China's 2015 State Security Law, which substantively amended and supplemented its first version issued in 1993, lays down the foundations for cyber security review. The law provides that the state needs to build a network and information security safeguard system to enhance network and information security protection capabilities, and ensure that network and core information technology, critical infrastructures and information systems, and data in key areas are “secure and controllable”.
The Cyber Security Law was adopted in November 2016 and will become effective on June 1, 2017. It stipulates that any network products and services provided to the operators of Critical Information Infrastructure (“CII”) must pass cyber security review, if such network products and services could impact national security.
Against such a backdrop, the Cyberspace Administration of China (“CAC”) released the draft Security Review Measures for Network Products and Services (“Draft Measures”) on Feb. 4, 2017, for public comment. The period of solicitation for public comments will end on March 4, 2017.
Scope of Cyber Security Review
The Cyber Security Law already provides a very broad scope of cyber security review, stipulating that any network products and services procured by the operators of CII should be subject to cyber security review, if they may impact national security.
The Draft Measures take it one step further, broadening the scope to cover any important network products and services used in information systems in connection with national security and public interests. Therefore, network products and services used by an entity that is not a CII operator may also be subject to cyber security review.
Effect of Cyber Security Review
According to the Draft Measures, network products and services that fail the cyber security review may not be procured by party and government departments or by operators of important industries. It is unclear what “important industries” refers to: the Draft Measures list only “finance, telecom and energy” as examples of important industries and do not provide a definition.
In addition, the Draft Measures reiterate the principle under the Cyber Security Law that network products and services provided to CII operators must pass the cyber security review. Otherwise, they may not be sold to CII operators.
Who Will Carry Out the Cyber Security Review
CAC, together with other authorities, will form a Cyber Security Review Committee, which will be in charge of the overall administration of the security review. The Draft Measures do not identify those other authorities. The Ministry of Industry and Information Technology (“MIIT”) and the Ministry of Public Security (“MSA”) are likely to be two of the authorities that form the Cyber Security Review Committee together with CAC.
Daily implementation of the cyber security review will be delegated to the Cyber Security Review Office, set up under the Cyber Security Review Committee. In addition, an Expert Panel will be formed to review the technical details.
CAC will also authorize third-party organizations to provide third-party evaluations.
Focus of Cyber Security Review
Echoing the State Security Law, the Draft Measures provide that the focus of the cyber security review is to ensure that network products and services are “secure and controllable”. Hence, the cyber security review will primarily assess the following risks:
- risks associated with stable operations (e.g., whether the product or service is vulnerable to being controlled, interfered with, or interrupted by others during operation);
- risks associated with the supply chain (e.g., risks arising from R&D, delivery and technical support activities);
- risks associated with data security (e.g., whether the product or service is vulnerable to illegal data collection and processing); and
- risks associated with users’ dependency on such products or services (e.g., whether the suppliers of network products and services will exploit such dependency to compete unfairly or impair users’ interests).
The risk assessment on user dependency may create uncertainty, especially for foreign technology companies whose products and services, even without any monopolistic conduct, may dominate the market because of their competitiveness and the lack of alternatives. Typically, concerns about unfair competition arising from abuse of a dominant market position are addressed by anti-monopoly law. Consequently, there is a concern that CAC could use the cyber security review process to impose, beyond the anti-monopoly law, additional barriers on foreign technology companies’ products and services.
Procedures of Cyber Security Review
The Draft Measures provide only brief descriptions of the procedures of cyber security review. Many details remain unknown.
The cyber security review can be initiated (i) at the request of the relevant state departments or any national industry association, (ii) in response to input from market entities, or (iii) in response to a company’s own application.
Once the cyber security review is initiated, an authorized third-party organization first evaluates the products and services. The Expert Panel then makes an overall assessment based on the third-party organization’s evaluation results, and the Cyber Security Review Committee makes a decision based on the Expert Panel’s assessment report.
The decision made by the Cyber Security Review Committee seems to be final, as no appeal mechanism is provided in the Draft Measures.
Many Questions Yet to Be Answered
The Draft Measures contain only 16 articles, and provide only general principles for cyber security review. Many questions have yet to be answered, for example:
- “Network products and services” are not defined under either the Cyber Security Law or the Draft Measures. It is unclear how broad the scope would be in the implementation.
- Both the Cyber Security Law and the Draft Measures are silent on what information will be required for the cyber security review. Without detailed guidelines, it is unclear (i) for hardware products, which technical documents must be provided for review and in how much detail, and (ii) for software products, whether source code and decryption algorithms must be disclosed to the government.
- Before the promulgation of the Cyber Security Law and the Draft Measures, many government departments and CII operators had already procured network products and services, some (if not all) of which may be subject to cyber security review. The Draft Measures contain no provision regarding these existing products and services. Without a grace period, their use would have to stop immediately once the Cyber Security Law and the Draft Measures take effect, which seems unfeasible and unreasonable.
- Before the concept of cyber security review emerged, a mechanism called the “Multi-Level Protection System” (“MLPS”), led and administered by the MSA, had already been in place for many years. The MLPS divides IT systems deployed in China into five levels, with Level-1 IT systems having the least impact on national security and Level-5 IT systems being the most critical to national security. In theory, an IT system classified as Level-3 must obtain Level-3 MLPS certification; in practice, however, such certification is typically voluntary. It is unclear what the relationship between MLPS certification and the cyber security review will be in the future.
Under the Cyber Security Law and the Draft Measures, the government appears to have reserved substantial discretion. As the Cyber Security Law takes effect within four months, the practical impact will become apparent in the near future.