Opinions Concerning Strengthening Information Security Protection Work

Published

September 7, 2003


NOTE: This translation was originally published on the China Copyright and Media blog, a project of DigiChina’s Prof. Rogier Creemers of the University of Leiden. It has not been edited, double-checked, or standardized with DigiChina’s original content.

State Informatization Leading Group Opinions Concerning Strengthening Information Security Protection Work (ZBF No. [2003]27)

Following the rapid development of science and technology worldwide and the broad application of information technology, and especially the comprehensive acceleration of our country’s national economic and social informatization process, the foundational and comprehensive role of networks and information systems is strengthening daily, and information security has become an important component part of national security. In recent years, under the leadership of the Party Centre and the State Council, our country’s information security protection work has seen clear achievements: a batch of information security infrastructure has been built and Internet information content security management has been strengthened, playing an important role in safeguarding national security and social stability, and in ensuring and stimulating the healthy development of informatization construction.

But it must also be recognized that several problems that urgently require resolution still exist in our country’s information security protection work: the protection level of networks and information systems is not high, and emergency response capabilities are not strong; information security management and technology talent is lacking, critical technology is on the whole still relatively backward, and the industry lacks core competitiveness; information security laws, regulations and standards are not perfected; the information security awareness of the entire society is not strong, and information security management is weak. At the same time, the dissemination of harmful information online, virus intrusions and cyberattacks are growing more serious by the day, online loss and leakage of secret information occurs repeatedly, cybercrime displays a trend of rapid increase, and attacks and destructive activities by domestic and foreign hostile forces against radio and television satellites, cable television and terrestrial networks, as well as their use of information networks to conduct reactionary propaganda, are growing more brazen by the day, gravely harming the public interest and national security, and affecting the healthy development of our country’s informatization construction. As our country’s informatization progressively advances, and especially as the Internet is broadly applied, information security will face still more new challenges. In order to further raise the capability and level of information security protection work, safeguard the public interest and national security, and stimulate the healthy development of informatization construction, the following Opinions are hereby put forward.

I, Strengthening information security protection work: overall requirements and main principles

The overall requirements for strengthening information security protection work are: persist in the policy of active defence and comprehensive prevention, comprehensively raise information security protection capabilities, focus on ensuring the security of basic information networks and important information systems, create a secure and healthy online environment, ensure and stimulate the development of informatization, protect the public interest and safeguard national security.

The main principles of strengthening information security protection work are: base ourselves on national circumstances and put ourselves central, persisting in stressing management and technology equally; correctly handle the relationship between security and development, ensuring development through security and seeking security in development; plan comprehensively, highlight priorities and strengthen fundamental work; clarify the responsibilities and duties of the State, enterprises and individuals, fully give rein to the vigour of all sides, and jointly build a national information security protection system.

II, Implementing multi-level protection for information security

Different stages of informatization development and different information systems have different security requirements; we must start from reality, comprehensively weigh the costs and risks of security, optimize the allocation of information security resources, and guarantee priorities. We must focus on protecting basic information networks and important information systems related to national security, the lifelines of the economy, social stability and other such areas, grasp the establishment of a multi-level protection system for information security, and formulate management rules and technical guidelines for multi-level protection of information security. We must pay high regard to information security risk assessment work, analyse and assess the latent threats, weak segments, protection measures, etc. concerning network and information system security, comprehensively consider the importance of networks and information systems, the degree to which they involve secret information, the information security risks they face and other such factors, and conduct security construction and management at the corresponding level. Information systems involving State secrets must be protected according to the relevant secrecy-protection regulations of the Party and the State.

III, Strengthening the construction of information protection and network trust systems based on cryptographic technology

We must give full rein to the important role of cryptography in ensuring e-government and e-commerce security, protecting citizens’ personal information and other such areas. According to the principles of satisfying demand, convenient use and strengthened management, further perfect cryptography management regulations, and establish and complete cryptography management structures suited to the development of informatization. We must strengthen the development and use of cryptographic technology, and establish scientific key management systems. We must establish coordinated management mechanisms, and standardize and strengthen the construction of a network trust system with identity authentication, authorization management and responsibility determination as its main contents.

IV, Constructing and perfecting information security monitoring systems

Information security monitoring is an important means to timely discover and deal with cyberattacks, prevent the dissemination of harmful information, and protect networks and systems. The operating work units of basic information networks and the competent departments or operating work units of all important information systems must, on the basis of the actual situation, establish and perfect information security monitoring systems, raise their capability to prevent cyberattacks, virus intrusions and online theft or leakage of secrets, and prevent the dissemination of harmful information. The State comprehensively plans and constructs a national information security monitoring system, to provide technical support according to the law for strengthening information content security management, investigating and prosecuting unlawful and criminal acts, preventing cyberattacks, virus intrusions and online theft or leakage of secrets, and other such work.

V, Paying high regard to information security emergency response work

The State and all sectors of society must give full regard to information security emergency response work. We must further perfect the State’s information security emergency response coordination mechanism, establish and complete command and dispatch mechanisms as well as information security reporting structures, and strengthen the emergency handling of information security incidents. The construction of all basic information networks and important information systems must fully consider survivability and disaster recovery, and emergency response plans for information security must be formulated and continuously perfected. Disaster back-up construction must start from reality; resource sharing and mutual back-up are advocated. We must strengthen the construction of information security emergency support and service teams, encourage social forces to participate in the construction of disaster back-up facilities and the provision of technical services, and raise information security emergency response capabilities.

VI, Strengthening information security technology research and development, promoting information security industry development

We must adopt vigorous measures, organize and mobilize forces on all sides, closely track the development of advanced technology worldwide, strengthen research and development of critical information security technologies and related core technologies, raise indigenous innovation capabilities, stimulate technology transfer and accelerate the process of industrialization. We must concentrate forces and strengthen research and development of critical and related technologies such as cryptographic technology, secure isolation and auditing, virus prevention, network supervision and management, detection and emergency response, information security testing and assessment, forensics, and satellite attack defence. We must strengthen research into security and controllability technologies for imported information technology products, and pay attention to researching the information security problems that applying new technologies and new business models may bring. We must pay high regard to researching information security technologies applied on the Internet, to ensure the healthy development of the Internet.

Persist in the integration of government guidance with market mechanisms, promote the development of our country’s information security industry, and progressively create a structure in which basic information networks and important information systems are mainly composed of indigenous and controllable equipment. Informatization projects constructed with State financial funds must adopt domestically produced software, equipment and services according to the provisions of the “Government Procurement Law of the People’s Republic of China”. We must advance certification and accreditation work, and standardize and strengthen information security product testing and certification. Establish and complete an information security market service system, and create a favourable market environment for the development of our country’s information security industry.

VII, Strengthening the construction of the information security legal system and of standardization

Persist in ensuring and stimulating the healthy development of informatization according to the law, and standardize online conduct and safeguard online order strictly according to existing laws and regulations. We must strengthen information security theory and strategy research, grasp the research and drafting of an “Information Security Law”, establish and perfect information security legal structures, and clarify the responsibilities and duties of all sectors of society in ensuring information security. We must vigorously participate in the formulation of international information network rules, and carry out international judicial assistance involving information networks. We must pay high regard to the construction of information security law enforcement teams, and strengthen the attack on unlawful and criminal activities that use networks to disseminate harmful information or harm the public interest and national security.

We must strengthen information security standardization work, grasp the formulation of urgently needed information security management and technology standards, and create an information security standards system with Chinese characteristics that is linked to international standards. We must pay high regard to the implementation of information security standards, fully giving rein to their fundamental and normative role.

VIII, Accelerating the training of information security talent, and strengthening information security awareness among the entire people

Strengthening information security protection work requires a batch of high-quality information security management and technology talent. We must strengthen the construction of information security disciplines, specialities and training bodies, and accelerate the training of information security talent. We must adopt vigorous measures to attract and make good use of high-quality information security management and technology personnel.

Strengthen the construction of information security propaganda and education and of online civilization. We must forcefully disseminate basic knowledge and basic skills concerning information security, and pay high regard to the information security training of leading cadres at all levels. We must launch information security education and legal and regulatory education among the whole of society and especially among the young, and strengthen the information security awareness of the entire people, so that they consciously regulate their online behaviour.

IX, Ensuring information security funds

Information security construction is an organic component part of informatization, and must be planned and constructed simultaneously with informatization. All localities and all departments must, in informatization construction, simultaneously consider information security construction, and ensure funds for the operation and maintenance of information security facilities. The State focuses on supporting basic information security work and infrastructure construction, and increases financial input into research on the critical technologies of the information security protection system; at the same time, it must strengthen the tapping, use and integration of existing funds, and fully give rein to the usage effect of information security protection funds.

X, Strengthening leadership over information security protection work, establishing and completing an information security management responsibility system

Information security protection work is a long-term task affecting the entire picture of national economic and social informatization. Party Committees and governments at all levels must fully understand the importance and urgency of strengthening information security protection work, pay high regard to it, and realistically strengthen leadership over it. In the process of advancing informatization, we must always persist in grasping informatization development with one hand and information security protection work with the other. We must firmly grasp the establishment and completion of information security management structures, clarify the leaders in charge, implement departmental responsibilities, ensure that each performs its own duties, and grasp these matters permanently without slackening.

We must establish and implement an information security management responsibility system. The security management of public telecommunications networks, radio and television transmission networks and other such basic information networks will be the responsibility of the Ministry of Information Industry and the State Administration of Radio, Film and Television respectively. The security construction and management of all important information systems will, according to the requirement that whoever is in charge is responsible and whoever operates is responsible, be the responsibility of the respective competent departments and operating work units. All kinds of unlawful and criminal activity that destroys basic information networks or uses networks to disseminate harmful information, harming the public interest and national security, will be investigated, prosecuted and attacked by the public security and State security departments on the basis of their respective divisions of duties. The relevant departments of Central and State bodies must, according to their division of functions, coordinate and cooperate, and realistically perform their information security management duties. The National Network and Information Security Coordination Group must do the comprehensive coordination work for national information security protection well.

All localities and all departments must, on the basis of the spirit of these Opinions and integrating their actual situation, formulate implementation plans, and satisfactorily implement information security protection work.

Military information security protection work will be regulated by the Central Military Commission.