How is data mishandling defined in the digital world? It is difficult to define a scope, and there may be gaps in the definition in different situations. Whether a different standard of justice applies depends on the undefined element.
The European Data Protection Board welcomes comments on the Guidelines 04/2022 on the calculation of administrative fines under the GDPR. For more information on this, see the link – https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-042022-calculation-administrative_en
A rapid development of China Cyber Security Law
Preface: Data allows organizations to more effectively determine the cause of problems. Data allows organizations to visualize relationships between what is happening in different locations, departments, and systems.
Background: Perhaps because of the powerful capabilities of Big Data, on July 3, 2020, the Standing Committee of the National People’s Congress (NPC) published the draft Data Security Law (Draft Law) for public comment through August 16, 2020.
Reference: Data Security Law of the People’s Republic of China (Draft) 中华人民共和国数据安全法(草案) http://www.ahwx.gov.cn/zcfg/gfxwj/202007/t20200708_4629245.html
Even though the public comment period has passed, let’s review the history of its development: The Cyber Security Law of the People’s Republic of China (中华人民共和国网络安全法) was adopted at the 24th meeting of the Standing Committee of the 12th National People’s Congress of the People’s Republic of China on November 7, 2016, and came into force on June 1, 2017.
Reference: The Cyber security Law of the People’s Republic of China (中华人民共和国网络安全法) http://www.cac.gov.cn/2016-11/07/c_1119867116_3.htm
In accordance with the “National Security Law of the People’s Republic of China (中华人民共和国国家安全法)” and the “Network Security Law of the People’s Republic of China (中华人民共和国网络安全法)”, cyber security review measures were formulated. The new cyber security review measures took effect on June 1, 2020, and the “Network Product and Service Security Review Measures (Trial) (网络产品和服务安全审查办法(试行))” were repealed at the same time. If you want to learn more about the “China Cybersecurity Review Measures (网络安全审查办法)”, please read the following URL:
http://www.cac.gov.cn/2020-04/27/c_1589535450769077.htm
The Network Security Law of the People’s Republic of China has been in force for more than two years. Perhaps you have questions? Refer to the attached diagram. As far as we know, the National Security Law and the Cyber Security Law each define their own review system. At the moment, the Data Security Law of the People’s Republic of China (Draft) does not appear to provide relevant information on this. Do you think the Data Security Law will be integrated into the existing review structure?
New order in the Asia-Pacific region – Cyber security Law 2019
China Cracks Down on Foreign Firms Over Cyber Security, FT Says – two foreign companies that deal with consumer data in China had been under official investigation for several months. For details of the news, please refer to the link below:
https://www.ft.com/content/b84cc734-76ca-11e9-bbad-7c18c0ea0201
Synopsis: Information technology personnel are familiar with MPLS. But do they understand China’s MLPS (Multi-Level Protection Scheme)?
Background: Since the launch of the legislative process for China’s Cyber Security Law in 2015, the National Information Security Standardization Technical Committee (TC260) has issued nearly 300 network security standards. The new order is implemented around the 8 factors that have the greatest influence on the industry:
- Network security review of network products and services – 网络产品和服务的网络安全审查
- Certification and evaluation of network key equipment and network security special products – 网络密钥设备和网络安全专用产品的认证和评估
- Safe and controllable products and services – 安全和可控的产品及服务
- Multi-level protection scheme (MLPS) – 多层次的保护方案(MLPS)
- Critical information infrastructure (CII) network security protection – 关键信息基础设施(CII)网络安全保护
- Cross-border data transfer – 跨境数据转移
- Personal data and data protection – 个人数据和数据保护
- Encrypted data – 加密数据
Understand New implemented China Cyber Law – 2019
Aim to security:
In November 2018, new regulations under China’s Cybersecurity Law granted China’s cyber security agencies the legal authority to conduct remote testing of any Internet-related business operating in China.
This authority extends to copying and sharing any data that government officials find on the system being inspected.
The Ministry of Public Security (MPS) is able to exercise the following authorities:
- Conduct on-site or remote inspection of network security defenses taken by companies operating in China.
- Check for content prohibited in China.
- Record the security response plan during the on-site inspection.
- Copy any user information found on the system being inspected during a live or remote inspection.
- Perform a penetration test to check for vulnerabilities.
- Perform a remote check without notifying the company.
- Share any collected data with other state agencies.
- During an on-site inspection, two members of the PAP (Chinese People’s Armed Police Force) have the right to enforce the procedure.
Original (translated from the Chinese text):
Conduct on-site or remote inspections of the network security defenses adopted by companies operating in China.
Inspect for “prohibited content” that is banned within the territory of China.
Record the security response plan during the on-site inspection.
Copy any user information found on the inspected system during an on-site or remote inspection.
Perform penetration tests to check for vulnerabilities.
Perform remote inspections without notifying the company.
Share any collected data with other state government agencies.
During on-site inspections, two members of the People’s Armed Police (PAP) have the right to enforce the procedure.
Russian regulator moves to ban messaging app Telegram – 2018
The Berlin Wall fell on November 9, 1989. A physical wall whose goal was to isolate culture and humanity seemed never to appear in the world again. However, we are living in the modern age. We have unintentionally transformed our culture and daily life into a digital world, and the operation of the world is also under the custody of a digital mainframe. If you look around, it seems the Berlin Wall has not fallen. Don’t be childish! Perhaps the Berlin Wall disappeared, but other walls have been established around the world!
We focus on censorship policy, especially the Chinese Great Firewall banning VPNs and communications with external parties. Maybe we overlook Russia! This month, Russia’s Supreme Court ordered Telegram to hand over its keys. Should you be interested in the headline news, please refer to the URL below for reference.
Financial Times – Russian regulator moves to ban messaging app Telegram
https://www.ft.com/content/66062614-397c-11e8-8b98-2f31af407cc8
Will China block access to all personal VPN services by Feb 2018?
IT guys are busy all the time, even at home, and therefore sometimes they might forget something. There are 2 big things happening at the end of this month. Heads up that PCI DSS version 3.1 will be obsolete at the end of the month (31st Jan 2018); version 3.2 will be effective on 1st Feb 2018. For more details, please refer to the URL below for reference.
PCI DSS 3.2 – Important January 31, 2018 Deadline & Clarifications
https://www.chosenpayments.com/pci-dss-3-2-important-january-31-2018-deadline-clarifications/
On the other hand, an official announcement in 2017 said that China is moving to block internet VPNs from 2018. Will China block access to all personal VPN services by Feb 2018? For more details, please refer to the URL below for reference.
Article Claims China Will Block VPNs This Week, Causing Confusion
https://www.goldenfrog.com/blog/article-claims-china-block-vpns-causing-confusion
About DHS Malware Analysis Report (MAR) – 10135536-B
Preface:
There are books of which the backs and covers are by far the best parts!
― Charles Dickens, Oliver Twist
Discussion details:
It is reported that the North Korean government is the suspected state sponsor of the Lazarus Group’s cyber attack activities. A nickname for the Lazarus Group, Hidden Cobra, was exposed to the world in the middle of this year. US Homeland Security claimed that they are the suspects behind the cyber attack on Sony Pictures and the WannaCry (ransomware) attack. As far as we know, the US Department of Homeland Security gives high priority to tracking their activities.
DHS malware report (10135536-B) technical findings
There are a total of 7 Portable Executable (PE) files shown in the report. In layman’s terms, a PE is an executable file. The PE checksums and details are shown below:
1. PE file checksum (MD5): C74E289AD927E81D2A1A56BC73E394AB
Antivirus vendors capable of detecting it:
- K7 – Trojan ( 700000041 )
- Cyren – W32/Heuristic-KPP!Eldorado
- VirusBlokAda – BScope.Trojan.Agent
2. PE file checksum (MD5): FC9E40100D8DFAE2DF0F30A3414F50EC
Antivirus vendors capable of detecting it:
- Cyren – W32/Heuristic-KPP!Eldorado
- VirusBlokAda – BScope.Trojan.Agent
- F-secure – Gen:Trojan.Heur.LP.Tu4@aqf3yp
- BitDefender – Gen:Trojan.Heur.LP.Tu4@aqf3yp
- Emsisoft – Gen:Trojan.Heur.LP.Tu4@aqf3yp (B)
- F-secure – Gen:Variant.Graftor.373993
- Cyren – W32/Heuristic-KPP!Eldorado
- VirusBlokAda – BScope.Trojan.Agent
- BitDefender – Gen:Variant.Graftor.373993
- Emsisoft – Gen:Variant.Graftor.373993 (B)
5. PE file checksum (MD5): 9E4D9EDB07C348B10863D89B6BB08141
- F-secure – Gen:Trojan.Heur.LP.hu4@aKqgOsli
- BitDefender – Gen:Trojan.Heur.LP.hu4@aKqgOsli
- Emsisoft – Gen:Trojan.Heur.LP.hu4@aKqgOsli (B)
- F-secure – Trojan.Inject.RO
- VirusBlokAda – BScope.Trojan.Agent
- Ahnlab – Trojan/Win32.Akdoor
- nProtect – Trojan/W64.Agent.95232
- McAfee – Trojan-FLDA!964B291AD9BA
- ClamAV – Win.Trojan.Agent-6319549-0
- Ahnlab – Trojan/Win64.Dllbot
- Quick Heal – Trojan.Generic
This cyber alert looks confusing to managed security services vendors, especially in APAC countries!
rule Unauthorized_Proxy_Server_RAT
{
    meta:
        Author = "US-CERT Code Analysis Team"
        Incident = "10135536"
        MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
        MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"
        Info = "Detects Proxy Server RAT"
        super_rule = 1
    strings:
        $s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
        $s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
        $s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
        $s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
        $s4 = {B91A7900008A140780F29A8810404975F4}
        $s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9F D19CA59F7E9F539CEF9F 029F969C6C9E5C9D949FC99F}
        $s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
        $s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
        $s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
        $s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
        $s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
        $s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
        $s12 = {448BE8B84FEC C44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
        $s13 = {8A0A80F9627C2380F9797F1E80F9647C 0A80F96D7F0580C10BEB 0D80F96F7C0A80F9787F05}
    condition:
        any of them
}
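To see how the rule above is applied in practice, here is an added example (not from the US-CERT report or this site) that re-implements the two kinds of indicators the report uses: the MD5 hashes in the rule's meta section and the plain hex byte strings that the condition "any of them" matches. It works on a constructed byte buffer, so it can be run offline without a real sample; the KNOWN_MD5 set and the hex patterns are copied from the rule, while the sample buffer and the function names are the example's own.

```python
import hashlib
import re

# MD5 indicators copied from the meta section of the Unauthorized_Proxy_Server_RAT rule.
KNOWN_MD5 = {
    "C74E289AD927E81D2A1A56BC73E394AB",
    "2950E3741D7AF69E0CA0C5013ABC4209",
}

# A subset of the rule's hex strings. YARA ignores whitespace inside the braces,
# which is why $s5 as printed in the report still parses.
HEX_STRINGS = {
    "$s4": "{B91A7900008A140780F29A8810404975F4}",
    "$s5": "{399FE192769F839DCE9F2A9D2C9EAD9CEB9F D19CA59F7E9F539CEF9F 029F969C6C9E5C9D949FC99F}",
    "$s7": "{3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}",
    "$s8": "{8B063D9534120077353D59341200722E668B4604663DE8037F24}",
}


def hex_string_to_bytes(pattern: str) -> bytes:
    """Convert a plain YARA hex string (no wildcards, jumps or alternatives) to bytes."""
    body = re.sub(r"\s+", "", pattern.strip().strip("{}"))
    if len(body) % 2 != 0 or not re.fullmatch(r"[0-9A-Fa-f]*", body):
        raise ValueError(f"not a plain hex string: {pattern}")
    return bytes.fromhex(body)


def scan_buffer(data: bytes) -> dict:
    """Report which indicators fire on `data`: the hash lookup and every hex string found.

    The rule's condition is 'any of them', so a single string hit is a match;
    the MD5 is checked separately because a hash only identifies one exact file.
    """
    digest = hashlib.md5(data).hexdigest().upper()
    hits = [name for name, pat in HEX_STRINGS.items() if hex_string_to_bytes(pat) in data]
    md5_known = digest in KNOWN_MD5
    return {
        "md5": digest,
        "md5_known": md5_known,
        "strings": hits,
        "matched": md5_known or bool(hits),
    }


# Constructed sample (not malware): filler bytes with the $s4 sequence embedded,
# to show that a byte-pattern match fires even when the file hash is unknown.
SAMPLE = b"MZ" + b"\x00" * 40 + hex_string_to_bytes(HEX_STRINGS["$s4"]) + b"\x90" * 16

if __name__ == "__main__":
    print(scan_buffer(SAMPLE))
```

Because the sample is constructed, its MD5 is not in the list, yet it is still flagged through $s4; this is the practical difference between hash-based indicators, which only catch the exact files listed in the report, and byte patterns, which catch recompiled variants that share the same code fragments. Real scanning should use the yara library or yara binary rather than substring search, since the substring approach above cannot handle wildcards or the other hex-string features.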
Reference: the report provided by US Homeland Security (see below)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF
Summary:
In the meantime, I wish you Merry X’mas and Happy New year. Stay tuned!
China IPv6 implementation Road map. Will it be burden on current surveillance task?
A tough new cyber security law was put in place in China in June 2017. The United States submitted a document to the WTO Services Council stating that if China’s new rules enter into full force in their current form, as expected by the end of 2018, they could impact cross-border services supplied through a commercial presence abroad. An IPv6 road map was announced by the General Office of the State Council of the PRC on 26th Nov 2017. The road map drives the whole network, applications and computers to prioritize IPv6 connectivity. We know that RFC 4941 defines “privacy extensions for IPv6” stateless address autoconfiguration. This standard defines a mechanism whereby a device generates a random host address and uses that instead of an address derived from the device’s MAC address. As a result, it is better at avoiding surveillance and tracking. The surveillance programme in China differs from other countries, since monitoring network behaviour, or so-called surveillance, is Chinese government policy. We will see whether RFC 4941 becomes a burden in the future.
What happens next?
More regulations have been implemented in China. Hey CIO, CTO and CISO, any doubts?
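The RFC 4941 point above is easier to see with a short added example (my own illustration, not code from RFC 4941 or from this site). It builds the two kinds of interface identifier the paragraph contrasts: the modified EUI-64 identifier, which embeds the MAC address and can be reversed back to it by anyone who sees the IPv6 address, and a random temporary identifier in the style of RFC 4941, which carries no MAC. The prefix 2001:db8:1:2::/64 and the MAC 00:1a:2b:3c:4d:5e are constructed sample values; the function names are the example's own.

```python
import ipaddress
import secrets
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 Appendix A):
    split the MAC in half, insert FF FE, and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def mac_from_eui64(iid: bytes) -> Optional[str]:
    """Recover the MAC if the identifier has the EUI-64 shape; None otherwise.
    This is exactly what makes EUI-64 addresses trackable across networks."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02
    octets = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def temporary_interface_id() -> bytes:
    """Random 64-bit identifier in the spirit of RFC 4941 section 3.2.1: the universal/local
    bit is cleared to mark it as locally generated, the remaining 63 bits are random."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def build_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Join a /64 prefix with an 8-byte interface identifier into a full IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("expected a /64 prefix and an 8-byte interface identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


# Constructed sample values for the demonstration.
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"


def demo() -> dict:
    """Build both address styles for the sample MAC and show what an observer can recover."""
    stable = build_address(SAMPLE_PREFIX, eui64_interface_id(SAMPLE_MAC))
    temp_iid = temporary_interface_id()
    temporary = build_address(SAMPLE_PREFIX, temp_iid)
    return {
        "eui64_address": str(stable),
        "mac_recovered_from_eui64": mac_from_eui64(stable.packed[8:]),
        "temporary_address": str(temporary),
        "mac_recovered_from_temporary": mac_from_eui64(temp_iid),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the EUI-64 address 2001:db8:1:2:21a:2bff:fe3c:4d5e giving the MAC straight back, while the temporary address changes on every run and reveals nothing. Note that the privacy extension only hides the hardware identifier inside the address; the /64 prefix, and everything a network operator can see about the traffic itself, are unchanged, which is why the paragraph asks whether the mechanism matters under a monitoring regime at all.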
Preface
The trend of policy enforcement in China is eager to enhance the existing cyber security and governance of the country. Our focus in this discussion is purely on IT operations and information security, so we will not speculate about any other background.
Censorship in the People’s Republic of China: legal basis and regulations
As usual, each country maintains its own regulations and viewpoint in order to enhance governance within its borders. It seems there is no way to refuse, since you are entitled to enjoy the social benefits of that country, including its environment and culture, and therefore individuals have an obligation to follow the law and regulations.
An official announcement of new regulations brings misgivings to business industries, especially technology units.
Cryptographic techniques are implemented across all business industries nowadays, especially banking and finance, publishing, pharmaceuticals and manufacturing. To fulfil company cost-saving plans, IPsec site-to-site VPN tunnel deployment is in high demand, since it is easy to set up once a firewall and Internet connectivity are ready. However, this method does not comply with China’s regulations so far. Perhaps in the last few years the Chinese government did not proactively enforce the regulation, and this led the world to believe that it is the appropriate data communication method for cross-border connectivity in China.
The Internet Security Law of the People’s Republic of China leaves foreign IT departments hovering!
The new cyber security law was announced on 1st June 2017. Article 5 appears to carry powerful privileges, which gives solicitors and data privacy experts a headache! Let’s take a closer look at Article 5 (see below).
Article 5 The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.
Technical viewpoint: even if your web hosting is not located in the Greater China area, once there is one endpoint located in Greater China, the computer owner is required to follow the new law.
What’s the status today?
Popular personal VPN client service providers have all been blocked. The government’s objective is to prevent what the Chinese term 翻牆 describes: climbing over the wall, that is, passing through the firewall. As of today, WhatsApp Messenger cannot be used in China. Experts speculated that a major Communist Party gathering next month is the reason the Chinese government is now tightening censorship activities; the speculation makes sense! The next action is to block unauthorized internet VPNs from 2018.
Let’s review the implementation timetable.
Hint! Short-cut information for CIOs, CTOs and CISOs
As of today, a total of three telecommunications vendors are authorized to run internet private circuits in China (see below). An internet private circuit here means MPLS rather than an IPsec VPN.
- China telecom
- China Unicom
- China Mobile
For data encryption products, there is no solid guideline yet, since the approved product list does not appear to have been published.
Summary:
China has launched a 14-month nationwide campaign against unauthorized internet connections, including VPN services (IPsec site-to-site and VPN client) used to bypass the country firewall (the Great Firewall). The “cleanup” activities will run until March 2018. As such, it is hard to draw a summary at the moment.
Reference:
Greater China – New version of cyber security law with effective 1st June 2017
China ban VPN connectivity – current status Aug 2017
Preface:
The objective of the Chinese government’s ban on VPN connectivity is to control its national internet, free from undue foreign influence.
Schedules (Milestone)
Action 1 – China Government Seeks Public Comments on the Cryptography Law (May 2017)
Action 2 – Telecommunication service providers, including China Mobile, China Unicom and China Telecom, are to bar people from using personal VPNs with effect from Feb 2018. This is a mandatory action.
Action 3 – An official announcement of new cybersecurity regulation, especially on Virtual Private Network connectivity (see below for reference), with effect from 1 June 2017.
Act: The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.
Action 4 – Green VPN, a China-based VPN service mainly used by native Chinese users to bypass the Great Firewall, was shut down in Jul 2017.
Action 5 – Apple removed VPN apps from China’s App Store.
Action 6 – China moves to block internet VPNs from 2018.
Current VPN activities in China
The latest crackdown is focused on individuals, which means companies and other organizations will still be able to access VPNs or VPN-like services as long as they are registered.
Great Wall (China Firewall) responsibility
Denies internet connectivity to Facebook, Twitter, YouTube, and Instagram. The newly blocked sources include the New York Times and the Wall Street Journal, along with sites such as Google Scholar.
Next Step
1. All internet users in China go online using services run by the state-owned carriers.
2. Forcing companies to store information within the mainland.
3. The government has ordered China’s three telecommunications companies to completely block access to virtual private networks, or VPNs, by February 2018. Those who require VPN functionality must apply for a registration licence.
Highlight – Major objective of new cyber security regulation
Forcing companies to store information within the mainland.
The list of electronic certification service vendors (approved by the Chinese government) is displayed below:
List of electronic certification service providers licensed to use cryptography (电子认证服务使用密码许可单位名录), as of 15 December 2016.