Cyber security bill insists on real name registration for SIM cards

The Chief Executive Council has completed its discussion of the cyber security law and has proposed real name registration for SIM cards in addition to the establishment of the Permanent Commission for Cyber Security (CPC).

According to the bill, Macau’s cyber security structure will consist of the CPC, the Cybersecurity Incident Alert and Response Center (CARIC) and other cyber security supervisory entities.

The CPC will be the decision- making body, whereas CARIC will carry out management and take measures to deal with cyber security matters. The supervisory entities will provide oversight to the infrastructure sector’s operators.

The cyber security supervisory entities already existed within the relevant government departments.

Regarding CARIC, its staff members will mainly consist of employees from the Public Administration and Civic Service Bureau (SAFP), the Judiciary Police (PJ) and the Macao Post and Telecommunications Bureau (CTT).

The bill has also proposed establishing responsible personnel for cyber security, and requiring operators to nominate people eligible for the position with relevant professional experience.

“If [operators] do not [have] cyber security responsible personnel, or if their responsible personnel are not qualified or do not have enough experience, we will apply a punishment. The punishment includes canceling operators’ right to respond to the government’s public tenders; or, canceling operators’ eligibility to receive government subsidies for a maximum period of two years,” said the ExCo spokesperson, Leong Heng Teng.

As explained by Chan Hin Chi, adviser of the Office of the Secretary for Security, people responsible for cyber security should reside in Macau and should answer the government’s requests when issues occur.

“They must be reachable at any time in order to solve cyber security incidents,” said Chan, adding that such personnel must be able to mobilize both human and economic assets.

In addition, Leong noted that the supervisory entities will only conduct checks on the system status at regular intervals, including network traffic and system logs.

“The relevant supervisors will only check network traffic. It will not conduct any decoding of the network traffic nor will it record any relevant data or decode online [conversations]. This is clear,” said Leong.

The bill, which will come into effect 180 days after its publication, proposed that internet operators should check and register their customers’ identification presented for SIM cards purchased before the law come into effect.

Internet operators must require SIM card users and buyers to register their identification within 60 days after the law comes into effect. If users fail to make their registration, the SIM cards will be deactivated. Users will also be given 60 days to complete the real name registration.

This policy will only apply to local internet operators.   

As previously announced, cyber security will include all public departments and organizations, and private entities of such sectors as transportation, telecommunication, water and electricity supply.

In total, private entities from 11 sectors are included in the bill. The Office of the Secretary for Security will also join as one of the bodies supervising cyber security.