New Chinese cybersecurity rules could delay release of threat alerts to business and public, tech specialists warn
- Draft guidelines state that police and regulators must be notified before any information about cybersecurity dangers is made public
- Regulations are designed to prevent information being exploited, but security specialists fear ban on sharing technical details could hamper their ability to fix problems
China’s proposed cybersecurity regulations could delay alerts to the public and business about critical threats, specialists have warned.
The draft rules issued by the Cyberspace Administration of China on Wednesday would require police and government regulators to be notified before any information is made public.
They also prohibit the public sharing of technical information such as malicious source code or security loopholes.
The proposed rules, open for public consultation until December 19, would cover media reports, online discussions, public forums and messages from security apps.
The cyberspace administration said the new rules were designed to strengthen cybersecurity, prevent profiteering and stop illegal exploitation of online security.
It also said the enforced delay would give police and regulators time to mitigate any damage.
But one cybersecurity expert – who wished to be identified only by the alias MDrights – said the proposed rules could limit sharing of knowledge among specialists and impair their ability to fix these security flaws.
“This [technical] information needs to be communicated to the industry. We need to know how the attacks happen so we know how to protect against them, and everyone can learn and improve together,” he said.
The regulations would also significantly affect the way the Chinese media could cover cybersecurity threats, Wang Boyuan, a Chinese technology writer, warned.
“There is basically nothing left to write about. The rules ban many things relating to cybersecurity incidents from being disclosed,” Wang said.
“Chinese media will need to notify authorities before they report on cybersecurity incidents.”
However, the watchdog insisted the media could continue “normal reporting” of cybersecurity news, as long as they complied with the notification requirement and did not disclose any data leaked due to cyberattacks.
It added that once the cybersecurity threat was reported to the authorities, the source did not need government approval for releasing the information to the public.
In a Q&A posted on the administration’s website, it also complained that some cybersecurity firms had been exaggerating some threats for marketing purposes.
Some industry specialists said the new rules could help to check malicious hackers and simplify the process of reporting threats.
Maxime Oliva, chief executive of cybersecurity firm TekID, said that currently people could report attacks to the police, the Ministry of Industry and Information Technology, or other regulators.
“Now we have a very clear, identified process of how to report,” he said.
Taiger Zhao, a lawyer from Dentons’ Shanghai office, said he did not think the new rules would have a great impact on the flow of information and media reporting of cybersecurity threats, although they would increase the workload involved in the process.
The new guidelines are the latest in a series of measures designed to enforce a cybersecurity law, introduced in 2017, which was described as a way to improve national security, safeguard internet sovereignty and the public interest.
The year before the law’s introduction, Wooyun, one of the leading platforms for “white hats” – or ethical hackers who look for flaws in security systems to warn people of the risks – was shut down after several managers were reportedly detained.
The platform had faced numerous complaints after exposing security flaws in large companies’ websites, although it was not clear whether anyone ever faced criminal charges.
However, the Wooyun archive had survived online until Wednesday’s announcement about the new rules.
It has since been taken down and replaced with a message that says: “Due to rules four, eight and 12 on the disclosure of cybersecurity threats, our website will be closed. Reopening to be determined.”