Comparison of Chinese and American network security legislation

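On December 8, 2016, the third China-U.S. High-Level Joint Dialogue on Combating Cybercrime and Related Issues released a joint list of outcomes. Both sides reaffirmed that they would continue to cooperate in investigating cybercrime and malicious cyber activity originating from China or the United States, and in stopping the cyber-enabled theft of intellectual property carried out to give companies or commercial sectors a competitive advantage. [1] As network technology ever more profoundly shapes new social forms, international cybersecurity problems cannot be ignored either; incidents such as international cyber-terrorism and hacker attacks keep emerging. Against the current domestic and international background, cybersecurity legislation and policy is becoming increasingly important.
On November 7, 2016, China's first Cybersecurity Law was promulgated; it formally takes effect on June 1, 2017, and provides the necessary legal safeguards for maintaining order in cyberspace, ensuring cybersecurity, advancing the "Internet Plus" initiative, and building China into a cyber power. The United States, as the birthplace of Internet technology, already has relatively mature legislation and policy in the cybersecurity field. This article attempts a brief comparison of Chinese and American cybersecurity legislation and policy from the following two aspects.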
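Building the security system for critical information infrastructure
As traditional physical infrastructure and information systems become ever more deeply integrated, a country's critical information infrastructure plays an increasingly prominent foundational role in national security, social welfare, economic development and government affairs, and has gradually become an important support for keeping society as a whole running. [2] Both China and the United States currently attach great importance to building the security system for critical information infrastructure.
The first-reading draft of China's Cybersecurity Law (Draft), published in June 2015, explicitly enumerated the scope of critical information infrastructure. By contrast, the law as officially promulgated in November 2016 deleted that enumeration, [3] providing only that the specific scope of critical information infrastructure and the measures for its security protection are to be formulated by the State Council, and stating merely that the essence of critical information infrastructure is that, "once it is damaged, loses its function or suffers a data leak, it may seriously endanger national security, the national economy and people's livelihood, or the public interest." [4] This back-and-forth reflects the caution of Chinese legislators in defining the concept of critical information infrastructure. In practice, China's core information technology products and services depend heavily on foreign countries, and more than 2,000 important control systems in China are connected to public networks; most of these systems have serious cybersecurity risks and no security protection measures at all. [5] To date, although China has set up bodies such as the National Information Network Security Standardization Technical Committee, the National Information Security Evaluation Center, the National Computer Emergency Technical Response Coordination Center and the National Computer Virus Emergency Response Center, it still lacks a clear and specific policy for building the security system for network infrastructure. The provisions of existing laws and regulations remain at a rather abstract level.
By comparison, the construction of the security system for network infrastructure in the United States is already relatively mature. On February 12, 2014, the White House released the Framework for Improving Critical Infrastructure Cybersecurity, a guidance document intended to further strengthen cooperation between the U.S. federal government and the private sector in order to improve the cybersecurity of critical network infrastructure. The document consists of three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profile. The Framework was developed to create a "common language" for security risk management that applies across all kinds of industrial and technical fields; at the same time, to ensure extensibility and enable technical innovation, it strives to be technology neutral. That is, first, it relies on the variety of existing standards, guidelines and practices to enable critical infrastructure providers to achieve resilience; second, it acknowledges the global nature of cybersecurity risks and relies on global standards, guidelines and practices, so that the tools and methods for achieving the Framework's outcomes apply across borders. [6] When releasing the document, the U.S. government stressed that it is a framework for voluntary adoption by the U.S. government, businesses, or foreign companies. Nevertheless, the U.S. government has shown a strong desire to promote it and is trying to make it an internationally accepted standard.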

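Cybersecurity information sharing and privacy protection
The information gathered and circulating on networks not only holds enormous economic value but is also of great significance for safeguarding national security and combating terrorism. Collecting, filtering and analyzing data on networks helps the state effectively stop the relevant actors before they commit crimes or acts of terrorism, and prevents the harm from spreading. However, large-scale data collection and analysis inevitably touches on citizens' personal information and privacy, creating a tension that is hard to reconcile.
Before the Cybersecurity Law was promulgated, China had not enacted any law that directly regulated cybersecurity information sharing, although some provisions on information notification and reporting are scattered across laws and regulations such as the National Security Law, the Regulations on the Protection of Computer Information Systems, and the Measures for the Administration of Internet Information Services. [7] The Cybersecurity Law fills this gap. Under Articles 43 and 44 of the law, in theory, the cyberspace administration and other relevant departments have the power, on the basis of their cybersecurity supervision and administration duties, to monitor the information published or transmitted by all network operators; at the same time, the cyberspace administration is to coordinate the relevant departments in strengthening the collection, analysis and notification of cybersecurity information, and to publish cybersecurity monitoring and early-warning information in a unified manner according to regulations. Under these provisions, China in fact has no cybersecurity information sharing mechanism in the typical sense, because government agencies are already authorized by law to monitor and retrieve all information on networks, making sharing unnecessary. This situation may lead to improper acquisition of information by the government and to abuse of information.
In the United States, cyber information sharing has always been a highly controversial topic. Bills of this kind usually define key terms rather vaguely, grant information companies fairly broad legal immunity, and give the government power to actively conduct network surveillance; Congress has therefore rejected such proposals many times. [8] Since the Obama administration took office, however, the number of such bills has grown. In October 2015 the U.S. Senate passed the Cybersecurity Information Sharing Act, a further proposal on sharing cyberspace security information following the Cyber Intelligence Sharing and Protection Act passed by the House of Representatives in April 2014. The Cybersecurity Information Sharing Act aims to grant information companies two rights: first, it authorizes them, for cybersecurity purposes, to adopt corresponding countermeasures against cybersecurity threats; second, in the name of protecting companies' rights and property, it sets up new bodies to monitor all kinds of information systems. At the same time, while designing a model for sharing information resources, the Act attempts to introduce multiple privacy protection mechanisms. In short, the provisions of the Act reveal between the lines several U.S. intentions: (1) to remove legal obstacles and unnecessary litigation risk, (2) to build channels that encourage public and private entities to share cybersecurity information voluntarily, and thereby (3) to achieve a deeper coordinated response mechanism to cybersecurity threats within the United States. [9]
In summary, although the promulgation of the Cybersecurity Law has to some extent filled out China's cybersecurity legislation and policy, that legislation and policy is still relatively incomplete, practical experience is lacking, and its value choices need further balancing. U.S. experience, though more mature, is not necessarily something China must borrow; for example, the differences between China and the United States in information sharing mechanisms also reflect differences in national conditions. In the United States, 85% of critical information infrastructure is owned and operated by private companies, so the U.S. government has to pay continuing attention to the exchange and sharing of cybersecurity information between government and business. [10] China's critical information infrastructure, by contrast, is mainly controlled by state-owned enterprises and central enterprises with a certain political background, [11] which provides the basis for direct information monitoring. In addition, China's stage of development and cultural traditions both influence legislators' value choices. For instance, the culture of privacy in the United States is deeper and taken more seriously than in China, and the two countries also differ somewhat in how they rank the values of basic human rights.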
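[1] China News Service, "China and the United States reaffirm continued cooperation in investigating cybercrime and malicious cyber activity," http://www.chinanews.com/gn/2016/12-09/8088319.shtml, accessed December 14, 2016.
[2] See Li Manyi, "The Measures for the Security Protection of Critical Information Infrastructure urgently need to be formulated: an interview with Huang Daoli, director of the Cybersecurity Law Research Center at the Third Research Institute of the Ministry of Public Security," Secrecy Science and Technology, 2016, no. 7, p. 10.
[3] The enumerated items included basic information networks, military networks, government networks of state organs at or above the level of a city divided into districts, and networks and systems owned or managed by network service providers with a large number of users.
[4] See Xinhua News Agency, "Cybersecurity Law of the People's Republic of China." Source: http://news.xinhuanet.com/politics/2016-11/07/c_1119867015.htm, last accessed December 13, 2016.
[5] See Wang Rui, "National Cybersecurity Week keeps heating up: Critical Infrastructure Security Summit Forum held," Computer & Network, 2016, no. 18, p. 18.
[6] See Liu Xiangang and Chen Xing, "Research on the cybersecurity framework for critical information infrastructure (Part 1)," Information Technology & Standardization, 2016, no. 7, pp. 43-44.
[7] See Zhao Xiaoming, "A brief discussion of cybersecurity information sharing," Network Security Technology and Application, 2006, no. 10, p. 39.
[8] See Wu Tong, "The impact of and responses to the U.S. Cybersecurity Information Sharing Act," Secrecy Science and Technology, 2016, no. 2, p. 50.
[9] See Wu Shenkuo and Chen Qin, "Analysis of the U.S. Senate's 2015 Cybersecurity Information Sharing Act," China Information Security, 2016, no. 1, p. 130.
[10] See Ma Minhu, Fang Ting and Wang Yue, "Cybersecurity information sharing in the United States and its lessons for China," Journal of Intelligence, 2016, no. 3, p. 18.
[11] See Li Manyi, "The Measures for the Security Protection of Critical Information Infrastructure urgently need to be formulated: an interview with Huang Daoli, director of the Cybersecurity Law Research Center at the Third Research Institute of the Ministry of Public Security," Secrecy Science and Technology, 2016, no. 7, p. 12.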
