
Multi-pronged approach required for cyber black and grey governance


Authors: Zhao Jun, Director, 360 Institute of Legal Studies

Zhang Jianxiao, Researcher, 360 Institute of Legal Studies

The rapid development of the Internet has provided fertile soil and enabling conditions for the cyber black and grey industry to spread. The number of people involved in the industry and the amount of money at stake are currently growing at an alarming rate, posing a serious threat to cybersecurity and to the security of people's property. Governing the cyber black and grey industry requires not only a focus on legal regulation, but also greater legal protection for the companies and individuals engaged in cybersecurity, so as to promote a virtuous cycle in the development of the network industry.

Most information leaks stem, on the one hand, from practitioners' lack of awareness of their cybersecurity protection obligations; this negligence means that security work is not carried out effectively, and the information is ultimately compromised. On the other hand, with the rapid growth of network industries such as mobile payments, e-commerce, information security and software development, large network platforms have themselves become a breeding ground for the black and grey industry. According to the data, around 400,000 people in China are now involved in the black and grey industry, the average age of that group is under 23, and yet the annual value of the output involved reaches 100 billion RMB.

The so-called black and grey industry comprises both a black and a grey industrial chain. The black industry mainly covers illegal activities such as "hacking", "account theft" and "phishing"; the grey industry mainly refers to "malicious registration and false authentication", which sits in a legal grey area. At present, the black and grey industry has taken the form of a chain that supports cybercrime, and across its upstream, midstream and downstream segments the whole chain operates as a complete assembly line.

I. Upstream: information leaks

The problem of information leakage belongs to the upstream stage of the black and grey industry. In practice, network security is treated as optional rather than mandatory when systems or software are developed. When a game is developed, for example, the attractiveness of the content and the number of active users are the key concerns, while anything related to network security is often ignored; the developer emphasizes one and neglects the other, and may not even consider how to handle and manage the real-name information, mobile phone numbers, bank accounts and other data collected from all of the game's players, which lays a hidden danger for information leakage. On the other hand, management gaps at the leadership level are also a major cause of information leakage. In reality, many enterprises invest only a small amount of personnel and funds in network security, and inadequate management systems and regulations are commonplace. To avoid regular password rotation and routine protective work disrupting business, the responsible leaders refuse to patch the system even though they know vulnerabilities exist, and take no parallel security measures; this is another major upstream cause of information leakage.

With regard to the problems that arise upstream, regulation can currently be carried out in two ways.

First, intensify the crackdown. Educate the relevant enterprises and personnel about the crime of refusing to fulfil information network security management obligations, added by Amendment (IX) to the Criminal Law, and about the compliance obligations in the Cybersecurity Law, so that they understand that, when building critical information infrastructure, failing to plan, construct and put into use security measures in step with the system itself (the "three synchronizations") carries corresponding penalties.

Second, increase positive incentives and protections for white hat hackers. White hat hackers are the civilian forces engaged in discovering network vulnerabilities and fighting hacking. For a long time this group has drifted in the zone between grey and white. Although white hat hackers operate in much the same way, and with much the same means, as real hackers, the two have very different objectives: white hats discover vulnerabilities so that the relevant personnel can protect their systems in time, while the latter discover vulnerabilities to earn high profits from illegal trading.

The white hat community tends to be young; most of its members are not highly educated, and some have no formal university education at all, yet they have become professionals in the field through their dedication to information systems and their own love of vulnerability discovery. However, the law's lack of specific attention to white hat hackers has left this group of technicians facing great temptation as they walk the edge of the law. For example, in the absence of positive legal incentives and protections, a white hat who discovers an important vulnerability may well be unable to resist the hundreds of thousands on offer in the black industry chain, and follow a path that harms others and themselves. It can therefore be seen that positive guidance from law and policy is the main trend for regulating the behaviour of the white hat group.

II. Midstream: information flow

Information that is leaked upstream then flows through certain channels; the intermediaries and platforms that hackers use to trade information form the midstream part of the chain. The division of labour in the midstream is very clear: stealing information, circulating information, and illegally using information are interlocking links. Nevertheless, not all compromised information can only serve criminals as a tool for cybercrime; if properly used, it can instead minimize the damage that a breach causes to victims. Take the "social engineering database" (社工库) as an example: leaked user registration data is compiled into a database, together with a query site that displays the password when a username is looked up. The existence of such a site does give some people who want to engage in illegal activity a way in, but it can also have a positive effect. For example, when a bank's systems are breached, the bank can take timely protective measures and at the same time inform its users of the situation and let them use a social engineering database to check whether their banking information has been compromised, achieving information sharing and joint resilience between the bank and its users. At present, however, this practice has no legal exemption, so the positive effect of the social engineering database cannot be used effectively, and the interests of those whose data was compromised cannot be protected in the most timely and effective way.

III. Downstream: precision fraud

After the upstream information leak and the midstream flow of information, the downstream segment specializes in using this information to commit precision fraud. In recent years telecom scams have occurred repeatedly. The traditional view holds that an important reason behind this phenomenon is the victim's greed for gain, which leads to the loss of their property. Current research shows, however, that in many cases telecom scams succeed not merely because of the victim's weak will, but because the personal information the fraudster presents is so precise that the victim cannot doubt its authenticity. For example, when criminals impersonate airline staff to tell the victim that their flight has been cancelled, they can provide a variety of detailed boarding information, which makes the passenger highly convinced by what the scammer says and so falls for the scam. In response to this situation, 360 offers product services such as telephone number tagging, which enable information sharing on a large scale, so that a fraudster's label stays permanently attached and more users are spared from repeating the same mistake. Moreover, the "Hunting Net" platform that 360 built in cooperation with the Beijing Network Security authorities also provides security for users: cases that cannot meet the criteria for opening a police case are noticed and dealt with by the platform once reported to it. When these case data are aggregated, big data analysis can accurately analyze and summarize the source of the scam, so that those substantiated by the reports can be targeted.

However, for the industries that provide cybersecurity products and services, the current lack of relevant legal protection and exemption mechanisms is a common legal risk faced by all of the major related companies. The Cybersecurity Law as enacted and implemented provides numerous compliance obligations and prohibitions, but lacks positive guidance, incentives and protection mechanisms for cybersecurity service providers. For example, the regulations on the protection of critical information infrastructure stipulate that "no individual or organization shall conduct penetrative or offensive scanning and probing of critical information infrastructure without authorization". On the one hand, this makes clear that network security service providers have no legal privilege, and restricts and hinders them from detecting and assessing system vulnerabilities and risks in a timely manner; on the other hand, it fails to legally restrain the behaviour of hackers, so that this group scans and probes critical information infrastructure recklessly and endangers network security.

In summary, in combating cybercrime, and the cyber black and grey industry in particular, the law still has a long way to go, and the enterprises and individuals engaged in the network security industry should be given more attention and support, so as to promote the long-term, stable development of the network industry in the direction of a virtuous cycle.

(Published in China Information Security, No. 12, 2017; image source: online)
