China's Cybersecurity Reviews for 'Critical' Systems Add Focus on Supply Chain, Foreign Control (Translation)
Translating the "Cybersecurity Review Measures (Draft for Comment)"
Blog Post
Unsplash / Agence Olloweb
May 24, 2019
INTRODUCTION
The Cyberspace Administration of China (CAC) on May 21 released a new draft of regulations that set up a cybersecurity review regime for information technology products and services linked to “national security.” The updated version provides new information in an area where clarity has been long awaited, and it comes in the context of dramatic U.S. actions targeting China, in part through a similar regulatory tool.
When finalized and implemented, these new “Cybersecurity Review Measures (Draft for Comment)” are to replace earlier “interim” or “trial” “Network Products and Services Security Review Measures” (Chinese, English) published in May 2017, just before China’s Cybersecurity Law went into effect.
The review system set up by the existing interim rules and reshaped in the new draft is designed to fulfill a requirement in Article 35 of the Cybersecurity Law for “critical information infrastructure operators” (CII operators) to undergo a national security review when purchasing network products and services that may impact national security.
In its initial form and over two years of evolution, industry experts have referred to this cybersecurity review regime as a “black box” review, because the criteria and processes needed for a product or service to pass review have not been clear—meaning customers and vendors had great uncertainty in their dealings, and officials appeared to have broad, opaque discretion.
Although updates to the cybersecurity review regime have long been expected, the timing of this release inevitably means its contents will be interpreted in the context of U.S.–China economic disputes centering on technology.
First, U.S.–China trade discussions have touched on several major aspects of the Cybersecurity Law, including this cybersecurity review regime in specific, as well as another important set of draft measures related to cross-border data flows. Several additions to this version appear designed to address concerns raised by U.S. and European interests, and it is quite possible CAC had been waiting to release this draft in case adjustments were needed (should U.S.–China trade and economics have succeeded in time).
Second, elements of the new draft mirror U.S. actions linking political and legal issues to supply chain security, including a sweeping executive order scrutinizing the security of products or services linked to a “foreign adversary” last week, as well as ongoing U.S. efforts to persuade European and other partners to ban or restrict Huawei network equipment in their networks, including through the “Prague Proposals” on 5G security.
Yet the changes also reflect domestic developments that have little to do with the United States. These include: harmonizing the cybersecurity review regime with related rules on reviewing certain transfers of data out of China; a bureaucratic turf war between CAC and the Ministry of Public Security, with these reviews and the MPS-linked Multi-Level Protection System (MLPS) overlapping in jurisdiction; and the expansion of data protection regulations.
Overall, the latest version of the Measures reflects a number of important changes, while still maintaining the vague and broad language consistent with its reputation as a “black box.” Below we identify several significant developments.
Intellectual property (IP) protection
This version includes a new phrase stating that the review will “persist in … protecting intellectual property rights” (Article 3). This new language is likely a response to the criticism from U.S. government and industry groups that the invasive and opaque nature of the security reviews could put U.S. firms’ IP at risk.
Cementing enforcement authority of the Central Commission
This version includes two statements asserting that the Central Commission for Cybersecurity and Informatization has the lead role in the Cybersecurity Review process, decision-making, and enforcement (Articles 4 and 19). These are among the first (if not the first) explicit references to the enforcement authorities of the Commission, which is CAC’s parent. The elevation of the commission from “leading group” status last year aimed to consolidate power given jockeying for influence among lower-level bodies over critical information infrastructure rules.
Data protection as one new trigger for the review process
The Measures offer some new details about triggers that would would require a cybersecurity review (Article 6). This seeks to address the criticism that the previous version had no information about the conditions that would require a review, although the conditions remain quite vague. For example, the catch-all phrase “other risks and dangers seriously endangering critical information infrastructure equipment security” does little to narrow the scope of what requires a review.
Still, one of the triggers for a review in the new version is if a “large volume of personal information and important data [could be] leaked, lost, damaged, or removed from the country” (Article 6.2). The 2017 version had no reference to protection of data of any kind. The change reflects the increasing importance of data protection, particularly “personal information,” as Beijing has accelerated the build out a data protection system since release of the Cybersecurity Law.
Broad powers to block products and services based on perceived supply chain disruption risks from ‘foreign governments’
The Measures identify the “possibility of [supply chain] disruption due to non-technical factors like politics, diplomacy, and trade” (10.3) and “situations in which product or service providers are funded, controlled, etc., by foreign governments” (10.6) as two factors that warrant consideration in the cybersecurity review process.
The addition of these factors may be a direct response to U.S. action against Huawei. Even if not, one factor (10.1) could give the Chinese government explicit grounds to exclude U.S. companies from CII, especially if the U.S. government continues to use the Department of Commerce “Entity List” to disrupt the supply chains of Chinese companies.
Meanwhile, officials across several bureaucracies have broad latitude to propose reviews for any network product or service if they “believe” that it “may influence national security” (Article 19).
TRANSLATION
Cyberspace Administration of China Notice on the Publication for Comment of “Cybersecurity Review Measures (Draft for Comment)”
In order to raise the level of security and controllability in critical information infrastructure; to uphold national security; in accordance with the National Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, and other laws and regulations; the Cyberspace Administration of China, the National Reform and Development Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the Office of the State Commercial Cryptography Administration jointly drafted the “Cybersecurity Review Measures (Draft for Comment)” and published them to seek comment from society. The general public can use the following channels to offer feedback and opinions.
[(1) Visit http://www.chinalaw.gov.cn; (2) Email shencha@cac.gov.cn; (3) By mail.]
The comment period is open until June 24, 2019.
Attachment: Cybersecurity Review Measures (Draft for Comment)
Cyberspace Administration of China
May 21, 2019
Cybersecurity Review Measures (Draft for Comment)
Article 1: In order to improve the level of security and controllability of critical information infrastructure and protect national security, and in accordance with the National Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, and other laws and regulations, these measures are formulated.
Article 2: Critical information infrastructure operators (hereafter referred to as operators) procuring network products and services that influence or could influence national security should conduct a cybersecurity review according to these measures. Where there are other provisions in laws and administrative regulations, those provisions apply and are to be followed.
Article 3: The cybersecurity reviews: persist in safeguarding against cybersecurity risks and promoting the use of advanced technologies, strengthening fairness and transparency, and protecting intellectual property rights; persist in pre-review and ongoing supervision, the integration of enterprise commitment and social supervision; and, from the viewpoint of product and service security, undertake comprehensive analysis and evaluation of potential national security risks and dangers.
Article 4: Central Commission for Cybersecurity and Information has unified leadership of cybersecurity review work.
Article 5: The Cyberspace Administration of China, with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the Office of the State Commercial Cryptography Administration, establishes a cybersecurity review work mechanism. The Cybersecurity Review Office resides in the Cyberspace Administration of China with responsibility for organizing implementation of cybersecurity review and the related system of regulations and work processes, organizing the cybersecurity review, and supervising implementation of supervisory review decisions.
Article 6: When operators purchase network products and services, the potential security risks of operating products and services once in operation should be anticipated, and a security risk report should be generated. Where the following circumstances may occur, a cybersecurity review should be reported to the Cybersecurity Review Office:
- Critical information infrastructure equipment is down or the main function cannot work normally;
- A large volume of personal information and important data has been leaked, lost, damaged, or removed from the country;
- Critical information infrastructure equipment operations protection, technical support, and upgrades and replacement face supply chain security threats.
- Other risks and dangers seriously endangering critical information infrastructure equipment security.
Article 7: Regarding purchasing activities that are to undergo cybersecurity review, operators should use purchase documents, contracts, or other binding means to require product and service providers to cooperate with the cybersecurity review, and agree with product and service providers that the agreement takes effect upon passage of the cybersecurity review.
Article 8: When an operator submits to a cybersecurity review, the following materials shall be submitted:
- A written declaration;
- A security risk report in accordance with Article 6 of these Measures;
- A procurement contract, agreement, etc.;
- Other materials required by the Cybersecurity Review Office.
Article 9: After the Cybersecurity Review Office accepts a review submission, it shall complete a preliminary review within 30 working days; in cases involving complex situations, the review may be extended an additional 15 working days.
Article 10: The cybersecurity review focuses on assessing the potential national security risks brought about by procurement activities, mainly considering the following factors:
- The impact on the continuous, secure, and stable operation of critical information infrastructure, including the possibility that critical information infrastructure could be controlled, or that business continuity could be harmed;
- The possibility that large amounts of personal information and important data could be leaked, damaged, lost, or removed from the country, etc.;
- The possibility that the controllability, transparency, and supply chain security of a product or service could be disrupted, including the possibility of disruption due to non-technical factors like politics, diplomacy, and trade;
- The impact on the defense industry or industries and technologies related to critical information infrastructure;
- Product or service providers’ respect for the country's laws and regulations, as well as their commitment to bear the responsibilities and duties [associated with them];
- Situations in which product or service providers are funded, controlled, etc., by foreign governments;
- Other factors that could endanger the security of critical information infrastructure or national security.
Article 11: The Cybersecurity Review Office shall, after completing preliminary review, generate a suggested review conclusion and submit it to cybersecurity review work mechanism work units to seek opinions. The suggested review conclusion is to include three types: passing review, conditionally passing review and not passing review.
The cybersecurity inspection work mechanism work units shall, within 15 working days, issue written response opinions. Where the opinions of the cybersecurity inspection work mechanism work units are consistent, the Cybersecurity Review Office will return the review conclusion to the operator in writing; where the opinions are not consistent, the special review procedure is to be initiated, and the operator notified.
Article 12: Where the special review procedure is initiated, the Cybersecurity Review Office shall, after further hearing opinions from relevant departments, specialized bodies and experts, conducting a deep analysis and assessment, creating a suggested review conclusion, and seeking opinions from cybersecurity inspection work mechanism work units, report the matter to the Central Cybersecurity and Informatization Commission for approval according to procedure.
Article 13: Special reviews shall, in principle, be completed within 45 working days; where circumstances are complex, this period may be extended.
Article 14: Where the Cybersecurity Review Office requires the provision of additional materials, etc., operators shall cooperate. The review time is to be calculated from the date of submission of additional materials.
Operators shall bear responsibility for the veracity of the materials they submit. Where they refuse to provide materials according to requirements or wilfully provide false materials during the inspection process, they shall be considered as not having passed security review.
Article 15: Personnel participating in cybersecurity reviews have a duty to protect the secrecy of information they obtain during review work, and may not use it for purposes other than the review.
Article 16: Operators are to strengthen security management, and are to urge product and service providers to earnestly carry out the commitments made in cybersecurity reviews
The Cybersecurity Review Office is to strengthen supervision and management during and after their work through spot checks, accepting reports, and other such means.
Article 17: Where operators violate the provisions of these Measures, they will be punished according to the provisions of Article 65 of the Cybersecurity Law of the People’s Republic of China.
Article 18: In these Measures, “critical information infrastructure operators” refers to operators designated by critical information infrastructure protection work departments.
“Secure and controllable” refers to the fact that product and service providers may not use the convenient conditions of the products or services they provide to illegally obtain user data, illegally control or operate user equipment, and may not use users’ reliance on products or services to seek improper benefit or coerce users to renew or upgrade, etc.
Article 19: Where cybersecurity inspection work mechanism member work units believe network product and service purchasing activities, or information technology service activities influence or may influence national security, the Cybersecurity Review Office shall, according to procedure, report the matter to the Central Cybersecurity and Informatization Commission for approval, and conduct inspections according to these Measures.
Article 20: Where information related to state secrets is involved, the relevant national secrecy protection provisions apply.
Article 21: These Measures take effect on (day, month, year), the “Network Product and Service Security Review Measures (Trial)” will be abolished at the same time.