Implementation of and Response to the Cybersecurity Review Measures (《网络安全审查办法》)

Published: 15 June 2020


【Summary】


The security and stable operation of critical information infrastructure are vital to safeguarding national security and the public interest. The Cybersecurity Review Measures, jointly released by the Cyberspace Administration of China, the National Development and Reform Commission and ten other departments (twelve in total), set out more detailed rules on the scope and implementation of the cybersecurity review regime. Taking the implementation of and response to the Measures as its main thread, this article analyses the review principles, the initiation of a review, the review procedure and the factors considered during a review. Drawing on industry practice, it also examines, from the perspectives of both the critical information infrastructure operator (the procurer) and the supplier of network products and services, how the design and improvement of procurement processes and procurement agreements can better implement the requirements of the Measures.


Readers who wish to learn more about the review procedure may also contact the authors for the briefing "Cybersecurity Review Measures: Procedural Analysis".




 

1. Introduction


On 27 April 2020, the Cyberspace Administration of China (“CAC”) and eleven other government agencies jointly released the Cybersecurity Review Measures[1] (the “Measures”), which came into effect on 1 June 2020. The Measures are an important implementing regulation giving effect to the China Cybersecurity Law[2] (the “CSL”) and the National Security Law of China[3].


According to the Measures, a security review is required if the procurement of network products and services by an operator of critical information infrastructure (“CII”) may have an impact on national security.


Since the release of the final text of the Measures, there has been a fair amount of commentary focusing on the compliance obligations of CII operators but relatively little discussion of how suppliers of network products and services might be affected. This article discusses both. First, it looks at the essential elements from the compliance perspective, and then it discusses the wider implications of the Measures from the procurement perspective, with particular emphasis on the possible impact on the procurement timeline and on the respective obligations of the procurer and the supplier.


 

2. Scope of Coverage



2.1 Key Concepts


The Measures cover “the procurement of network products and services by a CII operator which has an impact or may have an impact on national security”.


Its exact scope hinges on three concepts: (i) CII operator, (ii) network products and services, and (iii) impact on national security. A substantive assessment is needed to determine the impact on national security (discussed in the following sections); in this section we focus mainly on the concepts of “CII operator” and “network products and services”.



2.2 CII Operator


It is of particular concern to both domestic and foreign-invested businesses whether or not they may be classified as an operator of CII. This is understandable, as an operator of CII is subject to more onerous cybersecurity obligations than an ordinary network operator under the CSL[4]. The expressions used to delimit the boundary of a CII operator are not entirely consistent across the CSL, the draft CII Security Protection Regulations[5], the Implementation Guidance on National Cybersecurity Inspection and other instruments[6].


The current approach is for the authorities to proactively identify and inform a business if they consider that it falls into the category of CII operator, and priority is largely placed on those network systems that have completed Level 3 filing under the Multi-level Protection System. Publicly available information suggests that the authorities adopt a restrictive approach to identifying CII operators[7].


Currently, except for those operators already identified as CII operators, it is difficult for other businesses to predict with certainty through self-assessment whether they constitute a CII operator solely on the basis of the broadly couched provisions of the CSL. The situation will probably improve when regulations in the pipeline and additional guidance are released at a later stage.



2.3 Network Products and Services


Theoretically speaking, any network product or service may carry risks that threaten the security of a network, but it is equally apparent that the Measures intend to strike a balance between safeguarding cybersecurity and promoting advanced technology, and this requires the Measures to define carefully the types of network products and services that are covered.


The definition under the Measures offers a list of generic names for those products and services, namely core network equipment[8], high-performance computers and servers, mass storage equipment, large-scale databases and application software, cybersecurity equipment, cloud computing services, and other network products and services which have a significant impact on the security of CII.


It appears that more detailed technical specifications are needed to further refine the scope of the products and services[9].



2.4 Impact on National Security


The substantive assessment is discussed in the following sections; here we simply add that, to meet the criterion of “impact on national security”, both the severity of the risks and the probability of their occurrence appear to need to reach certain thresholds. In other words, the range of factors provided in the Measures determines how widely the net of “national security” is cast.



2.5 Control Devices


The three key concepts are essentially control devices that set the jurisdictional reach of the Measures. Recalling the legislative intent of the Measures, the three key concepts should be defined with precision so that the jurisdictional reach of the Measures is properly delimited, and the provisions of the Measures reflect such a prudent policy consideration.


At the same time, the three control devices are fluid concepts that remain open to re-definition and further interpretation. Any change in how any of the three key concepts is calibrated will lead to a significant change in the scope of coverage of the Measures.


 

3. Initiation of the Review Procedure



3.1


The review procedure may be initiated by either (i) a CII operator who procures network products and services or (ii) a member or members of the cybersecurity review working mechanism, subject to the approval of the Central Cyberspace Affairs Commission[10].



3.2


The notable difference between the two routes is that initiation by member(s) of the cybersecurity review working mechanism is subject to an additional check and balance from the top regulator.



3.3


The same review procedure applies irrespective of who initiates it.


 

4. Substantive Assessment Criteria



4.1 Factors to be Considered


The following factors[11] need to be taken into account, assuming the products and services are put into use:


(a) risks that the CII is illegally controlled, interfered with or destroyed, or that important data is stolen, leaked or destroyed;

(b) the damage to the CII’s business continuity in the case of suspension of supply or services;

(c) the safety, openness, transparency, diversity of sources of the products or services, the reliability of supply channels, and the risks of supply interruption due to political, diplomatic, trade and other factors;

(d) compliance with the PRC laws and regulations by the provider of products and services;

(e) other factors that may endanger the CII’s security and national security.



4.2 Focal Points of Review


Each of these factors points to a distinct focal point of review for a specific product or service. The first three factors deal with the adverse consequences the product or service may bring about for the CII’s security, in ascending order of reach. The first factor focuses on the functions of the CII and the data the CII controls, so it is centred on the CII itself. The second factor goes further to ask whether the CII’s business continuity would be affected, implying that the effect on upstream and downstream stakeholders (including end users) would be considered. The third factor stretches wider still to consider the potential effect on the security and stability of the supply chain, which entails weighing the interplay of strategic factors.


As to compliance with PRC laws and regulations, the provider’s compliance with the Multi-level Protection System under the CSL is obviously one relevant criterion. Other criteria may well cover both cybersecurity and general regulatory aspects, for example whether an ICP filing or licence has been completed or obtained, or whether the licence or permit required for a specific business activity has been obtained.


The last factor is a catch-all provision, and it remains to be seen in practice how it will interact with the foregoing four factors.


 

5. Procedure


The Measures improve the clarity of the procedure. The particulars of the composition of the cybersecurity review working mechanism and of the relevant CII protection departments, and the mechanism for inter-agency collaboration, will probably be further refined during implementation.


 

6. Violations


Contravention of the Measures may be subject to the penalties set out in Article 65 of the CSL.


Attention should be paid to how the fine on the CII operator is calculated: it is one to ten times the procurement amount, so the higher the procurement amount, the heavier the penalty in the case of a violation.


In addition, a fine of CNY 10,000 to CNY 100,000 may be imposed on the person directly in charge and other persons held directly liable. Allocating liability among directly responsible persons may not be as straightforward as it seems and will require case-specific analysis. The point to highlight is that differences in the manner of power delegation and in the organisational structure of a business would probably lead to different outcomes in liability allocation.


One should not underestimate the drastic consequences of Article 65, since the competent authority will order the CII operator to stop using the network product or service in the case of contravention. This will likely trigger a series of contractual consequences vis-à-vis the supplier, including termination of the contract and claims for damages by the supplier.


The above penalties are cumulative.


 

7. Impact on CII Operator


In this section we shift the focus from the Measures themselves to how they might affect the CII operator (i.e. the procurer) in commercial reality. First of all, the procurer will need to collect sufficient information to determine whether a review is required. In the first instance, the procurer will likely do so by requesting additional documentation from the supplier to demonstrate the compliance of the products and services. If the procurer is prima facie satisfied with the security of the products and services, it may go further and carry out a more complete analysis having regard to the range of factors stated in the Measures, and may use technical means to verify and audit the products and services. Although it is not yet clear how far the CII operator must go to demonstrate that it has fulfilled its obligations under the Measures, it is quite certain that simply relying on the contractual undertakings of the supplier would hardly suffice.


Further, if the CII operator considers that it should file an application for review, it will need to reserve sufficient time to clear the process and to negotiate the procurement contract, for example by adding tailored clauses on conditions precedent, termination and breach of contract so that the risks and uncertainties are properly allocated between the parties. Of course, the CII operator also has to be prepared for both eventualities: is there an alternative supplier of the products and services if the review is not passed?


Equally important, the CII operator should not overlook binding the supplier in the procurement contract to cooperate[12] and to provide supplementary materials as requested by the Cybersecurity Review Office.


 

8. Impact on Supplier of Network Products and Services


From the standpoint of a supplier, one issue coming to the fore is the extent to which it will need to cooperate with the CII operator to address the latter’s security concerns. The issue often becomes more complicated in a real procurement context, mainly because the CII operator tends to impose two types of obligations in the contract: compliance obligations and purely contractual obligations. The former generally reflect the statutory obligations imposed on the CII operator, which it passes on to the supplier by contractual means. More problematic are the latter, as the CII operator will naturally tend to extract as much advantage as possible from the supplier. For example, it is not uncommon to see a sweeping right-to-audit clause allowing the procurer to audit the product and any associated systems or networks. In light of the Measures, the supplier may well need to consider negotiating and dealing with the two types of obligations separately.


 

9. Non-discrimination and Protection of IP and Trade Secrets


The Measures also contain provisions on the protection of trade secrets and intellectual property rights, and emphasise the confidentiality obligations of the institutions and persons involved in the review process. Echoing the principles in the Foreign Investment Law of China and its implementing regulations, the Measures aim to create a level playing field for both domestic and foreign firms.


 

10. Looking Forward


The Measures are intended to enhance the security protection of network products and services procured by CII operators. Their successful implementation will depend on how well a balance can be struck among security, efficiency and commercial certainty. At the working level, a public register of CII operators, a transparent and streamlined review procedure, timely announcement of review outcomes and efficient inter-agency collaboration are the cornerstones of a sound regulatory regime.


This article was first published in 《律商联讯》 (LexisNexis).


[1] Full text can be accessed at http://www.cac.gov.cn/2020-04/27/c_1589535450769077.htm. The draft was released for public consultation on 24 May 2019. The Measures replaced the Measures on Security Review of Network Products and Services (Trial Implementation).

[2] Article 35

[3] Article 59

[4] Article 35, the CSL

[5] There was news reporting that the draft regulation would be released in the second half of 2019. http://news.cctv.com/2019/08/22/ARTIXWrhUos1qkHZNpOgf3xK190822.shtml

[6] The Notice on Matters relating to Protection of CII is another reference, but further guidance would be required to give certainty and clarity concerning the exact ambit of CII protection.

[7] See the Implementation Report at http://npc.people.com.cn/n1/2017/1225/c14576-29726949.html

[8] Part of the products can be found in the Catalog of Critical Network Equipment and Cybersecurity Products (First Batch)

[9] Pursuant to the Measures, the relevant CII protection department may formulate sector-specific guidance to help the CII operators to determine whether or not an application would need to be filed.

[10] Articles 5 and 15, the Measures

[11] Article 9, the Measures

[12] Article 14, the Measures

About the authors

Zhao Zhongxing (赵中星), Counsel, Dentons Beijing Head Office
e-mail: zhongxing.zhao@dentons.cn

Zhang Jianmin (张建民), Partner, Dentons Beijing Head Office
e-mail: jianmin.zhang@dentons.cn

Huang Zhangling (黄章令), Lawyer, Dentons Xiamen Office
e-mail: zhangling.huang@dentons.cn
