New Regulation Strengthens Cyber Supply Chain Security In China.
Legal News & Analysis - Asia Pacific - China - Regulatory & Compliance
8 June 2020
The Cyberspace Administration of China (CAC) and eleven other ministries jointly published the Cybersecurity Review Measures (Review Measures) on 13 April 2020. These replace the previous regulations on the security review of network products and services (click here for our comments on the previous regulations) and impose more stringent scrutiny over the cyber supply chain of critical information infrastructure (CII) operators. The Review Measures will come into force on 1 June 2020.
In this e-bulletin we highlight the key issues of the Review Measures and set out our observations on the regime.
The National Security Law and China’s Cyber Security Law require a security review regime to be established for network products and services used by CII operators. As a result, in May 2017, the CAC issued measures for reviewing procurement of network products and services used by CII operators (2017 Measures). However, implementation has been relatively slow as the scope of CII has not been established.
The Chinese government lined up twelve ministries (covering cybersecurity, economic policy, the telecom and technology industry, public security, national security, finance, foreign investment, market regulation, television and radio, state secret and encryption) to update the 2017 Measures. The new Review Measures, coming less than three years’ after the publication of the 2017 Measures, show that supply chain security for CII has become a priority on the government’s agenda.
I. Scope of CII still to be defined
Whilst the Review Measures purport to strengthen the supply chain security of CII, supporting regulations on identifying and regulating CIIs have yet to be published. Further, the scope of CII Protection Departments, who are responsible for identifying CII, is not clear. It will be difficult to enforce the Review Measures given the lack of clarity as to who the CII operators are and how to identify them.
So far, there is only a broad description of CII in the Cybersecurity Law. This provides that CII includes information infrastructure in public communication and information services, energy, transport, water resources, finance, public utilities, electronic-government and other important industries and sectors, the destruction and data leakage of which may seriously harm national security, the economy and individual’s livelihoods and public interest. The CAC published a consultation draft of regulations on CII protection in July 2017 but there has been little progress since. The publication of the Review Measures could accelerate the legislative process to finalise and implement these.
II. Review procedure and standards need to be clarified
The Review Measures set out the main risk factors that will be taken into account in the review, but lack any detailed standards to assess whether any of the risks will be triggered. The CII Protection Departments are responsible for drafting guidance for determining the national security risks of using network products and services in a particular sector or industry. However, without any regulation on CII protection nor a clear remit for the CII Protection Departments, we would not expect any such guidance to be published soon.
The role of the Working Group in the review process also requires clarification. It should be made clear whether the duties of the Working Group will be performed by all of its members or a selected/designated few; and whether such duties will be performed by the members collectively or individually. For instance, when the Cybersecurity Review Office completes its initial review, should its opinion be submitted to all members of the Working Group for comments; and will the Working Group issue a joint opinion or will each member of the Working Group issue its own? Similar questions arise when members of the Working Group initiate the review.
III. Uncertainty for suppliers
Suppliers of certain network products and services to CII operators are now facing the possibility of their products and services being put under scrutiny and even supply contracts being annulled as a result of a cybersecurity review. As mentioned above, suppliers will be obliged under the terms of the supply contract to provide assistance with the cybersecurity review and to give undertakings as to the security and reliability of the network products and services.
The cybersecurity review regime puts great emphasis on the supply of the network products and services not being disrupted, in particular, for “political, diplomatic and trade” reasons. In the context of the tensions in international relations, certain foreign or foreign-invested suppliers are initially likely to bear the brunt of the cybersecurity review regime given the increasing likelihood of their supply being disrupted. However, Chinese suppliers that use foreign manufactured or IP protected components, may also struggle to prove that their supply will not be disrupted if the supply of components could be cut off. Suppliers to CII operators could increasingly use locally manufactured or IP-protected components in their network products and services in order to satisfy the requirements of the cybersecurity review.
CII operators and their suppliers should include in the supply contract provisions to deal with the possibility that the supply order may be subjected to a cybersecurity review and the consequences of a negative opinion being issued, as well as the risks of commercial secret and intellectual property being divulged review process.
Whilst the security review regime established by the Review Measures strengthens the cyber supply chain security for CII, it also creates uncertainty for suppliers of network products and services to CII operators. Although the lack of regulations on CII protection may prevent imminent fully-fledged enforcement of the Review Measures, we would recommend CII operators and suppliers prepare for their implementation
For further information, please contact:
James Gong, Herbert Smith Freehills