Computer: Data Security Risk Analysis and Countermeasures (2022)

I. Development Status of Data Security in the Digital Age

In the digital age, data has become the core production factor in the development of the digital economy. In 2020, the added value of the digital economy in 47 countries reached 32.6 trillion US dollars, and China's digital economy ranked second in the world in scale, at close to 5.4 trillion US dollars. In this context, data security has become a major issue for national security and for economic and social development.

(I) Data security has entered the era of strong supervision under the rule of law

The legal system is an important guarantee for data security, and the construction of data security laws and regulations in China has progressed rapidly.

At the national level, the Data Security Law came into force on September 1, 2021. It clarified the obligation of data security protection at the legal level for the first time, provided behavioral guidance for organizations and individuals carrying out data processing activities, and filled the gap in China's data security protection legislation. The Personal Information Protection Law came into force on November 1, 2021. Based on the development practice of the data industry and the urgent need for personal information protection, it guarantees individual rights more comprehensively and responds in a timely manner to the concerns of the state, society and individuals about personal information protection.

At the level of industry supervision, on September 30, 2021, the Ministry of Industry and Information Technology issued the Measures for Data Security Management in the Field of Industry and Information Technology (for Trial Implementation) (Draft for Comments) and solicited public opinions. The draft aims to accelerate the institutionalization and standardization of data security management in the field of industry and information technology, improve the data security protection capability of the industrial and telecommunications sectors, and prevent data security risks. On January 4, 2022, the State Internet Information Office issued the revised Measures for Network Security Review, which brought situations in which the data processing activities of network platform operators affect or may affect national security into the scope of network security review.

At the local government level, local governments are actively implementing the spirit of national policies and higher-level laws and have successively issued relevant local laws and regulations. On June 29, 2021, the Data Regulation of Shenzhen Special Economic Zone was issued, taking the lead in local legislation on data protection and utilization, standardizing the marketization of data elements, and promoting the orderly flow of data and the healthy development of the data industry. On September 30, 2021, the Shanghai Data Regulations (Draft) were published for public comment. Under the framework of the Data Security Law and other higher-level laws, and in combination with the actual situation of Shanghai, the draft established a comprehensive data security governance system.

(II) Frequent data security incidents and increasingly serious security threats

According to data from Risk Based Security, global data leakage reached 36 billion in 2020, a record high. Compared with traditional network security threats, data security threats are more diverse and are no longer limited to attack methods such as exploiting security vulnerabilities, malicious traffic, viruses and Trojans. Data security problems now center on weak passwords for privileged accounts, abuse of data permissions, attacks on API interfaces and similar issues.

Weak passwords have become the flashpoint for data leakage. Because attacking a weak-password account is cheap and has a high success rate, attacks that compromise a weak-password account, move laterally to obtain a privileged account, and then damage or leak important data resources pose a great challenge to data security management. According to an analysis of the 2021 Data Breach Investigations Report released by Verizon, 61% of data breaches are related to leaked credential data.

APIs have become a popular attack entry point. Because of the rapid evolution of application architecture, APIs have become the main communication channel between business applications and data services, and API interfaces have consequently become a new avenue of attack. In April 2021, the data of 500 million Facebook users was publicly sold on the dark web. Since 2019, the API of an online business had been misused, resulting in a data leak that affected about 530 million users.

Abuse of permissions is still an important trigger for data security incidents. Where data permission management is not standardized and technical protection measures are lacking, abuse of permissions readily leads to security incidents such as the destruction, tampering and deletion of data resources. In February 2020, employees of a company listed on the Hong Kong Stock Exchange logged in to a server through VPN and maliciously deleted the database of the online production environment, resulting in business interruption for millions of users and direct compensation of RMB 150 million.

Privacy disclosure has become an important threat to data security. Data fraud, big-data-driven price discrimination against existing customers, and abuse of personal biometric information, all of which stem from the disclosure of personal privacy, have seriously endangered the legitimate rights and interests of personal information subjects. According to statistics from Canalys, a market research company, global personal information leakage in 2020 exceeded the total of the past 15 years and became an important factor affecting personal rights and interests, organizational development and even national security.

(III) Changes in data usage scenarios associated with technical architecture evolution

On March 14, 2021, the full text of the Outline of the 14th Five-Year Plan for National Economic and Social Development of the People's Republic of China and the Long-Range Objectives for 2035 was released, making important arrangements for the construction of the digital economy, digital society, digital government and digital ecology. Traditional information technology has begun to give way to a new generation of information technology with data and business at its core. Organizations generally adopt new technologies such as big data and cloud computing to improve their decision-making, build new business models and achieve industrial upgrading. Information exchange between organizations has increased significantly and cooperation has become closer, and it is now a consensus that process optimization and win-win cooperation are achieved through business collaboration and data sharing. As data application scenarios and participants become increasingly diverse, data flows between and remains on different carriers along with business and applications, running through all levels and links of information systems and business systems. Therefore, in a complex application environment, the primary goal of data security is to ensure that sensitive data, such as important data, core data and users' personal privacy data, is not leaked.
