China issued cybersecurity review measures to protect supply chain security
Yang Zhou
Zhong Lun, Shanghai
zhouyang@zhonglun.com
Legislative structure
On 27 April 2020, the Cyberspace Administration of China (CAC), together with 11 other departments, promulgated Measures for Cybersecurity Review (the 'Measures'), which will come into effect on 1 June 2020, replacing a previous trial version.
China issued the Cybersecurity Law (CSL) in November 2016. Its Article 35 provides that critical information infrastructure (CII) operators shall go through a cybersecurity review if they obtain network products or services that may threaten national security. There is a series of implementing rules under CSL, one of which is the cybersecurity review measures applicable to CII operators. Another is the rule for defining CII operators, which has yet to be issued.
In the absence of a definition for CII operators, suppliers will be unable to tell whether they are dealing with CII operators. If Chinese customers are identified as CII operators and the products or services might contain national security risks, transactions with the Chinese customers will be subject to cybersecurity review. Should the transactions not pass this review, the Chinese customers will be unable to obtain the relevant products and services. This means that suppliers face uncertainties when dealing with Chinese customers.
Cybersecurity review
There are two ways in which the cybersecurity review can be initiated. CII operators who anticipate national security threats in their transactions should apply for a cybersecurity review with the Cybersecurity Review Office of the CAC ('Office').
On the government side, under the leadership of the Central Cyberspace Affairs Commission, the CAC, in partnership with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the State Administration of Radio, Film and Television, the National Administration of State Secrets Protection and the State Cryptography Administration, has established a cybersecurity review working mechanism.[1] When any member of such a working mechanism believes that certain network products or services will affect or are likely to affect national security, they are to inform the Office. The Office shall further report to the Central Cyberspace Affairs Commission and initiate the review process following the latter’s approval.[2]
The review process consists of a preliminary review, a further review and a special review, if applicable. The Office shall complete the preliminary review in 30 working days. In complicated circumstances, the period may be extended for 15 working days.[3] After the preliminary review, the Office shall submit the preliminary review opinions to the members of the working mechanism as well as the relevant CII protection authorities for further review, which will take another 15 working days. If the working mechanism and the relevant CII protection authorities concur with the preliminary review opinions, the further review will be conclusive, and the Office will inform the CII operators.[4] Otherwise, the Office shall conduct a special review to be completed within 45 working days or a little longer in complex circumstances.[5] As such, the cybersecurity review period will range from 45 working days to 105 working days or even longer.
The criteria
The cybersecurity review will focus on the evaluation of potential national security risks by examining the following factors:[6]
• risks of illegal control over, disturbance or destruction of CII and risks of important data being stolen, divulged or damaged after the use of products and services;
• damages caused by supply interruption of products or services to the continuity of CII business;
• the security, openness, transparency, and diversity of sources of the products or services, reliability of supply channels, and the risk of supply interruption as a result of political, diplomatic, trade or other factors;
• compliance with Chinese laws, administrative regulations and departmental rules by product or service providers; and
• other factors that may endanger the security of CII or national security.
As far as the risk of supply interruption as a result of political, diplomatic and trade factors is concerned, according to the statement made by a CAC official in a press release, its objective is not to block foreign products from entering China’s market but to safeguard national cybersecurity.
Impact on suppliers
The network products and services under the Measures mainly refer to core network equipment, high-performance computers and servers, massive storage equipment, large databases and application software, network security equipment, cloud computing services, and other network products or services that may have significant impacts on the security of CII.[7]
Pursuant to the Measures, procurement agreements shall contain the following terms and conditions, which the suppliers shall undertake:[8]
• to cooperate in the cybersecurity review;
• not to obtain user data illegally, or illegally control and manipulate user equipment, by taking advantage of providing products and services; and
• not to suspend product supply or necessary technical support without legitimate reasons.
At government level, authorities may request that suppliers share information.[9] Meanwhile, relevant institutions and personnel shall keep trade secrets and intellectual property rights in strict confidence and not disclose confidential information to unrelated parties or use such information for other purposes.[10]
Shortly after China issued the Measures, the United States Bureau of Industry and Security announced three new rules which impose great restrictions on exports to China. This means that more US products will be subject to US government review before export. Consequently, Chinese CII operators who want to obtain US network products and services must anticipate that the supply of such products and services could be interrupted. Suppliers must assess their home countries’ export control rules to evaluate the risk of supply disruption to Chinese customers.
Notes
[1] Article 4, the Measures for Cybersecurity Review.
[2] Article 15, the Measures for Cybersecurity Review.
[3] Article 10, the Measures for Cybersecurity Review.
[4] Article 11, the Measures for Cybersecurity Review.
[5] Article 13, the Measures for Cybersecurity Review.
[6] Article 9, the Measures for Cybersecurity Review.
[7] Article 20, the Measures for Cybersecurity Review.
[8] Article 6, the Measures for Cybersecurity Review.
[9] Article 14, the Measures for Cybersecurity Review.
[10] Article 16, the Measures for Cybersecurity Review.