Yan Wangjia, a member of the National Committee of the Chinese People's Political Consultative Conference, submitted five proposals to the two sessions, calling for strengthening information security supervision

[51CTO.com original article] On March 3, the first session of the 13th National Committee of the Chinese People's Political Consultative Conference opened in the Great Hall of the People. In this year's committee channel, many members dared to make "good voices", which attracted widespread social attention during the two sessions. Yan Wangjia, member of the National Committee of the Chinese People's Political Consultative Conference and CEO of Venustech Group, submitted five proposals on the current status of multiple areas of domestic information security.

It is understood that the five proposals are "Proposal on Strengthening Network Security Assessment and Supervision in Smart Cities", "Proposal on Information Security Construction of Industrial Internet", "Proposal on Providing Security Assurance in Promoting IPv6 Applications", "Proposal on Accelerating the Secure Interconnection between Industrial Control Systems and Confidential Information Systems in the Military Industry", and "Proposal on Promoting the Application of Domestic Security Equipment in the Protection of Critical Information Infrastructure".

[[222945]]

In order to allow the public to have a deeper understanding of the background and value of the proposals, four experts from Venustech Group, Zhou Tao, Xie Anming, Zhao Junkai and Meng Yahui, recently accepted an interview with the media and talked about the "stories behind" these proposals.

Who pays for the last mile in the era of big connectivity?

Zhou Tao is the dean and chief researcher of the Venustech Core Research Institute. He told reporters that the reason for submitting the "Proposal on Promoting Security Assurance in the Promotion of IPv6 Applications" was mainly because security vulnerabilities are a common security issue in the software development process. The existing IPv4 protocol stack has been used on a large scale for decades, and new security vulnerabilities are still found in protocol stack software of different types and versions of operating systems. Therefore, it can be inferred that it is a high probability event to find security vulnerabilities related to IPv6 protocol stack software that can cause serious problems. Moreover, due to the differences in the IPv6 protocol format, the application of existing network security equipment to the IPv6 environment requires the replacement of the protocol stack and a lot of testing work, and cannot be directly deployed.

Zhou Tao pointed out that before promoting IPv6 applications on a large scale, the potential security risks brought by the new network architecture should be fully considered, and the government should formulate corresponding measures at the policy and system level to do a good job in risk prevention and response in advance. He suggested taking four measures to eliminate security risks: first, strengthen risk assessment work for institutions deploying IPv6 applications; second, encourage security companies and individuals to explore vulnerabilities in the IPv6 protocol stack; third, strengthen IPv6 security talent training and education; fourth, promote the transition of existing network security equipment to the IPv6 environment as soon as possible.

Smart cities also need a security framework

Among the five proposals, the security of smart cities has attracted more attention. Xie Anming, a researcher at Venustech Core Research Institute, believes that since smart cities contain a large amount of important data related to national security, economic development and social public interests, and involve a large amount of personal information, once a network security problem occurs, extremely serious consequences may occur. "We propose to evaluate and supervise the security of smart cities, which is essentially a kind of control over the situation."

Xie Anming introduced that since most cities are being built by trial and error, many places pay attention to the construction of hardware conditions, but ignore the evaluation of the effect after completion. For this reason, Venustech recommends the establishment of a smart city network security evaluation system, vigorously promote security evaluation work, explore good construction experience, and effectively guide the direction of smart city network security construction; in addition, it is recommended that the government combine laws, regulations, management and technical means to strengthen the security supervision of basic information systems that affect the national economy and people's livelihood.

The reporter learned that Venustech itself is also actively exploring effective means to ensure the security of smart cities. Strengthening unified security supervision functions and building a city network security operation center is a "good prescription" for Venustech. In December 2017, Venustech established its first network security operation center in Chengdu to provide continuous city-level security operation and maintenance capabilities. At the same time, urban network security operation centers have also begun to be built in Jinan, Kunming and other places. In addition, Sanmenxia, ​​Zhengzhou and other places are actively carrying out related work. The construction of a city-level security operation center can establish a network security monitoring, information notification and emergency response mechanism for smart cities, urban clouds, big data centers and other key information infrastructure in cities, and realize "all-weather, all-round" network security situation awareness, operation and maintenance services, and emergency response capabilities.

Break the shackles of secure interconnection of military industrial systems and realize the dream of a strong country as soon as possible

Meng Yahui, technical director of the Industrial Internet Security Department of Venustech Group, revealed that the demonstration, development, and organization and coordination of scientific research and production of weapons and equipment in the military industry basically rely on confidential office networks, but a large number of professional equipment are used in testing, trials, and production, which are basically on the control network. As the requirements for the advancement of weapons and equipment become higher and higher, the military industry needs to connect industrial control systems and confidential office networks to each other in order to enhance the scientific research and production capabilities of my country's weapons and equipment. However, industrial control equipment generally has a long replacement cycle and generally has security defects such as weak passwords and vulnerabilities. After being interconnected, it may bring new information security threats to industrial control systems. Once attacked, it will cause production line damage or reduced production capacity, malicious code implantation in weapons and equipment, and production safety accidents.

She also said that the confidentiality requirements of the military industry's industrial control systems are higher than those of ordinary industrial control systems. The information processed is confidential, but it is difficult to meet the mandatory protection requirements of confidential office systems. Targeted protection measures can only be taken according to the characteristics of its structural functions, but this is not in line with national policies, and military enterprises are at a loss. In order to prevent the production efficiency and production tasks of the military industry from being greatly restricted by the current state, to achieve secure interconnection between systems, and to break through the bottlenecks in the scientific research and production links of weapons and equipment, the "Proposal on Accelerating the Promotion of Secure Interconnection between Industrial Control Systems and Confidential Information Systems in the Military Industry" gave three suggestions: first, it is necessary to clarify the regulatory responsibility subject and responsibility boundary, second, to promote the application of industrial control system security protection technology in the military industry, and to establish an industrial control system information security management mechanism. Finally, Meng Yahui also emphasized that it is necessary to comprehensively improve the actual prevention and control capabilities of security and confidentiality risks of confidential information systems, non-confidential information systems and industrial control systems.

Industrial Internet security requires a two-pronged approach of "policy supervision + security mechanism"

Compared with several other proposals, the "Proposal on the Construction of Industrial Internet Information Security" is more likely to resonate with the public in terms of security. Zhao Junkai, a senior consultant of the Industrial Control Security Department of Venustech, told reporters that the Industrial Internet has broken the traditional closed and high-reliability pattern of industrial control systems, exposing a large number of information security issues in industrial control systems, and the interweaving and amplification of online and offline security risks. The security situation is more complicated, which greatly threatens the security of industrial enterprises, people's livelihood, national economy, and even national development.

Although the industry has generally reached a consensus that security is one of the three major functional systems of the industrial Internet, Zhao Junkai pointed out that the current responsible body for industrial Internet information security supervision is not clear enough, and the existing information security protection technology cannot be fully applied to the industrial Internet environment. The overall security protection capability of the national industrial Internet needs to be strengthened and accelerated. "The industrial Internet is a large category. The most effective approach is to take a two-pronged approach of policy supervision and security mechanisms and build it according to a unified standard." Zhao Junkai revealed that the security group of the Industrial Internet Industry Alliance released a security white paper for the industrial Internet last year, and is now formulating a white paper on the entire security architecture. In the future, it will work with the standard group in the alliance to do standard-level work.

In the proposal, Venustech proposed several solutions to the current security situation. First, it is necessary to clarify the subjects and responsibilities of industrial Internet information security supervision at the national, local and industry levels. Second, it is recommended to formulate new research directions for industrial Internet security technologies and to carry out the construction of industrial Internet information security technology innovation laboratories and demonstration bases. Third, it is recommended to improve the industrial Internet information security product certification and access mechanism and establish a relevant product catalog. Fourth, it is recommended to improve the overall security assurance capabilities of the national industrial Internet.

Accelerate the implementation of domestically produced safety equipment with tax incentives

The "Proposal on Promoting the Application of Domestic Security Equipment in the Protection of Critical Information Infrastructure" was the last proposal that was "approved". Although the demand for the "localization" of domestic security equipment has almost become a "commonplace" topic for many domestic security vendors, this time Venustech has provided a good reference suggestion for specific implementation measures.

Zhou Tao suggested that relevant government departments should introduce tax incentives for key information infrastructure operators to purchase domestic network security equipment, and clarify the network security equipment that enterprises can enjoy tax incentives. The proposal was inspired by the environmental protection industry. In order to improve the ecological environment and save resources, a few years ago, relevant government departments stipulated tax incentives for enterprises to purchase special equipment such as environmental protection, energy conservation and water conservation, and safe production, and issued a corresponding "Special Equipment Catalog" to encourage social enterprises to participate, which received a warm response from enterprises.

He told reporters that during the period of 1999-2011, the government issued the "Interim Measures for Enterprise Income Tax Credits for Investment in Domestic Equipment for Technological Transformation", which stipulated that tax credits be given to enterprises for purchasing domestic production and operation equipment, and the implementation effect was very good. "I believe that such an approach is also applicable to critical information infrastructure and can effectively promote the implementation of domestic security equipment."

Facts have proved that security issues are a major issue related to the national economy and people's livelihood, and the construction of information security cannot be taken lightly. In the eyes of reporters, the five proposals of Venustech not only cover the most important industry security priorities and hot spots that need to be paid attention to nowadays, but more importantly, behind these five proposals is a national enterprise that silently moves forward with security responsibilities. It is hoped that more and more people will join the group, and the day when China will rise as a cybersecurity power will not be far away.

[51CTO original article, please indicate the original author and source as 51CTO.com when reprinting on partner sites]