China’s “Cybersecurity Review Measures” (hereinafter the “Review Measures”) were released on April 13, 2020, and took effect on June 1 of the same year. Their predecessor was the “Measures for Security Review of Network Products and Services (Trial)”, implemented in 2017. From the trial version to the formal one, three years of practice and exploration were distilled into the new regulations. In July 2021, the Cyberspace Administration of China issued a further “Measures for Cybersecurity Review (Draft for Comments)”. The focus of that revision is to implement the provisions of the “Data Security Law” on data security review, but it is undeniable that the core concern of the “Review Measures” remains the supply chain security of critical information infrastructure (CII).
The core issue addressed by the “Review Measures” is the security risk that may arise from the use of products or services in critical information infrastructure. In other words, a review is triggered because a specific CII operator, by procuring specific network products and services, may have introduced a “vulnerability” into the CII, rather than by the security issues of the product or service itself. The latter are mainly addressed by Articles 22, 23 and 36 of the Cybersecurity Law and its supporting systems. Following this basic logic, we can get a good grasp of every aspect of the review system established by China’s “Review Measures”.
The object of review is clear
In the “Review Measures”, the goal of security review is “to ensure the security of the critical information infrastructure supply chain and maintain national security”, and the review focuses on the supply chain security risks that products and services bring to critical information infrastructure. Therefore, the object of review is always the specific products or services procured by critical information infrastructure operators. To this end, the “Review Measures” also clarify the scope of such products or services. Article 21 stipulates: “The network products and services referred to in these Measures mainly refer to core network equipment, high-performance computers and servers, large-capacity storage equipment, large-scale databases and application software, network security equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure.” As for the review of critical information infrastructure suppliers, the “Review Measures” mainly examine their “compliance with China’s laws, administrative regulations and departmental rules”.
To sum up, the scope of review objects in China is clear: the objects of review are mainly specific products or services, with suppliers examined only in a supplementary capacity. Suppliers cannot be reviewed independently of the specific products or services they offer. Therefore, China does not proactively initiate an independent review or risk assessment of a particular supplier.
Specific evaluation elements
First, the core of the “Review Measures” is to examine “specific products or services + specific usage scenarios”. This reflects an advanced understanding of security, namely that “network security is relative rather than absolute”. Likewise, the security of products and services is relative. Whether they are secure depends to a large extent on factors such as who uses the product or service, the purpose of use, the method of use, and the reliability of the supply channel. There is no absolute and constant benchmark for measuring security. Therefore, the “Review Measures” focus on whether the procurement and use of specific products and services would result in the following two consequences: first, the risk that the critical information infrastructure is illegally controlled, interfered with or destroyed, and that important data is stolen, leaked or damaged (Article 9, paragraph 1); second, continuity hazards (Article 10, paragraph 2).
Secondly, Article 10, Item 3 of the “Review Measures” reviews “the security, openness, transparency and diversity of sources of products and services”. This can be roughly understood as follows: security refers to the risk that products and services themselves are intruded upon, damaged, destroyed, tampered with or manipulated; openness refers to the compatibility and interoperability of products and services; transparency refers to whether the internal working principles and mechanisms of products and services can be understood, intervened in or controlled by network operators; diversity of sources refers to avoiding over-reliance on a single source.
Finally, the third item of Article 10 of the “Review Measures” reviews the “reliability of supply channels and the risk of supply interruption due to political, diplomatic, trade and other factors”, which is essentially a further review of the various factors that may cause supply interruption. For example, Microsoft has stopped providing security updates for the XP operating system, which is a security risk for the information systems of party and government agencies that still use XP in large numbers; another example is the ability of the United States to control the global chip supply chain through export control measures, and the potential impact on specific critical information infrastructure of whether a certain purchased chip can continue to be supplied.
It can be seen that there is no country-specific factor in China’s risk considerations. The focus of cybersecurity review is always on specific products and services, and on the vulnerabilities that may be introduced once those products or services are used in a specific critical information infrastructure. It can be said that cybersecurity review is mainly a technical and objective assessment.
The review is initiated by the operator
In the “Review Measures”, the main provision on initiating a review reads: “When operators purchase network products and services, they shall prejudge the national security risks that may arise after the products and services are put into use. If they affect or may affect national security, they shall report to the Cybersecurity Review Office for cybersecurity review.” The subject of review and declaration is clearly the “critical information infrastructure operator” as purchaser. Moreover, it has become one of the purchaser’s legal obligations to take the initiative to “prejudge the national security risks that products or services may bring” and to decide accordingly whether to declare for review. Purchasers should take the initiative to manage their own supply chain risks through legal means, for example as stipulated in Article 7: “Product and service providers should be required, through procurement documents, agreements, etc., to cooperate with cybersecurity review, including not illegally acquiring user data, not illegally controlling or manipulating user equipment, and not interrupting product supply or necessary technical support services without justifiable reasons.”
Combining the above statutory obligations, we can see how the “Review Measures” position the purchaser: since the specific products and services are independently selected by the purchaser, the purchaser should be the main body bearing responsibility (the so-called principle of consistency between rights and responsibilities). Therefore, purchasers should actively manage and reduce supply chain security risks within their capabilities. In addition, China’s institutional arrangements greatly respect the risk judgment and business decisions that critical information infrastructure operators make based on their own operating scenarios, and avoid indiscriminate, large-scale government intervention in the daily procurement behavior of enterprises. In other words, the cybersecurity review mechanism is activated only when the security risk of a product or service used in a certain scenario exceeds the operator’s ability to manage it. Such regulations, in turn, prevent public power from intervening in the supply market for network products and services in advance, and from proactively evaluating the risk status of suppliers and supplier diversity, so that the supply market for network products and services does not become a highly planned and highly regulated market and thereby lose its vitality and momentum for innovation.
Cautious review conclusion
Because the core of the “Review Measures” is to examine “specific products or services + specific usage scenarios”, the conclusion of a review is whether a specific product or service can be used in a specific scenario. In other words, even if a single cybersecurity review fails, this does not necessarily mean that the product or service will fail cybersecurity reviews initiated by other critical information infrastructure operators. Guided by this idea, and in order to avoid giving the outside world the overall impression that a product or service is unsafe, in most cases the result of a cybersecurity review is only “notified in writing to the operator” (Article 12), and is not disclosed to other operators or to the public. The reason is that the object of review under the “Review Measures” is always the specific products or services procured by a critical information infrastructure operator. Therefore, even if a single review fails, the supplier’s entire line of products or services will not be rejected by all critical information infrastructure operators, avoiding a situation of “failure in one review, and a total loss”.
In short, China’s cybersecurity review does not take the supplier’s risk profile as its logical starting point; rather, it “deals with each matter on its own merits” and does not produce a “labeling” effect. Failure to pass a single review only means that a specific critical information infrastructure operator should not use a specific product or service in a certain scenario or link, and does not simultaneously affect all of the supplier’s products or services, thus avoiding a “collateral damage” effect. By respecting the operator’s autonomous security decision-making, the system design also incentivizes operators to improve their security level. This helps maintain the diversity of the supply market for network products and services, encourages network suppliers from different countries to compete and innovate with each other, and provides a steady stream of impetus for the sustainable development of the supply market.