6 June, 2017
The Cyberspace Administration of China (CAC) published the Trial Measures for Security Review of Network Products and Services (Trial Measures) on 2 May 2017. The Trial Measures mark the first step towards establishing a nationwide security review regime for network products and services.
In this e-bulletin we highlight the key provisions of the Trial Measures and set out our observations on the regime.
BACKGROUND
The National Security Law, enacted in 2015, first introduced the concept of a national security review for "network information technology products and services", alongside other areas that have an impact on national security such as foreign investment, key technologies and construction projects. China's Cyber Security Law (CSL) requires that any purchase of network products and services by the operators of critical information infrastructure (CII) should be subject to a national security review by the CAC and other governing authorities. The National Cyber Space Security Strategy (Cyber Strategy) also highlights the importance of establishing a national security review regime for "important information technology products and services purchased and used by the party and government authorities and key industries". The Cyber Strategy also states that the purposes of a security review regime are for (i) improving the "security and controllability of the products and services" and (ii) "preventing unfair competition or damage of user's interests by the provider of such products or services through their technological advantage".
TRIAL MEASURES – KEY PROVISIONS
What falls within the scope of the security review?
The scope of the review includes:
important network products and services purchased for network and information systems that concern national security (Art.1); and
network products and services purchased by operators of CII, which may have an impact on national security (Art. 10).
What is to be reviewed?
The security review will focus on "security and controllability", including (Art. 4):
- the security risks of products and services, and risks of the products and services being illegally controlled, interfered with and disrupted;
- the security risks of the supply chain arising from manufacturing, testing, delivering, and providing technical support to, products and key components;
- the risk of illegal collection, storage, processing and use of user information by product and service providers taking advantage of their role as provider;
- the risks of jeopardising network security and user interest by providers taking advantage of user dependence on products and services; and
- other national security risks.
Who is responsible for carrying out security reviews?
The following bodies are responsible for carrying out reviews:
The Network Security Review Committee, which is responsible for:
(i) reviewing important policy;
(ii) organising network security reviews; and
(iii) coordinating important network security review issues (Art. 5).
The Network Security Review Office, which is responsible for "organizing the implementation of national security reviews" (Art. 5), in particular:
(i) determining who is to be the subject of review;
(ii) organising third-party institutions and the Network Security Review Expert Committee (see the next bullet below) to conduct the security review; and
(iii) publishing or notifying the review results (Art. 8).
The Network Security Review Expert Committee, which is responsible for assessing the "security risks of network products and services" and the "security and trustworthiness" of the provider, on the basis of third-party evaluation.
Third-party institutions, which are responsible for third-party assessments.
Regulators of key industries or sectors, such as finance, telecoms, energy and transport which are responsible for organising security reviews within their respective industry or sector (collectively, Review Bodies).
What standards apply to the security review?
When conducting a security review, third-parties institutions should:
- be objective, impartial and fair;
- follow relevant regulations and applicable standards; and
- focus on (i) the security and controllability of the products, services and supply chain and (ii) the transparency of the security systems (Art 11).
What review methods may be used?
Under the Trial Measures, the security review process can involve:
- laboratory testing;
- onsite inspection;
- online monitoring; and
- background investigation (Art. 3).
OUR OBSERVATIONS
Clarification is needed on the scope of review
The Trial Measures extend the scope of security reviews from purchases of network products and services by operators of CII to now include purchases of any network products and services for any network and information system concerning national security.
The scope of a "network and information system concerning national security" has not yet been defined and is potentially very broad.
We would expect the CAC to publish detailed rules to clarify the scope of network products and services which will be subject to security review.
The concept of "Security and controllability" needs further definition
Under the Trial Measures, the security review will focus on the "security and controllability" of network products and services. The concept of "security and controllability" was officially introduced in the National Security Law in 2015, which requires "core network and information technology, critical infrastructure and data and information systems in key sectors to be secure and controllable". The CSL provides that the state should promote "secure and trustworthy" network products and services.
According to Mr. Zhao Zeliang, head of the Cybersecurity Coordination Bureau of the CAC, the concepts of "secure and controllable" and "secure and trustworthy" have the same meaning and requirements and may be used interchangeably. Based on Mr. Zhao's interpretation, the concepts mean, in summary, (i) control by the user over their own information; (ii) control by the user over its systems and equipment; and (iii) prevention of abuse of a monopoly position by certain network and product providers.
The National Information Security Standardization Technical Committee (TC260) has released draft evaluation standards for evaluating security and controllability of computer CPUs, operating systems, and office software (TC260 Standards). The TC260 Standards adopt the term "security controllable" which is interpreted as "realizing effective control over each of the key links of the products, including research, development, design, manufacturing, supply, use, and maintenance and disposal of the product, to protect the IT product and the confidentiality, completeness and availability of relevant information."
However, we have yet to see any official document which defines the concept in detail. What seems clear is that the CAC is committed to imposing sufficient control over the full life cycle and supply chain of network products and services.
It also remains to be seen whether a mandatory quota for indigenous intellectual property would be involved.
Given the importance of this concept to the security review regime, we would expect the CAC to clarify in writing what it means.
Information to be disclosed to Review Bodies
Certain technical documents are required to be provided to the Review Bodies as part of the security review process.
In the TC260 Standards, source code and relevant technical documentation relating to key technology or modules likely to have an impact on information security must be provided to third-party institutions. This is required to evaluate the transparency of the product. Further, the source code and technical documentation may be stored in an "evaluation environment provided by the product providers".
It is not clear whether the requirement to disclose source code and technical documentation would extend to other network products and services, but we suggest providers be prepared for such a requirement.
CONCLUSION
While the Trial Measures have established the framework for the security review regime, they have sparked many questions regarding the detail of its implementation. Companies should follow closely developments in relation to the regime in order to ensure compliance.
For further information, please contact:
Karen Ip, Partner, Herbert Smith Freehills
karen.ip@hsf.com
