"Early" and "post -afterwards" of network security: Who needs to be responsible for the use of UFIDA software?

Southern Finance All Media Reporter Wu Liyang Intern Wu Feng Beijing reported

Recently, many social media and security technology communities have claimed to have encountered the ".Locked" suffix to extortion virus attacks. Computer files were encrypted by the virus. ) Unlock.

It is reported that the target of this ransom virus attack is mainly CRM (Customer Relationship Management Customer Relationship Management System) manufacturers, including "UFIDA" and its "Changjietong" management software.

After the incident, Chang Jietong released the vulnerabilities on August 29 and August 30, respectively. It stated in the announcement that the software server that was attacked by the ransom virus "has its own deployment method for customers and does not do the necessary cybersecurity protection."

A number of people and lawyers in the network security industry said in an interview with the 21st Century Business Herald that suppliers and customers usually agreed in the procurement contract for the income and compensation of economic losses in the purchase of software products. In accordance with the current industry practice, when a third party is usually attacked by a third party, the supplier must provide solutions as soon as possible in accordance with the fault treatment, but it usually does not bear the liability for compensation for related losses.

Who is responsible for security loss?

On August 30, the National Information Security Vulnerability Sharing Platform (CNVD) issued a security announcement on the loopholes of arbitrary documents of Changjietong T+software. Ops without identity certification can use vulnerabilities to upload arbitrary files remotely to obtain server control permissions.

The announcement also suggested that the affected units and users immediately upgrade the use of Chang Jietong to the latest version, contact Chang Jietong's technical support, and take temporary preventive measures such as deleting files or confirming whether there are conditions and operation methods to recover data from backup files. Essence

An Changjietong user who was attacked by the ransom and was locked by the file told reporters that in addition to a response below the account of a self -proclaimed Changjietong worker Safety reinforcement, in addition, no official personnel contacted them.

"Related documents need to find a special third -party company to repair 30,000 to 40,000," said the netizen.

Xia Hailong, a lawyer of Shanghai Shenlun Law Firm, said in an interview with a reporter from Southern Finance and Economics that if the user suffers from a third party's malicious invasion system, the invaders should generally bear the relevant legal responsibilities and determine whether the software service provider needs to need Responsibility depends on whether there is a fault.

Wang Xinlei, assistant professor at the School of Law School of Xi'an Jiaotong University, also said that according to Article 1,165 of the Civil Code, if a perpetrators have damaged the civil rights and interests of others due to fault, they shall bear the liability for infringement.

However, he also pointed out that there are many types of legal liability for online attacks such as ransomware, involving civil liability, administrative responsibility, and criminal responsibility. If the network product and services provided by the network product service provider do not meet the standards of safety technology standards, it can be considered that there is a certain mistake to the damage to the infringer, and it may be possible to compensate for it. This process mainly depends on whether network product service providers and users have strictly abide by the security obligations of online product services.

According to the provisions of my country's "Cyber ​​Security Law" and "Data Security Law", when software service providers find that their products have vulnerabilities and security risks, remedial measures should be taken immediately, and users should be told in time and reported to relevant competent departments.

Xia Hailong pointed out that if the software itself has a vulnerability or after the invasion does not take remedial measures in time, the software service provider shall bear certain responsibilities; if the system is invaded because the user fails to properly keep the account and password, the user will then the user will then It cannot only be required to take responsibility for the service provider, but can only be held accountable to the invaders.

"When a cyber attack occurs, the public security network security department will not only trace the attackers, but also check the attacker or product service provider to fulfill the network security obligations according to Article 21 of the Network Security Law." Wang Xinlei Wang Xinlei. It is said that the scope of the inspection is mainly to evaluate whether the relevant parties such as enterprises perform their level protection obligations. If there is an obligation to violate the protection of network security levels, relevant enterprises and their leaders may need to bear administrative responsibility or even criminal responsibility.

However, many practitioners in the network security industry have told reporters that under the background of continuous improvement of supervision requirements and improved corporate compliance awareness, companies whose network security issues occur normally, in addition to reporting to relevant departments in a timely manner, reporting to relevant departments in a timely manner. You only need to perform vulnerabilities as soon as possible without liability for civil compensation.

This is also a common practice in the current industry. A Nanjing network security engineer told reporters that current service providers and customers usually write the responsibilities and obligations required by the two parties in the procurement contract. In accordance with industry practices, in most cases, the losses caused by cyber security attacks are mostly cases. It will be regarded as a failure, and the service provider needs to perform loopholes in a timely manner, but there is no need to compensate the losses caused by the attack.

"As a software service provider, it is really difficult to ensure that your products have no security problems at all. As far as I know, there is no precedent for compensation in the industry." Another coordinator Chengdu's net security practitioners told reporters.

New framework for exploration and governance

With the rapid development of the digital economy, the threat of network security issues on social production and life is becoming more frequent and serious, and the governance framework of network security is also constantly improving. Regulations and measures representing technology, supervision, and standard formulation are continuously landing. On the other hand, the responsibility requirements for the preliminary prevention, mid -term response and later treatment of network security issues are further refined. In July last year, the Ministry of Industry and Information Technology, the National Internet Information Office, and the Ministry of Public Security issued the "Regulations on the Management of Safety Vulnerability of Network Products". Network product providers and network operators were the main subject of their own products and system vulnerabilities. Information receiving channels, timely verify the vulnerability and complete the vulnerability repair. At the same time, the "Regulations" also put forward the specific time limit requirements for loopholes in network product providers, as well as the obligation to provide technical support for product users.

Wang Xinlei pointed out that after the software service provider found that the product has security vulnerabilities, the degree of harm and influence of verification and evaluation vulnerabilities should be fulfilled, and relevant information is submitted to the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology. Three obligations.

In November of the same year, the State Cyber ​​Information Office issued a notice on the "Regulations on the Management of Network Data Security (Draft for Opinions)". Article 44 of the soliciting opinion draft stipulates that the Internet platform operator shall be connected to the third -party product and service of its platform to bear data security management responsibilities. Strengthen data security management and take necessary data security protection measures. Third -party products and services cause damage to users, users can ask for compensation for Internet platform operators first.

Wang Xinlei said that network security regulations such as the "Three Laws and One Regulations" focus on administrative supervision and public interests. In the future, my country will continue to establish and improve supporting laws and regulations on the basis of the "Three Laws and One Regulations" to improve the operability of cyber security regulations. Clarify the responsibility boundary of the stakeholder of the network space.

For example, in the scenic software attacks and other scenarios, through special regulations, judicial interpretation, etc., the corresponding security obligations of attackers, network product service providers and users are clearly allocated according to different errors.

"We also need to improve the legal investigation system of cross -border network crimes, and advocate and promote international cooperation mechanisms to combat cross -border cyber crimes." Wang Xinlei said.

- END -