China is moving forward with its plans to vet all Internet service providers and networking hardware for what it claims is cyber security reasons.
The Cyberspace Administration of China issued a draft outline of ‘Measures for Security Reviews of Network Products and Services’ on Saturday, as Beijing prepares to enact several laws that would increase its control over cyberspace.
The law of the land
In addition to its plans to require “critical information infrastructure operators” to store personal information and business data within China, provide “technical support” to security agencies, and go through national security reviews, CAC has further ambitions.
The Administration will work with other agencies “to increase the controllability of network product and service security, to prevent supply chain security threats, and to preserve national security and the public interest,” CAC writes (translated by China Law Translate).
The agency wants to provide “enterprise assurances and social oversight, combine third-party assessments and government supervision and management; combine laboratory testing, on-site inspections, online testing, background investigations; in carrying out network security reviews of network products and services.”
CAC wishes to establish a Network Security Review Committee and a Network Security Review Experts Committee, which will work with the State Internet Information Office to “carry out comprehensive assessment of network products’ and services’ security risks and their providers’ security credibility status, based on third-party assessments.”
In addition, “competent departments for key industries such as finance, telecommunications and energy, are to organize and carry out network safety review efforts in that industry or field, based on the requirements of State network security review work.”
Any network products that fail reviews will not be available for purchase by the government or ‘key industries.’
“Whether network products and services that are purchased by critical information infrastructure operators might impact national security is determined by the departments working on critical information infrastructure protections,” it continues.
The Network Security Review Office will occasionally publish reports on its security assessments, but there does not seem to be a set schedule or criteria for release. The document concludes: “The State Internet Information Office is responsible for interpretation of these Measures.”
Zuo Xiaodong, VP of the China Information Security Research Institute and an adviser on Internet policies, told the South China Morning Post: “Many countries screen information products and services because of security concerns, though they might not call it censorship,”
He pointed to the fact that Huawei and ZTE are unable to work on US governmental contracts due to security concerns.
Western corporations, however, have been less than enthused with the direction China’s cyber security laws seem to be heading. More than 40 global business groups petitioned Chinese Premier Li Keqiang last August, while last December companies including Microsoft, Intel and IBM have filed objections against a law that could see them forced to hand over proprietary source code.