On February 4, the Cyberspace Administration of China issued a draft of the Network Products and Services Security Review Measures for public comment: the draft measures remain open for comments until March 4, 2017. The draft measures are follow-on legislation to China's cybersecurity law adopted on November 7, 2016, which will take effect on June 1. The draft measures bring China one step closer to implementing a security review regime with respect to network products and services (and their providers), a process first set in motion by the cybersecurity law.
The draft measures state that China will set up a network security review committee to centrally organize the security review work. Since the promulgation of the cybersecurity law, it has been known that a security review regime would be introduced for certain network products and services, potentially impacting both the businesses that manufacture such products and that provide such services as well as the users (or prospective users) of those products and services. The draft measures aim to give shape to such security review.
This network security review is a deterrent and based on the relative subjective standards of the audit and investigation system. It is not like the traditional market access or procurement certification system. In the past, the standards or policies for the evaluation and certification of information security products were aimed at "information security products"such as anti-virus protection, cryptographic technology, intrusion detection and firewalls. The risk of network security, however, is not limited to security products, and often is in non-security information technology products, systems and services during the running stage. The network security review, therefore, also emphasizes the supervision during and after the usage of the product and service, to ensure the network products' and services' operational safety.
There is similarity between the network security review and the foreign investment security review system in the closeness of standards and processes. Compared with the foreign investment security review system, which only occurs in foreign investment transactions, the network security review is mainly for network products and services.
Who will conduct the network security review?
According to the draft, the National Internet Information Office, in conjunction with the relevant departments, will set up a Network Security Review Committee, which will responsible for formulating the network security review policies, and the coordination of important network security review related issues. It seems a hierarchical organization will be adopted to conduct the reviews. The Network Security Review Committee will hire relevant experts to form an expert committee on network security reviews; this expert committee will evaluate the security and trust level of network products and services. The National Network Information Office advises that such network security reviews are not just an administrative examination or approval, but are supervision to the network products and services during their development and running phases. It will conduct laboratory testing, on-site inspections, online monitoring and background surveys as part of the review.
What kind of network products and services will be reviewed?
The draft measures require that important network products and services that are related to national security and public interest should participate in the network security review. The National Network Information Office advised that not all network products and services would be reviewed. Moreover, the focus of such security reviews is whether a network product or service is “secure and controllable,” whether it affects the national security or public interests — mainly to see whether the use of the product or service will endanger the state power and sovereignty and safety, whether it will endanger the interests of the broad masses of the people, and whether it will affect the national economic sustainable development and other major national interests. No clear boundary has been defined for “public interest."
Is there any impact to government authorities and key industries?
The draft measures state that government departments as well as key industries should purchase the network products and services that have passed the security review, but should not purchase those that have failed the security review. According to the vice president of China Institute of Information Security, this provision means that if a network product and service may affect national security, but it didn’t pass the security review, the product and service will be listed in a procurement "blacklist" for government departments. However, it does not mean that all the network product and services used by government departments shall be subject to the security review.
Is there a trade protection barrier?
The draft measures point out that if the network products or services purchased by critical information infrastructure operators may affect national security, their product or the service must pass the security review. The National Network Information Office explained that the purpose of implementing the network security review is for the product or service provider to prove their product secure and improve users’ confidence. It is not the intention that the network security review will set obstacles for foreign products into the Chinese market. On the contrary, such security reviews will improve users’ confidence in product safety and promote the expansion of enterprise products market. Network security reviews will equally treat both domestic and foreign enterprises and products and will not restrict foreign products into the Chinese market.
What is “secure and controllable”?
The National Security Law, issued July 2015, first introduced the concept “Secure and controllable.” It means the network products and service providers shall not use the provision of products and services to facilitate illegal access to user information, cannot damage users’ own information autonomy or domination, and shall not illegally control users’ systems or equipment. It is not allowed to use users' dependence on products and services to implement unfair competition, seek improper benefits, such as stopping the necessary security services, or engage in monopoly operations. The fundamental purpose is to maintain user information security and to safeguard national security and the legitimate rights and interests of the people.
How will security reviews be conducted?
The network security review office will commence conducting network security reviews in accordance with the requirements from relevant state departments, recommendations of the national industry associations and market response. At the same time, finance, telecommunications, energy and other key industry authorities should organize the security review for their own industry.
It is not difficult to see that the scope of this network security review has gone beyond the "critical information infrastructure" and is closer to Article 59 of the National Security Act — “for foreign investments, key technologies, network information technology products and services, important construction projects and major events that affect or may affect national security, a national security review is required.” Thus, the implementation of network security review at the same time meets the requirements of both national security law and network security law.