Yu Nenghai
Executive Dean and Professor of the School of Cyberspace Security, University of Science and Technology of China.
With the rapid development of new technologies such as artificial intelligence and big data, digitalization and intelligent systems not only liberate productivity and release technological dividends but also bring new risks to data security and information security. The continuing breakthroughs in generative artificial intelligence in particular pose new challenges to human agency, and this has drawn more attention to privacy protection in the new technological environment. Data security, privacy protection and risk management go hand in hand. For an individual, a data leak is not only an intangible loss; it can cause property damage and even endanger personal safety. At the group level, large-scale privacy leakage may lead to social and economic risks at the national level, and even *** risk. We therefore need to examine data security and privacy protection from the perspective of risk management and promote the healthy, sustainable development of digital technology and industry.
In terms of risk perception, the relationship between data security, privacy protection and the flow of data elements should be viewed scientifically
Developing and expanding the digital economy requires, on the one hand, promoting the flow of data elements and, on the other, attaching great importance to data security and privacy protection. The key to reconciling risk with circulation is a scientific understanding of the relationship between data security, privacy protection and the flow of data elements.
The first is the relationship between digital transformation and data security. It is like the relationship between informatization and network security, "two wings of one body, two wheels of one drive": digitalization and data security need to be designed, built and promoted together. "Security" should not be treated as a qualifier on "development" but as an intrinsic attribute of "development" and a factor that promotes it.
The second is the relationship between information producers and processors. With the promulgation of laws and regulations such as the Data Security Law of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China, clear requirements have been set for data security and privacy protection. Starting from the understanding that "the relationship between individuals and personal information processors is not equal", these laws stipulate the obligations of information processors, putting "armor" on personal information security and providing a legal basis for resolving a series of difficult data security risk problems.
The third is the relationship between technology and management. Traditional network security thinking has an important principle, "three parts technology, seven parts management": roughly 30% of security problems are addressed by security equipment and technical support, and roughly 70% by improving users' security management awareness and updating management models. As risks in the data space become ever more diverse, however, we cannot simply cling to this traditional view. We should strengthen the ideas of "using technology to govern technology" and "using technology to control risk", promote the coordinated development of technology and management, and "hold firm with both hands". In particular, we should develop "real" technology and hard technology that maintains data security and protects personal privacy, and technology that is effective and useful in practice.
In terms of risk bearing, we should steadily balance the responsibilities of digital product manufacturers, users, and consumers
Since 2022, European and American countries have rapidly issued a number of strategies, bills and regulations that "shift left" the responsibility for cyber security and data security (that is, address cyber security issues earlier, before products reach users). The core idea is that manufacturers of digital products and developers of digital applications should bear greater security responsibility, and that for consumers of digital products "security should not be a luxury option but a right that users obtain without negotiating or paying more". In March 2023, the White House released its first updated National Cybersecurity Strategy in nearly five years, proposing to rebalance cybersecurity responsibility and risk by placing more responsibility on the largest, most capable and best-positioned entities. In December 2023, the EU reached political and technical agreement on the Cyber Resilience Act, which, once in force, will require digital products entering the EU market to demonstrate that they meet EU cybersecurity standards. Gartner's recently published cybersecurity technology trends for 2024 and beyond likewise point to the opportunity to integrate security requirements into development practice rather than adding them on afterwards. The "left shift" of security responsibility reflects the basic understanding that individuals are in a weak position when dealing with risk; it moves responsibility for data security from individuals to the developers, manufacturers and processors of digital products, so that every party shoulders its own responsibility.
Facing this "shift left" of security risk, China also needs to balance network security and data security responsibility between the manufacturing side and the application side. On top of the existing principle that "whoever operates is responsible and whoever is in charge is responsible", the risk-bearing model of "whoever designs is responsible" should be implemented for digital products, with "zero tolerance" for designers and manufacturers who "selectively ignore" security problems and irresponsibly push product security issues onto the user side. Under the new market rules, design, manufacturing and service provision must fulfil their legal responsibilities and security obligations to consumers, critical information infrastructure operators and other product users, so that everyone can use more secure digital products.
In terms of risk management and control, we will vigorously develop data security and privacy protection technologies with "manageable" attributes
Generally speaking, "having a system" can be regarded as "having management", and "system + technology" as "manageable". For risk management it is not enough to have rules; there must also be control technology that ensures the rules are actually implemented. In data security and privacy protection, without corresponding technology for supervision and control, regulations and systems remain at the level of "appeals", or even become "dead letter". At present, four types of technology should be developed for data security and privacy protection.
The first is architecture technology. Through "constructive effects" and systems engineering methods, the path by which a security risk evolves into a security incident can be cut off, "unknown unknown" security risks can still be effectively suppressed in the absence of prior knowledge, and a trusted service system that ensures functional safety and data security can be built even when "trustworthiness cannot be guaranteed or there are defects".
The second is cryptographic technology. From the perspective of privacy protection, the defects of and possible attacks on existing technologies such as blockchain, zero-knowledge proofs, homomorphic encryption, privacy-preserving computation and provably secure steganography should be studied in depth, and more effective privacy protection mechanisms established at the network layer, in wallets and for lightweight users, so as to better protect personal data and privacy.
The third is security risk measurement technology. It addresses the problem that the network security, information security and data security quality of digital products is hard to measure: it provides standardized "dimensions" for the security of digital products, makes their security capabilities "visible" and "measurable", and allows digital products to be labelled "secure", so as to provide internationally credible quality assurance for the structural upgrading of China's digital industry and the development of the digital economy.
Fourth, digital watermarking technology. The rapid development of artificial intelligence technology represented by large language models makes data easy for unauthorized users to steal, tamper with and sell, so digital watermarking technology is needed to safeguard data rights and interests, verify data integrity, track risks**, and authenticate digital content, continuously raising the level of data management, circulation and traceability. At present, alongside traditional digital watermarking, two directions should be developed. On the one hand, new cross-media watermarking is needed to improve the traceability of watermarks in real leakage scenarios such as screen photography (the "optical-to-electronic" path) and audio recording (the "acoustic-to-electronic" path). On the other hand, new watermarking based on artificial intelligence models is needed: with the help of the distortion-fitting and data-memorization abilities of deep neural networks, the fidelity, embedding capacity, robustness, imperceptibility and generality of digital watermarks can be improved, and their effectiveness for privacy protection and incident traceability verified for "white-box", "black-box" and "no-box" models.
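To make the robustness point concrete, the following Python script is an added example; it is not from the original article and is not the author's or USTC's technique. It embeds a 16-bit tracing ID into a constructed synthetic grayscale image with two schemes: plain LSB replacement, and a simple blind patchwork watermark (Bender et al., 1996) that is read back by summing key-selected pixel-pair differences. A crude "screen photo" channel (gain, brightness offset and additive noise; an assumed, simplified model rather than a real optical capture) then shows why the traditional LSB mark loses traceability on the optical-to-electronic path while the patchwork mark survives. The image, the key, the tracing ID and the channel parameters are all constructed for the demonstration.

```python
"""Fragile LSB watermark vs. robust patchwork watermark under a simulated
screen-photo channel. Added example; all inputs below are constructed."""
import random

W, H = 64, 64
PAYLOAD_BITS = 16


def make_image():
    """Constructed 64x64 grayscale test image: smooth gradient plus mild texture."""
    return [min(255, 2 * x + 2 * y + 2 * ((x * y) % 5))
            for y in range(H) for x in range(W)]


def int_to_bits(value, n=PAYLOAD_BITS):
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def bits_to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


# --- Scheme 1: LSB replacement (fragile, no key) ---
def lsb_embed(img, bits):
    out = list(img)
    for i, b in enumerate(bits):
        out[i] = (out[i] & ~1) | b
    return out


def lsb_extract(img, n=PAYLOAD_BITS):
    return [img[i] & 1 for i in range(n)]


# --- Scheme 2: patchwork (blind, keyed) ---
def _pairs_for_key(key):
    """Key-dependent, disjoint horizontal pixel pairs, 128 pairs per payload bit."""
    rng = random.Random(key)
    pairs = [(i, i + 1) for i in range(0, W * H, 2)]  # same-row neighbours
    rng.shuffle(pairs)
    # Random orientation cancels any systematic gradient bias in a - b.
    pairs = [(b, a) if rng.random() < 0.5 else (a, b) for a, b in pairs]
    per_bit = len(pairs) // PAYLOAD_BITS
    return [pairs[k * per_bit:(k + 1) * per_bit] for k in range(PAYLOAD_BITS)]


def patchwork_embed(img, bits, key, alpha=3):
    """Bit 1: raise a and lower b by alpha in every pair; bit 0: the reverse."""
    out = list(img)
    for bit, group in zip(bits, _pairs_for_key(key)):
        s = 1 if bit else -1
        for a, b in group:
            out[a] = max(0, min(255, out[a] + s * alpha))
            out[b] = max(0, min(255, out[b] - s * alpha))
    return out


def patchwork_extract(img, key):
    """Sum of (a - b) over a bit's pairs: a constant offset cancels, noise averages out."""
    return [1 if sum(img[a] - img[b] for a, b in group) > 0 else 0
            for group in _pairs_for_key(key)]


# --- Assumed, simplified "optical-to-electronic" leakage channel ---
def screen_photo(img, seed=7, gain=0.9, offset=20, noise=8):
    rng = random.Random(seed)
    return [max(0, min(255, round(gain * p + offset + rng.randint(-noise, noise))))
            for p in img]


def bit_error_rate(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)


def run_demo(trace_id=0xA5C3, key=12345):
    """Returns bit error rates for both schemes before and after the channel."""
    bits = int_to_bits(trace_id)
    img = make_image()
    lsb_img = lsb_embed(img, bits)
    pw_img = patchwork_embed(img, bits, key)
    pw_after = patchwork_extract(screen_photo(pw_img), key)
    return {
        "lsb_clean": bit_error_rate(bits, lsb_extract(lsb_img)),
        "lsb_photo": bit_error_rate(bits, lsb_extract(screen_photo(lsb_img))),
        "pw_clean": bit_error_rate(bits, patchwork_extract(pw_img, key)),
        "pw_photo": bit_error_rate(bits, pw_after),
        "pw_photo_id": bits_to_int(pw_after),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Both schemes read back perfectly from a lossless copy; after the simulated capture the LSB plane is effectively random, while the patchwork statistic still recovers the full tracing ID because the brightness offset cancels inside each pair and the per-pixel noise averages out across 128 pairs. Real screen photography adds geometric distortion and colour transforms this model omits, which is exactly why the cross-media watermarks discussed above need more than a pixel-pair statistic.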
In terms of risk diversification, we will promote the establishment of a financial and insurance mechanism oriented to the data space and digital ecosystem
In recent years, cyber security insurance has developed vigorously as a new form of business. Where there is risk, there is insurance. Facing new demands for data security and privacy protection, it is urgent to develop new business forms such as data security insurance and digital security insurance: on the basis of measurable security indicators, financial and insurance institutions provide insurance for digital products, giving economic support and spreading the risk of possible data security incidents. At present, the insurance industry's main concerns about the data security industry are that it "cannot see clearly, cannot calculate accurately, and cannot afford to pay out"; at their core, the uncertainty of data security risk is too large, the relationships involved are too complex, human factors weigh too heavily, technical controllability is too low, product security cannot be measured, and tracing is difficult. Progress is therefore needed on three fronts.
The first is to promote innovation in data security technology. Measurable network security functions, a measurable probability of network risk and an estimable loss for digital products are the primary conditions of insurability. The development of data security insurance should first solve, from the technical side, the problems of "insurability" and of an insured party being able to demonstrate that it was not at fault; this means innovating the data security technology paradigm so that security capabilities can be customized, measured and verified.
The second is to establish a data security insurance technology ecosystem. Borrowing the concept of the traditional auto-insurance "4S store", a "data security 4S store" would integrate a four-in-one service chain of data system construction, core device provisioning, data security services and quality information feedback, building a new ecosystem in which "insurance + risk management + service" are combined on the basis of a new generation of data security technology.
The third is to promote innovation in the digital security insurance industry. Emerging technologies based on artificial intelligence will iterate rapidly, and forms such as online collectibles, digital human avatars, humanoid robots and digital heritage will gradually take shape. Security insurance can be designed in advance for digital platforms and system products, for data in the digital space (including personal biometric data), for digital asset property, for the personal safety of digital-space "twins", for data security services, and so on.
In terms of risk prevention, encourage and support the improvement of digital literacy and cyber security awareness of the whole people
To prevent data security risks and strengthen the protection of personal privacy, the digital literacy and cyber security awareness of the whole population must be raised, and in particular the public's digital security capabilities: the ability to recognize telecom and online fraud, to protect personal privacy and information security in the digital environment, to comply with laws, regulations and ethical norms, and to form sound digital values, ethics and respect for the rule of law.
In recent years, China has significantly raised public awareness of cyber security and of personal information and privacy protection through activities such as the "National Cyber Security Publicity Week" and the "National Digital Literacy and Skills Improvement Month", and by building "National Digital Literacy and Skills Training Bases". Going forward, science popularization must be strengthened further to keep raising the overall digital literacy of the whole population.
On September 11, 2023, the 2023 National Cyber Security Publicity Week Cyber Security Expo was held in Fuzhou, Fujian Province. Cases of network insecurity such as phishing emails, password leaks and phishing** have become key areas in which cybersecurity companies give their customers hands-on security awareness experience.
First, data security should be regarded as the top priority in improving the digital literacy of the whole population. Digital literacy is the collection of digital knowledge, abilities, qualities, ethics and morals that citizens of a digital society should possess in production and daily life; within it, data security and privacy protection should become basic, compulsory subjects. New social problems such as telecom and online fraud, "big data killing" (big-data-enabled price discrimination against regular customers) and "information cocoons" keep appearing, and one reason is that public awareness of cybersecurity risk is not strong enough and understanding of the security responsibilities and obligations of data processors and digital product manufacturers is inadequate.
The second is to increase risk education and awareness popularization among key populations. Focus on special groups such as "silver-haired" (elderly) netizens, young netizens and university students, and design popular science content and scenarios according to the characteristics of each group, so that the knowledge and skills most needed reach the groups that most need them. For example, promote the establishment of network security and data security training rooms on campuses and set up data security science classes and practical courses, so that the cultivation of digital security capabilities enters campuses and reaches young people.
The third is to give full play to the role of national network security science and technology venues. During the 2020 National Cyber Security Publicity Week, China's first national cyber security science and technology museum was completed; since then an innovative education service system for 100 campuses has been built, a digital skills training platform for 100 enterprises and institutions created, a data security awareness education network for 100 cities formed, and network and data security popular science education reaching millions of people achieved.
In the future, the linkage among platforms such as the National Cyber Security Science and Technology Museum should be exploited further to build a popular science matrix for data security and privacy protection, and to promote a general improvement in the digital literacy of the whole population through specialized, base-centred and scenario-based science popularization.
*: China Internet Information (CNC) No. 1, 2024.