Frequent Cybersecurity Incidents
Recently, ransomware has been rampant across global cyberspace. The data leakage and network breakdowns caused by these viruses inflict severe financial losses on network operators and present a significant challenge to global cyberspace safety. In May, the WannaCry ransomware attacked over 150 countries, including the UK and Ukraine, and users in China were also affected. While the world was still in the shadow of WannaCry, a new ransomware, regarded as a variant of the Petya virus, had already spread across the world, attacking the UK, Ukraine, Russia, Denmark and other countries.
The newest Norton Cybersecurity Insights Report indicates that, among emerging-market countries, China faces the most severe cybercrime attacks. In 2014, over 240 million Chinese consumers became victims of cybercrime, and the total economic losses came to CNY 700 billion. In response to the increasingly rampant cyber-attacks and cybercrimes, the Office of the Central Leading Group for Cyberspace Affairs (“CLGCAO”) published the Notice of the Emergency Response Plan for Cybersecurity Incidents (the “Emergency Response Plan”) on 10 January 2017 and officially released the Emergency Response Plan on 27 June 2017. By establishing and consolidating the National Emergency Response Mechanism for Cybersecurity Incidents in all provinces, municipalities and autonomous regions, CLGCAO shows its determination to respond to cyber-attacks, safeguard information security and maintain cyber sovereignty. Companies should not only understand the national-level emergency measures of the CLGCAO, but also strictly comply with each provision of the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”), and build regulatory systems and emergency plans from the ex ante, interim and ex post perspectives to respond to potential cybersecurity incidents.
This article briefly introduces the structure of the Emergency Response Plan and summarizes the basic legal obligations of companies, mainly under the Cybersecurity Law and relevant regulations, in preventing and responding to cybersecurity incidents. It also provides practical guidance on implementing the key steps for responding to cybersecurity incidents.
Introduction to the Emergency Response Plan
| Item | Content |
|---|---|
| Scope of Cybersecurity Incidents | Cybersecurity incidents include Malware Incidents (MI), Network Attack Incidents (NAI), Information Destruction Incidents (IDI), Information Content Security Incidents (ICSI), Facility Faults (FF), Disaster Incidents (DI) and Other Incidents (OI). |
| Levels of Cybersecurity Incidents | According to the severity of the loss to key networks and information systems, and the threat to national security and social stability, cybersecurity incidents are divided into four levels: particularly serious cybersecurity incidents, serious cybersecurity incidents, important cybersecurity incidents and general cybersecurity incidents. |
| Institutional Structure and Duties | |
| Monitoring and Early Warning | Each office for cybersecurity affairs at the provincial level should, in light of local conditions, organize security monitoring of local networks and information systems. Security monitoring should cover early-warning monitoring, investigation and analysis, issuance of early warnings, response to early warnings, and lifting of early warnings. |
| Emergency Response | When a cybersecurity incident occurs, the entity where the incident occurred should immediately activate its emergency response plan, carry out disposal and report information in a timely manner. All offices in the relevant regions and departments should immediately organize preliminary emergency disposal, control the situation and eliminate hidden risks. Meanwhile, the relevant offices should organize investigation and analysis, preserve evidence and report information. An incident preliminarily assessed as a serious or particularly serious cybersecurity incident should be reported immediately to the Emergency Response Office. |
| Investigation and Assessment | The investigation and disposal, summary and assessment of a cybersecurity incident should, in principle, be completed within 30 days after the end of the emergency response. |
| Prevention | All offices at the provincial level and all departments should, in light of their own duties, strengthen routine prevention, organize emergency plan drills regularly, conduct cybersecurity publicity and education, provide professional skills training for managers and relevant personnel, and enhance prevention measures during important activities. |
| Safeguard Measures | All offices at the provincial level and all departments should strengthen publicity of the relevant laws, regulations and policies on the prevention and disposal of cybersecurity emergencies by making full use of various media and other effective promotion methods, and organize publicity and education activities on basic cybersecurity knowledge and skills. |
Duties of network operators when facing cybersecurity incidents
Generally, the legal duties of a network operator facing cybersecurity incidents can be categorized as regular preventive work, emergency measures during incidents, and post-incident review and summary.
1. Regular preventive work
Both the Cybersecurity Law and the Emergency Response Plan regulate the regular preventive work a network operator must carry out against cybersecurity incidents. Specifically:
(1) Cybersecurity multi-level protection
A network operator should follow the requirements of cybersecurity multi-level protection to fulfil its security protection duties: protect the network from interference, damage or unauthorized access, and prevent network data from being leaked, stolen or tampered with. Specifically, a network operator should designate a person responsible for cybersecurity and implement cybersecurity protection responsibilities; take technical measures to prevent computer viruses, network attacks, network intrusions and other activities that endanger cybersecurity; take technical measures to monitor and record network operation status and cybersecurity incidents, and retain the relevant network logs as required; and take measures such as data classification and the backup and encryption of important data.
(2) Network products and services should conform to national standards
Network products and services should conform to the mandatory requirements of national standards. Important network products and services purchased for networks and information systems that relate to national security should pass a cybersecurity examination pursuant to the Measures on Security Examination for Network Products and Services (Trial Implementation).
(3) Continuous security maintenance
A provider of network products or services should provide continuous security maintenance for its products or services. Such maintenance shall not be discontinued within the prescribed term or the term agreed upon by the parties.
(4) Emergency plan for cybersecurity incidents
A network operator should develop an emergency plan for cybersecurity incidents so that it can promptly respond to security risks such as system bugs, computer viruses, network attacks and intrusions. An emergency plan may include the responsible person, a data leakage notification mechanism, remedies, the allocation of internal responsibility, etc.
(5) Duty of timely remedy and reporting
When a network operator finds a risk such as a security defect or bug in the network products or services it provides, it should take remedial action immediately, inform the users and report the case to the competent authority as required. Likewise, in case of disclosure, damage or loss of personal information, the network operator shall take remedial action immediately, inform the users and report the case to the competent authority as required.
(6) Regular examination and assessment of risks by the operator of a key information infrastructure
In addition, at least once a year, the operator of a key information infrastructure should examine and assess its cybersecurity and potential risks, either by itself or by entrusting a cybersecurity service provider, and submit the examination and assessment results together with improvement measures to the competent authorities in charge of the security of the key information infrastructure.
2. Emergency measures for security incidents
When an incident that threatens cybersecurity occurs, including leakage, damage or loss of personal information, a network operator should promptly activate its emergency plan for cybersecurity incidents, take corresponding remedial action and report the case to the competent authority as required.
Pursuant to the Emergency Response Plan, when a security incident occurs, a network operator should report it to the local cyberspace administration so that the relevant authority can initiate emergency response work. In addition, for cases occurring in computer information systems, the users concerned should report to the local public security organ at or above the county level within 24 hours.
Similarly, the Emergency Response Plan requires the Emergency Response Office to take charge of coordinating cross-department and cross-region cybersecurity emergency response and the routine work of the command department, and to organize and direct the national cybersecurity emergency response technical support team in completing technical support for emergency response work.
3. Summary and compliance work after a security incident
As the Emergency Response Plan provides for a summary and assessment mechanism run by the cyberspace administration, companies may need to keep communicating with the administrative department to help it complete the investigation report, which summarizes the cause, nature and impact of the security incident and proposes improvement measures. Furthermore, we suggest that companies comprehensively review their internal cybersecurity systems and standards and take preventive measures.
How should companies deal with cybersecurity incidents?
- Pay full attention to every cybersecurity incident. Do not deal with an incident hastily on the basis of an initial judgment that its impact is limited, lest you be caught unprepared after a complete assessment.
- Take measures to control the situation after an incident occurs, and evaluate the possibility of further intrusion or leakage.
- According to the specific circumstances of the incident, promptly make an initial evaluation of its impact and severity level, inform the competent authorities and the affected data subjects, and take measures to prevent further intrusion or leakage.
- Actively cooperate with the competent authorities' investigation, and consult the competent authorities before publishing details of the incident.
- Preserve evidence that can be used to determine the cause and nature of the incident and the remedies that should be taken.
- Ensure that an appropriate and complete record of the incident is kept, especially of the remedies taken to control and mitigate the damage.
Key steps to respond to cybersecurity incident at the early stage
Step 1: take measures to contain the breach and make a preliminary assessment
- Take measures to contain the breach
- Make a preliminary assessment
- Identify parties to be notified
Step 2: evaluate the risks associated with the incident and decide what measures should be taken immediately, considering:
- The type of the data leaked
- The context of the data leaked
- The cause and extent of data leakage
- The risk of serious harm to the affected individuals caused by data leakage
Step 3: fulfil the notification duty for the cybersecurity incident
- Decide the notification procedure
- Decide what information should be included in the notification
At present, Trojan horses, botnets, phishing websites and other non-traditional cybersecurity threats keep growing, while Distributed Denial of Service (DDoS) attacks, Advanced Persistent Threat (APT) attacks and other new types of network attack are increasing; threats to cybersecurity emerge endlessly and potential risks to network infrastructure persist. Company information systems face threats at all times, and companies confront serious challenges in protecting cybersecurity and user data security.
To ensure a company's cybersecurity and reduce its compliance risk in cybersecurity incidents, we suggest that the company enhance the security of the software and hardware of its network systems in daily operation, set up an integrated emergency response plan and related mechanisms for cybersecurity incidents, and strengthen internal cybersecurity knowledge and skills training for employees. When a cybersecurity incident occurs, the company should take measures promptly, seek professional advice, fulfil its duties under the relevant laws and regulations, actively cooperate with the competent authority's investigation, and do its best to reduce risks and damage and mitigate its potential legal liability. After the incident, the company should actively fix system bugs, strengthen network system security from both the technological and the institutional perspective, improve and perfect its internal response mechanism for security incidents, and ensure that its security systems and standards conform to the relevant national laws and regulations, thereby preventing future security incidents and data leakage.
Cybersecurity incidents usually arise suddenly. If a company is facing an emergency, we have an urgent assistance service mechanism to help the company through the difficulties from the first moment.