The user organization "hands it off and forgets", the service provider "delivers and walks away"! An institution's portal website was intruded and tampered with
People's Daily (Ren Min Ri Bao) · 2025-11-17 23:54
Core Viewpoint
- A recent cyber attack on a portal website managed by an institution in Yantai, Shandong, has highlighted significant lapses in network security management. Attackers made unauthorized alterations and inserted illegal content on the site, which disrupted the online environment and caused negative social impacts [1]

Group 1: Incident Overview
- The cyber security department discovered that the institution had outsourced the development and maintenance of its portal website to a third-party company, which failed to implement basic network security measures and did not address known vulnerabilities before launching the system [2]
- The institution, as the network operator, neglected its legal responsibilities for network security: it had no management system and no necessary protective measures, which resulted in the platform being compromised [3]

Group 2: Legal Actions
- The cyber security department ordered the involved institution to rectify its failure to fulfill its network security obligations and to establish a management system, in accordance with Articles 21 and 59 of the Cybersecurity Law of the People's Republic of China [5]
- The third-party development and maintenance company was also ordered to correct its conduct, namely not implementing security measures and failing to report system risks, under Articles 22 and 60 of the same law [6]

Group 3: Legal Framework
- Article 21 of the Cybersecurity Law stipulates that network operators must fulfill security protection obligations according to the network security grading (multi-level) protection system, to safeguard networks from interference, damage, or unauthorized access, and to prevent data leakage or tampering [7]
- Article 22 mandates that network products and services must meet national standards and that providers must not install malicious programs; providers are required to take immediate remedial action upon discovering a security flaw and to inform users and the relevant authorities [8]

Group 4: Responsibility and Accountability
- The incident underscores the need for both the user organization and the service provider to share responsibility for security. Outsourcing does not absolve the user organization of its obligations; security requirements should be written into contracts and acceptance criteria [9]
- The development and maintenance company must ensure the security of the products and services it provides, adhering to the principle of "secure delivery and responsible operation". Joint accountability of this kind is necessary to strengthen the security of the supply chain [10]