Draft Security Review Measures for Network Products and Services Released
On February 4, the Cyberspace Administration of China (CAC) released a Notice on the Draft Security Review Measures for Network Products and Services for public comment (referred to as draft review measures hereafter), with a deadline of March 4, 2017. The draft security review measures are an important supplement to the implementation of the National Security Law and Cybersecurity Law, and aim to enhance the 'secure and controllable' levels of network products and services, guard against supply chain security risks, and safeguard national security and public interests.
The concept of a National Security Review Regime was initially introduced by CAC in 2014, triggered by a series of incidents involving Huawei and ZTE in 2012 and the Snowden revelations in 2013. CAC claimed that important information technology products and services used in information systems in connection with national security and public interests should be subject to cybersecurity review. After more than two years of preparation, CAC officially released the draft measures for public comment.
The draft measures expand the scope of the review to "information systems in connection with national security and public interests" rather than strictly following the National Security Law (NSL) and Cybersecurity Law (CSL), both of which stipulate that security review should only address products and services that risk national security.
The draft measures also target suppliers through background investigations and assessments of the suppliers' security and trustworthiness, and mandate the Cybersecurity Review Office to release security assessment reports.
Overall, the draft measures include several undefined terms and a scope that is open to broad interpretation, have many overlapping terms that create confusion, introduce a number of new players with no clear rationale, and contain a series of articles of concern. The draft measures have a far-reaching impact on the ICT industry and could create entry barriers for suppliers of network products and services in certain critical sectors.