MIIT issues the draft implementing measures on security examination of critical network equipment
The Ministry of Industry and Information Technology (“MIIT”) issues the draft Implementing Measures on Security Examination of Critical Network Equipment (“Draft”) on 5 June 2019.
Critical Network Equipment (“CNE”) refers to the network equipment listed in the Catalogue of Critical Network Equipment and Specialised Network Security Products (the “Catalogue”). In accordance with the PRC Cybersecurity Law, all products and equipment listed in the Catalogue shall either obtain a security certificate or pass security examination prior to sale or providing the products and equipment. The Draft provides that if an enterprise chooses to go through security examination, it shall be subject to the regulations of the Draft.
An enterprise shall submit all required documents to the MIIT, provide a CNE testing sample to a qualified security examination institution, and obtain a security examination report from the institution. The MIIT will review the reports and publish lists of CNEs that pass the security examination. The result of a security examination is valid for 3 years.
MIIT issues the draft administrative provisions on network security vulnerabilities
The MIIT issues the draft Administrative Provisions on Network Security Vulnerabilities (“Provisions”) on 18 June 2019.
If any network service, product provider or network operator (collectively “Network Operator”) discovers or acknowledges that there are network security vulnerabilities in its service, product or system, it shall immediately verify the vulnerabilities and take repair or preventive measures within 90 days (for network products) or 10 days (for network services or systems). If users or relevant technical partners need to make repairs or take preventive measures, the Network Operator shall notify these affected parties and provide necessary technical support. The Network Operator shall also share information regarding the vulnerabilities and the remedial measures taken to the MIIT and other relevant authorities.
In respect of any third party organisations or individuals, it shall not release any vulnerabilities before the Network Operator publish its repair or preventive measures to society or users, shall not deliberately exaggerate the hazards and risks of vulnerabilities, and shall ensure all the information released to the public are accurate and only to the extent of necessary.
MIIT launches the special action plan for nationwide data security inspections
The MIIT issues the Special Action Plan for Increasing the Network Data Protection Capacities in the Telecom and Internet Industry (“Action Plan”) on 1 July 2019.
The Action Plan lasts for one year, the competent relevant authorities will focus on the following aspects: (i) requiring basic telecom enterprises and influential internet enterprises to conduct data security compliance assessments which are suitable to their business models and can address the data security risks raised by the internet of things, satellite internet, AI and other new technologies and applications; (ii) removing Apps that have illegal or improper activities regarding collection or use of personal information, and urging App store operators to verify the authentic identity of users and recommend Apps that obtain data security certificates; (iii) monitoring and conducting enforcement investigations on data leakage and other data security incidents; (iv) guiding pilot enterprises to establish internal data lists and data classification management systems, and establishing industry data protection catalogues in accordance with the sensitivity of the data and the harm that may result from data breaches; and (v) strengthening the supervision on the establishment of enterprises’ internal data security management systems and the data international cooperation activities.
NPC issues the draft cryptography law of the PRC
The Standing Committee of National People's Congress issues the draft Cryptography Law of the PRC (“Cryptography Law”) on 5 July 2019.
Cryptography is defined as products, technology and services using specific transformations to ensure encrypted protection or security authentication. Cryptography is divided into core, common and commercial cryptography. Core and common cryptography, are state secrets which are themselves used to protect state secrets, and therefore subject to strict and unified administration. Commercial cryptography may be used by citizens, legal persons and other organisations to ensure network and information security.
If any commercial cryptography relates to national security, national welfare and the people’s livelihood, or public interest, the cryptography shall be listed in the Catalogue of Critical Network Equipment and Specialised Network Security Products, and shall only be sold or provided after obtaining a security certificate or passing a security examination. If a cryptography service is provided for critical network equipment or specialised network safety products, the service shall obtain a security certificate or pass security examination. When any critical information infrastructure operator or national organ procures or uses any internet service or product relating to commercial cryptography, which may affect national security, the internet service or product shall go through a national security check.
China will implement both import-licensing and export controls on commercial cryptography which relates to national security or the public interest.
Please click here to read the full text (Chinese only) of the Cryptography Law.
CAC issues the security assessment measures of cloud computing service
The Cyberspace Administration of China (“CAC”), jointly with 3 other authorities, issues the Security Assessment Measures of Cloud Computing Service (“Measures”) on 22 July 2019. The Measures will come into effect on 1 September 2019.
The Measures apply to the security assessments of cloud computing software and hardware, as well as the relevant management systems (collectively the “Cloud Platforms”), which are used to provide cloud services to political parties, government organs, and critical information infrastructure operators.
The focus of security assessments include: credit and operation status of service providers; background and stability of the personnel of service providers, in particular the personnel who have access to users data and metadata; security of supply chain technologies, products and services of Cloud Platforms; the security management capability of service providers and the security defense status of Cloud Platforms; the feasibility and convenience of data portability; and the business continuity of service providers.
The results of security assessments will be issued by professional institutions, and will be reviewed and published by an organisation under the CAC. The result of an assessment will be valid for 3 years.
However, the Measures do not specify whether passing the security assessments will become a condition for providing cloud services to the political parties, government organs, and critical information infrastructure operators.
Please click here to read the full text (Chinese only) of the Measures.