Beijing News (reporter Ma Jinqian)
On July 5, the Cybersecurity Censorship Office issued a notice, carrying out a cyber security review on Yunman, Zhangang and Boss Zhipin. The office also announced on July 2 that it was conducting a cyber security review of Didi Chuxing. Didi Chuxing stopped registering new users during the review.
Recently, a series of cyber security reviews have been launched, which has aroused public concern. Reporters combing found that this is last April “network security review measures” since the release of the first round of official review action.
How is a cybersecurity review different from a general review? What will be reviewed specifically? What are the legal responsibilities for violating the method?
Question 1: How is a cybersecurity review different from a general review?
“Cyber security review is different from assessment, certification, general review and foreign investment national security review. It focuses on whether there are threats or risks affecting the security of critical information infrastructure and national security of network products or services.” Beijing University of Posts and Telecommunications Internet governance and legal research center deputy director Cui Congcong has published an article pointed out.
In recent years, cyber attacks on critical information infrastructure have been on the rise worldwide, involving finance, medical care, transportation, energy, industrial control and other fields, affecting a wide range of serious degree. Cyber security reviews have become a common practice for countries to prevent security risks to critical infrastructure.
In accordance with the National Security Law and the Cyber Security Law, 12 government departments, including the Cyberspace Administration of China and the National Development and Reform Commission, jointly issued the Measures for Cyber Security Review in April 2020.
State Internet information office director in the release of the “network security review method” is introduced, build system of network security audit in our country, the purpose is through the network security review the move, early detection and avoid purchasing products and services to the key information infrastructure operation risk and harm of critical information infrastructure supply chain security, safeguarding state security.
Yin Libo, director of the National Industrial Information Security Development Research Center, has published an article pointing out that by carrying out network security review, we can predict and check the network security risks that products and services may bring after they are put into use, prevent security incidents caused by supply chain product security vulnerabilities, and eliminate security risks from the source.
Question 2: What does the cyber security review mainly examine?
The relevant person in charge of the Cyberspace Administration of China has introduced that the cyber security review focuses on the assessment of national security risks that may be brought about by the purchase of network products and services by operators of key information infrastructure.
These include the risk of illegal control, interference or destruction of critical information infrastructure brought about by the use of products and services, as well as the risk of important data being stolen, leaked or damaged; Hazards to business continuity of critical information infrastructure caused by interruptions in the supply of products and services; The security, openness, transparency, diversity of sources, reliability of supply channels and the risk of supply disruptions due to political, diplomatic, trade and other factors; Product and service providers’ compliance with Chinese laws, administrative regulations and departmental rules; Other factors that may jeopardize the security of critical information infrastructure and national security.
According to the Measures on Cybersecurity Review, the Cybersecurity Review Office is set up in the Cyberspace Administration of China. The specific work is entrusted to China Network Security Audit Technology and Certification Center.
Question 3: Will cyber security reviews limit foreign products?
In response to the question, officials from the Cyberspace Administration of China (CAC) said that the purpose of the censorship is to safeguard national cybersecurity, not to restrict or discriminate against foreign products and services. “Opening up to the outside world is our basic state policy, and the policy of welcoming foreign products and services into the Chinese market has not changed.”
“China’s cybersecurity censorship system is designed to treat domestic and foreign suppliers equally. Any product or service that meets the cybersecurity baseline can be used in critical information infrastructure, regardless of the nationality of the supplier or the origin of the product, creating a level playing field and environment for the global market for cybergoods and services.” Cui Congcong pointed out.
In addition, Cui Congcong believes that China’s censorship measures clarify the five main considerations of censorship, which can maximize the fairness and transparency of censorship activities, and is conducive to eliminating the concerns of all parties regarding cyber security censorship system as a “policy tool.”
Q4. What are the legal liabilities for violation of the review method?
Typically, a cyber security review is completed within 45 working days, with an extension of 15 working days in complex cases. An additional 45 working days or more may be required for items under the special review process.
According to the provisions of Article 65 of the Cybersecurity Law, those who fail to declare for cybersecurity review, or use products and services that fail to pass the cybersecurity review, shall be ordered to stop using by the relevant competent authorities and imposed a fine of more than one time and less than ten times of the purchase amount; The person in charge directly responsible and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan.
According to the Measures for Cyber Security Review, operators should urge product and service providers to fulfill the commitments made in the cyber security review, and the cyber security review office should strengthen supervision in advance, during and after the incident by accepting reports and other forms. According to Mr Cui, this means overseeing the extension to the entire life cycle of online products and services.
Measures for cybersecurity review
April 27, 2020China.org.cn
The state Internet information office, the National Development and Reform Commission, Ministry of Industry and Information Technology, the Ministry of Public Security, state security, the People’s Bank of China, Ministry of Finance, the Ministry of Commerce, state administration of market supervision and management, state administration of radio, television, the watchdog, the state password administration jointly established the network security review methods, are hereby published.
Zhuang Rongwen, director of the Cyberspace Administration of China
He Lifeng, director of the National Development and Reform Commission
Miao Wei, Minister of Industry and Information Technology
Minister of Public Security Zhao Kezhi
Minister of State Security Chen Wenqing
Minister of Finance Liu Kun
Zhong Shan, Minister of Commerce
Yi Gang, governor of the People’s Bank of China
Xiao Yaqing, head of the State Administration for Market Regulation
Nie Chenxi, Director General of the National Radio and Television Administration
Tian Jing, director of the National Administration of State Secrets Protection
Li Zhaozong, head of the National Cryptography Administration
April 13, 2020
Measures for cybersecurity review
Article 1 These Measures are formulated in accordance with the State Security Law of the People’s Republic of China and the Cyber Security Law of the People’s Republic of China for the purpose of ensuring the security of the supply chain of critical information infrastructure and safeguarding national security.
Article 2 Where an operator of critical information infrastructure (hereinafter referred to as the operator) purchases network products and services that affect or may affect national security, it shall conduct a cyber security review in accordance with these Measures.
Article 3 of the network security review against network security risk and promote the combination of advanced technology application, fair and transparent process combined with the protection of intellectual property rights, pre-approved combined with continuous regulation, enterprise commitment and the combination of social supervision, from the product and service security, the national security risk of review.
Article 4 Under the leadership of Cyberspace Affairs Commission of the CPC Central Committee, State Internet information office jointly with the National Development and Reform Commission of the People’s Republic of China, the People’s Republic of China Ministry of Industry and Information Technology, the Ministry of Public Security of the People’s Republic of China, the Ministry of State Security of the People’s Republic of China, the People’s Republic of China Ministry of Finance, the Ministry of Commerce of the People’s Republic of China, the People’s Bank of China, national market supervision and management of taxation, state administration of radio, television, state The State Secrets Protection Administration and the National Cryptography Administration shall establish a working mechanism for national cybersecurity review.
The Cybersecurity Censorship Office is located in the Cyberspace Administration of China (CAC), which is responsible for formulating relevant rules and regulations for cybersecurity censorship and organizing cybersecurity reviews.
Article 5 When purchasing network products and services, an operator shall prejudge the national security risks that may be brought about by the use of such products and services. If it affects or may affect national security, it shall report to the cybersecurity review office for cybersecurity review.
The protection department of critical information infrastructure may formulate the forecast guidelines for its own industry and field.
Article 6 for declaring the procurement activities of network security audit, operators should through the procurement documents, agreements and other requirements of products and services provider with network security review, including the promise not to use to provide convenient conditions of products and services illegal access to user data, control and manipulate user equipment, without any justified reason, don’t interrupt supply or the necessary technical support services, etc.
Article 7 When applying for cybersecurity review, an operator shall submit the following materials:
(1) a declaration;
(2) an analysis report on the impact or possible impact on national security;
(3) Purchase documents, agreements, contracts to be signed, etc.;
(4) Other materials needed for cybersecurity review.
Article 8 The cyber security examination office shall, within 10 working days upon receipt of the examination declaration materials, determine whether the examination is necessary and notify the operation operator in writing.
Article 9 The cyber security review focuses on the national security risks that may arise from the purchase of cyber products and services, taking into account the following factors:
(1) Illegal control, interference or damage of key information infrastructure brought about by the use of products and services, as well as the risk of theft, disclosure or damage of important data;
(ii) Harm of interruption of product and service supply to business continuity of critical information infrastructure;
(3) the security, openness, transparency, diversity of sources, reliability of supply channels and the risk of supply interruption due to political, diplomatic, trade and other factors;
(4) Products and service providers’ compliance with Chinese laws, administrative regulations and departmental rules;
(5) Other factors that may endanger the security of critical information infrastructure and national security.
Article 10. The network security audit office think the need for network security audit, issue a written notice to the operators shall finish preliminary examination within 30 workdays as of the date of, including forming the review conclusion Suggestions and will review conclusion suggested sending unit of member of network security review mechanism, relevant key information infrastructure protection department for advice; If the case is complicated, it can be extended for 15 working days.
Article 11 Members of the cybersecurity review working mechanism and relevant key information infrastructure protection departments shall, within 15 working days from the date of receiving the review conclusions and suggestions, reply to the opinions in writing.
If the member units of the network security review working mechanism and relevant key information infrastructure protection working departments agree, the network security review office shall notify the operator of the review conclusion in written form; In case of disagreement, it shall be dealt with in accordance with the special examination procedure and the operator shall be notified.
Article 12 according to the special review procedures, the network security audit office shall listen to the relevant departments and units, analyzing evaluation, form the review conclusion advice again, and ask for member of network security review mechanism and related key information infrastructure protection department, according to the program to the central network security and information commission approved, Form the review conclusion and notify the operator in writing.
Article 13 The special examination procedures shall generally be completed within 45 working days, and may be extended appropriately in complicated cases.
Article 14 Where the Cyber Security Review Office requests supplementary materials, the operators, product and service providers shall cooperate. The time of submitting supplementary materials shall not be counted into the time of review.
Article 15 The cyber products and services that the members of the cybersecurity review working mechanism believe affect or may affect national security shall be examined by the Cybersecurity Review Office in accordance with the provisions of these Measures after being reported to the Cyberspace Affairs Commission of the CPC Central Committee for approval according to procedures.
Article 16 The relevant institutions and personnel participating in the cyber security review shall strictly protect the business secrets and intellectual property rights of the enterprises, and undertake the confidentiality obligation for the undisclosed materials submitted by the operators, product and service providers, and other undisclosed information learned during the review; Information shall not be disclosed to unrelated parties or used for purposes other than review without the consent of the providing party.
Article 17 If an operator or a network product or service provider considers that an examiner is not objective and fair, or fails to assume the confidentiality obligation for the information acquired during the examination, it may report it to the cyber security examination office or the relevant department.
Article 18 The operator shall urge the product and service providers to fulfill the commitments made in the cyber security review.
The Office of Network Security Review has strengthened supervision in advance and after the event by accepting reports and other forms.
Article 19 Where an operator violates the provisions of these Measures, it shall be dealt with according to Article 65 of the Cybersecurity Law of the People’s Republic of China.
Article 20 The operators of critical information infrastructure in these Measures refer to the operators identified by the protection department of critical information infrastructure.
The term “network products and services” as mentioned in these Measures mainly refers to core network equipment, high-performance computers and servers, large-capacity storage equipment, large-scale databases and application software, network security equipment, cloud computing services, and other network products and services that have an important impact on the security of key information infrastructure.
Article 21 Where State secret information is involved, the relevant provisions of the State on confidentiality shall apply.
Article 22 These Measures shall come into effect as of June 1, 2020, and the Measures for Security Examination of Network Products and Services (for Trial Implementation) shall be abolished at the same time.
“Network security review methods” to answer the reporter asked
Recently, the Cyberspace Administration of China, the National Development and Reform Commission and other 12 departments jointly issued the “Measures for Internet Security Review” (hereinafter referred to as the Measures). Officials of the Cyberspace Administration of China answered questions on the Measures.
Ask: Would you please introduce the background of the introduction of the method?
A: Critical information infrastructure is critical to national security, economic security, social stability, and public health and safety. The purpose of establishing the cyber security review system in China is to find and avoid risks and hazards brought by purchasing products and services to the operation of critical information infrastructure, ensure the security of the supply chain of critical information infrastructure and safeguard national security through the cyber security review. The promulgation of the Measures provides an important institutional guarantee for China to carry out network security review.
Q: What is the legal basis for cybersecurity censorship?
A: The cyber security review is a work carried out in accordance with the National Security Law and the Cyber Security Law. Article 59 of the National Security Law stipulates that the state establishes a system and mechanism for national security review and supervision, and conducts state security review on network information technology products and services that affect or may affect national security, as well as other major matters and activities. Article 35 of the Cyber Security Law stipulates that “operators of critical information infrastructure purchasing network products and services that may affect national security shall pass the national security review organized by the Cyberspace Administration of the People’s Republic of China and the relevant departments of the State Council”.
Q: What does the cyber security review focus on?
A: The cyber security review focuses on assessing national security risks that may arise from the purchase of network products and services by operators of critical information infrastructure, including: the risk of unauthorized control, interference or damage of critical information infrastructure after the use of products and services, as well as the risk of theft, disclosure or damage of important data; Hazards to business continuity of critical information infrastructure caused by interruptions in the supply of products and services; The security, openness, transparency, diversity of sources, reliability of supply channels and the risk of supply disruptions due to political, diplomatic, trade and other factors; Product and service providers’ compliance with Chinese laws, administrative regulations and departmental rules; Other factors that may jeopardize the security of critical information infrastructure and national security.
Q: Which network operators purchase products and services that need to be considered for a cyber security review?
A: If critical information infrastructure operators purchase network products and services that affect or may affect national security, they should conduct a cyber security review in accordance with the Measures.
In accordance with the Notice on Matters Related to the Safety and Protection of Critical Information Infrastructure issued by Cyberspace Affairs Commission of the CPC Central Committee, Telecommunications, radio and television, energy, finance, road water transportation, railway, civil aviation, postal, water conservancy, emergency management, health, social security, national defense science, technology and industry and other industries in the field of important network operators and information system in purchasing products and services, shall, in accordance with the “method”) to consider network security review.
Q: When do you declare for a cybersecurity review?
A: In general, critical information infrastructure operators should file for a cybersecurity review before formally signing a contract with a product or service provider. If the contract is declared for cyber security review after signing, it is recommended to indicate in the contract that the contract shall be effective only after the purchase of products and services has passed the cyber security review, so as to avoid the loss caused by the failure to pass the cyber security review.
Q: Is there a time limit for cyber security review?
A: Normally, a cyber security review is completed within 45 working days, with an extension of 15 working days in complex cases.
An additional 45 working days or more may be required for items under the special review process.
In accordance with the requirements of the Measures, the time required to provide supplementary materials does not count into the time limit for review.
Q: How are the trade secrets and intellectual property rights of critical information infrastructure operators and product and service providers guaranteed during the review process?
A: The cyber security review fully respects and strictly protects the intellectual property rights of enterprises. The regulations stipulate that relevant institutions and personnel involved in the cyber security review should strictly protect the business secrets and intellectual property rights of enterprises, and keep confidential undisclosed materials submitted by operators of key information infrastructure, product and service providers, as well as other undisclosed information learned from the review. Information shall not be disclosed to unrelated parties or used for purposes other than review without the consent of the providing party. Operators of critical information infrastructure or product and service providers may report to the cyber security review office or relevant authorities if they believe that the censors are not objective and impartial, or fail to assume confidentiality obligations for the information acquired during the review.
Q: Will cybersecurity reviews limit or discriminate against foreign products and services?
A: The Measures clearly stipulate the content to be censored, which shows that the purpose of the censorship is to safeguard national cyber security, not to restrict or discriminate against foreign products and services.
Opening up to the outside world is our basic state policy, and our policy of welcoming foreign products and services into the Chinese market remains unchanged.
Q: What legal responsibilities should be borne for violating the provisions of the Measures?
Answer: according to “network security law” 65th regulation, ought to declare network security to examine and did not declare, or use network security to examine the product that did not pass and service, be ordered to stop using by concerned competent branch, place purchases amount one time above 10 times the following fine; The person in charge directly responsible and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan.
Q: To whom do we declare cybersecurity reviews?
A: According to the Measures, the Cybersecurity Review Office is set up in the Cyberspace Administration of China. The specific work is entrusted to China Network Security Audit Technology and Certification Center.
Under the guidance of the cyber security review office, the China Cyber Security Review Technology and Certification Center shall undertake the tasks of receiving the declaration materials, conducting formal examination of the declaration materials, and conducting specific organizational examination.