Topic · Originality | An important link in building the national security legal system -- Interpretation of several issues in the Password Law of the People's Republic of China

original Chen Yichao China Information Security

Click above "Information Security in China" Subscribeable

Article | Chen Yichao, National Law Office, Legislative Affairs Committee of the Standing Committee of the National People's Congress

As a special and important work of the Party and the country, password work has the status of "lifeline" and "lifeline". It has played an irreplaceable role in all historical periods of revolution, construction and reform in China. On October 26, 2019, the 14th Meeting of the Standing Committee of the 13th National People's Congress passed the comprehensive and basic law in the field of passwords in China - the Password Law of the People's Republic of China (hereinafter referred to as the Password Law). This law implements the overall national security concept, improves the leadership and management system of password work, and establishes a complete set of systems in standardizing password application and management, promoting the development of password cause, and ensuring network and information security. It has become an important link in the construction of China's national security legal system.

Focusing on the implementation of the overall national security concept and the construction of the national security legal system, this paper will interpret several issues of concern in the Code Law, such as the important role of password work, the significance of the Code Law, and how to properly handle the relationship between maintaining national security and promoting industrial development.

1、 The important role of cryptography in various fields of national security

In the new era, the connotation and extension of national security have been greatly expanded according to the requirements of the overall national security concept. On July 1, 2015, the 15th meeting of the Standing Committee of the 12th National People's Congress adopted the National Security Law of the People's Republic of China (hereinafter referred to as the National Security Law), which clearly established the requirements of the overall national security concept, It stipulates that "national security work should adhere to the overall national security concept, take people's security as the purpose, take political security as the foundation, take economic security as the basis, take military, cultural and social security as the guarantee, and promote international security as the support, maintain national security in all fields, build a national security system, and follow the path of national security with Chinese characteristics." Cryptography is directly related to national security in various fields, especially in maintaining political security, economic security, network security and other aspects.

First, password is the key link to maintain political security. Political security is fundamental to national security. Article 15 of the National Security Law clearly sets forth the requirements of "adhering to the leadership of the Communist Party of China and safeguarding the socialist system with Chinese characteristics", and stipulates that "the State shall prevent, stop and punish according to law any act of treason, secession, sedition, subversion or incitement to subvert the people's democratic dictatorship; Prevent, stop and punish according to law such acts endangering national security as stealing and divulging state secrets; Prevent, stop and punish foreign forces' infiltration, sabotage, subversion and separatist activities in accordance with the law. " Our party's password cause was founded under the leadership of Mao Zedong, Zhou Enlai and other proletarian revolutionaries of the older generation in the revolutionary war years. In the revolutionary war years, the Central Committee of the Communist Party of China planned strategies and won thousands of miles through the important channel of password communication. In the new era of socialist construction, password work is also an important tool to ensure the smooth flow of the CPC Central Committee's decrees and maintain the authority and centralized and unified leadership of the CPC Central Committee. At the same time, we must also be alert to the fact that some cryptographic technologies have become technical means to subvert the regime and split the country. For example, Telegram and other encrypted communication software have appeared in some riots. Only by further using and managing the password well can we provide strong support for maintaining political security in the new situation.

Second, passwords are the basic means to maintain network and information security. In the context of the deep integration of network and information technology into all aspects of China's economy and society, network and information security has become a major issue related to national security and development, and the vital interests of the people. Article 25 of the National Security Law clearly states: "The State shall build a network and information security guarantee system, improve the network and information security protection capability, strengthen the innovative research, development and application of network and information technology, and realize the security and controllability of network and information core technologies, key infrastructure, and information systems and data in important fields; We will strengthen network management, prevent, stop and punish cyber crimes such as cyber attacks, cyber intrusions, cyber theft, and dissemination of illegal and harmful information in accordance with the law, and safeguard China's cyberspace sovereignty, security, and development interests. " In the network age, information age and digital age, password is the most effective, reliable and economical means to solve the problem of network and information security. It has unique advantages in ensuring the confidentiality, authenticity, integrity and non repudiation of information, and is the core technology and basic support of network and information security. Network data protection, identity authentication, access control, authorization management, responsibility identification, etc. can all be solved by password technology. Especially today, with the continuous development of big data, artificial intelligence and blockchain technology, the importance of cryptography for network security is becoming increasingly prominent. General Secretary Xi Jinping recently made it clear that "we should accelerate the innovation and development of blockchain technology and industry, and actively promote the integration and development of blockchain and economy and society." Cryptography is the cornerstone of the realization of blockchain. In the final analysis, whether it is the encryption of data storage or the integrity and tamper proof of data transmission between blocks, it needs to be realized through cryptography.

Third, passwords are an important means of maintaining security in other fields. The National Security Law also puts forward clear requirements for military security, energy security, economic security, financial security, scientific and technological security, social security and other fields. In the process of realizing security in the above fields, cryptography plays an indispensable role. For example, strengthen and standardize the password application in the banking industry, issue chip bank cards with password technology, curb bank card forgery and online transaction identity counterfeiting, and effectively maintain financial security; Using password technology to build a VAT anti-counterfeiting tax control system, effectively curb illegal and criminal activities such as tax evasion and tax evasion by tampering with invoice face information, and maintain national economic security; In the second generation of resident identity cards, password chips are used to effectively prevent forgery and alteration of identity cards and maintain social security. In addition, the requirements of the National Security Law on improving resource and energy security protection measures, strengthening the construction of scientific and technological confidentiality capacity, and strengthening financial infrastructure and infrastructure capacity are inseparable from the application of cryptography.

2、 The Password Law firmly implements the requirements for safeguarding national security

On October 26, 2019, the 14th meeting of the Standing Committee of the 13th National People's Congress passed the Password Law of the People's Republic of China, which was promulgated by General Secretary Xi Jinping after signing the presidential order. The Password Law will be officially implemented from January 1, 2020. The promulgation and implementation of the Password Law is an important measure to maintain national security and build a national security legal system in the new era. It is of great significance in promoting the construction of the national security rule of law and accelerating the development of the national password cause.

First, we should clarify the basic principle of the Party's control of passwords, so as to provide a fundamental basis for giving play to the role of passwords in safeguarding national security. The principle of party control over passwords is a profound summary of the long-term practice and historical experience of password work. The power of password work lies in the Party Central Committee, the major policies and policies of password work must be decided by the Party Central Committee, and major matters of password work must be reported to the Party Central Committee. According to the provisions of the Password Law, the most fundamental provision of the Password Law is to adhere to the leadership of the Communist Party of China in password work, clearly write the fundamental principle of the Party's control of passwords into the law, and clarify that the central password work leading organization leads the national password work uniformly. Only by adhering to the Party's control of passwords can we ensure that password management does not deviate from or deviate from the correct direction, and can we truly play the role of passwords in maintaining national security.

Second, establish the basic principles of classified management, and strictly and scientifically manage core secrets and common passwords according to law. Classified management of passwords, which are divided into core passwords, ordinary passwords and commercial passwords, is the password management principle determined by the CPC Central Committee, the basic strategy to ensure password security, and the scientific summary of long-term password work experience. The objects of three types of password protection are different, so clearly dividing them is conducive to ensuring the security and confidentiality of passwords, facilitating the password management department to implement scientific management of passwords according to different information levels and use objects, and giving full play to the core supporting role of three types of passwords in protecting network and information security. The core password and ordinary password are used to protect state secret information. The highest security level of the core password protected information is the top security level, and the highest security level of the ordinary password protected information is the confidential level. Core passwords and ordinary passwords involve key fields such as confidential communication and military command, and are closely related to political security and military security. Therefore, the Password Law clearly stipulates that core passwords and ordinary passwords themselves belong to state secrets, and password management departments shall strictly and uniformly manage core passwords and ordinary passwords in accordance with this Law and relevant laws, administrative regulations and national regulations. The Password Law requires the password work organization to establish and improve the security management system, take strict confidentiality measures and confidentiality responsibility system, and ensure the security of core passwords and ordinary passwords; It specifically stipulates the mechanisms of security monitoring and early warning, security risk assessment, information notification, major event consultation and emergency disposal to ensure the coordinated, orderly and efficient security management of core passwords and common passwords. Finally, the password work organization is required to take immediate measures and report to the security administration department and the password management department in a timely manner if it finds that the core password and the common password are leaked or that there are major problems and potential risks affecting the security of the core password and the common password, and the security administration department and the password management department will organize the investigation and disposal together with the relevant departments, And guide the relevant password work agencies to eliminate security risks in a timely manner.

Third, clearly require the use of passwords in different situations to provide legal support for national security in various fields. Considering the important role of passwords in maintaining national security in various fields in modern society, the Password Law puts forward specific requirements for the use of passwords according to different situations, and promotes the universal use of passwords in relevant fields to effectively maintain national security. Specifically, it includes: (1) Mandatory use of core password and common password. The state secret information transmitted in wired and wireless communication, as well as the information system for storing and processing state secret information, shall be encrypted, protected and authenticated using core passwords and ordinary passwords in accordance with laws, administrative regulations and relevant national regulations. (2) Mandatory use of commercial passwords. The operators of key information infrastructures that are required by laws, administrative regulations and relevant national regulations to use commercial passwords for protection shall use commercial passwords for protection. (3) The use of commercial passwords is encouraged. Citizens, legal persons and other organizations can use commercial passwords to protect network and information security according to law.

At the same time, the Password Law puts forward clear requirements on the obligations of maintaining national security when using passwords, and stipulates that no organization or individual may steal the information encrypted and protected by others or illegally invade the password security system of others. No organization or individual may use passwords to engage in illegal and criminal activities that endanger national security, social and public interests, or the legitimate rights and interests of others. The scientific research, production, sales, services, import and export of commercial passwords shall not harm national security, social and public interests or the legitimate rights and interests of others.

3、 Properly handle the relationship between safeguarding national security and promoting industrial development

Article 8 of the National Security Law stipulates that the maintenance of national security should be coordinated with economic and social development. Security is the premise of development, and development is the guarantee of security. The Cryptography Law has handled the dialectical and unified relationship between the two well in legislation. On the premise of firmly safeguarding national security, the Cryptography Law has established a series of institutional measures to promote the development of the cryptology cause in accordance with the law, striving to create a good environment for the innovation of cryptology technology, industrial development and application promotion.

First, define the measures to promote and guarantee the development of passwords. The Cryptography Law clearly stipulates in the general provisions that the State encourages and supports the research and application of cryptography science and technology, protects intellectual property rights in the field of cryptography according to law, and promotes the progress and innovation of cryptography science and technology; The state strengthens the cultivation of crypto talents and team building, and awards organizations and individuals who have made outstanding contributions to crypto work in accordance with the relevant provisions of the state; The State strengthens password security education in various forms, integrates password security education into the national education system and the civil service education and training system, and enhances citizens, legal persons and other organizations' awareness of password security; People's governments at or above the county level shall incorporate password work into their national economic and social development plans, and the necessary funds shall be included in their financial budgets. At the same time, the Password Law further stipulates different development requirements for core passwords, ordinary passwords and commercial passwords, including: the state strengthens the scientific planning, management and use of core passwords and ordinary passwords, strengthens system construction, improves management measures, and enhances password security assurance capabilities. The State encourages research and development, academic exchanges, achievements transformation, popularization and application of commercial password technology, improves a unified, open, competitive and orderly commercial password market system, and encourages and promotes the development of commercial password industry.

Second, strengthen the protection of the rights and interests of relevant employers. (1) The Password Law clearly requires that people's governments at all levels and their relevant departments should follow the principle of non discrimination and treat commercial password practitioners including foreign-invested enterprises equally according to law. The State encourages cooperation in commercial cryptography technology based on the principle of voluntariness and commercial rules in the process of foreign investment. Administrative organs and their staff members shall not use administrative means to forcibly transfer commercial password technology. (2) The Password Law emphasizes self-discipline in the industry, provides services for employers through industry organizations, and stipulates that industry associations and other organizations in the field of commercial passwords provide information, technology, training and other services for commercial password practitioners in accordance with laws, administrative regulations and their articles of association, guide and urge commercial password practitioners to carry out commercial password activities according to law, and strengthen self-discipline in the industry, Promote the construction of industry integrity and promote the healthy development of the industry. (3) The Password Law strengthens the requirements on the confidentiality responsibilities of regulatory authorities and testing and certification institutions to protect business secrets of enterprises. It clearly stipulates that commercial password detection and authentication institutions shall assume confidentiality obligations for the state secrets and business secrets they know in the commercial password detection and authentication; Password management departments, relevant departments and their staff shall not require commercial password practitioners and commercial password detection and certification institutions to disclose source code and other password related proprietary information to them, and shall strictly keep confidential the business secrets and personal privacy they know in performing their duties, and shall not disclose or illegally provide them to others.

Third, on the premise of safeguarding national security, we should balance the relationship between "releasing" and "managing" to reduce the burden on enterprises. Compared with the commercial password regulations, the Password Law, in accordance with the reform requirements of "deregulation, regulation and service", has changed its regulatory thinking, significantly reduced the number of administrative licenses and relaxed market access. The whole process of pre-approval as stipulated in the Commercial Password Regulations has been changed to focus on in-process and post supervision, with the basic principles of voluntary testing and certification and self or entrusted third-party evaluation. At the same time, the system of compulsory testing, certification, licensing and review has been set up in some key areas of the key links of sales and provision, application, import and export, including: (1) involving national security Commercial password products of national economy and people's livelihood and social and public interests shall be listed in the catalogue of key network equipment and special network security products according to law, and can only be sold or provided after being tested and certified by a qualified institution. (2) If a commercial password service uses key network equipment and special network security products, the commercial password service shall be certified as qualified by a commercial password certification authority. (3) If the operator of key information infrastructure purchases network products and services involving commercial passwords, which may affect national security, it shall pass the national security review organized by the national network information department in conjunction with the national password administration department and other relevant departments. (4) Import license shall be implemented for commercial passwords that are related to national security, social public interests and have encryption protection function, and export control shall be implemented for commercial passwords that are related to national security, social public interests or China's international obligations. At the same time, during the review of the Password Law, some members of the Standing Committee, enterprises and the public also proposed that the above-mentioned compulsory detection, authentication, evaluation, review and other systems have been stipulated in the Network Security Law of the People's Republic of China (hereinafter referred to as the Network Security Law). Many password products and services are also network security products, and the connection between laws should be further improved to avoid duplication. For this reason, the Cryptography Law has made it clear in particular in this regard, stipulating that the detection and certification of commercial password products shall be subject to the relevant provisions of the Network Security Law to avoid repeated detection and certification; The security evaluation of commercial password applications should be connected with the security detection and evaluation of key information infrastructure and the network security rating evaluation system to avoid repeated evaluation and evaluation; National security review shall be conducted in accordance with the provisions of the Cyber Security Law.

On January 1, 2020, the Password Law of the People's Republic of China will be implemented on the occasion of the 90th anniversary of the founding of the party's password cause. The password cause, which came from the flames of war, has grown from scratch, from tradition to modern, from scratch to science, and is moving towards a new era of legal management. The promulgation of the Password Law and the gradual construction of a complete set of password legal systems led by the Password Law will certainly continuously improve the scientific, standardized and legal level of password management, which is of great and far-reaching significance for further promoting the progress of the password cause, safeguarding national security and social public interests, and promoting the modernization of the national governance system and governance capacity.

(This article was published in the 11th issue of China Information Security magazine in 2019)

For more information about security, please follow the official account!

Long press the QR code to follow

More wonderful videos about information security can be found in Talking about Safety!

Long press the QR code to follow

Continue sliding to see the next one