Interesting People mailing list archives

P. R. China Computer Security Rules (long) [a known contributor who wishes to remain anonymous -- f


From: David Farber <>
Date: Sat, 2 Apr 1994 10:26:19 -0500

from: [a known contributor who wishes to remain anonymous ]


connection to the Internet (CHINANET; sub CHINANET to
LISTSERV () TAMVM1 TAMU EDU).


The Chinese have named their new project to connect China to the Internet the
"Golden Bridge" project.  The following document purports to be the newly
developed "PRC Regulations on Safeguarding Computer Information Systems."  It
seems quite appropriate for RISKS.


As you read this, keep in mind that 1) in China accused persons are guilty
until proven innocent; 2) laws referred to in the document as ones applying in
certain circumstances are often harsh, subject to change without notice, and
so vaguely worded as to make easy the prosecutor's job, not of proving guilt
(not necessary), but of arguing why the penalty should be maximized; 3) the
"Public Security" laws referred to are the same laws that stipulate that the
families of serious offenders will be billed for the single bullet used in
judgement; 4) certain concepts (virus, special security products) are either
poorly defined or all inclusive; 5) in China when there is doubt as to the
legality of any particular act, illegality is assumed (this is important not
only in court, but also in normal life, where people tend to be more
conservative in part because of it.)


As we welcome this brave new domain into our net.universe, it will be
interesting, and perhaps surprising at times, to see how another set of
explorers on the electronic frontier are approaching the flow of information.
Golden Bridge, indeed.  As read, sending email without filing a customs
declaration, or accepting a shareware registration for an anti-virus product
could both be construed as being illegal.  There's a lot of room for
improvement here, imho.


===============================================================
P.R.C. Regulations on Safeguarding Computer Information Systems
===============================================================


Source: Beijing XINHUA Domestic Service in Chinese, February 23, 1994
From: john () jho com (John Ho), Asia Online


Chapter I. General Provisions


Article 1. These regulations have been formulated to safeguard computer
information systems, to promote the application and development of computers,
and to ensure smooth progress in socialist modernization.


Article 2. The computer information systems referred to in these regulations
are man-machine systems, composed of computers and their allied and peripheral
equipment and facilities (including networks), that collect, process, store,
transmit, and retrieve information according to prescribed goals and rules of
application.


Article 3. In safeguarding computer information systems, measures shall be
taken to secure computers, allied and peripheral equipment and facilities
(including networks), the operating environment, and data, as well as to
ensure the normal functioning of computers, so as to safeguard the safe
operation of computer information systems.


Article 4. In safeguarding computer information systems, priority shall be
given to the security of computer systems containing data on such important
areas as state affairs, economic construction, national defense, and
state-of-the-art science and technology.


Article 5. These regulations shall apply to safeguarding computer information
systems within the PRC's borders.


Measures for safeguarding microcomputers that have not been hooked up shall be
enacted separately.


Article 6. The Ministry of Public Security shall be in charge of safeguarding
computer information systems.


The Ministry of State Security, the State Secrecy Bureau, and relevant State
Council departments shall carry out work pertaining to safeguarding computer
information systems within the lines of authority prescribed by the State
Council.


Article 7. No organization or individual may use computer information
systems to engage in activities that endanger national or collective
interests, as well as the legitimate interests of citizens; they
may not jeopardize computer information systems.


Chapter II. The Safeguards System


Article 8. Computer information systems shall be established and applied in
accordance with laws, administrative rules, and relevant state provisions.


Article 9. Computer information systems shall be protected on the basis of
security grades. The Ministry of Public Security, in conjunction with relevant
departments, shall establish security grades and formulate specific measures
for protection based on such grades.


Article 10. Computer rooms shall conform to state norms and relevant state
provisions.


No work may be carried out in the vicinity of computer rooms that jeopardizes
computer information systems.


Article 11. Units using internationally networked computer information systems
shall register their systems with the public security departments of people's
governments at or above the provincial level.


Article 12. Individuals who ship, bring, or mail computer information media
into or out of the country shall file truthful declarations with the customs
authorities.


Article 13. Units that use computer information systems shall establish
security management systems and assume responsibility for safeguarding their
computer information systems.


Article 14. Units that use computer information systems shall report any
incidents relating to their systems to the public security departments of
local people's governments at or above the county level within 24 hours of the
incidents.


Article 15. The Ministry of Public Security shall exercise centralized
management over research into the control and prevention of computer viruses
and other harmful data that jeopardizes public security.


Article 16. The state shall implement a licensing system for the sale of
special safety products for computer information systems.  The Ministry of
Public Security shall enact specific measures in conjunction with relevant
departments.


Chapter III. Supervision Over Security


Article 17. Public security organs shall perform the following functions to
supervise efforts to safeguard computer information systems:


(1) Supervising, inspecting, and guiding the work of safeguarding computer
information systems;


(2) Investigating and dealing with illegal and criminal cases involving the
endangerment of computer information systems; and


(3) Other supervisory functions with regard to safeguarding computer
information systems.


Article 18. Upon detecting latent hazards in computer information systems,
public security organs shall promptly advise the units that use such systems
to institute safety measures.


Article 19. Under urgent circumstances, the Ministry of Public Security may
issue special circulars on specific security aspects of computer information
systems.


Chapter IV. Legal Responsibilities


Article 20. In the event of any of the following violations of the provisions
in these regulations, public security organs shall issue warnings or shut down
the computers for screening purposes:


(1) Contravening the system for protecting computer information systems based
on security grades and jeopardizing computer information systems;


(2) Violating the registration system for internationally networked computer
information systems;


(3) Failing to report incidents related to computer information systems within
the prescribed time frames;


(4) Failing to take remedial action within the prescribed time after receiving
notification from public security organs mandating security improvement
measures;


(5) Other actions endangering computer information systems.


Article 21. Public security organs, in conjunction with relevant units, shall
deal with cases in which computer rooms do not conform to state norms or
relevant state provisions, or in which work carried out in the vicinity of
computer rooms endangers computer information systems.


Article 22. The customs authorities shall deal with failure to file truthful
declarations on computer information media shipped, brought, or mailed into or
out of the country, pursuant to the "PRC Customs Law" and the provisions
outlined in these regulations and other laws and regulations.


Article 23. Public security organs shall issue warnings or impose fines of not
more than 5,000 yuan and 15,000 yuan, respectively, on individuals or units if
computer viruses or other data harmful to computer information systems are
deliberately input into such systems, or if special safety products for
computer information systems are sold without permission. They shall
confiscate illegal proceeds and impose a fine that is 100 or 300 percent more
than the sum of such proceeds.


Article 24. Actions that violate the provisions in these regulations and
constitute infractions of public security shall be punished pursuant to
relevant provisions in the "PRC Regulations on Security Administration and
Punishment"; if the actions constitute a crime, criminal responsibilities
shall be investigated.


Article 25. Any organization or individual who inflicts property losses on the
state, collectives, or other individuals in violation of the provisions in
these regulations shall assume civil responsibility in accordance with the
law.


Article 26. Interested parties who are dissatisfied with specific
administrative actions carried out by public security organs pursuant to these
regulations may apply for administrative reconsideration in accordance with
the law or file administrative lawsuits.


Article 27. Government functionaries who abuse their power to demand and take
bribes or commit other illegal or delinquent acts while enforcing these
regulations shall be punishable on criminal grounds if their actions
constitute crimes or given disciplinary actions if their actions do not
constitute crimes.


Chapter V. Supplementary Provisions


Article 28. The meanings of terms used in these regulations are defined as
follows:


Computer viruses mean a set of self-replicating computer commands or
programming codes inserted during the course of programming or into computer
programs that can impair computer functions, destroy data, or affect computer
use.


Special safety products for computer information systems mean special hardware
and software products for use in safeguarding computer information systems.


Article 29. Military-related computer information systems shall be safeguarded
in accordance with relevant military laws and regulations.


Article 30. The Ministry of Public Security may formulate implementation
measures in accordance with these regulations.


Article 31. These regulations shall take effect upon promulgation.

