On February 4, 2017, the Cyberspace Administration of China published a draft of its proposed Measures for the Security Review of Network Products and Services (the “Draft”). Under the Cybersecurity Law of China, if an operator of key information infrastructure purchases network products and services that may affect national security, a security review is required. The Draft provides further hints of how these security reviews may actually be carried out, and is open for comment until March 4, 2017.
According to the Draft, any critical network products and services used in information systems or purchased by operators of key information infrastructure that may affect national security and the public interest are subject to a network security review.
The Draft would establish a potentially significant standard that would be commonly applied in security assessments performed under the Cybersecurity Law. These security assessments would focus on verifying that products or services are “secure and controllable.” The concept of “security and controllability” has appeared before, both in the State Security Law of China and in guidelines for the banking and telecommunications sectors, but here it is being applied in the context of the new Cybersecurity Law.
It remains to be seen how this term would be interpreted in the context of the new Cybersecurity Law. The exact requirements to determine if a product or service is “secure and controllable” are still not provided in the Draft, and even after being established, may evolve over time. However, under the Draft, the process of determining whether a product or service is “secure and controllable” would take the form of a risk assessment, under which the following risks would be principally analyzed: (1) the risk that the product or service may be illegally controlled, interfered with or suspended; (2) the risks arising during development, delivery and technical support of the product or service; (3) the risk that the provider of the product or service may use it to illegally collect, store, process or use the personal information of its users; (4) the risk that the provider of the product or service may engage in unfair competition or infringe upon the interests of users, by taking advantage of their reliance on the product or service; and (5) any other risks that may jeopardize national security or the public interest.
The Cyberspace Administration of China will establish a network security review commission, which will cooperate with third-party institutions to evaluate these risks.