The following article is based on a translation of a post that appeared first in Chinese on Hong Kong citizen media outlet inmediahk.net.
Macau, a former Portuguese colony and a special administrative region on the south coast of China, has begun public consultations on a proposed Cybersecurity Law.
The Macau government is proposing the legislation in an effort to ensure the “security of network communications.” The law would establish a local cybersecurity standing committee and a cybersecurity center which would monitor online information flows in binary code to keep track of and investigate future cyber attacks. The center would coordinate with government departments to supervise and implement protection procedures for companies in 11 crucial sectors, including internet operators, media organizations, water and energy suppliers, financial and banking companies, gambling companies and medical institutions, among others.
The law would also obligate telecommunication operators and internet service providers (ISPs) to implement a real-name registration system, in which all users would be required to be fully identified in all their online activities. The law would require ISPs to keep users’ online activity logs for at least one year.
Various critics say the proposed law will do much more to provide a legal framework for mass surveillance than to improve network security.
To look into the rationale behind the legislation, the Chinese Q&A news team interviewed a senior information security analyst who works in one of the 11 crucial sectors listed in the consultation document, to get an insider's perspective.
Q: Have any hacking incidents taken place in Macau in the past few years? Does the information security sector find it necessary to set up a mechanism for monitoring data flows?
A: There haven’t been any major hacking incidents [affecting public security] in Macau in recent years; neither the public nor the public sector has been attacked by hackers. (The WannaCry kind of ransomware is not a target-specific attack.)
[Editor’s note: According to media reports, apart from the WannaCry ransomware, a Macau ISP operator was hacked in January 2013, but only 34 clients’ information was stolen. This, however, was not considered a serious security breach.]
There is no need to set up a mechanism for monitoring data flows. If we have to monitor data flows, we have to record and analyze all of the data, much like immigration officers unpacking travelers’ baggage. Moreover, this type of monitoring system cannot prevent a cyber attack.
To take it a bit further, here are the two most common forms of cyber attack:
1. Distributed Denial of Service (DDoS) attack: A massive DDoS would produce a tremendous amount of data. Recording the data flow would require a huge storage space and a good deal of manpower. In other words, you can’t possibly monitor data flows in a DDoS attack.
2. Hacking of websites and private networks: In the case of a targeted hacking attack, the incident response team of the cybersecurity center would have to get evidence from the server under attack. Of course, evidence can be obtained from a network facility. However, recording and unpacking all the data packets on the network is a very ineffective way of gathering evidence in the investigation of a cyber attack.
On the other hand, the data flow monitoring mechanism is effective for keyword filtering. For example, when a data packet contains a keyword like “Vindication of June 4”, the monitoring system can send out an alert. But this is not a network security measure — it looks much more like internet censorship, in the style of mainland China.
Q: The proposed Cybersecurity Law will affect the 11 crucial sectors the most. Has the commercial sector submitted any opinion so far?
A: Commercial sector representatives are still in the process of understanding the content of the proposal. For example, the proposal mentioned that operators of the 11 crucial sectors have to hand in a network security report, but it did not mention what should be included in the report. It also said that operators should conduct a qualification and professional background check when appointing key positions. But what do they mean by “qualification”? Should the employees obtain a license from China’s Ministry of Industry and Information? And what is the meaning of “background check”? Do they need to prove that they love China and Macau? These are major concerns from the information security sector.
Q: Has there been any consultation on the listing of 11 businesses as crucial sectors?
A: There was no consultation among the business sector. The proposal was released on 8 December 2017 without prior notification and we had just one week to prepare for the consultation, which made it a very rushed process.
Q: For the IT sector, what kind of mechanism is more reasonable?
A: As a cybersecurity worker, I don’t think the proposed cybersecurity management framework is capable of maintaining what the draft proposes, which is a “three-level monitoring system that involves top [government authorities] and bottom [business operators] who will integrate strategy and implementation in an organic manner”. On the contrary, the framework will obstruct cybersecurity work.
From the cybersecurity sector’s viewpoint, policy makers and executive personnel should be familiar enough with the technology in order to integrate strategy and implementation in an organic manner.
In the so-called three-level cybersecurity management framework, the business operators would be supervised by government administrative bodies.
Would the government authorities have the ability [i.e. technical know-how] to supervise and protect network safety or assist the business operators to defend against cyber attacks? Why not set up an independent department with professional knowledge to manage the cybersecurity work?
Q: Would the proposed law, such as the policy of SIM card real name registration, affect the economic interest of the business sectors, in particular the gambling, media and ISP sectors?
A: First, regarding real-name registration of SIM cards, the policy would have little effect on the gambling and ISP sectors. Currently when applying for service, users have to provide their identity card or passport for registration. As for media, this is rather sensitive. Reporters’ communication is subjected to wiretapping. If all SIM cards have to be registered with real names, there will be a certain negative impact.
Second, regarding operators’ cybersecurity reports, the content of the reports may involve some business secrets and of course the business sector doesn’t want any third party (including the government) to get hold of their secrets. Would the government allow the operators to submit a security report that hides sensitive and important information?
Third, regarding the duty of cooperators, the proposal mentioned that operators have to allow representatives of the cybersecurity center to enter their facilities and offices and assist their work by providing information and cooperation as requested. Those who cannot fulfill their duties would be seen as violating the administrative regulation and subjected to a MOP$50,000-150,000 fine for a minor offense and a MOP$150,000-5,000,000 fine for a serious offense.
However, if a business is subjected to a cyber attack, the first thing that they do is try to recover the system. In the case of gambling businesses, the security incident would be handled by internal security staff as well as cybersecurity subcontractors who have the most advanced tools and knowledge. Moreover, they have signed an agreement of confidentiality. However, according to the government proposal, the police and the director of Postal and Telecommunication services would be responsible for cybersecurity alerts and prevention measures. For the business sector, of course they would seek help from a professional security team rather than the government authorities. Yet, by doing so, will the business be fined? If the government demands that investigation should come before system recovery, who would cover the loss?
Q: Would the proposed law infringe citizens’ privacy and freedom?
A: It would create a chilling effect for the public. Real-name registration will assist the monitoring of data and people will be worried about the security of private communication. Moreover, currently, ISPs already have the power to monitor our online activities or even intercept the data in the network. With this legislation, such power would be in the hands of the police and people would not know if their communication is being intercepted.