
China's new rules on security review of network products and services fail to alleviate foreign investor concerns

27 June 2017

Cyber security

On 2 May 2017, the Cyberspace Administration of China ("CAC") issued The Network Products and Services Security Review Measures (for Trial Implementation) ("Review Measures"), which took effect on 1 June 2017. Under the Review Measures, a Network Security Review Office ("NSR Office") will be established that will select network products and services that must undergo a network security review ("Security Review") that places emphasis on their (and their supply chain's) security, controllability, transparency, and other facets. Network products and services must pass such Security Review in order to be eligible to be procured by certain industries (such as the finance, energy and communications sectors) or by other operators of "critical information infrastructure" ("CII"), if such procurement may have an impact on national security.

The background to the Review Measures is that The People's Republic of China Cyber Security Law ("Cyber Security Law") adopted on 7 November 2016, which also took effect on 1 June 2017, requires that network products and services purchased by operators of CII (the definition of which is somewhat vague and unsatisfactory, see our previous analysis here) must undergo a national security review if such network products and services "might potentially have an impact on national security", failing which the CII operator risks being ordered to discontinue use and/or being subject to quite stiff fines (up to ten times the purchase price) and, in a formulation reminiscent of the PRC Criminal Law, the persons directly in charge and other directly responsible persons will be liable to pay personal fines of between RMB 10,000 and 100,000.

Thus, since the promulgation of the Cyber Security Law, it has been known that a Security Review regime would be introduced for certain network products and services, potentially impacting both the businesses who are manufacturers of such products and providers of such services as well as the users (or prospective users) of those products and services.

How this regime would look has been one of several major areas of concern for foreign investors arising out of the implementation of the Cyber Security Law. Given the recent direction China has taken in this regard, and a previous campaign to introduce the "secure and controllable" (or "secure and reliable") concept in the banking, securities and insurance sectors, there were legitimate concerns that a new program of security review might be skewed in favour of "local" manufacturers and thus become a back door means of imposing essentially protectionist policies. In the case of the previous "secure and controllable" campaign, in some sectors, even though the campaign was eventually suspended, some such protectionist effects were felt, as it seemed that some businesses in China may have taken the view in light of impending requirements that buying local products was a better, lower risk purchasing strategy than buying products manufactured overseas or by foreign-invested enterprises ("FIEs") in China, or they were penalized in tendering processes in China if they were not deemed "secure and controllable", so these concerns are quite real.

The CAC issued a draft version of the Review Measures ("Draft Measures") for comment on 4 February 2017 (see our briefing here), which aimed to give shape to such Security Review. The final version of the Review Measures carries the Draft Measures forward with some clarifications and improvements, but, like the Draft Measures, continues to leave the majority of critical questions unanswered, including: 

  • More precision around which products and services might be viewed as having an impact on national security and therefore potentially subject to Security Review
  • More precision around which companies are considered to be CIIs and therefore potentially limited in their procurement options
  • Whether there will be a protectionist slant in the Security Reviews, such that their practical implementation will make it difficult for foreign or FIE manufacturers to compete; and
  • How intrusive Security Review will be to the proprietary information underlying the network product or service, and concerns about disclosure or leakage of proprietary information.

Perhaps the biggest concern is that the Review Measures also do not set out the specific standards and procedures applicable to Security Review. On an optimistic view, more legislation (perhaps in the form of further CAC implementing rules) is likely to follow, bringing greater clarity. A more cynical view is that certain obvious gaps will persist in any event, and in practice will simply be filled in by opaque, subjective interpretation.

Uncertain scope of application

Most broadly, Article 2 of the Review Measures states that network products and services are subject to Security Review if they are: (1) "important"; and (2) procured for networks or information systems relating to national security. However, no standards are set forth for defining when either of these elements is met, leaving these elements open to a high degree of subjective interpretation.

Article 8 goes on to state that the "subjects of a review" will be determined by the NSR Office which will, "according to procedures" (which are not defined), determine the specific subjects of a review based on (i) the requirements of the State (i.e. to-be-issued rules), (ii) the recommendations of nationwide industry associations, and (iii) feedback from users.

The NSR Office, then, appears to have broad discretion, both in terms of deciding which network products and services are subject to Security Review and the procedures by means of which such determination is made, which creates significant uncertainty.

That said, vesting such decision in the NSR Office appears to be a significant improvement over the Draft Measures, which did not clearly state that the NSR Office would select which network products and services would be subject to Security Review, leaving greater doubt as to whether or when a network product or service would become subject to review. Now it appears to be clear that a network product or service is not subject to review until the NSR Office decides that it is.

Another improvement over the Draft Measures is that the parameters in Article 2 are now only defined in terms of "relating to national security" and not also in terms of "relating to the public interest", with all the additional uncertainty which that phrase would have entailed.

Consequences of not passing security review

Network products and services subject to Security Review must pass such Security Review or be subject to market access restrictions. In particular, failure to pass Security Review means that key industries such as public communications and information services, energy, transport, water, finance, public services and e-government systems, as well as other operators of CIIs, would not be able to procure such network products and services, if such purchase might have an impact on national security. Whether there might be an impact on national security will be determined by the government departments in charge of protecting the security of CII.

This procurement restriction is somewhat scaled back from the procurement restrictions in the Draft Measures, which also stipulated that the communist party, government authorities, and key industries (whether or not considered to be operators of CII) had to give priority to purchasing network products and services which had passed Security Review, and were forbidden from purchasing any network products and services which had not passed. Query, however, whether this will make a substantial difference in practice, if, for example, (i) communist party and government authorities follow these procurement requirements anyway for policy reasons and (ii) CII is interpreted broadly in practice.

What does Security Review involve?

The Review Measures implicitly require that network products and services must be "secure" and "controllable" and have "transparent" security mechanisms and technology, and require the assessment of the following potential risks:

  • Risks implicit to the products and services themselves, as well as the risk that such products or services might be subject to unlawful control, interference or operational shutdowns
  • Supply chain security risks occurring during the course of manufacturing, testing, delivery and technical support in relation to the products and key components thereof
  • The risk that the product or service provider might be able to use the provision of such product or service as a means to unlawfully collect, store, process or use related user information
  • The risk that the product or service provider might be able to take advantage of users' reliance on such product or service to the detriment of network security or the user's interests; and
  • Other risks which may jeopardize national security.

If you read this list it is clear that foreign manufactured goods or goods manufactured by FIEs are more likely to be at risk of failing Security Review. Some items in this list appear intended to cover risks that are genuinely focused on national security concerns, for example whether the products or services might contain functional defects, software "back doors", "logic bombs" or other code that may have been deliberately installed with a view to allowing data extraction or remote operation, or might be at risk of being hacked, infected by viruses, or controlled or turned off remotely. Outside of the product or service itself, production and supply chain risks are also considered, potentially including assessing the risk that knowledge of the security features of the technology, such as encryption/decryption keys, has "leaked" or has otherwise become known outside the developer's organization, or that software or firmware, whether open source or sourced from a third party, has not been properly screened prior to its use in the product. Risks concerning technical support of a product could point to the product's reliance on remote support, whether within or outside of China, or to the customer's access to source code, and so may be a further point of concern about the Security Review for foreign technology providers in particular.

However, a number of the risks highlighted are not ones which would ordinarily be seen as a direct concern from a national security perspective, for example issues like data protection (as in the 3rd bullet) and consumer protection (as in the 4th bullet). The Draft Measures had also added unfair competition, another item not within the typical purview of national security, but happily this controversial point was not retained in the Review Measures. These areas which fall outside of the bounds of national security are already extensively addressed in other parts of Chinese law (e.g. The People's Republic of China Protection of Consumers Law), so it is difficult to see why they should form part of a review whose goal is the preservation of national security. In short, the legislators seem to be mixing up concepts.

It is worth pointing out that the risks addressed above form a non-exhaustive list, as the 5th bullet point provides a sweep up which enables anything else to be added as a factor that may have been omitted from the legislation but that may subsequently be determined to constitute a national security risk as determined by the CAC or the institutions or experts making the determination.

Security review process framework

The Review Measures set out a multi-layered, multi-institutional approach to Security Review which is materially identical to what was provided in the Draft Measures.

The top layer is the CAC, the issuer of the Review Measures.

The next layer down is a Network Security Review Committee ("NSR Committee") which will be responsible for deliberating on major Security Review policies, uniformly organizing network security review efforts, and coordinating major Security Review issues.

The next layer down is the NSR Office. The NSR Office is in charge of the specific organization and implementation of Security Reviews. The NSR Office will arrange for two other groups of actors, namely (1) third-party institutions and (2) experts, to actually conduct Security Reviews.

Third-party institution review apparently comes first. Such third-party institutions are to be designated by an as-yet unspecified organ of the state (so are not independent in any sense) and clearly there is a risk of decisions being driven by factors such as a preference for State-owned enterprises or other forms of undue influence. The third-party institution will conduct a third-party evaluation. After that, a committee of experts (formed by the NSR Committee), taking the third-party evaluation as a basis, will conduct an overall assessment of (1) the security risks of a given network product or service, as well as (2) the security and reliability of the provider of such product or services. In a partial nod to greater transparency, security review results will be then published by the NSR Office "within a defined scope", so presumably with the parts relating to national security (however that may be interpreted) redacted.

Government authorities in "key industries and sectors" such as finance, telecommunications, energy, communications and so forth (and therefore potentially others) are responsible for Security Reviews in their respective industries and sectors. The Review Measures, like the Draft Measures, fail to answer whether involvement of sector-specific authorities in Security Reviews puts those reviews on a separate track from other industries, or whether their participation is an additional layer, and how products and services that are used across multiple industries will be treated.

The fact of sector-specific authorities having responsibility for Security Reviews does not augur well for overseas or FIE manufacturers who may, in the industry-organised reviews, come up against some of the government and regulatory bodies that historically have been less open to foreign investment. Many of the officials in those bodies and/or in the ranks of review institutions or experts will have worked in, or spent time with their domestic competitors (those who have worked overseas or for FIEs or overseas manufacturers are likely to be in the minority), which may lead to conflicts of interest or bias towards domestically produced products or those using indigenous technologies. Other risks are exactly the same as those that have plagued invitation to tender bid panels in China: manufacturers and other interested parties will try to pre-determine the outcome by identifying and seeking to influence the members of the group who make the final decision. Article 11 alludes to this risk by requiring these third party institutions to conduct an objective, impartial and fair evaluation of the product, service and supply chain, and allowing suppliers to make complaints to the NSR Office or other relevant departments if they think they have been treated unfairly, but even so, the potential for "gaming" the system through undue influence is undeniable, and no clear mechanisms or punishments are set forth as to how the NSR Office or other relevant departments should handle complaints.

Security of proprietary information

Under the Review Measures, network product and service providers are required to cooperate with network security reviews and take responsibility for the veracity of all information provided in such reviews. Review will undoubtedly include disclosure of certain product/service information, some of which may be sensitive and/or proprietary and constitute valuable intellectual property rights ("IPR"). This raises concerns about the security of such disclosed information and potential theft or loss of IPR as a pre-condition to gaining market access. It also raises the issue of whether source code will be required to be disclosed as part of the Security Review.

Both the Draft Measures and Review Measures attempt to provide some comfort in this regard by providing that third party institutions and other relevant entities and personnel (e.g. experts) are obligated to maintain the security and confidentiality of any information to which they have access during the course of a security review, and must not use such information for purposes other than performing network security review. The Review Measures further add that if network product and service providers believe that third-party institutions and other relevant organizations and personnel have failed to keep information confidential, the providers may report such misconduct to the NSR Office or relevant departments. However, how such report would be handled after being received, and whether any specific penalties might apply, is not stipulated, making this somewhat "toothless".

Accordingly, we expect that the provisions on confidentiality in the Review Measures will provide little real comfort in relation to the concerns around submission of proprietary information and disclosure of IPR (including source code). Understandably, some multi-national companies providing network products and services may prefer to only provide non-front-line or a limited range of products in China to mitigate the risk of disclosures of "crown jewels" IPR.

Conclusion

The Review Measures, while an improvement on the Draft Measures in some respects, unfortunately still contain many of the flaws identified in the Draft Measures in relation to the new Security Review process, for example:

  • No further clarity on which products and services are subject to Security Review
  • A national security review test that conflates areas already addressed elsewhere in Chinese law and which do not belong in the national security review context
  • A multi-layer government-driven bureaucracy organizes the review process and chooses all the participants, with no safeguards on independence built in at any stage; this essentially creates an environment where FIEs and foreign manufacturers are players in a game where they have no input on the rules of the game but can be called to the field at any time
  • No clear machinery to prevent government officials with conflicts of interest (e.g. ties to industry participants whose equipment or services is under review) from participating in the review process
  • Many industries which have historically tended to be most closed to foreign investment will organize and carry out their own sector-based review processes
  • No definitive list of the "key industries" or final definition of operators of CII which will be under an obligation to purchase certified equipment and services, so the list can be extended based on subjective interpretation
  • No provision imposing specific punishments on participants who fail to conduct an "objective, impartial and fair evaluation" other than the very weak "being held responsible for the results of their evaluations"; essentially bringing all the negatives of the tendering process in China to the sector with none of the safeguards built into the legislation around tendering
  • No mention of whether source code can be requested, but an obligation to cooperate with the various reviewing bodies means that if requested, network product and service providers have an obligation to provide it
  • No safeguards built in to prevent corruption in the process or gaming the system through undue influence (although arguably partially covered by existing legislation); and
  • No mention of any review or appeal procedure for an interested party who feels the outcome of a Security Review was seriously flawed, other than to make a report with the NSR office or other relevant department, which is essentially asking the NSR to overturn its own decision.

All in all, despite some incremental improvements, the Review Measures, like the Draft Measures, still fail to address or alleviate FIE or overseas manufacturer concerns that came out of the passing of the Cyber Security Law in relation to Security Review, leaving many of the uncertainties hanging and key issues unanswered.
