Abstract
As a key component of the national security system, state information security is closely tied to a nation's survival and future development. Building on a full understanding of the basic theory and safeguarding approaches of state information security, this paper analyzes the existing problems concerning state information security and the corrective actions, and seeks to grasp its development strategies and trends correctly, so as to contribute to our country's security, social stability and the construction of a harmonious socialist society.
This paper aims to study the issue of state information security thoroughly and systematically, put forward countermeasures, and solve two problems: first, against the background of global informationization and economic globalization, to form a theoretical framework for state information security; second, from the perspective of industrial security, to establish an authoritative mode of study on state information security, so as to provide theory and methods for future monographic studies. With this starting point, the paper consists of three parts: research on the theory of state information security, analysis of the issue of state information security, and China's information security strategies and systems compared with those of other countries.
Ⅰ. Research on Theories of State Information Security
First, this paper elaborates on the theories related to state information security, laying a solid theoretical foundation for the research. The systematic analysis in the theoretical part is conducted from four aspects.
1. Informationization and Information Security
First, the paper presents an overview of informationization and information security, introducing in turn the fundamental attributes of information and its life cycle; the connotation and development trends of informationization; global informationization and economic globalization; and the issue of information security in the age of global informationization. Information security is a systems-engineering problem that spans many fields and covers technical, managerial and legislative content. Therefore, against the background of global informationization, a series of studies on informationization and information security is necessary.
2. A Concept Analysis of Information Security
The concept analysis of information security mainly defines the basic connotation of information security and interprets the connotation, characteristics and main contents of state information security. Finally, the paper gives an overview of the state information security system and, on the basis of the above research, summarizes the strategies for constructing it: establishing and perfecting the infrastructure for state information security, pushing forward the innovation and development of information security technologies, setting up an information security industry with independent intellectual property rights, and creating a supportive environment for state information security.
3. Information Security Management and Technologies
All nations are striving to strengthen their information security systems so as to avoid the threat of intrusion. In constructing the overall information security system, management plays a significant role, as it is an important foundation of the system. The related theoretical research on information security management and technologies clarifies management methods, content, system standards and platforms. The paper also presents the current major information security technologies, including firewalls, virtual private networks (VPN), intrusion detection systems (IDS), identity authentication, digital signatures and encryption. Finally, the paper introduces the concept of information security engineering and expounds its construction procedure and life cycle, the Systems Security Engineering Capability Maturity Model (SSE-CMM), and the implementation and classified protection of information security engineering, among other contents.
4. Information Security Evaluation
Safeguarding the products and technologies in an information system is the foundation for ensuring the information security of countries, industries and enterprises, so it is of great significance to work out evaluation and assessment standards for such products and technologies. Information security evaluation is an important part of state information security theory. This paper introduces several popular informationization evaluation systems and explains their components and algorithmic principles; on that basis it systematically analyzes the information security evaluation system, covering an overview of information security standardization, the objectives and process of information security evaluation, the information security index system, and comprehensive evaluation methods for information security. The paper also analyzes risk evaluation of informationization projects, including analysis of such projects and their risk management, the causes and signs of risk, methods to identify and evaluate risk, and risk evaluation principles and model methods.
Ⅱ. Analysis of the Issue of State Information Security
Based on the theoretical research, the paper conducts an in-depth study of the issue of state information security, focusing on the basic problems of China's state information security and of China's information security industry.
The basic problems are analyzed mainly from four perspectives: e-government, e-commerce, general enterprises and state infrastructure.
1. E-government Information Security
After defining the basic connotation of e-government information security and analyzing its development status in China, the paper summarizes the existing e-government information security problems in three aspects: China's dependence on foreign software and hardware, system and management vulnerabilities of government websites at all levels, and the lack of an information security legislation and standards system.
Considering the application status of e-government systems, the paper conducts an in-depth analysis of five representative e-government systems: the tax system, the financial system, the fiscal system, the customs system, and the political and legal system. The existing information security problems of each system are summed up below:
The existing problems of tax system information security are, first, computer viruses and network attacks. The spread of computer viruses and attacks by hackers may bring the tax system to a standstill, and hackers may also steal or alter important data, so the loss could be immense and immeasurable for all parties in the system. Second, information security awareness is weak. Tax informationization reaches almost every corner of our country's tax system, and the tax department now relies heavily on its information system; if leading cadres at all levels cannot keep up with the times, it will be impossible to take full advantage of informationization and safeguard information security. Third, infrastructure is insufficient, mainly in grass-roots departments, because of weak security awareness and the uneven development of informationization across regions. According to the "bucket theory" (a barrel holds only as much as its shortest stave allows), inadequate security equipment in grass-roots departments lowers the efficiency of the whole network.
The existing problems of financial system information security include computer viruses and network attacks. The spread of computer viruses and attacks by hackers may bring the financial system to a standstill, and hackers may also steal or alter important data, so the loss could be immense and immeasurable for all parties in the system, such as banks and their users. There are also risks in identity authentication. Because of the virtual nature of the network, authenticating the parties to a financial transaction becomes very important; for example, there are many reported cases of cardholders being defrauded of their card numbers and passwords at fake bank websites (phishing). Meanwhile, embezzlement by internal personnel in the financial system still occurs.
The existing problems of fiscal system information security are, first, computer viruses and network attacks. The spread of computer viruses and attacks by hackers may bring the fiscal system to a standstill, and hackers may also steal or alter important data, so the loss to the system could be immense and immeasurable. Second, there are problems in the security management system. Awareness of information security should be enhanced in the fiscal departments of government, from top leaders to the whole staff; a sound security management body should be set up, and security objectives, strategies and duties should be clarified. Third, infrastructure is insufficient, mainly in grass-roots departments, because of weak security awareness and the uneven development of informationization across regions.
The existing problems of customs system information security are, first and foremost, the security of the vast information network environment (the internet and communication networks): attacks by hackers, virus spreading, network crime, junk information, sudden network failures, etc. Second, there are problems in the organizational framework for managing information security. The customs information system is maintained collectively by the technical department of the general administration while the other departments each perform their own functions, so collaboration is inefficient. Because personnel know nothing beyond their own share of the work, it is impossible to build a sound and extensive information security management and control system.
The existing problems of political and legal system information security are, first, the security of the network and application systems (hardware and software security). Destructive or non-destructive attacks may be launched by internal or external hackers; internal personnel (legitimate users) may abuse their privileges to commit crimes, exceed their authority to access confidential information, or maliciously tamper with data. Internal security threats include both malicious attacks and erroneous operation. Second, there is the spread of viruses or harmful messages, natural disasters, and man-made physical destruction. Viruses tend to spread by exploiting weaknesses in the computer operating system, so raising system security is an important aspect of virus prevention.
2. E-commerce Information Security
First, the paper defines the basic connotation of e-commerce information security, which concerns the risk of commercial data losing its integrity, correctness or accuracy, or being stolen, across the whole information environment: information networks, content, applications, media, communications infrastructure, etc. The paper then clarifies the development status of e-commerce in China and its existing security problems, including:
First, inherent security problems in the computer operating system and communication network. Because e-commerce relies on the operating system and the communication network, their inherent security problems, such as hackers, viruses, and network or system faults, also threaten e-commerce.
Second, security flaws in business software. As software and programs grow more complex and the variety of programming increases, the likelihood of flaws rises. On top of these inherent flaws, e-commerce security is exposed to tremendous threats.
Third, problems of identity authentication during transactions. With the popularity of e-commerce, netizens are becoming used to managing their financial affairs through the internet, so attacks on e-banks, securities institutions and third-party payment platforms will rise sharply. Malicious programs targeting financial institutions will become more professional and complex, and may combine phishing, e-banking malware and information theft, making the attacks even more threatening.
Fourth, e-business legislation and security standards lag behind. Existing law may not cover, or may not apply to, issues that arise during e-commerce transactions. A uniform market rule is necessary to support a safe transaction environment for e-commerce.
3. General Enterprise Information Security
After defining the basic connotation of enterprise information security, the paper sums up two security characteristics. First, hierarchical classification is evident in information security: based on position and rank, enterprise staff are granted different levels of rights to access or alter enterprise information. Second, asymmetric information exists between opposing parties, and information security follows the "short-board effect" (the system is only as secure as its weakest part). On this basis, the paper analyzes the informationization development status of China's enterprises and clarifies that the existing problems in enterprise information security come mainly from external attacks and internal threats.
First, attacks from outside the enterprise. There is a widespread lack of self-defense capability and awareness in enterprises, especially small and medium-sized enterprises in our country. These attacks include cutting communication lines, acquiring data by wiretapping on the internet, altering statistical data, changing the content of internet messages, forging identities, etc. Enterprises that import and purchase large amounts of foreign information technology or equipment are unable to handle the potential security problems.
Second, threats from inside the enterprise. On the one hand, enterprises face management loopholes, system problems and issues of personnel quality; on the other hand, collusion between insiders and outsiders is possible. In addition, human error may produce incorrect information, accidental deletion or alteration of information, and information leakage. The possibility of collusion between insiders and outsiders may increase as internal personnel familiar with the corporate LAN may be tempted by offers of profit.
4. State Infrastructure Information Security
This paper focuses on the information security status of different infrastructure fields, including telecommunications, the radio and television network, securities, electric power, railways, transportation, civil aviation, and national defense.
The existing problems in telecommunications information security include leakage of information on transmission lines, unauthorized access, denial of service (DoS) attacks, forged IP datagrams, destruction of data integrity, destruction of system availability, network viruses, and threats from internal personnel.
The existing problems in radio and television information security include intentional or unintentional technical jamming and a shortage of talent for defending information security.
The existing problems in securities information security include too many systems without a uniform security framework, such as the online trading system, the trading system, and the registration and settlement system, and a talent pool that needs more training.
The existing problems in electric power information security include the security of the physical infrastructure and the network, the construction of a standards system, and new problems brought about by the development of power grids.
The existing problems in railway information security include poor security management, lack of security awareness, a widespread erroneous attitude of "attaching great importance to products and technologies while neglecting service and management", and the inherent insecurity and vulnerability of the network information system.
The existing problems in transportation information security include the great damage to the normal operation of computer information networks caused by rampant viruses. Also, the uneven development of different regions easily causes the problem of "information islands".
The most severe existing problem in civil aviation information security is information leakage. The safety of aircraft is threatened once the civil aviation information system is attacked, the wireless communication system is disrupted, important special flight information is leaked, or various system faults occur. As a result, flights are cancelled, or even the safety of aircraft and of the nation is endangered.
The existing problems in national defense information security include lack of uniform planning, physical threats, leakage of information through electromagnetic radiation, dependence on foreign hardware and software, security risks in communication channels, and a shortage of information security talent.
As for China's information security industry, the paper mainly analyzes its overview, environment, development trends and safeguard measures.
1. Overview of the Information Security Industry
During the "Eleventh Five-year Plan" period, China's information security industry maintained fast growth, with an annual growth rate of over 30%. The scale of the industry keeps expanding, the product range is being perfected, the strength of enterprises is improving, the standards system is improving, and the number of professional personnel is rising. All of this has further strengthened the national economy and social progress. After summing up the development status of the industry's scale, product system and enterprise strength, the paper points out that although China's information security industry grows fast, it still faces many challenges. First, the industry as a whole is relatively weak, since key products and high-end services are acquired through import, so enterprises need to strengthen their support for guaranteeing state information security. Second, the industry's core technology is inadequate and technological innovation needs improvement; there is a lack of aggressive enterprises to lead the development of the industry; acquisition and integration are inevitable, and enterprises without technological innovation, service competence and a unique commercial application mode will gradually be eliminated. Third, high-end information security talent cannot meet the demands of the fast-growing industry. Fourth, the state information security standards are not sound, and market competition needs further regulation; it is urgent to optimize the management system, and the development environment needs improvement and perfection.
2. Environment for Information Security Industry
The paper focuses on the industry's environment in terms of policies and laws, technologies, the standards system, and evaluation and certification. In China, the environment in all these aspects is improving comprehensively. Key technologies have achieved certain breakthroughs; the R&D strength and service level of domestic enterprises are improving gradually, and their independence and control are improving continuously, so their capability to safeguard information security has greatly improved.
In terms of the policy and legal environment, the government's support, guidance and standards in policy, planning and standardization are conducive to creating a good environment for the development of the industry, so as to give full play to the market mechanism and promote the continuous, healthy and fast growth of the industry.
In terms of the technological environment, compared with the international advanced level, the industry's core technology in our country is not adequate, and the capability to transform scientific and technological achievements into products needs improvement. However, our country holds a leading position in security services.
In terms of the standards system and evaluation environment, our country's information security standardization work is advancing in an orderly way. The framework of the information security standards system has been established in its initial stage, forming national standards covering information security basics, technologies, management and evaluation, so as to support the construction of the state information security system. The certification system for information security products has also improved step by step. Centering on the construction of the state information security system, our country's standards system has made certain achievements, providing significant standards support for China's major informationization projects and its information security system.
3. Development Trends and Safeguard Measures of the Information Security Industry
The "12th Five-Year Plan" for the Information Security Industry, formulated by the Ministry of Industry and Information Technology, points out that the development of the industry features the following trends:
First, the industry is becoming systematic and stresses active defense. Information security safeguarding has turned gradually from traditional passive protection to active defense in a "monitor-response" mode. Technology is developing towards a comprehensive defense system featuring completeness, integrated operation, credibility and fast response. Product functions are becoming evidently more integrated and systematic, with ever-increasing performance, and the level of integrated protection and comprehensive defense is continuously enhanced.
Second, the industry depends more on the internet and is becoming more intelligent. The center of computing technology is shifting from the computer to the internet, which is becoming the platform for software development, deployment, operation and service, and thus places greater demands on effective prevention and comprehensive control. Information security products are becoming more internet-dependent and intelligent, and more and more attention is given to internet identity authentication, security intelligence technology, encryption algorithms and other information technologies.
Third, more attention is given to services. The industrial structure is turning from technology and product orientation to equal attention to technology, products and services, and security services are gradually becoming the focus of industrial development. The fact that information technology depends more on the internet and pays more attention to services has pushed the information security industry to focus on services. The proportion of information security services in the industry will keep rising and gradually lead the development of the industry.
Meanwhile, in order to guarantee the healthy and continuous development of China's information security industry, the "12th Five-Year Plan" for the Information Security Industry also points out the industry's safeguard measures: first, to perfect government policies and laws so as to optimize the industrial development environment; second, to put more emphasis on innovation so as to strengthen the competitiveness of the industry; third, to perfect the standards system to support the development of the industry; fourth, to improve product certification to regulate the development of the industry; fifth, to cultivate more talent as the foundation for the development of the industry.
Ⅲ. A Comparative Study of Information Security Strategies and Systems of China and Other Countries
On the basis of the theoretical foundation and the study of state information security, this paper conducts a comparative study of the strategies and systems of China and other countries. It focuses on the strategies and systems of foreign countries, and then puts forward China's state information security strategies and systems.
1. Foreign Information Security Strategies and Systems
The paper conducts an in-depth analysis of the information security strategies and systems of America, Russia, the EU and other countries, covering the background and objectives of the strategies, the state information security management system, the technology system, the evaluation system, etc. After summary and analysis, the paper draws valuable foreign experience, lessons and inspiration for reference in our country's strategies. For example, as the most powerful information country in the world, America has relatively more advanced and mature information security systems; the combination and complementarity of its management system, technology system and evaluation system keep the whole system stable, safe and highly efficient. Its security system has inspired us mainly in the following aspects.
First, as the foundation of the state information security system, the management system should offer more legal support, policy support, and regulations and standards for the technology system.
Second, the management system should not be too complicated and should avoid power conflicts. A central organ is needed to integrate all management rights, and subordinate organs should be set up to divide and coordinate those rights, so as to form a healthy pyramid framework.
Third, while stipulating management strategies, laws and regulations, we should pay attention to public privacy and the right to know. A balance should be struck between "control" and "freedom". We should safeguard state information security without hurting public feelings.
Fourth, from the National Security Strategy recently released by the Obama Administration, we can see that America is trying to deal with information security through international cooperation. In fact, the transnational nature of the internet and the interdependence of all economies mean that no single country can control global information flow on its own; countries should seek their internal information security through cooperation.
Fifth, to ensure the high efficiency of the international information security system, a sound information security evaluation system should be established, i.e., a closed-loop feedback evaluation mechanism that can discover hidden dangers, work out countermeasures, enhance strength and certify results.
Sixth, state information security must be further enhanced and developed. Apart from the support of the management system and the feedback of the evaluation mechanism, the technology system also needs further improvement. Accordingly, we need to expand the "information security talent team", increase R&D spending on information security technologies, and attach more importance to cultivating talent in the field.
Seventh, we have to strengthen our ability to fight against internet attacks, adopt active defense, and seek to gain the initiative.
Eighth, we have to raise public awareness of information security and work on education and training in internet security.
2. China's State Information Security Strategies and System
First, the paper summarizes the major problems in safeguarding state information security, the most serious of which are the heavy dependence of informationization on foreign countries, an information security management mode that needs improvement, and threats to internet information security.
In consideration of these problems, the paper conducts an in-depth analysis of the components of state information security strategy:
(1) Strategic Objectives
We shall establish and improve the information security system step by step to keep pace with the development of informationization; comprehensively improve the capacity to safeguard state information security; enhance the management, prevention and control of information security; and ensure the security of fundamental networks, significant information systems and information content, so as to promote the healthy and steady development of state informationization and safeguard state security, social stability, and the legitimate rights and interests of the public.
(2) Guidelines
Our country's state information security strategy shall adhere to the basic principle of "active defense and comprehensive prevention", and comprehensively improve the capabilities of early warning, prevention and control, protection and evaluation, emergency response and fast recovery, discovering and cracking down on attacks, combating and controlling hackers, and supervision and inspection. We should also set up a multi-dimensional defense system, improve the overall safeguarding ability and promote the healthy development of informationization. In light of market demand, we should take the promotion of information security support capability as the objective and center on guaranteeing the security of basic information networks and significant information systems; following the principle of "ensuring security and controllability, innovative development, and environment creation", we should push forward innovation in technologies and products and in application and service modes, drive the systematic and continuous development of state information security, and focus on scale, distinctive features, and high-end products and services.
(3) Basic Principles
First, adhere to security and controllability. We should ensure that basic information networks, important information systems, and new technologies and applications are secure and controllable by setting up a sound and standardized system of information security technologies, products and services, so as to provide technical support for the information security of the State, enterprises and individuals. Considering globalization and informationization at the level of State strategy, we should do our utmost in all the above ways to ensure information security. One key point is to develop software products with independent intellectual property rights and promote them vigorously in the market, so as to give full play to China's "secure, dependable and controllable" software and make it a pillar for ensuring information security. In addition, the government should lead domestic software and hardware makers to work together and support each other, so as to ensure security and controllability along the road of informationization.
Second, adhere to innovative development. We should integrate resources from all parties, increase investment in security technology innovation, develop core technologies and key products, innovate in service modes, capture the high end of the value chain, and enhance core competence. To meet the demands of State informationization and the integration of informationization and globalization, we should accelerate the promotion of secure and controllable information security technologies, products and services, encourage and support secure and controllable products and services, improve the competitiveness of major applications, and accelerate the development of information security.
Third, adhere to environment creation. The administrative departments responsible for information networks and information systems shall lead the security work of those systems, take on and carry out information security tasks, and organize and implement security measures. For the operation of information networks and information systems, the application unit shall prepare a security organization, staff, management regulations and technical measures. Organizations providing information security products and services shall guarantee that their products and services are secure, safeguard State security and the public interest, keep State secrets, and protect the legitimate rights and interests of citizens, legal persons and other organizations. While using information networks and systems, citizens, legal persons and other organizations shall observe the laws and regulations of China and bear the security responsibilities specified by law.
With the strategic objectives, guidelines and basic principles of state information security clarified, we propose that the security system shall operate at several levels and in various dimensions. Overall planning and command are needed in the construction of the security system, which shall center on the following: improving the information legal system, constructing the information security standards system, enhancing security technology strength, carrying out supervisory responsibilities, attaching importance to the information security emergency response system, and reinforcing the construction of information security as a discipline.
In conclusion, this paper builds a theoretical framework and research patterns for state information security, in the hope of providing theory and methods for future monographic studies, including information security engineering. We believe that, with the strong support of the State and governments at all levels, together with the joint efforts of all workers in the information security cause, we will make more splendid achievements in safeguarding state information security.