The Ministry of Industry and Information Technology (“MIIT”) published the Emergency Response Plan for Cybersecurity Incidents in Public Networks (“Plan”) on 14 November 2017. This Plan further implements the general principles set out in the PRC Cybersecurity Law and an emergency response plan published by the Cyberspace Administration of China (“CAC”) in June 2017.
According to the Plan, a Cybersecurity Emergency Response Office (“Office”) under the leadership of CAC and MIIT will be responsible for coordinating the relevant sectoral authorities and local authorities to handle public cybersecurity incidents. The Plan divides incidents into four categories: extremely significant incidents (e.g. users are unable to access the Internet nationwide, “.CN” DNS efficiency drops significantly, more than 100 million users’ information is leaked, or there is a large-scale network virus outbreak nationwide); significant incidents (e.g. users in several provinces are unable to access the Internet, nationwide access failures occur in main websites or large-scale DNS, more than 10 million users’ information is leaked, or there are network virus outbreaks in several provinces); relatively significant incidents (e.g. users in a single province are unable to access the Internet, access failures occur in main websites in a single province, more than 1 million users’ information is leaked, or there is a large-scale network virus outbreak in a single province); and ordinary incidents (e.g. users in a city are unable to access the Internet, or more than 100,000 users’ information is leaked).
After an incident occurs, the relevant internet companies, network operators, and cybersecurity institutions shall immediately report the incident to the local MIIT and the Office. The report shall specify the time of the incident, a preliminary estimate of the affected scope and the risks involved, the remedial measures already taken, and other relevant information.
Depending on the significance of an incident, the local MIIT and/or the Office will decide the response level (from Level 1 to 4) and instruct the relevant entities to take measures such as expanding broadband capacity, controlling the source of attacks, filtering attack traffic, patching vulnerabilities, implementing antivirus measures, shutting down ports, enabling backup data, and temporarily shutting down related systems. For large-scale user information leakage incidents, the attacked entity is also required to promptly notify affected users, and to inform users of mitigation measures and measures necessary to prevent the occurrence of secondary or derivative events.
In addition, internet companies, network operators, and cybersecurity institutions are required to update their cybersecurity software and hardware regularly, monitor the cybersecurity status during their daily operation, and carry out internal training and drills.
According to the Plan, the MIIT will establish international cooperative channels to better handle global cybersecurity incidents. Internet companies and network operators are also encouraged to engage in international communication and cooperation in the relevant areas.