P. R. China Computer Security Rules

PRC Regulations on Safeguarding Computer Information Systems

The Chinese have named their new project to connect China to the Internet the "Golden Bridge" project. The following document purports to be the newly developed "PRC Regulations on Safeguarding Computer Information Systems."

As you read this, keep in mind that

1) in China accused persons are guilty until proven innocent;
2) laws referred to in the document as ones applying in certain circumstances are often harsh, subject to change without notice, and so vaguely worded as to make easy the prosecutor's job, not of proving guilt (not necessary), but of arguing why the penalty should be maximized;
3) the "Public Security" laws referred to are the same laws that stipulate that the families of serious offenders will be billed for the single bullet used in judgement;
4) certain concepts (virus, special security products) are either poorly defined or all inclusive;
5) in China when there is doubt as to the legality of any particular act, illegality is assumed (this is important not only in court, but also in normal life, where people tend to be more conservative in part because of it.)

P.R.C. Regulations on Safeguarding Computer Information Systems

Source: Beijing XINHUA Domestic Service in Chinese, February 23, 1994 From: john@jho.com (John Ho), Asia Online

Chapter I. General Provisions

Article 1. These regulations have been formulated to safeguard computer information systems, to promote the application and development of computers, and to ensure smooth progress in socialist modernization.

Article 2. The computer information systems referred to in these regulations are man-machine systems, composed of computers and their allied and peripheral equipment and facilities (including networks), that collect, process, store, transmit, and retrieve information according to prescribed goals and rules of application.

Article 3. In safeguarding computer information systems, measures shall be taken to secure computers, allied and peripheral equipment and facilities (including networks), the operating environment, and data, as well as to ensure the normal functioning of computers, so as to safeguard the safe operation of computer information systems .

Article 4. In safeguarding computer information systems, priority shall be given to the security of computer systems containing data on such important areas as state affairs, economic construction, national defense, and state-of-the-art science and technology.

Article 5. These regulations shall apply to safeguarding computer information systems within the PRC's borders.

Measures for safeguarding microcomputers that have not been hooked up shall be enacted separately.

Article 6. The Ministry of Public Security shall be in charge of safeguarding computer information systems.

The Ministry of State Security, the State Secrecy Bureau, and relevant State Council departments shall carry out work pertaining to safeguarding computer information systems within the lines of authority prescribed by the State Council.

Article 7. No organization or individual may use computer information systems to engage in activities that endanger national or collective interests, as well as the legitimate interests of citizens; they may not jeopardize computer information systems.

Chapter II. The Safeguards System

Article 8. Computer information systems shall be established and applied in accordance with laws, administrative rules, and relevant state provisions.

Article 9. Computer information systems shall be protected on the basis of security grades. The Ministry of Public Security, in conjunction with relevant departments, shall establish security grades and formulate specific measures for protection based on such grades.

Article 10. Computer rooms shall conform to state norms and relevant state provisions.

No work may be carried out in the vicinity of computer rooms that jeopardizes computer information systems.

Article 11. Units using internationally networked computer information systems shall register their systems with the public security departments of people's governments at or above the provincial level.

Article 12. Individuals who ship, bring, or mail computer information media into or out of the country shall file truthful declarations with the customs authorities.

Article 13. Units that use computer information systems shall establish security management systems and assume responsibility for safeguarding their computer information systems.

Article 14. Units that use computer information systems shall report any incidents relating to their systems to the public security departments of local people's governments at or above the county level within 24 hours of the incidents.

Article 15. The Ministry of Public Security shall exercise centralized management over research into the control and prevention of computer viruses and other harmful data that jeopardizes public security.

Article 16, The state shall implement a licensing system for the sale of special safety products for computer information systems. The Ministry of Public Security shall enact specific measures in conjunction with relevant departments.

Chapter III. Supervision Over Security

Article 17. Public security organs shall perform the following functions to supervise efforts to safeguard computer information systems:

(1) Supervising, inspecting, and guiding the work of safeguarding computer information systems;

(2) Investigating and dealing with illegal and criminal cases involving the endangerment of computer information systems; and

(3) Other supervisory functions with regard to safeguarding computer information systems.

Article 18. Upon detecting latent hazards in computer information systems, public security organs shall promptly advise the units that use such systems to institute safety measures.

Article 19. Under urgent circumstances, the Ministry of Public Security may issue special circulars on specific security aspects of computer information systems.

Chapter IV. Legal Responsibilities

Article 20. In the event of any of the following violations of the provisions in these regulations, public security organs shall issue warnings or shut down the computers for screening purposes:

(1) Contravening the system for protecting computer information systems based on security grades and jeopardizing computer information systems;

(2) Violating the registration system for internationally networked computer information systems;

(3) Failing to report incidents related to computer information systems within the prescribed time frames;

(4) Failing to take remedial action within the prescribed time after receiving notification from public security organs mandating security improvement measures;

(5) Other actions endangering computer information systems.

Article 21. Public security organs, in conjunction with relevant units, shall deal with cases in which computer rooms do not conform to state norms or relevant state provisions, or in which work carried out in the vicinity of computer rooms endangers computer information systems.

Article 22. The customs authorities shall deal with failure to file truthful declarations on computer information media shipped, brought, or mailed into or out of the country, pursuant to the "PRC Customs Law" and the provisions outlined in these regulations and other laws and regulations.

Article 23. Public security organs shall issue warnings or impose fines of not more than 5,000 yuan and 15,000 yuan, respectively, on individuals or units if computer viruses or other data harmful to computer information systems are deliberately input into such systems, or if special safety products for computer information systems are sold without permission. They shall confiscate illegal proceeds and impose a fine that is 100 or 300 percent more than the sum of such proceeds.

Article 24. Actions that violate the provisions in these regulations and constitute infractions of public security shall be punished pursuant to relevant provisions in the "PRC Regulations on Security Administration and Punishment"; if the actions constitute a crime, criminal responsibilities shall be investigated.

Article 25. Any organization or individual who inflicts property losses on the state, collectives, or other individuals in violation of the provisions in these regulations shall assume civil responsibility in accordance with the law.

Article 26. Interested parties who are dissatisfied with specific administrative actions carried out by public security organs pursuant to these regulations may apply for administrative reconsideration in accordance with the law or file administrative lawsuits.

Article 27. Government functionaries who abuse their power to demand and take bribes or commit other illegal or delinquent acts while enforcing these regulations shall be punishable on criminal grounds if their actions constitute crimes or given disciplinary actions if their actions do not constitute crimes.

Chapter V. Supplementary Provisions

Article 28. The meanings of terms used in these regulations are defined as follows:

Computer viruses mean a set of self-replicating computer commands or programming codes inserted during the course of programming or into computer programs that can impair computer functions, destroy data, or affect computer use.

Special safety products for computer information systems mean special hardware and software products for use in safeguarding computer information systems.

Article 29. Military-related computer information systems shall be safeguarded in accordance with relevant military laws and regulations.

Article 30. The Ministry of Public Security may formulate implementation measures in accordance with these regulations.

Article 31. These regulations shall take effect upon promulgation.

Source:
From: farber@central.cis.upenn.edu (David Farber)
Subject: P. R. China Computer Security Rules (long)
from: [a known contributor who wishes to remain anonymous ]


Return to the World Codes Index Page