Government Engagement, Support of Chinese Partner Key to Navigating China's Cybersecurity Review

July 10, 2020 | By Vincent Chow

China's heightened scrutiny of supply chain security for critical infrastructure threatens foreign network suppliers' sales

Amidst growing tensions with the United States and its allies, China has enacted a cybersecurity review regime that puts foreign companies in the authorities' crosshairs. For foreign suppliers of network products and services such as Qualcomm and Microsoft, the vaguely defined review process threatens to derail their business with Chinese customers and jeopardize future transactions, but lawyers say they can minimize disruption through engagement with the authorities and the support of their Chinese counterparties.

On April 13, 12 government departments including the Cyberspace Administration of China (CAC) and the National Development and Reform Commission published the Cybersecurity Review Measures (网络安全审查办法) effective from June 1. The Measures provided details of how the procurement of network products or services, for example cloud computing software and servers, by critical information infrastructure (CII) operators will be vetted for national security risks, pursuant to Article 35 of the PRC Cybersecurity Law (中华人民共和国网络安全法).

CII refers to a broad category of key industries and sectors ranging from telecommunications to civil aviation, which, if destroyed or disabled, could seriously endanger national security and the public interest. CII operators include both state-owned and privately held companies. The Chinese government is increasingly concerned about potential interruptions and breaches to the supply chain of its CII as the U.S. ramps up its controls on exports of high-tech products and services to China.

Foreign Targets

The new cybersecurity review is a key tool for China to minimize the impact of growing supply chain uncertainties on the functioning of its CII. Article 9 stipulates that a cybersecurity review will evaluate the threat to national security posed by "interruption of supply of the product or service." This will be done with reference to the "reliability of the supply channel and the risks of the disruption of supply caused by political, foreign relations, trade and other such factors".

According to Kenneth Zhou, a partner at WilmerHale's Beijing office, even though the review does not explicitly target foreign suppliers, the political environment makes them natural targets for the authorities.

For foreign suppliers, the key question is whether compliance with export controls imposed by their home governments is a valid reason for interrupting supply. The Measures includes language suggesting that the authorities can exercise discretion when it comes to evaluating the liability of a supplier. Article 6 stipulates that the network supplier must commit to "not interrupt supply of the product or required technical support services without just cause."

What would constitute "just cause" is not explained, however. Zhou, who is also a member of the board of governors of the American Chamber of Commerce in China, says that for U.S. suppliers in particular, it is very unclear whether they would be punished should they be unable to fulfill purchase orders in the future because of U.S. export controls.

"It's a difficult question for the Chinese government to answer. On the one hand, China needs foreign suppliers, especially in terms of advanced technology products and services. On the other hand, the U.S. is tightening export controls and many U.S. suppliers have no choice but to comply," he said.

Lack of Clarity

Part of the difficulty is that the scope of the review is vaguely defined. CII operators and their suppliers are responsible for flagging their own procurement transactions for review. Article 5 of the Measures stipulates that CII operators should "pre-assess" the national security risks of any procurement of network products or services before deciding whether to file for a review with a new Cybersecurity Review Office (CRO) at the CAC.

The Measures improves on the 2017 trial version of the cybersecurity review in terms of clarifying the logistics of the review process once it is underway. Article 8 states that the CRO will decide whether a review is necessary within 10 working days of receiving an application. A review involving the CRO, a panel established by the 12 government departments involved in the review, and the relevant department overseeing the CII in question, will then be completed within 45 working days in most cases.

A significant change from the 2017 trial version is the removal of any mention of a third-party assessment in the finalized Measures, says Zhou Yang, a Shanghai partner at Zhong Lun Law Firm. Under the trial version, the review process started with assessment by third parties, which were to a certain extent supposed to be independent from the government, he says.

Unfortunately for CII operators and their suppliers, there is no detail provided of how companies should conduct their self-assessments, nor any concrete criteria for deciding whether an official review is necessary. Article 5 states that individual departments may formulate their own pre-assessment guidelines for relevant industries and sectors, so there could be further guidance on this in the future.

There is similarly little clarity about what sectors and industries constitute CII, or who exactly CII operators are – questions the government has not answered definitively since the CII term was introduced in 2017. According to Scott Yu, a Beijing partner at Zhong Lun, the central government has delegated the authority for defining CII industries and operators to local governments and industry regulators. It has published several draft documents clarifying the scope of CII industries and operators, such as the trial Guidelines on the Determination of Critical Information Infrastructure (关键信息基础设施确定指南) released in 2019, but there is still no definitive document listing them.

Like the national security review for foreign investment, the cybersecurity review also threatens to delay transactions indefinitely through an extended "special review" process. Article 11 stipulates that a special review will be initiated should members of the cybersecurity review work mechanism and the relevant department overseeing the CII in question fail to reach a consensus. Article 13 says that such a special review shall be completed within 45 working days, but this could be extended in "complex circumstances."

Zhou Yang believes that certain transactions involving foreign network suppliers are likely to face different views from the reviewing departments. He cites the examples of network products and services subject to market entry restrictions such as certain cloud computing products; powerful and sophisticated network products and services such as industrial control systems and industrial internet of things (IIoT) products; and where the relevant foreign suppliers have a known record of putting back-doors in their products or services or allowing access to their products or customer data by foreign law enforcement agencies.

This ambiguity is typical of China's legal regimes governing national security-related issues, says Rachel Li, a Beijing partner at Zhong Lun. For example, the national security review for foreign investment does not list out the "key industries" it targets either; neither does it clarify the kinds of transactions that will trigger a special review not bound by any time limits.

Engage Partners and Government

To navigate these uncertainties about the scope of the review, lawyers recommend foreign network suppliers work with their Chinese counterparties and the government. WilmerHale's Zhou says a Chinese CII operator can help vouch for a foreign supplier in the review process. Although there is no official list of CII nor of CII operators, it is highly likely that many CII operators in China are state-owned enterprises (SOE) because of foreign investment restrictions in many key sectors such as telecommunications. As they are state-owned companies, many of them have direct access to the authorities as well as sway.

"If you have worked with Chinese customers in the past, the [cybersecurity review] may not be a major issue because Chinese customers can be supporters in terms of talking to the government and reducing their concerns," he said. "Support from Chinese counterparties is one of the key elements in terms of quickly completing the [review] process."

In addition, support from Chinese companies can also help address foreign suppliers' concerns about the wide scope of required documentation in the cybersecurity review. Article 7 of the Measures stipulates that the CII operator must submit procurement documents and the proposed contract to the authorities for the review. It also includes a catch-all provision allowing the authorities to obtain "other documentation as required for the cybersecurity review work." According to global corporate risk consultancy Kroll, 94% of companies operating in China had intellectual property theft as their top risk priority in 2019.

Although Article 16 states that corporate trade secrets and intellectual property will be protected during the review, Zhou recommends foreign suppliers negotiate with the government about their disclosure obligations on a case-by-case basis.

"Often for multinational companies, they may not have strong working relationships with the Chinese government as their [Chinese] counterparties do," he said. "But if you have the support of the counterparties, you may talk with the government about narrowing the scope of data to be disclosed."

Once there is support from the Chinese counterparty, Zhong Lun's Li recommends that foreign suppliers engage with the authorities early in the review process. Early engagement can help provide clarity on various uncertainties in the process, especially when the Chinese counterparty can provide access to the government. She said one of her clients is already preparing to file for a cybersecurity review and is likely to be the first review since the Measures came into effect in June.

However, early engagement might not be advisable for all transactions. In Li's case, her client is an SOE and therefore knows for certain that it is a CII operator. But for cases where the Chinese counterparty is not an SOE, the risk of early engagement is that a cybersecurity review is triggered that otherwise would not have been.

"Our experience with other reviews is that if a company goes to the authorities with concerns and feels they may qualify for some kind of review, then the result would be that you would be encouraged or even required to file the review," Li said.

The potential risks and benefits of early engagement must be weighed up, especially when there are considerable punishments for failing to file for a cybersecurity review later found to have been required. Article 65 of the PRC Cybersecurity Law stipulates a fine of up to ten times the procurement value in addition to a fine of up to RMB100,000 ($14,000) on responsible individuals.

Still, Zhou says the overall practical impact of the Chinese government's greater scrutiny on supply chain risks is that foreign suppliers could lose business as a result. "In a situation where a foreign supplier has Chinese competitors, the situation does not look good. Many Chinese companies including leading technology companies like Huawei have already started to shift their supply chains from foreign suppliers to domestic suppliers, to the extent that domestic suppliers can satisfy their procurement needs," he said.

The government's concerns about supply chain risks are also reflected in its still unreleased Unreliable Entity List. The Ministry of Commerce has said that foreign firms that cut off supplies to a Chinese customer for "non-commercial" reasons will be blacklisted, consistent with the "just cause" exception in the cybersecurity review. However, as is the case with the cybersecurity review, the authorities have not clarified what reasons would constitute "non-commercial."

"If you're listed as an 'unreliable entity,' you can basically forget about doing business with Chinese customers. You won't or are very unlikely to pass the cybersecurity review," Zhou said.
