On 27 April 2020, the Cyberspace Administration of China (“CAC“), in conjunction with 11 other government agencies, jointly issued the Cybersecurity Review Measures (“Review Measures“). The Review Measures to be implemented as of 1 June 2020 will replace the Measures for the Security Review of Network Products and Services (for Trial Implementation) (“Trial Measures“). The Review Measures stipulate the scope of application, reporting procedures, evaluation factors, compliance works (in particular for the protection of the rights and interests of operators of critical information infrastructure (“CIIOs“) and product and service providers), legal responsibilities, etc. in relation to the cybersecurity review, which portends that China’s cybersecurity review has entered a new stage.
The Review Measures are well worth attention from CIIOs and relevant network product and service providers.
“Throughout the world, it has long been an international trend and common practice to conduct cybersecurity review.”[1] However, the establishment, composition, procedure design, and other aspects of the cybersecurity review regime vary from country to country. The joint working mechanism of multiple agencies established in the Review Measures will help break down the industrial and technical barriers of critical information infrastructure (“CII“) to promote consensus on CII protection. Different requirements imposed on CIIOs and network product and service providers are also conducive to defining their respective duties and obligations under the cybersecurity review regime. From the joint working of regulatory authorities to the cooperation of different market entities, it could well be seen that cybersecurity, in particular, protection of CII, requires concerted and coordinated efforts to maintain a safe network ecosystem.
This article will review the history of the cybersecurity review regime in China, summarize the framework and procedures of the cybersecurity review system determined by the Review Measures, and, based on the comparison with the cybersecurity review regime overseas and the previous Cybersecurity Review Measures (Draft for Comments) (“Draft Review Measures“), discuss how the new cybersecurity review mechanism will provide guidance for relevant market players and industry practice.
I. History of cybersecurity review regime
The Cybersecurity Law issued in 2016 established the security review mechanism for network products and services (the “cybersecurity review“).
However, the cybersecurity review mechanism in China can be traced back to the Two Session’s proposal on “Establishing the Information Security Review Mechanism” in 2013.[2] During the period of 2013 to 2016, China released a number of laws, regulations and policies which showed the state’s close attention to the construction of cybersecurity review mechanism.[3]
Before the Cybersecurity Law officially took effect in 2017, the CAC had issued the Trial Measures on 2 May of the same year in order to enable the initial implementation of the cybersecurity review mechanism (for details of the Trial Measures, please see”Building an Institutional Framework for Cybersecurity Review — Understanding the Measures for Security Review of Network Products and Services (for trial implementation) ” 画龙画虎先画骨——解读<网络产品和服务安全审查办法(试行)>.)
With the implementation of the Cybersecurity Law, the emergence of CII security issues and the growing experience in the cybersecurity review regime, in May 2019, the CAC, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology (“MIIT“), the Ministry of Public Security, the Ministry of State Security and other seven government agencies, jointly issued the Draft Review Measures (for details of the Draft Review Measures, please see “A Brief Analysis of Cybersecurity Review Measures (Draft for Comments) 千淘万漉虽辛苦,吹尽狂沙始到金 ——<网络安全审查办法(征求意见稿)>简析 ), and finally released the recent Review Measures (please see below the summary of relevant laws, regulations and legislative policies of China’s cybersecurity review mechanism).
II. Framework and Procedures of the Cybersecurity Review Mechanism
Pursuant to the Review Measures and other relevant laws, regulations and guidelines, we summarize the framework of cybersecurity review mechanism as follows:
Meanwhile, the Review Measures also refine the cybersecurity review procedures established in the 2019 Draft Review Measures. We hereby summarize the updated cybersecurity review process as follows:In addition to the application for cybersecurity review by CIIOs in accordance with the above procedures, member units of the cybersecurity review mechanism may also initiate “proactive review” of network products and services that affect or may affect national security.[6]
III. Major Amendments and Highlights of the Review Measures
Compared with the Draft Review Measures issued in 2019, this official version of the Review Measures make adjustments in various aspects including the practice of CIIOs’ risk prejudgment, the compliance requirements for the contents of supplier agreement, the scope of confidentiality obligations of review agencies and their personnel. In addition, the Review Measures also change the focus regarding the specific contents to be reviewed.
1. Establish a multi-department joint working mechanism to promote the connection between security review and industrial regulation
Currently, the security reviews in other countries are mostly led by the communications department, but there are also examples of multi-department joint review. For instance, the national security review in the US is undertaken by the Committee on Foreign Investment, which is composed of nine departments including Department of the Treasury and Department of Justice, and is responsible for organizing investigations. Similarly, the cybersecurity review in Russia is led by the Ministry of Industry and Trade, who will consult with the Federal Security Bureau and the Committee of State Security for decision review and assessment.
As shown in the above framework, the Review Measures establish a national cybersecurity review mechanism under the unified leadership of the Central Cyberspace Affairs Commission with close collaboration between CAC and 11 other important national ministries and agencies such as the Ministry of Public Security and the Ministry of State Security. Under the review mechanism, after the Cybersecurity Review Office completes the preliminary review, it will send relevant conclusions and advice to all member units thereunder and relevant CII protection departments. A final decision will then be reached on the basis of unified confirmation from relevant units and departments. In this way, a multi-departments’ joint supervision for CIIOs, i.e. the security review mechanism, is formed on the premise of a multi-department joint working mechanism for cybersecurity review being in place.
Security review requirements for CIIOs’ purchase of network products and services can also been found among various industries. For instance, the Cryptography Law provides that where CIIOs’ procurement of network products and services involve commercial cryptography and may affect national security, such CIIOs shall go through a national security review organized by relevant departments.[7] We understand that the legislative logic and purpose of aforementioned requirement are basically the same as those of the cybersecurity review mechanism. Therefore, the security assessment conducted by unit members in industries and the cybersecurity review may intersect and the multi-department joint working mechanism will help all departments to reach a consensus on CII protection, while at the same time provide easy channel for application and assessment of the cybersecurity review of CIIOs to some extent.
2. CIIOs may decide whether to apply for cybersecurity review based on industrial guidelines
Adhering to the idea of the Draft Review Measures, the Review Measures confirm that the application and review procedures for cybersecurity review do not apply unconditionally to the procurement of network products and services by any CIIOs. Article 5 thereof provides that the CIIOs, at the time of procuring network product or service, shall prejudge the potential risks such product or service may bring to national security after being in use; and when CIIOs believe that such product or service will affect or is likely to affect national security, they shall file an application for cybersecurity review.
It is noteworthy that Para 2 of Article 5 thereof specifies that CII protection departments may formulate prejudgment guidelines for their respective industries and fields. This means that such prejudgment guidelines will serve as a strong guidance for CIIOs’prejudgment of risks, and the formulation of prejudgment guidelines for certain industries and fields also reflects the recognition and respect for their particularity in the Review Measures. Such prejudgment guidelines will facilitate the connection with the CII identification mechanism, and, to a certain extent, eliminate the foregoing concern that “there are technical barriers between cybersecurity review and industry practice” which may leave CIIOs in a dilemma in practice.
Certainly, it takes time to formulate prejudgment guidelines for certain industries and fields, and the effectiveness and guiding role of such guidelines in practice await further observation upon formulation.
3. Cybersecurity review becomes the prerequisite for validation of the procurement contract
In addition, the Review Measures provide additional requirements for the contents, execution and performance of the procurement contract, the Review Measures and relevant Q&A by CAC officials make clear that CIIOs shall apply for cybersecurity review prior to signing the official contract with product and service providers, or they shall set the approval of cybersecurity review as the prerequisite for the contract validation. Meanwhile, with regard to procurement activities for which a cybersecurity review is applied, the CIIOs need to set out the obligation of product and service providers to cooperate during the cybersecurity review via procurement documents and agreements,[8] and to submit the procurement documents, agreements and contracts to be signed when applying for the cybersecurity review. [9] After passing the cybersecurity review, CIIOs also have the obligation to urge product and service providers to fulfil their commitments made during the cybersecurity review. [10]
On the one hand, the above provisions are helpful to materialize the security role of the cybersecurity review in the procurement of products and services by CIIOs, and to avoid conflicts between the agreement and the cybersecurity review that would diminish the actual role of the cybersecurity review or render it useless. On the other hand, the review of procurement contracts, agreements and other documents is also conducive to the reasonable allocation of responsibilities and obligations concerning cybersecurity between CIIOs and product and service providers, and indirectly to secure the supply chain of CII operations at all stages by contractually binding suppliers of products and services to the operator.
4. Focus of the Cybersecurity Review: Safeguarding National Security as the Core While Adhering to the Technology Neutrality.
Factors other than technology may generally be taken into account in the cybersecurity reviews by different countries. For example, according to the Executive Order on Securing the Information and Communications Technology and Services Supply Chainissued by the United States last year, the authority would consider whether “the transaction involves information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”[11] during cybersecurity review. Transactions involving or Usages of foreign information technology and services that may pose a special threat to the national security, foreign policy, and economy of the United States would be prohibited.[12]
The Review Measures exclude “the influence on technologies and industries relating to national defence, military industry and CII”, “whether the product and service provider is funded or controlled by foreign governments”[13] and other non-technical factors related to politics, diplomacy and trade environment from the key evaluation factors of cybersecurity review. As reiterated by the responsible person of the CAC in the Press Conference on the Review Measures, opening-up is a basic national policy of China,[14]such revision mainly reflects a shift of focus of the cybersecurity review. In another word, in addition to safeguarding national security, the cybersecurity review would pay more attention to the substantive contents of products and services now.
In addition, as indicated by Article 9 (III) of the Review Measures, the factors of the cybersecurity review include: “safety, openness, transparency, and diversity of sources of the product or service, reliability of supply channels, and risks of supply interruption as a result of political, diplomatic, trade or any other factor”. The supply chain security, as the focus of the security review, will be comprehensively reviewed regarding the aspects of product and service sources, supply channels, service delivery methods, service attributes and impacts of other non-technical factors on the supply chain.
However, it should also be noted that the review factors aforementioned are still directional requirements at a high level and detailed guidelines are needed to provide a clearer instruction. More time will be needed to observe how to balance among all the factors during the review and what criteria would be taken under certain factors in practice.
5. Clarification on the scope of confidentiality obligations of the agency and its personnel
Pursuant to Article 15 of the 2019 Draft Review Measures, the agency and its personnel are legally bound by the general confidentiality obligations which prohibiting them from using the information obtained from the cybersecurity review for other purposes. The Review Measures further refine and clarify the scope of the confidentiality obligations of the agency and its personnel. To be specific, the agency and its personnel are obliged to keep the trade secrets, intellectual property information, and other non-public information of the CIIOs, as well as those of the product and service providers, confidential.[15] With regard to the disclosure of materials, in addition to the restrictions on the purpose of review described in the 2019 Draft Review Measures, the Review Measures introduce an additional requirement that relevant materials shall not be disclosed to unrelated parties without the consent of the providers, with a view to providing a more comprehensive protection of the rights and interests of enterprises.
6. Anticipation to More Detailed Implementing Rules In Future
The Review Measures specify the basic procedure of and requirements for the cybersecurity review. However, in practical implementation, detailed implementing rules have yet to be introduced, for the purposes of responding to the practical questions and providing more accurate guidance. For example, considering that the Review Measures have not set up channels for appeal against review decisions, it is unclear that whether the CIIOs may raise an objection on reasonable grounds if failing the review.
May the providers of network products and services, as stakeholders, also have the right to appeal? In addition, further explanation on the issues such as CIIO identification, pre-judgment guidelines for the relevant industries and fields by the competent agencies for CII protection, and the scope of network products and services that shall abide by the Review Measures are also needed.
IV. Impact of the Review Measures on relevant enterprises
For CIIOs, the Review Measures’ establishment of multi-agency joint working mechanism will help promote the interactions between the cybersecurity review and industrial supervisions. The CIIOs might also be relieved from the burden caused by the multiple declaration on the cybersecurity reviews to both the CAC and industrial regulatory authorities.
However, it should be noted that the CIIOs may also be faced with some new obligations and legal liability accordingly. For example, the CIIOs are obliged to make pre-judgment decision on whether to declare the cybersecurity review and supervise the subsequent fulfilment of commitments by product and service providers after the cybersecurity review. In particular, considering that the guidelines on the scope of CIIOs and the specific types of procurement of network products and services required to be declared have not been issued yet, the CIIOs may have difficulty in accurately identifying thresholds and timing for declaration.
Therefore, we advise the Operators in certain important industries and fields, including but not limited to public communication and information service, energy, transportation, water conservancy, finance, public service and e-government, to:
- Communicate closely and confirm whether the operator would be recognized as CIIO with the industry regulatory agency;
- Communicate closely and confirm whether the procurement of certain network products and services shall be declared for a cybersecurity review with the CAC and the agencies responsible for the CII protection;
- Establish an internal review mechanism for cybersecurity and service procurement, including but not limited to:
- conduct pre-review assessment on the security qualifications of network product and service providers;
- improve the purchase agreements with the network product and service providers, stipulating the obligations of the providers to cooperate in the cybersecurity review and the liabilities for breach of contract that shall be borne by the providers for failure in complying with the commitments made during the cybersecurity review; and
-
- agree on the CIIO’s entitlement to conduct irregular and random inspection and monitoring of performance of commitments made by the network product and service providers in the cybersecurity review, or to require the provider to submit reports on performance of such commitments on a regular basis.
Considering that the cybersecurity review is a prerequisite for the signing or the effectiveness of the procurement contracts, network product and service providers may be faced with an increasing uncertainty, and the time period between the conclusion and entry into force of the agreement might be prolonged. For providers who may provide network products and services to the CIIOs, it is recommended to:
- Categorize potential client groups and prepare the cybersecurity review in advance in accordance with the industries the clients belong to, so as to communicate with the competent agencies of different industries in a targeted way;
- Fully communicate with the clients who may be engaged in key sensitive industries to find out whether they have been or might be identified as CIIOs, and keep communication on the subsequent identification results if any.
- Conduct internal review in advance on the factors that may be considered in the cybersecurity review, and form a preliminary conclusion if a large portion of the clients of the providers might be recognized as CIIOs.
- Cooperate with the launch of the cybersecurity review, and fulfil the commitments to the CIIOs in accordance with the results of the internal review, including not illegally obtaining user data when providing products and services to the CIIOs, illegally controlling and manipulating user equipment, or refusing to provide product supply or necessary technical support services without justifiable reasons.
Authors
[1] Cybersecurity Review Mechanism of Different Countries and Case Analysis [EB/OL]. http://www.cac.gov.cn/2015-04/17/c_1114990146.htm. Issued on 17 April 2015. Last visited on 28 April 2020.
[2] Article 35 of the Cybersecurity Law provides that any purchase of network products and services by the operator of critical information infrastructure that may threaten national security is subject to the national security review conducted by the CAC together with competent departments of the State Council.
[3] Ma Ning, The Connotation and Regime of the State Cybersecurity Review [J]. Secrecy Science and Technology, 2017(02):12-16.
[4] Cyber Administration of China, National Development and Reform Commission, Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, Ministry of Commerce, Ministry of Finance, the People’s Bank of China, State Administration for Market Regulation, National Radio and Television Administration, National Administration of State Secrets Protection, and State Cryptography Administration
[5] Id.
[6] Article 15 of the Review Measures provide: “Where any member unit of the cybersecurity review mechanism believes that the network product or service affects or may affect national security, the Cybersecurity Review Office shall, in accordance with relevant procedures, report the case to the Central Cyberspace Affairs Commission for approval, and then conduct the review in accordance with this Measures.”
[7] Para 2, Article 27 of the Cryptography Law provides: “Where CIIOs procure network products and services involving commercial cryptography which may affect national security, they shall go through a national security review organized by the state cyberspace administration in concert with the state cryptography administration and other relevant authorities in accordance with the Cybersecurity Law of the People’s Republic of China.”
[8] Article 6 of the Review Measures.
[9] Article 7 of the Review Measures.
[10] Article 18 of the Review Measures.
[11] Section 1 (a) (i) of the Executive Order on Securing the Information and Communications Technology and Services Supply Chain.
[12] Cybersecurity Law Research Centre of the Third Research Institute of Ministry of Public Security. Chinese translation of the Executive Order on Securing the Information and Communications Technology and Services Supply Chain. https://www.secrss.com/articles/10721. Issued on 16 May 2019; last visited on 28 April 2020.
[13] Article 10 of the Draft Review Measures.
[14] Q&A for the Cybersecurity Review Measures [EB/OL]. https://mp.weixin.qq.com/s/yzhiqTvfi107cir2zpMkdw. Issued on 27 April 2020; last visited on 28 April 2020.
[15] Article 16 of the Review Measures.