Decoding the latest cybersecurity product review rules
August 21, 2017 | By Katherine Jo
The CAC's regulations governing reviews of network products and services focus on security and controllability, but companies await clarity on the scope of “critical information infrastructure”
Notwithstanding a lengthy consultation process that commenced in July 2015 when the first draft was published, the PRC Cybersecurity Law (CSL) suffers from significant gaps and ambiguities in practical implementation. Many commentators expected these shortcomings to be addressed through implementing rules issued before the CSL came into effect. The enforcement of many of its key provisions, such as the data localization requirement under Article 37 and the security review requirement under Article 35, depends on implementing measures. Yet, between November 1, 2016, when the CSL was promulgated, and June 1, 2017, when it entered into effect, almost all of the measures issued were drafts addressing limited questions.
The one exception was with respect to Article 35. The Measures for the Security Review of Network Products and Services (Trial Implementation) (网络产品和服务安全审查办法(试行)) (Measures), setting out some details for the security review under Article 35, are the only implementing measures to have been issued to date in final form. The Measures were published by the Cyberspace Administration of China (CAC) in May and came into effect, together with the CSL, on June 1. They do not expressly refer to Article 35, but the language of the Measures permits the inference that they relate to and operate within the scope of Article 35.
Article 35 of the CSL requires operators of “critical information infrastructure” (关键信息基础设施) (CII) to complete a national security review when purchasing network products and services that “may affect national security”, but does not specify either the scope of or procedure for such review. The Measures provide some guidance on these issues but still leave significant ambiguity, due to both loose drafting and various key issues being expressly left to be determined. Significant additional guidance from the CAC and other government agencies will be required before a network operator can properly assess whether its network falls within the scope of the Measures and, if so, what specific products and services are subject to review—and how to go about completing that review.
Scope and definition of CII
While the drafting of the Measures is loose in this respect, it would appear that they ought to apply, as Article 35 of the CSL does, only to operators of networks falling within the scope of CII.
Precisely what types of computer networks fall within the scope of CII, and therefore precisely which companies are governed by Article 35 and other significant provisions, is perhaps the most significant open question in relation to the CSL. The Measures do not offer an answer to this question.
The CSL defines CII generally to include networks and systems used in important industries such as public communications and information services, energy, transportation, water resources, finance, public utilities, and e-government affairs that, if they were to suffer damage, loss of function or data breach, might seriously endanger national security, national welfare and people's livelihood, or the public interest. The CSL contemplates that the State Council will separately issue regulations that describe the scope of CII with more specificity. Such separate regulations have not yet been issued, although a draft was published on July 11.
The draft Regulations for Security Protection of Critical Information Infrastructure (关键信息基础设施安全保护条例(征求意见稿)) (Draft CII Regulations) list networks and information systems operated by the following entities as likely to be viewed as CII:
- government authorities;
- entities in sectors such as energy, finance, transportation, water resources, hygiene and healthcare, education, social insurance, environmental protection, public utilities;
- operators of information networks such as telecommunications networks, broadcast networks, and the Internet;
- entities providing cloud computing, big data and other public information network services;
- R&D and manufacturing entities in sectors such as science and technology for national defense industry, large plant and machinery, chemicals, and food and drugs;
- news organizations such as radio stations, television stations and news agencies; and
- other “key entities” (重点单位).
The Draft CII Regulations repeat the condition in the CSL that a network or information system will only be treated as CII if damage, a loss of function or a data breach involving the network or system might seriously endanger national security, national welfare and people's livelihood, or the public interest, but do not offer guidance as to how this will be assessed. Instead, the Draft CII Regulations make clear that the specific scope of CII will be determined on a sector-by-sector basis and set forth the following additional work that is needed to fully define the scope of CII in each sector:
- the CAC, the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS) will promulgate guidelines for the recognition of CII; and
- government authorities responsible for specific sectors will follow these guidelines in their specification of CII in their respective sectors.
The Draft CII Regulations do not stipulate the timeframe within which this additional work will be completed. Some indirect guidance on this issue was offered at the end of May in the form of a media interview with a senior official at the Cybersecurity Coordination Bureau (网络安全协调局) of the CAC posted on the CAC website (Q&A). The CAC official stated that the government work required to define the scope of CII and the protective measures to be adopted by operators of CII would be completed no later than May 31, 2018. In relation to the potential breadth of the definition of CII, the official offered little guidance other than to say that the scope of CII is likely to be narrower than the scope of networks covered by China's existing system of tiered network security standards.
Apart from the Q&A, the only other clue as to the likely scope of CII is in the form of pilot enforcement efforts. Based on unofficial Internet sources, it would appear that certain government departments have already started to undertake security inspections and investigations on certain networks and IT systems on the basis of guidance on the scope of “CII” set out in an internal CAC notice. Unfortunately, the notice itself is not publicly available, although certain documents are in circulation that purport to be appendices to the notice. Among other things, these appendices include a document entitled Guidelines for Determination of Critical Information Infrastructure (关键信息基础设施确定指南) (Purported CII Guidelines). The Purported CII Guidelines do not provide definitive guidance on the scope of the CII, but do provide important insight on the perspective of a key enforcement agency in relation to the question. Various characteristics are set out in the Purported CII Guidelines to assist government departments to identify IT systems for inspection as part of the pilot program. These include, for example:
- certain types of government network;
- data centers of a particular scale;
- systems that, if affected by a network incident, would affect the well-being or livelihood of a sizable proportion of the local community; and
- websites with daily page-views above a stated number.
The Purported CII Guidelines have not been formally issued and, even if the document in circulation is genuine, only relate to a specific pilot program and should not be taken as offering a definitive explanation of CII. As such, companies should view the Purported CII Guidelines, at most, as evidencing the types of considerations that may guide the CAC and other government departments in the work remaining to be done in order to define CII.
Affected products and services
As noted above, Article 35 of the CSL provides that a security review is required for network products and services procured by CII operators that “might have an effect on national security”. An additional key issue therefore is how a potential effect on national security will be assessed.
The Measures start to address this issue, although in a somewhat oblique manner, through Article 4, which addresses the criteria to be used when a security review is undertaken in relation to a product or service. The same or similar standards are also expected to be relevant in addressing the threshold question of whether a product or service is subject to a security review requirement.
In any event, the Measures make clear that determining what particular products and services might have an effect on national security and are therefore subject to security review will be done on a sector-by-sector basis by the “critical information infrastructure protection department” (关键信息基础设施保护工作部门) (CIIP Department) in the ministry responsible for the particular sector.
The CSL contemplates that CIIP Departments will be set up within the government departments with oversight of CII in different sectors. No sector-specific catalogue of network products and services subject to national security review has been issued yet, and indeed it is not clear whether relevant government ministries have set up CIIP Departments yet.
Criteria for the security review
Article 4 of the Measures describes the key focus of the security review as the evaluation of the “security (安全性) and controllability (可控性)” of the relevant product or service. The “security and controllability” criteria include security and controllability risks inherent to the product or service, security risks relating to the supply chain, risks relating to user information, and the risk of the user's interests being harmed by the product or service provider taking advantage of the user's reliance on the product or service.
There has been some variation in the terminology employed in different official documents. The term “controllability” (可控性) is not used in the CSL, although it does appear in various government policy documents pre-dating the CSL. The CSL uses instead the term “reliable” (可信) as part of the term “secure and reliable” (安全可信). The Q&A seems to downplay the difference in terms. It restates that the security review will evaluate whether relevant products or services are “secure and controllable” (安全可控), and then offers the view that the terms “secure and reliable” (安全可信) and “secure and controllable” (安全可控) (as well as a third, “independent and controllable” (自主可控)) should all be understood to describe products and services that assure:
- the user's control of its data: the product or service provider may not take advantage of the functioning of the product or service to interrupt the user's control of its own data or to illegally obtain the user's important data;
- the user's control of its information system: the product or service provider may not illegally control and manipulate a user's equipment, violating the user's right to control the equipment and system owned or used by the user; and
- the user's right to choose other products or services: the product or service provider may not restrict the user's right to choose other products or services by taking advantage of the user's reliance upon the product or service, or force the user to procure upgrades or replacements by stopping provision of reasonable technical support.
International technology companies have a serious concern that the application of these standards of “security (安全性) and controllability (可控性)” during the security review process might effectively exclude their IT products and technical services from the Chinese market. In the Q&A, the CAC official stressed that both domestic and foreign IT products should be equally capable of meeting these requirements, and denied that the security review process would result in any potential discrimination against, or blockage of market access for, foreign-developed technology or products.
Review procedures and government oversight
The Measures contemplate that multiple government departments both inside and outside the CAC itself will be involved in the formulation of policies and rules for and in the conduct of security reviews.
Based on the somewhat disorganized provisions in the Measures, it appears that a security review process supervised by a cybersecurity review committee (网络安全审查委员会) and specifically organized by the cybersecurity review office (网络安全审查办公室) (Article 5), might involve the following:
- The cybersecurity review office initiates a security review process by determining a “review subject through procedures” (Article 8);
- A third-party institution designated by the cybersecurity review office conducts the security review (Articles 7, 8 and 11);
- The cybersecurity review expert panel (网络安全审查专家委员会) designated by the cybersecurity review office proceeds with an integrated evaluation based on the security review results done by the third-party institution (Articles 6 and 8);
- The cybersecurity review office releases or circulates the final security review conclusions (Article 8).
However, the specific roles of these departments, and how they will interact with each other, are not fully clear. For instance, the Measures do not explain how the role of the cybersecurity review office in determining “review subjects (审查对象) through procedures (按程序)”, as provided in Article 8, will dovetail with the role of various CIIP Departments in determining what products and services are subject to security review.
Article 7 contemplates the State's determination (国家依法认定) of third party institutions that will be authorized to undertake the third party security reviews required under the Measures. Some State research institutes and other organizations engaged in the conduct of security evaluations and certifications under currently applicable law are expected to be designated under Article 7, but this is not specified.
Looking forward
As the CSL took effect on June 1, 2017, Chinese regulators are under pressure to develop implementing rules and standards to permit practical enforcement of the CSL, including the application of Article 35 of the CSL.
The Measures are only a half-step in regard to implementation of Article 35. Meaningful guidance on the threshold question of what constitutes CII awaits. An important milestone will be issuance of the finalized CII Regulations. As they seek to assess whether they are likely to be regulated as operators of CII, companies should look out for these and for the guidelines for recognition of CII that the Draft CII Regulations contemplate are to be issued by the CAC, MIIT and MPS. Nonetheless, concrete guidance relevant to that assessment may need to wait for the CIIP Department in the relevant sector to specify the scope of CII in that sector. Guidance from each relevant CIIP Department on what network products and services are subject to security review also awaits, as does important institutional work, including the establishment and resourcing of CIIP Departments in each relevant central government ministry.
This does not mean that Article 35 of the CSL will not be enforced until all of this standard-setting and institution-building is complete, which the Q&A suggests might not occur until May next year. Companies should also look out for pilot efforts by the CAC and other government departments, which might involve security review mechanisms being mandated for specified networks and specified products and services. Experience with pilot efforts may in turn be used to guide the CAC and other agencies in their standard-setting work. The prospect of pilot enforcement of a CSL provision that remains subject to so many unanswered questions is unsettling for network operators and IT suppliers alike.
Paul McKenzie, Managing Partner, Beijing,
Gordon Milner, Partner, Hong Kong, and
Wei Zhang, Associate, Beijing
Morrison & Foerster