The Cyberspace Administration of China (“CAC”) announced on 2 May 2017 the Measures for Security Review of Network Products and Services (Tentative) (the “Review Measures”), which will be formally implemented from 1 June 2017. The 16 articles of the Review Measures set up an institutional framework for the security review of network products and services. This is an integral part of the whole cybersecurity regime established by the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”). The Review Measures represent a further step and make improvements to the CAC’s Measures for Security Review of Network Products and Services (Draft Review Measures) (the “Draft Review Measures”), which were released on 4 February 2017. This article will canvass the main provisions of the security review system for network products and services, the highlights of the Review Measures and the issues still to be addressed, in order to provide guidance to companies on cybersecurity compliance.
The Institutional Framework for the Security Review of Network Products and Services
The security review structure set up by the Review Measures includes: products and services subject to review, review focuses, authorities in charge of the review, rights and obligations of network product and service providers and legal responsibilities. Details are as follows:
Highlights in the Review Measures Compared with the Draft Review Measures
1. The term “public interest” has been removed.
Article 1 of the Review Measures explicitly states that the Review Measures is enacted under the National Security Law (the “National Security Law”), the Cybersecurity Law, and other relevant laws and regulations of the People’s Republic of China. Pursuant to Article 59 of the National Security Law, the national security review and supervisory systems and mechanisms are set up to deal with “network information technology products and services that affect or may affect national security”. Article 35 of the Cybersecurity Law provides: “Where CII operators purchase network products and services that may affect national security, they must go through a security review organized by the national cyberspace authority in conjunction with relevant departments of the State Council.”
The Review Measures do not use the term “public interest” that appeared in Articles 1, 2, and 4(5) of the Draft Review Measures. That is because implementing measures must stay strictly within the extent authorized by their higher-level statute and should not leave the range of products and services subject to security review, or the standards of review, open to uncertain expansion.
2. Standards of review are clarified.
Article 4 of the Review Measures stipulates that reviews will focus on the security and control of network products and services. Article 4(2) amends the earlier Draft by substituting “supply chain security risk in the production, testing, and delivery of products and key components and their technical support” for “risks in the research and development, delivery of and technical support of products and key components”.
Because product R&D involves know-how, trade secrets and other core business resources, a risk review at the R&D stage is significantly more taxing. Enterprises would also need to protect know-how and trade secrets from loss or damage during the security review. It is more practical and meaningful to evaluate security risks after it has been decided to actually make new products. The Review Measures’ requirement of a security review at the time of “production and testing” rather than at the “research and development” stage is therefore an improvement on the Draft.
It should also be noted that Article 4(2) requires a review of “supply chain security risk”. In the light of Article 3 of the Review Measures, it can be seen that the CAC has adopted overall “process control” instead of “node control” in the review of network products and services. Given the complexity of network product and service supply chains and the diversity of business models (including outsourcing), it is inadequate for network security reviews to focus only on end products and services. To be comprehensive, reviews should cover all aspects of supply chains, not just end products and services and their direct providers.
3. A “negative list” and a “white list” are created.
Article 2 of the Review Measures states: “Important network products and services purchased for network and information systems relating to national security shall be subject to network security review”. Article 10 states: “Any network product or service purchased by an operator in key sectors or industries or by a CII operator shall be subject to national security review if the product or service may affect national security…” These provisions are in line with Article 35 of the Cybersecurity Law. Article 10 of the Draft Review Measures, which reads “party and government departments and key sectors shall firstly purchase network products and services passing a review, and shall not purchase any network product or service that fails a review”, is not repeated in the Review Measures.
For both purchaser and supplier, the above revision removes an uncertainty in the Draft Review Measures. Can “grey” network products and services that have not been reviewed be purchased? Are there any restrictions on purchasers who are not “party and government departments or key sectors”? The Review Measures make clear that a purchaser, whether or not in “party and government departments or key sectors”, must buy products and services that have passed a network security review whenever they are “important network products and services in network and information systems concerning national security”. That means products and services that “have not been reviewed” (grey list) or “fail a review” (negative list) are both prohibited from the market.
4. Transparency of review results increases.
Article 8 of the Review Measures states: “…to carry out cyber security review of network products and services, and publish or circulate within certain groups the review results”. Article 13 of the Review Measures provides: “The Cyber Security Review Office is to publish security assessment reports on network products and services from time to time”, instead of “… to publish security assessment reports on network product and service providers from time to time” as contained in the Draft Review Measures.
The Draft Review Measures did not specify either the relationship between the “review of network products and services” and the “security assessment on network product and service providers”, or the purpose and possible influence of the said “security assessment report on network product and service providers”. Some enterprises were concerned that these reports would be treated as a “negative list”, i.e. if a provider was negatively assessed in the report, all of its network products and services would be adversely affected. The Review Measures reduce this concern by clarifying that the assessment will be of “network products and services”, and not a qualitative conclusion regarding the security and credibility of the “provider”. In addition, the assessment reports published from time to time will guide the purchase of products and services, which gives the reports a practical use.
5. There are more remedies and penalties.
Article 14 of the Review Measures permits network product and service providers to report to the Cyber Security Review Office when they believe that an institution has made a non-objective or unfair assessment, or when they have other concerns. Article 15 confirms that violations will be dealt with in accordance with applicable laws and regulations.
Things to Be Clarified or Supplemented in the Review Measures
1. Scope of products and services to be reviewed
According to Article 2 of the Review Measures, “important network products and services to be purchased for networks and information systems concerning national security are subject to network security review.” However, the Review Measures do not define the scope of “network and information systems concerning national security”, nor do they indicate which parts of such network and information systems count as “important network products and services”. Therefore, enterprises are still uncertain about the applicable scope of the Review Measures.
Based on the context of the Cybersecurity Law and the Review Measures, a preliminary observation may be made that “network and information systems concerning national security” at least include “critical information infrastructure”. It is said that the CAC will publish “Guidelines on Critical Information Infrastructure” in the near future in order to partially specify the scope of Article 2 of the Review Measures. But what about other “network and information systems concerning national security” that are not “critical information infrastructure”? Both the criteria and the decision-making authority for defining the scope are uncertain and will need specification in further guidelines.
Moreover, the concept of “important network products and services” is so broad that, without specific criteria, it may be expanded at will and cause significant uncertainty. Since the Cybersecurity Law prevails over the Review Measures, is it practical that its provisions should apply mutatis mutandis to the operation of the Review Measures? For example, will the “catalog of critical network equipment and specialized network security products” provided for in Article 23 of the Cybersecurity Law be used as a reference for identifying some of the “important network products and services”?
2. Review of “providers” and the “supply chain” of network products and services
Articles 3 and 11 of the Review Measures have omitted the expression “to conduct reviews of providers of network products and services” contained in the Draft Review Measures, and Article 13 accordingly changes “publish security assessment report on providers of network products and services” to “publish security assessment report on network products and services”. These changes make clear that the review focuses on “network products and services” rather than on “providers”. From these changes it appears that reviews of enterprises are not included in security reviews, and the enterprises concerned need not worry that reviews will be targeted at them.
It is noteworthy, however, that the matters to be reviewed under Article 4 of the Review Measures still include “the risk of product and service providers taking advantage of users’ dependence on the products and services to harm cyber security and users’ interests”. Article 6 of the Review Measures also still lists “product and service providers’ security credibility status” as one of the assessment considerations of the Network Security Review Committee. Thus, we cannot rule out the possibility of reviews of “the providers of network products and services”.
As noted above, Articles 3 and 4(2) specifically require “supply chain risks” to be reviewed. To identify and prevent such risks, it would be necessary to review the whole supply chain, but is it possible or practical to review all of the related outsourced technical and service providers? This issue needs to be clarified.
3. Access to remedies
Under Article 14 of the Review Measures, providers of network products and services may complain to the Cyber Security Review Office if they believe their assessment by a third party to be unfair. However, the Review Measures do not provide any remedies following the Cyber Security Review Office’s review. For instance, if the results are negative, can providers apply for another review after they have made improvements? If the provider challenges the decision of the Cyber Security Review Office to uphold a third-party assessment, can it file a complaint, and to whom?
4. Penalties are too general and unclear
Article 15 of the Review Measures states: “Any breach of the Review Measures must be dealt with in accordance with applicable laws and regulations”. Article 65 of the Cyber Security Law contains penalties for CII operators that buy network products or services which have not undergone, or have not passed, a security review. Beyond that, the reference to “applicable laws and regulations” is too general, and gives no clear expectation of the possible penalties and legal consequences.
5. Procedures to be further confirmed
Article 7 of the Review Measures states: “The state designates third-party institutions of network security review in accordance with related laws, to undertake third-party assessment of network security reviews”. However, the “related laws” are not identified, and whether the cyberspace authorities will release detailed qualification requirements, designation standards and specific procedures for third-party institutions remains to be confirmed.
In addition, Article 8 of the Review Measures says that “the office of network security review shall, in accordance with related requirements…determine review targets pursuant to procedures…”, but there are currently no clear procedures for determining review targets. Whether the cyberspace authorities will formulate and release such procedures in the future is a concern for enterprises.
As implementing rules of the Cyber Security Law, the Review Measures have been drafted and released before the entry into force of the Cyber Security Law. They reflect the state’s resolve to safeguard national security and network sovereignty and the importance it attaches to the security of network products and services. Although some details of the Review Measures remain to be clarified, there is no denying that the Review Measures establish a fundamental framework for the security of network products and services. It is likely that reviews of network products and services will be undertaken in full as soon as the Review Measures come into force. The security review results will affect the sales and purchases of network products and services. Accordingly, we will pay close attention to any updates of operational guidance and law enforcement practice arising from the Review Measures, to help businesses avoid any negative impact.