Draft rules targeting unsuitable disclosure of cybersecurity risks

Improper detailing seen as 'telling people how to commit a crime', expert says

Legal and security specialists have described a draft regulation on the publishing of information about cybersecurity threats as an important step in preventing online security risks.

The draft, issued on Wednesday by the Cyberspace Administration of China, the nation's top internet regulator, said cybersecurity information that could threaten normal network operations or expose network vulnerabilities should not be released.

Information on cybersecurity threats should not contain any content that could be readily used to harm network operations, such as source codes and methods for making malicious software, information detailing the steps taken in network attacks and intrusions, or prohibited content.

Cybersecurity incidents-including attacks on, damage to and intrusions of networks and information systems-should not be disclosed before the incidents are reported to local security departments, it said.

Without the approval and authorization of government departments, information issued on threats should not contain "warning" in its title, it added.

"We restrict the disclosure of details and methods in cybersecurity threat information because technical details of such attacks make it easier for those with bad intentions to take advantage of and harm cyberspace," the administration explained in a statement.

A few cybersecurity enterprises and institutions looking to attract customers or promote their products had improperly commented on online attacks, incidents or risks in some industries and regions, misleading the public and negatively influencing the network, it added.

Zuo Xiaodong, vice-president of the China Information Security Research Institute, welcomed the draft, saying it will help the country regulate the disclosure of security-related information and prevent online security risks.

Improperly detailing cybersecurity threats was like telling people how to open a lock or commit a crime, he said, adding that the draft was significant and necessary and would improve the implementation of China's Cybersecurity Law, which took effect in June 2017.

Wang Sixin, a professor specializing in internet law and policies at Communication University of China, said online security threat information, especially some key data, must be disclosed prudently and according to strict procedures.

Revealing more details about online threats or releasing security warnings irresponsibly and irregularly could easily cause the public to panic, he said.

"But the draft does not mean to prohibit the disclosure of online threat information," he added. "The aim is to post such information in a more regulated way."

The administration posted the draft and its contact information, including its email address, on its website on Wednesday to solicit public opinion until Dec 19.

"How much information can be detailed and what the reporting procedures are should be further specified to ensure law enforcement departments can implement the regulation more effectively in practice," Zuo said.