovereignty and the security obligations of network product and service providers and network operators, improves the rules on personal information protection, establishes a security protection system for critical information infrastructure, and establishes rules for the cross-border transfer of important data held by critical information infrastructure.

Brief comment: as a special law on network security, the Network Security Law embodies dialectical thinking about development and security, emphasizing that network security and information development must both be given weight. The law puts forward the requirement of security and trustworthiness: users must remain the owners of their own information, systems and equipment, and product and service providers are forbidden to illegally obtain information from users' systems and equipment, to illegally control or manipulate users' systems and equipment, or to undermine users' autonomy and control over their own information, systems and equipment. The promulgation of the Network Security Law is of great significance for protecting the legitimate rights and interests of network participants, guaranteeing the lawful, orderly and free flow of network information, promoting innovation in network technology, and ultimately achieving development on the basis of network security.

8. The Investigatory Powers Act 2016 passed by the British Parliament

Summary of law: on November 30, the British Parliament passed the Investigatory Powers Act 2016. The law requires Internet and telecommunication companies to collect customer communications data and retain 12 months of browsing history records for use by the police, security services and other public bodies in tracking down those suspected of terrorist activities and serious crime. Companies are obliged to assist the relevant departments in bypassing encryption in order to carry out such tasks. At the same time, all levels of government, tax authorities and other public bodies in the UK will have the right to collect information about citizens' activities on websites and social media. The new Act aims to "strengthen the ability of law enforcement and intelligence agencies to carry out their key operations", closing gaps in these agencies' work so that the security sector has greater power to collect intelligence and evidence on the online activities of suspicious persons and the like.

Brief comments: for the government, real tasks such as dealing with the threat of terrorism require it to monitor network communications data in the digital era. At the same time, public awareness of network information security is constantly rising. The continuing impact of the Snowden affair has also made the government's increased monitoring of network information a sensitive issue for the public. The essence of the dispute between personal privacy and national security is a dispute over data and rights. It is closely tied to the international and domestic political and economic situation, and the two sides are in a dynamic balance that rises and falls over time.

9. Russia issues a new version of the Federal Information Security Doctrine

Policy summary: on December 5, 2016, Russia promulgated the revised Information Security Doctrine of the Russian Federation. The document develops the National Security Strategy of the Russian Federation and the strategic planning documents defined in Order 683, signed by the President of the Russian Federation on December 31, 2015. It aims to ensure Russia's national security in the information sphere and, at the strategic level, to prevent and contain military conflicts related to information technology. The document is divided into five parts: general principles; national interests in the information sphere; major information threats and the state of information security; strategic objectives and main development directions of information security; and the organizational basis of information security. It sets out the main development directions of information security in the fields of national defence, national and social security, the economy, scientific research, technology and education, and the maintenance of strategic stability and equal strategic partnership.

Brief comments: the doctrine provides a framework and basis for the formulation of Russia's follow-up documents and bills. It shows the Russian government's concern about a range of threats, such as foreign hacker attacks, negative media coverage, and the activities of foreign intelligence agencies in Russia. As a major country in a period of transition, Russia has kept its domestic and foreign policies in a state of constant adjustment, and Russia and the West, especially the United States, have formed a new confrontation in cyberspace.

10. China issues the National Cyberspace Security Strategy

Policy summary: on December 27, the Cyberspace Administration of China issued the National Cyberspace Security Strategy, marking the basic completion of the top-level design for China as a cyber power and announcing that the Chinese government will promote the building of a cyber power and the governance of cyberspace with greater openness and confidence. The strategy sets out China's core concepts and strategic propositions on cyberspace security in four parts: opportunities and challenges, objectives, principles, and strategic tasks. It systematically defines the concept and influence of cyberspace; puts forward the strategic objectives of promoting a peaceful, secure, open, cooperative and orderly cyberspace, safeguarding national sovereignty, security and development interests, and building a cyber power; establishes four principles, namely respecting and safeguarding cyberspace sovereignty, peaceful use of cyberspace, governing cyberspace according to law, and coordinating cyberspace security and development; and sets out nine strategic tasks: firmly defending cyberspace sovereignty, firmly safeguarding national security, protecting critical information infrastructure, strengthening the building of cyber culture, combating cyber terrorism and illegal crime, improving the network governance system, consolidating the foundation of cyber security, improving cyberspace protection capability, and strengthening international cooperation in cyberspace.

Brief comment: the strategy, together with laws and regulations and organizational construction, will constitute the institutional pillar of China as a cyber power. In 2014, the Party Central Committee began with the reform of systems and mechanisms, broke down the barriers between cyberspace security management departments, and established the Office of the Central Leading Group for Cyberspace Affairs; on this basis it took more than a year to lead the introduction of China's basic law on cyberspace security, the "Cyberspace Security Law", and has now further issued the "National Cyberspace Security Strategy", completing the closed loop of the top-level design for China as a cyber power. This series of institutional measures reflects the openness and transparency of cyberspace security governance in China, and is the standard system through which China integrates into the world system to build a cyber power. At the same time, although the strategy is a top-level design, its realization must rely on bottom-up corporate and social forces, and must be grounded in security while also going beyond it. The strategy is not only a comprehensive guarantee for China's economic and social development in the new era, but also a new exploration of China's model of social development and governance in the network era. Only in this way can the rights and interests of China's citizens and the innovation and prosperity of its enterprises be fundamentally guaranteed, and China better integrate into the international system for cyberspace development and governance. Building a community with a shared future in cyberspace is the fundamental meaning of building China into a cyber power and of its cyberspace security.

See also the 2016 global Cyberspace Security Chronicle (event chapter) published by CGI in the previous issue.

Editor: Ye Xuefeng