On 16 March 2017, the Prime Minister issued Decision No. 05/2017/QD-TTG on providing emergency response plans to ensure national cyber information security (“Decision No. 05“). Decision No. 05 has laid out the basic framework for reporting and responding to cyber information security incidents. More recently, the Ministry of Information and Communications (“MIC“) issued Circular No. 20/2017/TT-BTTTT on 12 September 2017 on the coordination and response to cyber information security incidents nationwide (“Circular No. 20“) to further elaborate on the action plans to respond to non-serious cyber information security incidents as assigned in Decision No. 05.
Incidents under the authority of the Ministry of National Defense (“MOD“) and Ministry of Public Security (“MPS“) are not covered by Decision No. 05 and Circular No. 20. Circular No. 20 took effect on 01 November 2017.
1.1. Authorities and networks responsible for security incidents
The leading authority in responding to cyber information security incidents is the National Steering Committee on Information Security (“NSC“). The NSC instructs the MIC, the MPS, the MOD and other relevant ministries and local governments with regard to emergency response activities. The MIC is the Standing Committee of the NSC which directly decides and orchestrates emergency response action plans.
Below the Standing Committee of the NSC, there are:
– the Steering Committees on emergency responses to cyber information security incidents of ministries, ministerial-level agencies, government affiliates and provincial / city affiliated People’s Committees;
– specialized cyber information incident response units in charge of information security or information technology of ministries or Provincial-level People’s Committees; and
– the National Cyber Information Security Incident Response Network (“Incident Response Network“).
Decision No. 05 provides that certain entities must become members of the Incident Response Network. This Incident Response Network includes entities in the State sector, such as:
- Units in charge of incident response, information security or information technology of ministries, ministerial-level agencies, government affiliates and central-level agencies; Departments of Information and Communications for provinces or central-affiliated cities;
- Relevant agencies/units affiliated with the MIC; the Authority of Information Security, Vietnam Computer Emergency Response Team (“VNCERT“), Vietnam Internet Network Information Center (“VNNIC“) and the Authority of Central Posts;
- Relevant agencies/ units affiliated with the MPS; Authority of Cyber Security; Police Department for High-Tech Crime Prevention; and
- Relevant agencies/ units affiliated to the MOD; Department of Information Technology; Government Cipher Committee.
Further, Decision No. 05 also requires certain entities and units that are potentially in the private sector to join the Incident Response Network. This includes telecommunications companies; ISPs; data centers; data storage leasing companies; IT and cybersecurity departments/units of banking and financial institutions, or National Treasury, tax and customs’ bodies/authorities.
Members of the Incident Response Network are responsible for complying with the operating regulations of the Network and coordination orders given by the National Coordinating Agency (i.e., VNCERT) r, as well as actively participating in the operations of the Network.
Particularly, telecommunications enterprises and ISPs shall store and provide information concerning IP addresses of subscribers, servers, IOT equipment, log files and logs of a domain name system (DNS) within the scope of their management; provide space for installing monitoring/ sampling equipment and provide data flows on the Internet to serve the supervision and detection of incidents upon request of the National Coordinating Agency. They must also arrange a 24/7 standing team and personnel and material resources to cooperate and develop solutions for responding to and remedying consequences of incidents in cases where the source of cyber attacks has originated from subscriber(s) under the enterprise’s management or at the request of the National Coordinating Agency.
1.2. Subjects under Decision No. 05 and Circular No. 20
Subjects under Decision No. 05 and Circular No. 20 are entities and individuals that are directly involved in or related to cyber information security activities in Vietnam, including:
- Administrator of the information system (“Administrator”): as defined under the Law on Cyber Information Security (“LOCIS“), it means an organization or individual who directly administers an information system. More specifically, as defined under Circular No. 03/2017/TT-BTTTT guiding Decree No. 85/2016/ND-CP (“Circular No. 03“), it means the body (the term used by Circular No. 03) of an organization / entity that has the authority to make decisions on the investment, establishment, upgrade and expansion of the information system.
- Operator of the information system (“Operator”): as defined under Circular No. 03, means a body designated by the Administrator to operate such information system. If the Administrator outsources information technology services, the Operator shall be the service provider. Circular No. 20 contemplates that any individual / organization being the Operator must report to the Administrator, VNCERT and other relevant agencies about incidents.
- Other organizations and individuals that do not operate the information (“Other Persons”): not defined by law.
1.3. Serious and non-serious cyber information security incidents
Depending on the level of seriousness, cyber information security incidents are classified into serious and non-serious cyber information security incidents.
Serious incidents under the scope of Decision No. 05 include:
- Information systems of Level 4 or Level 5, or of the List of Important National Information Systems, of which:- the service is interrupted;- the State’s confidential / top secret data is likely disclosed;- the important data cannot be secured as to integrity and recovery;- the system administrator has been deprived of control rights; or
– the incident likely occurs on a wide scale or impacts on and causes damage to other Level 4 / Level 5 systems; and
- The operator of the information system is not able to control and remedy the incident.Responding procedures for serious cyber information incidents will follow the action plans set out in Decision No. 05. Responding procedures for non-serious cyber information incidents is regulated under Circular No. 20.
1.4. Mandatory notifying/reporting obligations under Circular No. 20
Notifying and reporting obligations of Operators:
A “cyber information security incident” is defined, in Circular No. 20, as an incident where information or an information system is attacked or harmed, affecting the integrity, confidentiality or usability of the information or information system.
Pursuant to Article 9 of Circular No. 20, the Operator shall, within five days after detecting an incident, notify the following agencies and units of the incident:
- the Administrator;
- the National Coordinating Agency: VNCERT;
- the specialized accident response unit: VNCERT; Vietnam Internet Center; ISPs; other state agencies;
- the member of the concerned incident rescue network (if any).
At the time of notification, if the incident has not been completely resolved, organizations and individuals operating the system shall have to update the incident’s status to the agencies and units that were notified before the incident was completely resolved.
In case the Operator determines that they are not able to handle the incident on their own, they must prepare an Initial Report on the Incident to report to the Administrator, the specialized accident response unit, and VNCERT. Within five days after finishing responding to the incident, they must complete the Final Report on Response to the Incident to submit to the Administrator and VNCERT. VNCERT will only record the incident as “resolved” after receiving the Final Report on Response to the Incident.
Currently, penalties for not complying with incident reporting obligations are provided under Article 71 of Decree No. 174 (up to VND70 million, approx. US$3,180).
Notifying obligation of non-Operators:
Under Circular No. 20, other subjects (organizations and individuals that do not operate the information system) who detect signs of an attack shall quickly notify one or more of the following agencies and units: the Operator, the Administrator, the national coordinating agency (VNCERT) and the member responsible for the Incident Response Network.
Currently, there is no available sanction imposed on “other persons” if they do not report.
1.5. Form of reporting
Forms of notification: Official letters, fax, emails, multimedia messages or technical systems for reporting cyber information security incidents as instructed by VNCERT.
Forms of reporting: Signed paper or electronic documents (which have an official seal or signature (including digital) of the relevant authority).
Circular No. 20 prescribes a form of reporting in its appendix. The prescribed form is substantive (e.g., comprises identity of the Administrator, IP address, domain name, time / date of the incident, brief of the incident).