
This year, what suggestions did Zhou Hongyi put forward?


Author 丨 Poplar

Editor 丨 Zhang Weixian

On March 4, the 21st Century Business Herald reporter learned that Zhou Hongyi, a member of the National Committee of the Chinese People's Political Consultative Conference and founder of 360, will submit a number of security-related proposals this year. These include the "Proposal on Upgrading Network Security to Digital Security and Building a Solid Digital Security Barrier" and the "Proposal on Establishing a Long-term Mechanism for the 'Digital Space Crash Test' of Intelligent Connected Vehicles".

Upgrade cybersecurity to digital security

In the "Proposal on Upgrading Network Security to Digital Security and Building a Solid Digital Security Barrier", Member Zhou Hongyi pointed out that security risks are spread across all digital scenarios, and that network security is finding it difficult to address new and complex challenges.

On the one hand, industrial digitalization has penetrated all walks of life. As it develops, security risks have spread across major scenarios such as critical infrastructure, the industrial Internet, the Internet of Vehicles, the energy Internet, digital government, and smart cities. As a result, digital security threats have extended beyond the virtual world to the real world, affecting national, national defense, economic, social and even personal security.

On the other hand, the emergence of new digital technologies and applications has turned simple security issues into complex ones. With the widespread use of new technologies such as big data, cloud computing, and artificial intelligence, a series of new and complex security challenges has emerged in addition to network security, such as big data security, cloud security, supply chain security, and blockchain security.

Therefore, Member Zhou Hongyi put forward the following suggestions:

The first is to target the new scenarios of industrial digitalization, plan and build each industry's digital security system in step with them, and safeguard the digital transformation of traditional industries.

In the future, all traditional industries will be digitally reshaped, resulting in new scenarios for industrial digitalization such as the industrial Internet, energy Internet, and Internet of Vehicles. It is recommended that the competent departments of relevant industries incorporate building an industry digital security system into the overall planning of industrial digitalization, encourage leading enterprises in various industries to build digital security systems with a security brain at the core, replace compliance orientation with capability orientation, and consolidate the security base of industrial digitalization.

The second is to study and build a forward-looking digital security platform system for new digital technologies and application scenarios.

At present, new technologies such as artificial intelligence, blockchain, and quantum computing continue to advance, and new applications such as digital currency, automatic driving, and the metaverse continue to rise. They bring unpredictable security risks that traditional network security lacks mature experience in handling. It is recommended that relevant departments adopt the method of "unveiling the leader" and encourage enterprises, research institutions, and universities to jointly build digital security platforms, for example by relying on the national new-generation artificial intelligence open platforms and big data open collaborative laboratories, so as to drive the industry to innovate in digital security systems.

The third is to suggest that cities take the lead, with the government building city-level digital space security infrastructure and an emergency response system to ensure the stable development of the economy and society.

As centers of economic activity and population, cities will in the future hold 80% of the country's GDP and population. Once a city's government services and critical infrastructure clusters are hit by cyberattacks, the result will be a shutdown of urban business, economic stagnation, and social unrest. However, in the past, cities were not the main body of digital security construction. Enterprises and units followed the principle of "who built who is responsible", each building its own defenses, so capabilities were dispersed and there was no unified system for digital security perception, emergency response, and command.

It is recommended that cities take the lead, with the government building city-level digital space security infrastructure and a city-level "digital security hospital" that includes a unified perception system, emergency response system and command system at the city level. This would achieve timely detection, rapid response, and joint prevention and control, deliver basic security services to all units, and safeguard the city's digitalization.

Establish a "digital space crash test" mechanism for intelligent and connected vehicles

In the "Proposal on Establishing a Long-term Mechanism for the 'Digital Space Crash Test' of Intelligent Connected Vehicles", Member Zhou Hongyi pointed out that in recent years, the mainland's intelligent connected vehicles have shown strong momentum. In 2021, the market penetration rate of new passenger cars with L2 level (combined driving assistance) and above exceeded 20%, and it is expected to exceed 50% by 2025.

At the same time, the digital security risks of intelligent connected vehicles are also emerging. Network attacks are becoming more frequent, and digital security is becoming a major safety issue for intelligent connected vehicles.

Member Zhou Hongyi said that software-defined cars make digital security problems inevitable, and that their harm is no less than that of traditional safety issues.

First, the growing amount of code has led to a surge in security defects in in-vehicle systems; second, connecting cars to the network has increased the attack surface; third, as car companies become increasingly connected, the cloud is the biggest security risk; and finally, data-driven cars bring a rise in data security risks.

Therefore, automotive network security lies not only in the body network but also in the security of the car cloud network, the number of vehicle networks, the car network, the car company network and other aspects. A problem in any of these networks may lead to the car being attacked or even physically damaged.

However, although crash testing has become a mandatory means of testing the safety performance of automobiles, traditional crash tests can only find physical safety defects and cannot detect a car's digital security hazards.

The first is to establish a "digital space crash test" mechanism and related standards for intelligent connected vehicles, to ensure that cars are safe when they leave the factory and are continuously tested afterwards.

It is recommended that the state learn from the traditional concept of automobile crash testing and establish a "digital space crash test" mechanism for intelligent connected vehicles as soon as possible, encourage safety enterprises to build third-party "digital space crash test" platforms, and mandate that all intelligent connected vehicles sold in the mainland pass "digital space crash test" certification. Penetration tests conducted in accordance with the law on the body network, the car cloud network, the car number network, the car network and the car enterprise network would uncover system-wide digital security problems across the car's "cloud, pipe, and end" and ensure the safety of the car at the factory. At the same time, "digital space crash test" requirements would be added to vehicle inspection and online software upgrades, to ensure that the car continues to maintain a good digital security state.

The second is to recommend that the reporting of automobile security vulnerabilities be regulated, and that malicious hype and illegal disclosure not be allowed.

The mainland has promulgated the Regulations on the Management of Security Vulnerabilities in Network Products, but irregularities remain, such as arbitrarily disclosing automotive security vulnerabilities and hyping up related security incidents. Automobile security vulnerabilities are highly sensitive, and their disclosure may cause personal injury and property losses. It is therefore recommended that relevant departments further strengthen the implementation of laws and regulations on automobile security vulnerabilities and guide network security enterprises and hackers to report car vulnerabilities in accordance with the prescribed procedures; they must not maliciously hype them or disclose them in violation of regulations.

The third is to create a situational awareness system for the intelligent connected vehicle industry with the safety brain as the core, and to establish a long-term mechanism for automobile safety supervision.

Intelligent connected vehicle safety is a typical complex-system problem that needs a systematic solution. It is recommended that the automotive industry build, as soon as possible, an intelligent connected vehicle situational awareness system with the safety brain as the core. The system would connect cars, car company supply chains, roadside facilities, cloud control platforms and so on, and would aggregate and analyze automotive safety big data to discover safety risks and events in a timely manner and maintain a comprehensive view of the digital security status of each car. This would help regulatory authorities and car companies make automotive safety "visible, controllable, manageable" in real time throughout the whole process, and ensure that intelligent connected vehicles are always in good safety condition.

Focus on open source software security as well as SMB security

In addition to the above two proposals, Member Zhou Hongyi also submitted two further security-related proposals: the "Suggestions on Encouraging and Helping Small and Medium-sized Enterprises to Build Digital Security Capabilities" and the "Suggestions on Strengthening the Prevention and Governance of Open Source Software Security Risks in the Mainland".

In the "Suggestions on Encouraging and Helping Small and Medium-sized Enterprises to Build Digital Security Capabilities", Member Zhou Hongyi suggested that regulators encourage all parties to carry out systematic vulnerability mining of open source code and to understand security risks through security communities and challenges. He also suggested conducting a census of critical information infrastructure and important information systems to find out the "home base" of open source software use, accurately capture basic information such as types, protocols, and sources, form a full view of usage relationships, mine system vulnerabilities, and put security risk management in place.

It is recommended that the relevant departments clearly require open source software enterprises to review the vulnerabilities of the open source code they use, establish an enterprise security response center, and improve their security management capabilities for open source software. At the same time, Chinese software developers are encouraged to participate actively in the international open source community, increase their influence there, drive the community to carry out large-scale vulnerability mining, and improve the security level of open source projects.

In the "Suggestions on Strengthening the Prevention and Governance of Open Source Software Security Risks in the Mainland", Member Zhou Hongyi suggested introducing special policies to clarify the digital security capabilities that small and medium-sized enterprises should have. He also suggested that relevant departments use policy encouragement, service subsidies, tax reductions and exemptions, and similar means to encourage large enterprises to provide free or low-cost digital security SaaS services and related products to small and medium-sized enterprises, reducing the cost and threshold for them to obtain digital security services and providing security for the digital development of "specialization and specialization" small and medium-sized enterprises.

This issue was edited by Feng Zhanpeng; intern: Zhan Huinan
