Liu Ping: Interpretation of the Cryptography Law of the People's Republic of China

Date of issue: 2019-12-30 Source: State Cryptography Administration

On October 26, 2019, the 14th Meeting of the Standing Committee of the 13th National People's Congress adopted the Cryptography Law of the People's Republic of China. President Xi Jinping signed Presidential Decree No. 35 promulgating it, and it will come into force on January 1, 2020. The introduction of the Cryptography Law is the dream of several generations of cryptographers, a practical need for the development of the cryptography cause, and a milestone in the history of cryptography work. The promulgation and implementation of the Cryptography Law is an important measure to build the national security legal system, safeguard national sovereignty and security in cyberspace, and promote the high-quality development of the cryptography cause, and it provides an important legal guarantee for cryptography in guarding the "lifeline" of the Party and the country.

1. The Legislative Process of the Cryptography Law

The CPC Central Committee and the State Council attach great importance to cryptography legislation and regard the Cryptography Law as an important part of the national security legal system. Since 2018, the Cryptography Law has been included in the legislative plan of the 13th NPC Standing Committee and in the annual legislative work plans of the NPC Standing Committee and the State Council. In December 2014, the State Cryptography Administration officially launched the legislative work on the Cryptography Law. In December 2016, the Cryptography Law (draft) was reviewed and approved in principle by the central leading agency for cryptography work. From April to May 2017, the Cryptography Law (draft for comments) was first published to the public on the website of the Commercial Cryptography Management Office of the State Cryptography Administration. In June 2017, the Cryptography Law (draft for review) was officially submitted to the State Council. On June 10, 2019, the Cryptography Law (draft) was discussed and approved at the 52nd executive meeting of the State Council. Subsequently, Premier Li Keqiang signed the proposal and formally submitted the Cryptography Law (draft) to the Standing Committee of the National People's Congress for deliberation. From June 25 to 29, the 11th meeting of the Standing Committee of the 13th National People's Congress deliberated the Cryptography Law (draft) for the first time. From July 5 to September 2, the draft of the Cryptography Law was published on the website of the National People's Congress of China (NPC) for public comments. From October 21 to 26, the 14th meeting of the Standing Committee of the 13th National People's Congress (NPC) deliberated and voted on the Cryptography Law (draft) for the second time, and President Xi Jinping signed Presidential Decree No. 35; the law takes effect from January 1, 2020.

Looking back at the whole legislative process, the introduction of the Cryptography Law was hard won. It was the result of the CPC Central Committee's high attention and cordial care, the care and correct leadership of the central leading agency for cryptography work, the understanding, support and strong help of the relevant departments in all regions, and the concerted efforts of comrades on the cryptography front across the country.

2. Main Contents of the Cryptography Law

The Cryptography Law is an important part of the national security legal system under the framework of the overall national security concept, and it is also a specialized law with strong technical and professional characteristics. The law balances the requirements of the "decentralization, regulation and service" reform against the protection of national security, and pays attention to how it fits with related laws such as the Cyber Security Law and the Law on Guarding State Secrets. The Cryptography Law has five chapters and forty-four articles, which mainly regulate the following:

(1) What is cryptography?

According to Article 2 of the Cryptography Law, the term "cryptography" in this Law refers to technologies, products and services that use specific transformation methods to encrypt, protect and authenticate information. Cryptography is the core technology and basic support for ensuring network and information security. It is the most effective, reliable and economical means of solving network and information security problems, and it has played an irreplaceable role in China's revolution, construction and reform in every historical period. Cryptography is like the DNA of cyberspace: it is the cornerstone of building the immune system and trust system of networked information systems. It is directly related to national political security, economic security, national defense security and information security. It is a strategic resource for protecting the fundamental interests of the Party and the country, and is a national priority.

Articles 6 to 8 of the Cryptography Law divide cryptography into core cryptography, ordinary cryptography and commercial cryptography according to the type of information protected. Core cryptography is used to protect state information at the top secret, secret and confidential levels, ordinary cryptography is used to protect state information at the secret and confidential levels, and commercial cryptography is used to protect information that is not a state secret. Managing cryptography by classification into core, ordinary and commercial cryptography is the fundamental principle of cryptography administration determined by the CPC Central Committee, the basic strategy for ensuring cryptographic security, and the scientific summary of long-term experience in cryptography work.

(2) Who administers cryptography?

Article 4 of the Cryptography Law adheres to the fundamental principle of the Party's administration of cryptography, establishes the leadership system for cryptography work according to law, and specifies that the central leading agency for cryptography work exercises unified leadership over cryptography work nationwide. This fixes the leadership and management system determined by the central authorities in legal form, turns it into the will of the state, and provides a fundamental guarantee that cryptography work develops in the right direction. The central leading agency for cryptography work exercises unified leadership over national cryptography work, and is responsible for formulating major guidelines and policies for national cryptography work, coordinating its major issues and important tasks, and promoting the rule of law in national cryptography work. Article 5 of the Cryptography Law establishes, according to law, a four-level administration system for cryptography work at the national, provincial, municipal and county levels. It specifies that the national cryptography administration department, namely the State Cryptography Administration, is responsible for administering cryptography work throughout the country; that the local cryptography administration departments at or above the county level, namely the provincial, municipal and county cryptography administration bureaus, are responsible for administering cryptography work in their own administrative areas; and that state organs and units involved in cryptography work are responsible, within the scope of their duties, for the cryptography work of their own organ, unit or system.

(3) How is cryptography administered?

Chapter II of the Cryptography Law (Articles 13 to 20) stipulates the main management systems for core cryptography and ordinary cryptography. Core and ordinary cryptography are used to protect state secret information and classified information systems, effectively guaranteeing the security of central government orders and military orders, and building an unbreakable cryptographic barrier for safeguarding national sovereignty, security and development interests in cyberspace. The Cryptography Law clearly stipulates that the cryptography administration departments exercise strict and unified management of core and ordinary cryptography according to law. It also sets out the requirements for their use, the security management system, and a series of special safeguards and measures to strengthen core and ordinary cryptography work. Core and ordinary cryptography are themselves state secrets; once disclosed, national security and interests will be endangered. It is therefore necessary to manage strictly and uniformly the scientific research, production, service, testing, equipping, use and destruction of core and ordinary cryptography in order to ensure their security.

Chapter III of the Cryptography Law (Articles 21 to 31) stipulates the main management systems for commercial cryptography. Commercial cryptography is widely used in all aspects of national economic development and of social production and life, covering important fields such as finance and communication, public security, taxation, social security, transportation, health, energy and e-government. It actively serves the "Internet +" action plan, smart cities and big data strategies, and plays an important role in safeguarding national security, promoting economic and social development, and protecting the legitimate rights and interests of citizens, legal persons and other organizations. The Cryptography Law clearly stipulates that the State encourages research and development, academic exchange, the commercialization of results, and the promotion and application of commercial cryptography; improves a unified, open, competitive and orderly commercial cryptography market system; and encourages and promotes the development of the commercial cryptography industry. First, the law resolutely implements the "decentralization, regulation and service" reform requirements, fully reflects the principles of non-discrimination and fair competition, further reduces the number of administrative licenses, relaxes market access, and better stimulates market vitality and social creativity. Second, the strict management of every link stipulated in the Regulations on the Administration of Commercial Cryptography has been adjusted to focus on controlling key links such as product sales, service provision, use, and import and export. The management mode has shifted from prior approval to in-process and after-the-fact supervision, with emphasis on the supporting role of standardization, testing and certification. Third, the law provides for the necessary administrative licensing and control measures for a small number of matters that bear on national security and the public interest and that are difficult to supervise effectively through the market mechanism or through in-process and after-the-fact supervision. Following these legislative ideas, the Cryptography Law stipulates the main management systems for commercial cryptography, including the standardization system, the testing and certification system, the market access management system, the use requirements, the import and export management system, the management system for e-government electronic authentication services, and the in-process and after-the-fact supervision system for commercial cryptography.

(4) How is cryptography used?

For core and ordinary cryptography, Article 14 of the Cryptography Law requires that state secret information transmitted over wired and wireless communications, as well as information systems that store and process state secret information, be encrypted, protected and authenticated with core and ordinary cryptography according to law. For commercial cryptography, on the one hand, in order to ensure the safe and stable operation of critical information infrastructure and to safeguard national security and the public interest, Article 27 of the Cryptography Law requires that critical information infrastructure be protected with commercial cryptography according to law and undergo security assessment of its commercial cryptography applications. Where operators of critical information infrastructure purchase network products and services involving commercial cryptography that may affect national security, they shall, according to law, pass the national security review organized by the State Cyberspace Office in conjunction with the State Cryptography Administration and other relevant departments. On the other hand, Article 8 of the Cryptography Law stipulates that citizens, legal persons and other organizations may use commercial cryptography in accordance with the law to protect network and information security. There is no mandatory requirement for ordinary users to use commercial cryptography. Party and government organs hold a large amount of classified information, information systems and critical information infrastructure, which must be protected with cryptography according to law. In addition, since cryptography is a dual-use item, Article 12 of the Cryptography Law also clearly stipulates that no organization or individual may steal information that others have encrypted and protected or illegally intrude into the cryptographic protection systems of others, or use cryptography to engage in illegal and criminal activities that endanger national security, the public interest, or the legitimate rights and interests of others.

The vitality of law lies in its implementation, and the authority of law also lies in its implementation. The introduction of the Cryptography Law provides a powerful legal weapon for strengthening confidential cryptography work in the new era. Cryptography administration departments at all levels shall resolutely implement the Cryptography Law and ensure that all of its rules and systems are put into practice.

(Author Liu Ping is Deputy Director of the State Cryptography Administration)