According to Article 35 of the Cybersecurity Law, China will implement a security review system for critical information infrastructure (CII). To implement this system, China has already published the Review Measures for Network Products and Services Security and the Regulation of the Critical Information Infrastructure. In May 2020, to support the implementation of the CII protection system, the CAC, jointly with 12 Chinese government departments, published the Measures for the Cybersecurity Review (the Measures).
What kinds of network operators should carry out the security review?
The Measures require that CII operators who purchase network products and services that affect or may affect national security must conduct a cybersecurity review. The scope of network products and services includes core network equipment, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment, cloud computing services, and other network products and services that may have an important impact on CII security.
Who is responsible for the cybersecurity review?
- The Cybersecurity Review Office, hosted by the CAC, is responsible for:
  - Formulating relevant system specifications for cybersecurity review and organizing cybersecurity reviews;
  - Conducting the preliminary cybersecurity review and forming a review conclusion recommendation;
  - Accepting reports of misconduct in the review by network product and service providers.
- The national cybersecurity review work mechanism is composed of 12 departments. They are responsible for:
  - Reviewing the preliminary review conclusion recommendations of the Cybersecurity Review Office;
  - Proposing to the Cybersecurity Review Office that a cybersecurity review be initiated.
- The critical information infrastructure protection departments are responsible for:
  - Identifying CII operators;
  - Developing guidelines for their industry to predict the national security risks that network products and services may bring after being put into use;
  - Reviewing the preliminary review conclusion recommendations of the Cybersecurity Review Office.
- The Office of the Cybersecurity and Informatization Committee of the Central Committee of the Communist Party of China is the executive body of the Cybersecurity and Informatization Committee of the Central Committee of the Communist Party of China. It is responsible for:
  - Leading the national cybersecurity review work mechanism;
  - Reviewing and approving the review conclusion recommendations issued by the Cybersecurity Review Office under the special procedures;
  - Approving the start of a cybersecurity review based on the opinions of members of the cybersecurity review work mechanism.
How is a cybersecurity review initiated?
According to the Measures, cybersecurity reviews can be initiated in two ways:
- If the CII operator believes that the use of purchased network products and services affects or may affect national security, it should apply to the Cybersecurity Review Office, and the Cybersecurity Review Office will notify the CII operator whether the review will be initiated; or
- If a member of the cybersecurity review work mechanism believes that network products and services affect or may affect national security, that member will request that the Cybersecurity Review Office initiate the review, but the request must be approved by the Central Cybersecurity and Informatization Committee.
What is the review procedure?
The review procedures are divided into ordinary procedures and special procedures:
- Ordinary procedures: The Cybersecurity Review Office will complete the preliminary review within a maximum of 45 working days and send its review conclusion recommendations to the members of the cybersecurity review work mechanism and the relevant CII protection departments for comment. The members of the cybersecurity review work mechanism and the relevant CII protection departments must reply with their opinions in writing within 15 working days. If their opinions are consistent with the review conclusion recommendations of the Cybersecurity Review Office, the Cybersecurity Review Office will notify the operator of the review conclusion in writing.
- Special procedures: If the members of the cybersecurity review work mechanism and the relevant CII protection departments do not agree with the recommendations, the special procedures apply. Under the special procedures, the Cybersecurity Review Office will conduct a reassessment, solicit opinions from the members of the cybersecurity review work mechanism and the relevant CII protection departments, and report to the Central Cybersecurity and Informatization Committee for approval before notifying the CII operator of the review conclusion.
What factors will be considered in the review?
The Measures stipulate that when conducting a cybersecurity review of the procurement of network products and services, the following factors should be considered:
- The risk of the CII being illegally controlled, interfered with or destroyed, and of important data being stolen, leaked or damaged;
- Damage to CII business continuity caused by interruption of the product and service supply chain;
- The security, openness, transparency and diversity of sources of the products and services, the reliability of their supply channels, and the risk of supply disruption due to political, diplomatic and trade factors;
- The product and service providers' compliance with Chinese laws, administrative regulations and departmental rules;
- Other factors that may endanger CII and national security.
For the Chinese version of the Measures, please see: http://www.cac.gov.cn/2020-04/27/c_1589535450769077.htm
By Luna ZHAO on June 12, 2020.