This article was written by Wang Rui (partner) and Song Yafei (senior associate).
Cyber security is at the forefront of law review throughout the world, and China is no exception. The state has released a number of regulations and policy documents on cyber security, such as the Cybersecurity Law (《网络安全法》), the Cyberspace Security Strategy (《国家网络空间安全战略》), and the Opinions on Strengthening National Cybersecurity Standardization (《关于加强国家网络安全标准化工作的若干意见》), and is developing technical standards systems to support them. Under the constant threat of cyber attacks, and with the aim of further improving the security and controllability of network products and services and guarding against supply chain security risks at the regulatory level, a cybersecurity review system was like an arrow on a bowstring, ready to be released. [1]
On February 4, 2017, the Cyberspace Administration of China ("CAC") released a draft of the Measures for the Security Review of Internet Products and Services (《网络产品和服务安全审查办法》) (the "Draft") [2] through its official website to seek public comment.
The Draft consists of 16 articles. It reflects an acknowledgment by the government of the importance of ensuring the security and controllability of network products and services [3], and explains the basic regulatory framework of the cybersecurity review system (see the diagram at the end of this article). The Draft builds on and implements the monitoring, defending and disposing measures in the Cybersecurity Law [4] (e.g. the national security review system applicable to critical information infrastructure operators purchasing network products and services), thereby turning the cybersecurity review system into another significant measure in the protection of cybersecurity.
Scope of Application
According to the Draft, in principle, important network products and services that are used by information systems relating to national security and the public interest shall be subject to a cybersecurity review. [5] This provision limits the application scope of the cybersecurity review system to network products and services concerning national security and the public interest; other network products and services are not subject to routine examination. Network products and services that have passed the review will enjoy preferential treatment in the procurement processes of the Party, government departments and key industries, which will not purchase network products and services that have failed the review. Products and services purchased by critical information infrastructure operators that may affect national security [6] will also be subject to the cybersecurity review. [7]
In addition, as indicated in the Draft, the security review of network products and services will be conducted under the principle that "all countries are treated equally". Once a network product or service is considered unsafe, it will be treated in the same way regardless of whether it was developed by a domestic or a foreign enterprise. [8] According to the interpretation of a CAC official, the cybersecurity review does not distinguish products and services by their country or region of origin. Therefore, the review will not act as a barrier to overseas products entering the Chinese market. [9]
Objects and Contents of the Review
Network products, services and their providers will be the objects of cybersecurity review. The review will be carried out using a combination of enterprise commitments and social supervision, third-party evaluation and government supervision, laboratory testing, on-site inspection, on-line monitoring, and background investigations, with a special focus on the security and controllability of the network products and services. [10]
The Draft provides five major review criteria:
- stability of products and services: the risks of illegal control, interference and interruption of the operation of products and services;
- security of the supply chain: risks in the R&D, delivery, and technical support of products and key components;
- security of user information: risks of product and service providers exploiting the convenience of providing those products and services to engage in the illegal collection, storage, handling and use of user information;
- autonomy of users: risks of product and service providers taking advantage of users' reliance on products and services to carry out unfair competition or harm the interests of users;
- other risks that may endanger national security and the public interest.
Rather than reviewing and evaluating commercial performance, the cybersecurity review analyses the security and controllability of network products and services. It looks for illegal tampering, interference or interruption, and for the possibility that a provider is using its products to endanger national security or the interests of users. [11]
Body of the Review
According to the Draft, a Cybersecurity Review Committee, consisting of the CAC and other relevant authorities, will be established. The committee will be responsible for developing policies, organizing review work, and addressing major issues in relation to cybersecurity review. The Cybersecurity Review Office will be responsible for organizing and carrying out the specific cybersecurity reviews. [12]
The Cybersecurity Review Committee will appoint relevant experts to form a Cybersecurity Review Experts Committee. They will evaluate the security risks of network products and services and the suppliers' trustworthiness using third party evaluations. China will certify these third-party institutions in a unified manner, and entrust these institutions with the conduct of evaluations during the cybersecurity review period. [13]
System of the Review
A cybersecurity review may be initiated in the following two ways [14]:
Firstly, the Cybersecurity Review Office may organize a cybersecurity review of network products and services, conducted by third-party organizations and experts, and then publish or circulate the relevant results of the review. Such a review will be based on the requirements of relevant government departments, proposals from national industry associations, market responses, and applications from enterprises. For example, if a national industry association, based on its research, believes a product or service has a serious network security vulnerability that could affect national security, the association may report the problem to the Cybersecurity Review Committee. If the Committee agrees that such a vulnerability may exist, it will initiate a security review of those products or services when they are used in particular domains. [15]
Secondly, the departments in charge of key industries (such as finance, telecommunications, and energy) may organize a security review of the network products and services in their respective industries in accordance with the requirements of the national cybersecurity review.
Impact of the Review
Following the review, the Cybersecurity Review Office will publish or circulate the results within a certain scope. It will also release security assessment reports of network products and service providers from time to time. [16]
If a network product or service does not pass the review, it may be "blacklisted", and the Party, government departments and key industries will be prohibited from purchasing it. [17] Apart from this, the Draft does not explicitly provide any other direct consequences for network products or services that fail the review. However, according to Article 65 of the Cybersecurity Law, if a critical information infrastructure operator uses any network product or service that has not undergone security review (or has failed to pass security review in an area that may influence national security), the relevant authority will order it to cease using that product or service. A fine of no less than the purchase price but no more than ten times the purchase price will be imposed, along with a fine of between RMB 10,000 and RMB 100,000 to be paid by those directly responsible.
Conclusion
As can be seen by the content of the Draft, the upcoming cybersecurity review system is mainly concerned with network products and services relating to national security and the public interest. It constitutes an important part of the cybersecurity protection system to which China is devoting much effort. At present, the Draft remains at the stage of top-level design. Government authorities need to further clarify the cybersecurity review criteria, technical standards, and specific procedures at implementation level.
[1] In fact, in 2014, the Cyberspace Administration of China proposed the establishment of a cybersecurity review system.
[2] http://www.cac.gov.cn/2017-02/04/c_1120407082.html
[3] See Article 1 of the Opinion-seeking Draft.
[4] Promulgated by the Standing Committee of the National People's Congress on November 7, 2016, becoming effective on June 1, 2017.
[5] See Article 2 of the Opinion-seeking Draft.
[7] See Article 10 and Article 11 of the Opinion-seeking Draft.
[8] 《刘多:落实网络安全审查制度可有多种方式》 ("Liu Duo: There Are Many Ways to Implement the Cybersecurity Review System"), http://www.chinanews.com/gn/2014/05-22/6200364.shtml
[9] 《帮你预习"网络安检"须知——聚焦<网络产品和服务安全审查办法(征求意见稿)>》 ("Helping You Prepare for the 'Network Security Check': A Focus on the Measures for the Security Review of Network Products and Services (Draft for Comment)"), http://news.xinhuanet.com/politics/2017-02/07/c_1120426788.html
[10] See Article 3 and Article 4 of the Opinion-seeking Draft.
[11] 《又有大动作!中国将成立的这个审查委员会到底要干啥?》 ("Another Big Move! What Exactly Will the Review Committee China Is About to Establish Do?"), http://mp.weixin.qq.com/s?__biz=MzA4MDI3NjQ5NA==&mid=2658009280&idx=1&sn=21b5f6332a224c4d560219495432258a&chksm=843c1da1b34b94b7635d452e1e3abb2fdede0592fa4f2a0c1e492d4f4899d7ef83d91de949bb&mpshare=1&scene=5&srcid=02076tXHmuwt8EdAbZedTNGJ#rd
[12] See Article 5 of the Opinion-seeking Draft.
[13] See Article 6 and Article 7 of the Opinion-seeking Draft.
[14] See Article 8 and Article 9 of the Opinion-seeking Draft.
[15] See Note 12.
[16] See Article 8 and Article 14 of the Opinion-seeking Draft.
[17] See Note 12.