13 June, 2019
On May 24, 2019, the Cybersecurity Administration of China (CAC) released the Measures for the Network Security Review (Draft for Comment) (“Draft for Comment”), which will remain open for public comment for one month. After it takes effect, the above measures will replace the Measures for the Security Review of Network Products and Services (Trial Implementation) (“Measures for Trial Implementation”). In comparison with the Measures for Trial Implementation, the provisions on network security systems in the Draft for Comment are clearer and more comprehensive in respect of the target, principles and leadership for a review, and the circumstances for initiating and how to undertake a review. Following is a summary of key details of the Draft for Comment.
1. Target of the Security Review
Article 2 of the Draft for Comment clarifies the target of the network security review, namely, “The network security products and services purchased by a critical information infrastructural operator which affects or may affect the national security.” In the Draft for Comment, the obligor with responsibility to conduct the network security review is limited to the critical information infrastructure operator (CIIO).
Article 18 of the Draft for Comment also clearly explains that “for the purpose of these Measures, a ‘CIIO’ refers to an operator that has been identified by the critical information infrastructure protection authorities.” This is less ambiguous than the “important network products and services purchased for network and information systems related to national security” referred to in the Measures for Trial Implementation, and may serve to minimize earlier concerns that the target for security reviews was too broad.
It is notable that when addressing the target for the network security review, Article 2 of the Draft for Comment includes the phrase “where it is otherwise provided for in laws and administrative regulations, such provisions shall prevail”; that is, the target of the security review may also be indicated in other laws and administrative regulations besides the Draft for Comment.
2. Security Review Leadership
The Draft for Comment clarifies that CAC will act as the lead in any network security review, and that CAC will establish the network security review mechanism jointly with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and various other ministries. Each member of such mechanism will become part of the authority which is in charge of the security review.
A Network Security Review Office will be set up within CAC, and will be responsible for formulating systems for the security review, for organizing reviews of network security and for monitoring the implementation of the decisions of such reviews.
In summary, the Draft for Comment clearly sets out both the mechanisms for leadership of the network security review system and how its functions will be allocated.
3. Initiating a Security Review
The Draft for Comment provides for two circumstances under which a network security review may be initiated.
Firstly, when purchasing network products and services, operators shall voluntarily report for a network security review by the Network Security Review Office if their own assessment identifies that any of the risks stipulated in Article 6 might eventuate after the products and services go live.
Secondly, if members of the network security review working panel deem that the procurement activities affect or may affect national security, the Network Security Review Office will report to the Central Cyberspace Affairs Commission according to the procedure outlined for the approval of a network security review, and then undertake the review.
Compared with the process in the Measures for Trial Implementation in which a network security review can only be voluntarily initiated by the administrative department in charge, the Draft for Comment additionally provides the opportunity for operators themselves to voluntarily report for security review.
The Draft for Comment also adds corresponding reference standards for operators to assess the security risks of network products and services.
4. Procedure for the Security Review
The Draft for Comment provides clear directions on the procedures for a network security review, with the relevant details outlined in various Articles.
Article 8 specifies the materials that an operator shall submit for a network security review; Articles 11 and 12 clarify the specific process and duration of the entire network security review, and detail a three-step review mechanism to be conducted by the Network Security Review Office, members of the network security review work mechanism and the Central Cyberspace Affairs Commission:
i. A preliminary review by the Network Security Review Office, of up to 30 working days, with the possibility of an extension of up to 15 working days;
ii. Feedback on that preliminary review to be provided by members of the network security review mechanism within 15 working days;
iii. Special review of up to 45 working days in principle, again with the possibility of an extension if required.
5. Items for Assessment in the Security Review
Article 1 of the Draft for Comment stipulates the overall objective and purpose of a security review, which is to improve the security and controllability level of the critical information infrastructure (CII) and to safeguard state security.
Article 18 stipulates that the phrase “security and controllability” means that a product and service provider shall not take advantage of its provision of products and services to illegally obtain users' data or to illegally control or manipulate users' devices, nor shall it make use of users' dependence on its products and services to generate illegitimate profit or to force users into upgrades, etc.
Article 10 further stipulates seven elements to take into consideration when assessing the state security risks in a network security review:
• the impact on the continuous, secure and stable operation of the CII;
• the security of personal information and important data;
• the controllability, transparency and supply-chain security of the products and services;
• the influence on technologies and industries relating to national defense, military industry and CII;
• the product and service provider's compliance with national laws and administrative regulations;
• whether the product and service provider is funded or controlled by foreign governments; and
• other factors that could endanger CII security and state security.
The items for assessment in the Draft for Comment are more comprehensive than those in the Measures for Trial Implementation.
6. Our Observations
Compared with the Measures for Trial Implementation, the Draft for Comment clarifies and limits the scope of application of network security reviews, and provides more details of the process and the assessment requirements for network security reviews.
It remains to be seen how the Draft for Comment will, after being formally adopted, be applied in practice and which specific standards will be enforced by the relevant authorities in their reviews of network security.