1.1 Establishment of Computer Information Systems Security Protection System

From the early 1980s to the early 1990s, as large and medium-sized general-purpose computer systems (such as IBM4300 series, Fujitsu FACOM), and personal computer (such as IBM Personal Computer) became more popular in the industry, Chinese government authorities, scientific research organizations, institutes of higher education, and enterprises began to adopt and apply IT technology in a variety of research and administrative purposes. At the same time, new classes of security issues, such as computer equipment electromagnetic emanation, and computer viruses emerged, and became increasingly prominent. Chinese government began to focus on computer security, and in the 1980s, the Ministry of Public Security (MPS), established the (former) Computer Management and Supervision Division to supervise and manage computer security protection for the government, and the industry^[2].

In the late 1980s, computer viruses such as ©Brain and Kingpin (also known as the Ball) were prevalent, causing adverse effect and losses to the computer users. Under this background, while strengthening supervision and administration of computer information systems security practices, together with relevant departments, the public security authorities of China sped up the legislation process to govern the protection of computer systems. On February 18, 1994, the State Council of China issued Order No. 147, Regulations of the People’s Republic of China on the Protection of Computer Information System Security ( hereinafter referred to as the Regulations on the Protection of Computer Information System Security, or RPCISS ). This regulation stipulates that within the territory of People’s Republic of China, computer information systems shall implement a multilevel classification based protection system (known as Multi-level Protection System, or MLPS), and the sale of computer systems security solution products shall subject to a product licensing scheme, which the public security authorities will lead and implement.

To implement the Regulations on the Protection of Computer Information System Security,

the Ministry of Public Security organized an expert committee and drafted the Measures for the Administration of Testing and Sales of Products Specialized for the Security of Computer Information Systems and the Classified Criteria for Security Protection of Computer Information System.

On June 28, 1997, MPS published the Measures for the Administration of Testing and Sales of Products Specialized for the Security of Computer Information Systems, effective from Dec 12, 1997. This administrative policy classifies all hardware and software products designed for protecting the security of computer information systems as “products specialized for the security of computer information systems”. These products are subject to a sales license system in the Chinese market. Manufacturers of specialized security products must apply for the license before selling their products in China. When a manufacturer applies for specialized product sales license, subject to MPS’ CMSD examination and approval. CMSD is also responsible for accreditation of organizations (i.e., evaluation facilities) for performing technical evaluation of the security products. The product evaluation process shall follow the industry standard, Principle of Classification of Special Products for Security of Computer Information System (GA 163—1997). The standard was published by the Information Standardization Technical Committee of MPS on April 21, 1997 and was effective from July 1, 1997.

On September 13, 1999, the State Bureau of Quality and Technical Supervision published

Classified Criteria for Security Protection of Computer Information System (GB 17859—1999), a mandatory national standard replacing GA 163—1997, effective from January 1, 2001.

Organizations are now equipped with the basic supports required for implementation of

Regulations on the Protection of Computer Information System Security, gradually putting on track the practices of computer information systems classified protection, and the management of the computer information systems security special products. Implementation of GB 17859—1999 had played an important role in improving the security protection ability of China’s information system, and laid a strong foundation for further development and improvement of the security protection system.