China Reveals More Details on Its Impending Cyber Security Law

Source Link

Ron Cheng , 

With the impending summer effective date of China’s Cyber Security Law (the Law), the Cyber Administration of China (the CAC) issued clarifying draft “Inspection Measures on Network Products and Services” (the Draft, available here) on February 4, 2017. We previously discussed the Law here and provide details about the Draft.

Origins and focus of the Draft

The Draft focuses on safety certification and inspections, as well as the obligations of “critical information infrastructure operators” (CIIOs) to undergo certain inspections. The Draft’s focus on security inspection began with CAC’s network security self-inspection initiative for critical information infrastructures, announced in July 2016 (official report available here). Comments on the Draft -- to the extent made public -- will help inform this important administrative process.

The Draft expands safety inspection requirements in the Law

In some respects, the Draft appears to be broader than the Law itself. While the Law requires only “network security products and services procured by critical information infrastructure operators (CIIOs)” to pass inspection, the Draft adds that “important network products and services” used by information systems that affect national security and the public interest are subject to its inspection requirements. Otherwise, the term “network products and services” are not defined in the Draft or the Law.

China will establish a Network Security Inspection Committee

The CAC, together with unspecified administrative departments, will establish a “network security inspection committee.” The committee will administer inspection policies and oversee network security inspections .

With the impending summer effective date of China’s Cyber Security Law (the Law), the Cyber Administration of China (the CAC) issued clarifying draft “Inspection Measures on Network Products and Services” (the Draft, available here) on February 4, 2017. We previously discussed the Law here and provide details about the Draft. Origins and focus of the Draft The Draft focuses on safety certification and inspections, as well as the obligations of “critical information infrastructure operators” (CIIOs) to undergo certain inspections. The Draft’s focus on security inspection began with CAC’s network security self­inspection initiative for critical information infrastructures, announced in July 2016 (official report available here). Comments on the Draft — to the extent made public — will help inform this important administrative process. The Draft expands safety inspection requirements in the Law In some respects, the Draft appears to be broader than the Law itself. While the Law requires only “network security products and services procured by critical information infrastructure operators (CIIOs)” to pass inspection, the Draft adds that “important network products and services” used by information systems that affect national security and the public interest are subject to its inspection requirements. Otherwise, the term “network products and services” are not defined in the Draft or the Law. Ron Cheng Contributor Ron Cheng is a partner at O'Melveny and a former federal prosecutor. Opinions expressed by Forbes Contributors are their own. China will establish a Network Security Inspection Committee The CAC, together with unspecified administrative departments, will establish a “network security inspection committee.” The committee will administer inspection policies and oversee network security inspections . Third­Party inspection The Draft also calls for evaluations to be conducted by third parties and the retention of an expert inspection committee. Third­party evaluators will need to refer to industry standards on controllability, transparency and credibility. The expert inspection committee will be responsible for evaluating security risks and security reputations for network products and services. These third­party organizations must keep confidential information collected in these investigations. Network product and service providers must cooperate with inspections. A network security inspection office (either under the CAC or created by the network security inspection committee) will report on the results of these inspections. Inspection of CIIOs As for CIIOs, the Draft calls upon supervising authorities for finance, telecommunication, energy, and other critical industries to conduct security inspections on network products and services. The Draft also requires CIIOs to ensure network security products and services pass inspection, if national security could be affected. While those operators are not defined, the Draft delegates authority to bureaus that handle protection of those infrastructures to determine what products and services could affect national security. According to the Draft, inspections should address the following risks: (i) the risk of illegal control, interference or interruption to the operations of these products and services; (ii) the risk in the research, delivery and technical support of products and critical components; This article is available online at: 2017 Forbes.com LLC™ All Rights Reserved (iii) the risk of providers using these products and services to illegally collect, store, process or use users’ information; (iv) the risk that providers unfairly compete or impair their users’ interests; and (v) a catch­all for “other risks that could endanger national security and public interests.” Even if adopted, the Draft is not likely to be the last word on the Law, whether from the CAC or another regulatory body. As the Draft suggests, the scope of Chinese regulation could differ in some measure from the Law itself.