Interpretation of the Seven Key Points of the “Measures for Cybersecurity Review”

On April 27, 2020 (the official text itself is dated April 13), twelve departments, namely the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, the Ministry of Finance, the Ministry of Commerce, the People’s Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, the State Secrecy Administration and the State Cryptography Administration, jointly issued the “Measures for Cybersecurity Review” (hereinafter referred to as the “Official Draft of the New Measures”).

On May 21, 2019, the Cyberspace Administration of China had issued the “Measures for Cybersecurity Review (Draft for Comments)” (hereinafter referred to as the “Draft for Comments on the New Measures”). Both the draft for comments and the official draft of the new measures explicitly abolish the “Measures for the Security Review of Network Products and Services (for Trial Implementation)” issued on May 2, 2017 (hereinafter referred to as the “Old Measures”). This article takes the main highlights of the official draft of the new measures as its main thread, and also comments on the similarities and differences between the new measures and the old measures.

Point 1: One class of applicable subjects

Article 2 of the Old Measures stipulated that important network products and services purchased for networks and information systems related to national security shall undergo a cybersecurity review; that is, every network operator purchasing products and services related to national security was required to undergo a cybersecurity review. Both the draft for comments and the official draft of the new measures narrow the scope of application to critical information infrastructure operators. According to Article 2 of the New Measures, critical information infrastructure operators shall undergo a cybersecurity review if they purchase network products and services that affect or may affect national security. In the literal sense, a “critical information infrastructure operator” is an enterprise that operates “critical information infrastructure”.

According to the Cybersecurity Law and the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comments), “critical information infrastructure” refers to network facilities and information systems that, once damaged, disabled, or subject to data leakage, may seriously endanger national security, the national economy and people’s livelihood, and the public interest. Article 31 of the Cybersecurity Law and Article 18 of the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comments) both list industries and fields that may be identified as critical information infrastructure, including energy, finance, transportation, water conservancy, health care, education, social security, environmental protection, cloud computing, big data, national defense science and industry, large-scale equipment, chemical industry, food and drugs, news, etc.

When answering a reporter’s question about the official draft of the new measures, the relevant person in charge of the State Internet Information Office pointed out that, according to the “Notice on Matters Concerning the Security Protection of Critical Information Infrastructure” issued by the Central Network Security and Informatization Commission, operators of important networks and information systems in industries such as telecommunications, radio and television, energy, finance, road and water transportation, railways, civil aviation, postal services, water conservancy, emergency management, health, social security, and national defense science, technology and industry should consider applying for a cybersecurity review when purchasing network products and services.

It should be noted that in June 2016, Article 3.2 of the Operational Guidelines for National Cybersecurity Inspections issued by the Office of the Central Cybersecurity and Informatization Leading Group set out three steps for determining critical information infrastructure. The second step is to determine the information system or industrial control system that supports the key business, and the third is to determine the degree to which the key business depends on that information system or industrial control system, and the losses that a cybersecurity incident in that system could cause.

According to Article 19 of the official draft of the new measures, the identification of critical information infrastructure operators is the responsibility of the critical information infrastructure protection departments. Read together with Article 19 of the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comments), the national cybersecurity and informatization department, together with the State Council’s telecommunications authority, the public security department and other departments, has formulated guidelines for the identification of critical information infrastructure. The determination is mainly made by the competent industry department or regulatory department, must draw on relevant expert opinions, and may require case-by-case analysis. This article will not go into further detail on it.

In general, however, if the network facilities operated by an enterprise, once damaged, disabled, or subject to data leakage, may seriously endanger national security, the national economy and people’s livelihood, or the public interest, that enterprise is likely to be identified as a critical information infrastructure operator. Such enterprises therefore need to pay attention when purchasing network products and services: if the purchased products or services may affect national security, the purchase may be regulated by these measures.

Point 2: Two types of initiation methods

Both the draft for comments and the official draft of the new measures provide two ways of initiating a cybersecurity review, which are introduced separately below.

The first category: initiated by critical information infrastructure operators. When a critical information infrastructure operator purchases network products and services and, through its own judgment, believes that the purchased products and services may pose security risks to the country once put into use, and affect or may affect national security, it shall prepare a security risk report and then file a declaration with the Cybersecurity Review Office, thereby entering the government review process. According to the official draft of the new measures, the critical information infrastructure protection departments may formulate pre-assessment guidelines for their industry or field, to help relevant enterprises gauge the scale of the risk assessment and not miss the appropriate time to declare and be reviewed.

The second category: initiated by member units of the cybersecurity review working mechanism. When a member unit of the cybersecurity review working mechanism (specified in the following section) believes that network products and services affect or may affect national security, the Cybersecurity Review Office shall report to the Central Cybersecurity and Informatization Commission for approval in accordance with procedures, and initiate the review process.


Regarding the dimensions and factors by which critical information infrastructure operators or member units of the cybersecurity review working mechanism judge whether products and services affect or may affect national security, the official draft of the new measures mainly puts forward the following perspectives:

1) Whether the use of the network products and services will adversely affect critical information infrastructure, including whether their use may lead to illegal control, interference with, or destruction of critical information infrastructure, or the theft, leakage or damage of important data, etc.;

2) Whether the supply interruption of network products and services will affect the continuity of critical information infrastructure business;

3) Whether the products and services themselves are secure, open and transparent, have diverse and reliable sources, and whether they may lead to supply interruptions;

4) Whether product and service providers comply with Chinese laws, administrative regulations and departmental rules;

5) Other factors that may endanger the security of critical information infrastructure and national security.

The above points mainly serve to evaluate and predict whether the products and services purchased by critical information infrastructure operators, once put into production and use, will damage or attack the networks that make up the critical information infrastructure; whether they bring other security risks or hidden dangers of data leakage; whether they may cause business discontinuity or supply chain interruptions for these national pillar enterprises and key industrial sectors; and whether the products and services themselves are reliable, whether they are vulnerable to attack, and whether limited supply in turn affects the security and stability of the entire critical information infrastructure. If any of these factors is judged to be involved, a cybersecurity review should be initiated, whether by the enterprise itself or by a government regulator.

Point 3: Three types of review subjects


The old measures stipulated that the Cyberspace Administration of China and relevant departments should jointly establish a cybersecurity review committee to organize cybersecurity reviews in a unified manner. The official draft of the new measures stipulates that the Central Cybersecurity and Informatization Commission leads the cybersecurity review work in a unified manner, and that the National Cybersecurity Review Office, together with 11 departments and agencies directly under the State Council, establishes a cybersecurity review working mechanism. In other words, the official draft of the new measures gives a detailed and clear supplement to the meaning of the “relevant departments” mentioned in Article 5 of the old measures. At the same time, according to Article 4 of the official draft of the new measures, the Central Cybersecurity and Informatization Commission is responsible for unified leadership and decision-making, while the Cybersecurity Review Office, located within the Cyberspace Administration of China, is responsible for formulating the system norms for cybersecurity review and for organizing cybersecurity reviews.

In terms of the relationship between the review subjects, the review system described above is basically the same as in the draft for comments on the new measures. However, compared with the draft for comments, the official draft of the new measures adds the relevant critical information infrastructure protection departments alongside the member units of the cybersecurity review working mechanism. During the special review process, the Cybersecurity Review Office needs to solicit opinions from both the member units of the cybersecurity review working mechanism and the relevant critical information infrastructure protection departments.

The official draft of the new measures does not specifically define “member units of the cybersecurity review working mechanism” or “relevant critical information infrastructure protection departments”. According to Article 4 of the official draft, however, the “member units of the cybersecurity review working mechanism” should include all issuing departments other than the Cyberspace Administration of China, that is, the 11 departments or agencies directly under the State Council: the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, the Ministry of Finance, the Ministry of Commerce, the People’s Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, the State Secrecy Administration, and the State Cryptography Administration. In addition, according to Article 20 of the official draft of the new measures, a critical information infrastructure operator is an operator identified by a critical information infrastructure protection department. For example, judging from the “Notice of the General Office of the Ministry of Water Resources on Printing and Distributing the ‘Key Points of the Water Conservancy Network Information Work in 2020’”, the critical information infrastructure protection departments may include the water conservancy department. Therefore, the critical information infrastructure protection department must be determined according to the industry to which the specific critical information infrastructure belongs, and in some cases it also seems necessary to seek and obtain that department’s professional opinions and suggestions on the matters declared by the subordinate units in the industry under its jurisdiction.


Point 4: Four Review Principles

Compared with the old measures, the draft for comments on the new measures added wording such as “promoting the application of advanced technology” and “protecting intellectual property rights”, aiming to create a good business environment for enterprises, and the official draft of the new measures retains this principle. The official draft requires the relevant institutions and staff participating in a cybersecurity review to strictly protect trade secrets and intellectual property rights, and to keep strictly confidential the undisclosed information and undisclosed materials submitted by critical information infrastructure operators.

In addition, the official draft of the new measures also expressly provides that critical information infrastructure operators and network product and service providers may report to the Cybersecurity Review Office or the relevant departments if they believe that reviewers are not objective and impartial or have failed to fulfill their confidentiality obligations. Such provisions allow enterprises to self-declare with more confidence; through active declaration they can predict and prevent risks in advance, benefiting both the enterprise and the country.

It should be noted that the official draft of the new measures deletes the “improving the secure and controllable level of critical information infrastructure” proposed in the draft for comments and replaces it with “ensuring the security of the critical information infrastructure supply chain”, which may also reflect a shift in the basis and principles of the security review. According to the answers given by the relevant person in charge of the Cyberspace Administration of China to reporters’ questions on the official draft, the purpose of cybersecurity review is to safeguard national cybersecurity, not to restrict or discriminate against foreign products and services. The draft for comments had treated “the situation that the product and service providers are funded and controlled by foreign governments” as a review criterion; the official draft deletes such wording and pays more attention to the security of the network products and services themselves and of the supply chain, rather than restricting or discriminating against foreign products and services. As a result, foreign companies providing products and services to critical information infrastructure operators should face fewer obstacles.

To sum up, the establishment of the cybersecurity review system and process aims to (1) implement cybersecurity review, safeguard national security and reduce hidden risks; (2) ensure the security of the critical information infrastructure supply chain; and at the same time (3) protect the trade secrets of enterprises and (4) protect the intellectual property rights of enterprises.

Point 5: One Review Process

Articles 3 and 6 of the Old Measures stipulated that cybersecurity review be conducted through a combination of third-party evaluation and expert evaluation: an officially certified third-party organization conducted the evaluation and produced a preliminary evaluation report, and the expert committee then comprehensively assessed the security risks of the product and service, and the security and trustworthiness of the provider, on the basis of that report. Both provisions were deleted in the draft for comments on the new measures. Although there are two ways to initiate the review, in the end the review and its control are led by the government.

In the draft for comments on the new measures, implementation of the review is delegated to the Cybersecurity Review Office, which is responsible for conducting cybersecurity reviews, while the Central Cybersecurity and Informatization Commission exercises the final approval and decision-making power. When different agencies hold different opinions, or have conflicts of interest, regarding the declared content, a unified decision-making body is more conducive to forming a high degree of consensus, which increases the credibility and efficiency of the cybersecurity review report and avoids the approval delays and mutual buck-passing that too many joint decision-making bodies would cause. Accordingly, the official draft of the new measures retains the complete set of cybersecurity review procedures for the different initiation methods proposed in the draft for comments.

First, review initiated by critical information infrastructure operators. The operator submits the declaration materials (including the declaration form, a risk analysis report, the procurement documents or the agreement or contract to be signed, and any other materials deemed necessary to support the review) to the Cybersecurity Review Office, which is established within the Cyberspace Administration of China, with the specific work entrusted to the China Cybersecurity Review Technology and Certification Center. Under the guidance of the Cybersecurity Review Office, the China Cybersecurity Review Technology and Certification Center is responsible for receiving the declaration materials. Within 10 working days of receiving them, it conducts a formal review of the materials to determine whether a substantive review is necessary, and notifies the critical information infrastructure operator in writing. If a substantive review is required, the next step of the review is organized accordingly. The Cybersecurity Review Office shall complete the preliminary review within 30 working days (extendable by 15 working days if the situation is complicated), which includes sending the review conclusions and recommendations to the member units of the cybersecurity review working mechanism and the relevant critical information infrastructure protection departments for comment. The member units of the cybersecurity review working mechanism and the relevant critical information infrastructure protection departments shall reply in writing within 15 working days from the date of receiving the review conclusions and recommendations.

If the member units of the cybersecurity review working mechanism and the relevant critical information infrastructure protection departments agree with the conclusions, the Cybersecurity Review Office notifies the critical information infrastructure operator of the review conclusion in writing; if their opinions differ, the matter enters the special review procedure and the critical information infrastructure operator is notified in writing. Once the special review process begins, the Cybersecurity Review Office further hears the opinions of the relevant departments and units, conducts in-depth analysis and evaluation, and again forms review conclusions and recommendations. After comments have been gathered, these are reported to the Central Cybersecurity and Informatization Commission for approval in accordance with procedures, a review conclusion is formed, and the operator is notified in writing. In principle, the special review should also be completed within 45 working days, and may be appropriately extended if the situation is complicated (however, neither the official draft nor the draft for comments on the new measures states a maximum time limit). It should also be noted that the time taken to submit supplementary materials is not counted toward the review periods above.

Second, review initiated by member units of the cybersecurity review working mechanism. If any department of the State Council or an institution directly under the State Council believes that network products and services affect or may affect national security, the Cybersecurity Review Office shall report to the Central Cybersecurity and Informatization Commission for approval in accordance with procedures, and conduct the review in accordance with the measures.

The following figure shows the review process when each of the two types of subjects initiates a cybersecurity review.

Point 6: Procurement Contract

Article 7 of the Draft for Comments on the New Measures required critical information infrastructure operators, when signing contracts with network product and service providers, to require the providers to cooperate with cybersecurity reviews. The official draft of the new measures basically follows this practice, while refining the obligation to cooperate: network product and service providers are to undertake not to illegally obtain user data, not to illegally control or manipulate user equipment by taking advantage of the convenience of the products and services they provide, and not to interrupt product supply or necessary technical support services without justifiable reasons.

Network product and service providers who sign contracts with critical information infrastructure enterprises are often worried about whether they will take on excessive contractual obligations, because critical information infrastructure operators, holding the “shangfang sword” (the imperial sword, i.e. the leverage) of cybersecurity review, often impose more stringent requirements on the suppliers of their network products, including writing additional obligations and responsibilities into the contract terms.

Although network product and service providers themselves are not subjects to which the “Measures for Cybersecurity Review” apply, since they provide network products and/or services to critical information infrastructure operators they are advised to become familiar with the provisions of the official draft of the new measures, so as to avoid having additional obligations imposed on them in the terms and conditions of the purchase contract.

First, network product and service providers need to understand the scope of network products and services that may be subject to cybersecurity review, namely: core network equipment, high-performance computers and servers, large-capacity storage devices, large databases and application software, network security equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure.

According to Articles 3.1 and 3.2 of the “Information Security Technology: General Security Requirements for Network Products and Services (Draft for Comments)”, “network products” refers to the hardware, software and systems used for the collection, storage, transmission, exchange and processing of information, such as computers, information terminals, industrial control and other related equipment, as well as basic software, system software, etc.; “network services” refers to the information technology development and application activities that a supplier provides to meet the requirements of the buyer, and the series of activities that use network technology to support the buyer’s business, such as cloud computing services, network communication services, data processing and storage services, information technology consulting services, design and development services, information system integration and implementation services, information system operation and maintenance services, etc.

Second, network product and service providers need to understand the difference between network products and services on the one hand and network critical equipment and network security special products on the other. Network critical equipment and network security special products are concepts first introduced by the “Cybersecurity Law”, which gives no specific definition. Their predecessor is the “computer information system security special products” regulated by the public security and other departments, that is, special hardware and software products used to protect the security of computer information systems (see Article 28 of the Regulations on the Security Protection of Computer Information Systems). With the development of information technology, as the scope of security protected by law has extended from the information system to the entire network, the concepts of network critical equipment and network security special products have been expanded accordingly. It can be inferred that they form the subset of network products and services that is used for network security protection.

According to Article 23 of the “Cybersecurity Law”, the national cybersecurity and informatization department, together with the relevant departments of the State Council, formulates and publishes a catalogue of network critical equipment and network security special products. In June 2017, the Cyberspace Administration of China, together with the Ministry of Industry and Information Technology, the Ministry of Public Security, the Certification and Accreditation Administration and other departments, promulgated the “Catalogue of Network Critical Equipment and Network Security Special Products (First Batch)”, which for the first time clarified the types of network critical equipment and network security special products: four kinds of network critical equipment (routers, switches, rack-mounted servers and PLC equipment) and 11 kinds of network security special products, including data backup all-in-one appliances, firewalls and intrusion detection systems.

Suppliers of network critical equipment and network security special products listed in the catalogue may only sell or provide those products after they have obtained security certification or met the requirements of security testing in accordance with the mandatory requirements of the relevant national standards. Therefore, when a critical information infrastructure operator purchases network critical equipment and network security special products, in addition to the cybersecurity review described above, it may also require the supplier to warrant in the contract that the equipment and products have already obtained security certification or passed security testing.

Thirdly, the draft for comments on the new measures stipulated that the contract between a critical information infrastructure operator and a network product and service provider takes effect only after passing the cybersecurity review. The official draft of the new measures has deleted this content, possibly out of consideration for consistency and rigor with existing regulations. However, when answering a reporter’s question about the official draft, the relevant person in charge of the Cyberspace Administration of China suggested that critical information infrastructure operators should apply for cybersecurity review before formally signing contracts with product and service providers. Although the official draft appears to have relaxed the link between the review and the contract’s effectiveness, network product and service providers cannot relax their vigilance: signing may be delayed by the review; it cannot be ruled out that a product or service already delivered cannot be contracted for while approval and review are pending; and considerable costs may be lost if the review is ultimately not passed. Network product and service providers should therefore strengthen the security capabilities of their own products and services, and adequately estimate the risks that may arise if a project enters trial operation before the contract is signed.

Point 7: Consequences of Violation

The official draft of the new measures retains the penalty clauses of the draft for comments and clarifies the legal basis for penalties, namely Article 65 of the Cybersecurity Law. Under that article, if a critical information infrastructure operator uses network products or services that have not undergone, or have failed, the security review, the competent authority may order it to stop using them and impose a fine of not less than one time and not more than ten times the purchase amount; the directly responsible person in charge and other directly responsible personnel shall be fined not less than 10,000 yuan and not more than 100,000 yuan. Because this dual-penalty system has direct consequences for both the enterprise and the responsible personnel, it cannot be ignored and calls for vigilance. Enterprises that may be identified as critical information infrastructure operators should, starting from the procurement process for network products or services, prepare declaration materials and undergo cybersecurity review in accordance with the official draft of the new measures; otherwise they must bear the corresponding consequences of the violation.

In general, the official draft of the new measures replaces the old measures and narrows the scope of subjects that must undergo cybersecurity review, which helps to reduce both administrative pressure and corporate compliance costs. At the same time, while focusing on protecting the safe and stable operation of the country’s critical information infrastructure, it seeks to keep enterprises’ supply chains uninterrupted, to establish an effective review mechanism, and to avoid the national security risks that may arise from the purchase of network products and services by critical information infrastructure operators.

As the implementation of the relevant laws and regulations on critical information infrastructure still needs to be improved, the specific application of the “Measures for Cybersecurity Review” to enterprises is expected to depend on the future promulgation of further laws and regulations related to critical information infrastructure, and its detailed rules also depend on the relevant industry authorities issuing further guidelines that explain the requirements of the “Measures for Cybersecurity Review” in detail.

Source: Universal Law Firm