China’s top legislature has voted to adopt a national law on cryptography. Lawmakers approved the law at the closing meeting of a bimonthly session of the Standing Committee of the National People’s Congress (NPC), after a second review.
The law will take effect on January 1, 2020. The enactment of the law was necessary for regulating the utilisation and management of cryptography, facilitating the development of the cryptography business and ensuring the security of cyberspace and information, according to the NPC Constitution and Law Committee, Xinhua news agency has reported.
According to the law, the state encourages and supports research into and application of cryptographic science and technology, and protects intellectual property rights in cryptography. The law underlines the training of talent in cryptography and says that those who make outstanding contributions to work on cryptography can receive awards.
The law classifies cryptography into core, common and commercial cryptography. Strictly managed by authorities in cryptography, core and common cryptography are used to protect the country’s confidential information, and are state secrets.
The law stipulates that confidential information of the state transmitted via wire and wireless communications, and information systems storing and disposing of such confidential information, must use core and common cryptography for their encrypted protection and security certification.
Institutions whose work is related to cryptography must set up management systems to ensure the security of core and common cryptography. Response measures should be taken as soon as risks concerning the security of such cryptography are spotted.
The law also urges the establishment of sound and rigorous supervision and security examination systems at cryptography authorities and institutions to oversee their personnel’s observance of laws and discipline.
Commercial cryptography is for the protection of information that is not a state secret, and can be used by citizens, legal persons and organisations in accordance with the law to ensure the security of cyberspace and information.
According to the provisions, the country encourages research, academic exchanges, conversion of academic achievements and application of commercial cryptography technologies, but the scientific research, production, sales, service, import and export of commercial cryptography must not harm state security, public interests or other people’s rights and interests.
On the authentication of commercial cryptography, the law states that the relevant provisions of the Cybersecurity Law apply.
In addition, cryptography management departments, relevant departments and their personnel must not ask practitioners in commercial cryptography to disclose to them exclusive information related to the cryptography such as source codes, and must keep the business secrets and privacy they get in their duties strictly confidential.
The law also features a chapter on the legal liability related to misconduct concerning cryptography.
For instance, those who steal others’ encrypted information, hack into others’ cryptography security systems or use cryptography to engage in illegal activities that harm state security, public interests or others’ rights and interests will be held accountable under the Cybersecurity Law and other laws and regulations.
Those who spot risks concerning the security of core and common cryptography but do not take response measures or do not report them in time will be punished.
Moreover, those who sell or provide commercial cryptography products and services that have not been examined or authenticated, or that fail either procedure, will also be warned, fined or have their illicit gains confiscated.