December 18, 2019

Cyber Security Coordination Bureau
National Internet Information Office
No. 11 Chegongzhuang Street
Xicheng District, Beijing 100044

Submitted electronically to security@cac.gov.cn

Re: Enquiries on Management Measures for Cyber Security Threat Information Release

The Cybersecurity Coalition (“Coalition”) and the Cyber Threat Alliance (“CTA”) submit this feedback in response to the request for comment issued by the National Internet Information Office on November 20, 2019 regarding the draft Administrative Measures for the Release of Cyber Security Threat Information (“Draft Measures”).  The Coalition and CTA appreciate the opportunity to provide these comments to the Cyberspace Administration of China (“CAC”) and to express concerns about some of the requirements set forth in the Draft Measures that conflict with international standards for vulnerability management and disclosure. 

I. Background About the Coalition and CTA

The Coalition is composed of leading companies with a specialty in cybersecurity products and services dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.[1]  We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management.  We are supportive of efforts to identify and promote the adoption of cybersecurity best practices, information sharing, and voluntary standards throughout the global community.


CTA is a not-for-profit organization working to improve the cybersecurity of our global digital ecosystem by enabling near real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field.  We enable our members to better protect their customers and clients, supporting the disruption of malicious actors, and raising the level of cybersecurity of our digital ecosystem.

II. Coalition and CTA Comments

A. The Draft Measures and MIIT Regulation are in tension with international standards, common practices of the cybersecurity industry, and the security research community.

The Coalition and CTA provided comments in July 2019 to the applicable Ministry of Industry and Information Technology (“MIIT”) authorities on the Proposed Draft Cybersecurity Vulnerabilities Administrative Regulation (“MIIT Regulation”)[2] and encourage additional consideration of these comments, as they directly relate to the Draft Measures.  Specifically, the Coalition and CTA urge CAC to harmonize the Draft Measures and MIIT Regulation with international standards and industry best practices.  In multiple sections, the Draft Measures and MIIT Regulation diverge from broadly adopted industry best practices and international standards in the field of cyber threat information sharing and Coordinated Vulnerability Disclosure (“CVD”).  For example, Article 5 introduces a breach notification requirement that diverges widely from global norms, including as articulated in the EU General Data Protection Regulation.[3]  Divergence on these issues, requirements for early disclosure of cyber threat information (including vulnerabilities) to entities, including authorities, that are not essential to mitigation development, and mandated specific timelines for mitigation all increase the risk that a vulnerability will be exploited and undermine security.  They also undermine the ability of Chinese innovators to compete in global markets.  The Coalition and CTA support the alignment of the Draft Measures and the MIIT Regulation with the international standards ISO/IEC 29147 (2018), ISO/IEC 30111 (2019) and ISO/IEC 27035 (2016) and subsequent standards on these issues, as well as the removal of requirements that diverge from such standards.

 

The Coalition and CTA also urge the CAC and MIIT respectively to clarify the scope and minimize overlap between their respective regulations regarding threat information reporting and vulnerability disclosure, and align them with widely adopted international standards in this field.[4]  

One example that highlights the need for clarity is that while the MIIT Regulation applies specifically to activity in mainland territories, the Draft Measures do not address the scope of their jurisdiction.[5]  If the Draft Measures were more clearly scoped, the requirements contained therein would be more effective and companies would be better positioned to comply with them.  We recommend that the Draft Measures be revised to better align with the scope of the MIIT Regulation by clarifying that they apply only to publishing threat information within mainland territory and/or to entities within the mainland territory.  In addition, both the Draft Measures and the MIIT Regulation restrict disclosure of cybersecurity vulnerabilities, with differing restrictions and reporting requirements to government agencies.[6]  For example, in certain cases, the Draft Measures permit public disclosure of vulnerabilities where the government has had 30 days advance notice or preventative measures have been taken, but the MIIT Regulation restricts such public disclosures.[7]  The Coalition and CTA urge CAC and MIIT to clarify which regulation applies to which circumstances and to eliminate any redundancy.

B. The Draft Measures include sweeping restrictions on the disclosure of the types of information that are necessary to strengthen cybersecurity.

The restrictions on the content of the security threat information that can be shared following discovery of a security threat conflict with the need to share enough information to permit resolution or mitigation of a vulnerability.  Article 4 of the Draft Measures states that cybersecurity threat information that is published shall not include several specific types of content.  For example, the Draft Measures prohibit the publishing of detailed information that can be used to reproduce the cyber-attack and intrusion processes.  However, such information is critical when determining whether a vulnerability is legitimate as well as whether it has been fixed.  The information types listed in Article 4 are precisely the types of technical information cybersecurity providers need to develop and implement defenses against cyber threats.  Network defenders need similar types of information to protect their networks against those threats.  If cybersecurity companies and network defenders are not allowed to share such information with each other, then the risk of successful intrusions and attacks will instead increase in China, rather than decrease. 


Rather than enhancing cybersecurity in China, it is more likely that the restrictions in Article 4 would result in the opposite outcome, compromising China’s ability to secure its networks and decreasing the overall effectiveness of cybersecurity products in China.  Malicious cyber actors already share this information amongst themselves and would likely not be deterred by this regulation from continuing that practice.  Consequently, the restrictions on vulnerability disclosure and the type of information that can be published would only impact legitimate cybersecurity providers and network defenders and would inevitably limit the growth of China’s private cybersecurity industry. 


The restrictions on the disclosure of information in the Draft Measures capture circumstances in which such disclosure is warranted under standards that have been adopted industry-wide and are reflected in international standards.  Categorically preventing the sharing of these types of information, including in cases in which disclosure is warranted and widely accepted under international standards, makes it harder for an organization to evaluate its risks and the effectiveness of its mitigations.  It also places cybersecurity companies at a disadvantage, as they will not have access to the information even when mitigations are available.

C. The Draft Measures contain over-inclusive restrictions on routine reporting that improves the awareness and preparedness of affected organizations and individuals, and these restrictions diverge from international standards.

The Draft Measures restrict reports on cybersecurity attacks, risks, or vulnerabilities in geographic regions and industry sectors.[8]  This appears to apply even if such information is publicly available and disclosure is warranted under international standards. However, these reports are commonplace, and industry, policymakers, and consumers depend on the accuracy of such reports to understand the threat landscape and make defensive decisions based on the risks.  Restricting publication of threat information reports within the mainland territories in cases warranted under international standards and industry best practices not only undermines China's cybersecurity, but may also affect international cybersecurity by skewing the accuracy of reports that rely on data related to China.

D. The Draft Measures require covered entities to provide notice to the government before publishing cyber threat information, which creates unequal access to critical information and diverges from international standards.

Article 5 of the Draft Measures provides that before publishing cybersecurity incident information stating that a network or information system has been attacked, damaged, or illegally hacked into, a covered entity must report to the public security organs at and above the prefectural level in the location of the incident.  According to the Draft Measures, the public security organs at various levels must promptly inform the cyberspace administration authorities of the same level as well as higher-level public security organs.  Additionally, Article 6 of the Draft Measures provides that any enterprise, social organization or individual, when publishing a comprehensive analysis report on cybersecurity attacks, incidents, risks and vulnerabilities throughout a region, must report in advance to the cyberspace administration authorities and public security organs at and above the prefectural level in the relevant region. 


Requiring covered entities to report to local public security organs (or any entity not essential to mitigation development) before publishing cybersecurity incident information and related mitigations presents a significant risk of creating unequal access to critical information among customers.  Technology is shared globally, and uneven awareness of vulnerabilities hinders efforts to coordinate mitigations wherever the technology is used.  The reporting requirements set forth in Articles 5 and 6 introduce unnecessary complexity to the vulnerability disclosure process and create counter-incentives that can delay resolution of the vulnerability or lead to the vulnerability being used for unintended purposes.  This outcome could lead to customers using the information to attack each other rather than to strengthen security.  In addition, the Draft Measures risk establishing a precedent whereby other governments may require early disclosures.  Such a result conflicts with current international standards and would further hinder timely mitigation of vulnerabilities.

III. Conclusion

The Coalition and CTA appreciate the CAC's willingness to accept feedback on its Draft Measures and the consideration of the MIIT Regulation comments provided by the Coalition and CTA to the CAC.  As the country continues to develop standards regarding the disclosure of cybersecurity threat information, the Coalition and CTA look forward to serving as a resource concerning both technical and policy questions. 


We appreciate your interest in this area and would welcome further collaboration moving forward.


Sincerely,

Ari Schwartz
Executive Coordinator
Cybersecurity Coalition

J. Michael Daniel
President & CEO
Cyber Threat Alliance


[1] The views expressed in this comment reflect the consensus views of the Coalition and CTA and do not necessarily reflect the views of any individual Coalition or CTA member. For more information on the Coalition, see www.cybersecuritycoalition.org.  For more information on CTA, see https://www.cyberthreatalliance.org/.

[2] Cybersecurity Coalition and Cyber Threat Alliance, Comments on “Cybersecurity Vulnerabilities Administrative Regulation,” July 17, 2019, https://www.cyberthreatalliance.org/wp-content/uploads/2019/07/Joint-Coalition-CTA-Letter-to-Ministry-of-Industry-and-Information-Technology-on-Draft-Cybersecurity-Vulnerabilities-Administrative-Regulation.pdf.

[3] See, for example, Articles 4(12) and 33 to the EU General Data Protection Regulation and Article 29 WG report on applicable regulations (“Guidelines on Personal data breach notification under Regulation 2016/679”).

[4] Cyberspace Administration of the People's Republic of China, Administrative Measures for Publishing Cybersecurity Threat Information, Nov. 20, 2019, http://www.cac.gov.cn/2019-11/20/c_1575785387932969.htm.  See also translation by Rogier Creemers and Graham Webster, New America, Nov. 24, 2019, https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-chinas-cybersecurity-threat-information-publication-management-measures-draft-comment.  Ministry of Industry and Information Technology of the People's Republic of China, Cybersecurity Vulnerabilities Administrative Regulation, Jun. 18, 2019, https://mp.weixin.qq.com/s/TnYAoxtBV_Oq-dvE-l1ZpQ.  See also translation by Dahlia Peterson and Rui Zhong, New America, Jun. 19, 2019, https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-chinese-rules-managing-cybersecurity-vulnerabilities-published-draft-form.

[5] See MIIT Regulation, Art. 2. See also CAC draft regulation, Art. 6.

[6] See MIIT Regulation, Arts. 3 and 10. See also CAC draft regulation, Arts. 5, 6, and 8.

[7] CAC draft regulation, Art. 8. MIIT Regulation, Art. 6(III).

[8] CAC draft regulation, Art. 6.