New Regulation Strengthens Cyber Supply Chain Security In China.

8 June 2020

 

Asia Pacific Legal Updates
 

Introduction
 

The Cyberspace Administration of China (CAC) and eleven other ministries jointly published the Cybersecurity Review Measures (Review Measures) on 13 April 2020. These replace the previous regulations on the security review of network products and services and impose more stringent scrutiny over the cyber supply chain of critical information infrastructure (CII) operators. The Review Measures will come into force on 1 June 2020.

 

In this e-bulletin we highlight the key issues of the Review Measures and set out our observations on the regime.

 

BACKGROUND

 

The National Security Law and China’s Cyber Security Law require a security review regime to be established for network products and services used by CII operators. As a result, in May 2017, the CAC issued measures for reviewing procurement of network products and services used by CII operators (2017 Measures). However, implementation has been relatively slow as the scope of CII has not been established.

 

The Chinese government lined up twelve ministries (covering cybersecurity, economic policy, the telecom and technology industry, public security, national security, finance, foreign investment, market regulation, television and radio, state secrets and encryption) to update the 2017 Measures. The new Review Measures, coming less than three years after the publication of the 2017 Measures, show that supply chain security for CII has become a priority on the government’s agenda.

 

 

HIGHLIGHTS OF KEY PROVISIONS

 

I. What falls within the scope of the security review?

 

The Review Measures require the procurement of network products and services by CII operators which impact or may impact national security to undergo a security review. By comparison, the 2017 Measures were broader in scope, requiring the purchase of “important network products and services” for network and information systems “relevant” to national security to undergo a security review.

 

The Review Measures set out the scope of the network products and services, which include core network equipment, high-performance computers and servers, large-volume storage equipment, large databases and software, network security equipment, cloud computing services and other network products and services that may have a significant impact on the security of CII.

 

II. Who is responsible for carrying out security reviews?

 

The Review Measures contain new procedures for the security review involving the following bodies:

 

  •  Cybersecurity Review Office, which is established within the CAC and is responsible for:
     (i) formulating regulations and guidance for cybersecurity reviews and initiating the reviews;
     (ii) conducting cybersecurity reviews and forming an initial opinion; and
     (iii) dealing with complaints from network product and service providers as to misconduct during the review.

  •  Cybersecurity Review Working Group, which is led by the Central Cyberspace Affairs Commission with representatives from all twelve ministries that jointly published the Review Measures. The Working Group is responsible for:
     (i) reviewing the initial review opinions prepared by the Cybersecurity Review Office; and
     (ii) proposing that the Cybersecurity Review Office initiate cybersecurity reviews.

  •  CII Protection Departments, which are the departments designated to protect CII in particular sectors or industries, and are responsible for:
     (i) identifying CII operators;
     (ii) drafting guidance for determining the national security risks of using network products and services; and
     (iii) reviewing the initial review opinions prepared by the Cybersecurity Review Office.

  •  Office of the Central Cyberspace Affairs Commission, which is the executive body of the Commission and also functions as a government ministry, namely the CAC (the Commission is established within the Communist Party of China with responsibility for cybersecurity and information technology). It will:
     (i) lead the Working Group;
     (ii) review and approve the initial review opinions issued by the Cybersecurity Review Office under the special procedure (discussed below); and
     (iii) approve the initiation of cybersecurity reviews upon the recommendation of the Working Group members.

 

III. How will the cybersecurity review be initiated?

 

Under the Review Measures, a cybersecurity review may be initiated in two ways:

 

  •  a CII operator may apply to the Cybersecurity Review Office if it considers that the use of products and services impacts or may impact national security, and the Cybersecurity Review Office will notify the CII operator whether it will initiate a review; or

  •  a member of the Working Group may report the use of network products and services to the Cybersecurity Review Office if the Working Group considers that the network products and services impact or may impact national security. This will initiate the review, subject to approval from the Office of the Central Cyberspace Affairs Commission.

 

IV. What is the review procedure?

 

There are two review procedures, the ordinary procedure and the special procedure:

 

  •  Ordinary procedure – The Cybersecurity Review Office will complete an initial assessment and send its proposed opinion to the Working Group members and relevant CII Protection Department for review within a maximum of 45 business days. The Working Group members and relevant CII Protection Department are required to issue a written opinion within 15 business days. The Cybersecurity Review Office will then notify the CII operator in writing of the formal review opinion if it is consistent with its proposed opinion.

  •  Special procedure – This applies if the opinion of the Working Group members and relevant CII Protection Department issued under the ordinary procedure is inconsistent with that of the Cybersecurity Review Office. Under the special procedure, the Cybersecurity Review Office will conduct a re-assessment, consult with the Working Group members and relevant CII Protection Department, and submit its opinion to the Office of the Central Cyberspace Affairs Commission. The Cybersecurity Review Office will notify the CII operators of the review opinion after approval by the Office of the Central Cyberspace Affairs Commission.

 

The review process is lengthy. The special procedure may take up to an additional 45 business days to complete on top of the 60 business days taken by the ordinary procedure and may be extended in certain circumstances. In addition, the time taken by the CII operators and their suppliers in preparing the materials required by the Cybersecurity Review Office is not factored into the time limit for the review.

 

V. What factors will the review take into account?

 

The Review Measures provide that the following factors be considered when assessing the national security risks of procuring network products and services:

 

  (i) the risks of the CII becoming illegally controlled, disrupted or destroyed, or important data being stolen, divulged or lost;
  (ii) the harm to continuity of the CII operation caused by any disruption of supply;
  (iii) the security, openness, transparency and diversity of sources of the products and services; the reliability of the supply channel; and the risks of supply being disrupted due to political, diplomatic or trade reasons;
  (iv) compliance of the products and services provider with Chinese laws, regulations and rules; and
  (v) other factors that may harm CII security and national security.

 

VI. What materials must a CII operator submit?

 

The CII operator is required to submit the following:

 

  (i) an application letter;
  (ii) an analysis report on the impact or potential impact of the network products and services on national security;
  (iii) the procurement documents, agreements and contracts; and
  (iv) such other materials as may be required.

 

VII. What are the obligations of a supplier to a CII operator?

 

The CII operator may require that the supply agreement and procurement documents oblige the supplier of network products and services to assist and collaborate with it in the cybersecurity review. The supplier may also be required to give undertakings that it will not illegally obtain user data or control or manipulate users’ equipment, and will not disrupt supply or technical support without legitimate reasons.

 

Suppliers may also be required by the CII operators to provide information and documents to prove (a) aspects such as the security, openness, transparency and reliability of the network products and services; and (b) the supplier’s track record of compliance with Chinese laws, regulations and rules.

 

OUR OBSERVATIONS

 

I. Scope of CII still to be defined

 

Whilst the Review Measures purport to strengthen the supply chain security of CII, supporting regulations on identifying and regulating CIIs have yet to be published. Further, the scope of CII Protection Departments, who are responsible for identifying CII, is not clear. It will be difficult to enforce the Review Measures given the lack of clarity as to who the CII operators are and how to identify them.

 

So far, there is only a broad description of CII in the Cybersecurity Law. This provides that CII includes information infrastructure in public communication and information services, energy, transport, water resources, finance, public utilities, e-government and other important industries and sectors, the destruction or data leakage of which may seriously harm national security, the economy, individuals’ livelihoods and the public interest. The CAC published a consultation draft of regulations on CII protection in July 2017, but there has been little progress since. The publication of the Review Measures could accelerate the legislative process to finalise and implement these.

 

II. Review procedure and standards need to be clarified

 

The Review Measures set out the main risk factors that will be taken into account in the review, but lack any detailed standards to assess whether any of the risks will be triggered. The CII Protection Departments are responsible for drafting guidance for determining the national security risks of using network products and services in a particular sector or industry. However, without any regulation on CII protection or a clear remit for the CII Protection Departments, we would not expect any such guidance to be published soon.

 

The role of the Working Group in the review process also requires clarification. It should be made clear whether the duties of the Working Group will be performed by all of its members or a selected/designated few; and whether such duties will be performed by the members collectively or individually. For instance, when the Cybersecurity Review Office completes its initial review, should its opinion be submitted to all members of the Working Group for comments; and will the Working Group issue a joint opinion or will each member of the Working Group issue its own? Similar questions arise when members of the Working Group initiate the review.

 

III. Uncertainty for suppliers

 

Suppliers of certain network products and services to CII operators are now facing the possibility of their products and services being put under scrutiny and even supply contracts being annulled as a result of a cybersecurity review. As mentioned above, suppliers will be obliged under the terms of the supply contract to provide assistance with the cybersecurity review and to give undertakings as to the security and reliability of the network products and services.

 

The cybersecurity review regime puts great emphasis on the supply of the network products and services not being disrupted, in particular for “political, diplomatic and trade” reasons. In the context of the tensions in international relations, certain foreign or foreign-invested suppliers are initially likely to bear the brunt of the cybersecurity review regime, given the increasing likelihood of their supply being disrupted. However, Chinese suppliers that use foreign-manufactured or foreign IP-protected components may also struggle to prove that their supply will not be disrupted if the supply of those components could be cut off. Suppliers to CII operators could increasingly use locally manufactured or locally IP-protected components in their network products and services in order to satisfy the requirements of the cybersecurity review.

 

CII operators and their suppliers should include in the supply contract provisions to deal with the possibility that the supply order may be subjected to a cybersecurity review and the consequences of a negative opinion being issued, as well as the risk of commercial secrets and intellectual property being divulged during the review process.

 

CONCLUSION

 

Whilst the security review regime established by the Review Measures strengthens the cyber supply chain security for CII, it also creates uncertainty for suppliers of network products and services to CII operators. Although the lack of regulations on CII protection may prevent imminent fully-fledged enforcement of the Review Measures, we would recommend that CII operators and suppliers prepare for their implementation.

 

Herbert Smith Freehills

 

For further information, please contact:

 

James Gong, Herbert Smith Freehills

james.gong@hsf.com