Beijing News (Reporter Ma Jinqian)
On July 5, the Cyber Security Review Office issued an announcement to implement cyber security review on "Full Shipment", "Truck Gang", and "Direct Employment by BOSS". On July 2, the office also issued an announcement to implement a cyber security review of Didi Travel. During the review period, "Didi Travel" stopped new user registration.
Cyber security reviews have recently been launched in succession, arousing public concern. The reporter found that this is the first round of reviews officially launched since the "Network Security Review Measures" were issued in April last year.
How is cyber security review different from general review? What are the specific contents to be reviewed? What legal responsibilities will be borne for violating the measures?
Question 1: What is the difference between cyber security review and general review?
"Network security review is different from evaluation and certification, and it is also different from general review and foreign investment national security review. It focuses on reviewing whether network products or services have threats or risks that affect the security of critical information infrastructure and national security," Cui Congcong, deputy director of the Internet Governance and Law Research Center at Beijing University of Posts and Telecommunications, once pointed out in an article.
In recent years, cyber attacks on critical information infrastructure have been on the rise worldwide, involving financial, medical and health, transportation, energy, industrial control and other fields, with a wide range and serious impact. Carrying out cyber security reviews has become a common practice for countries to prevent security risks of critical infrastructure.
In accordance with the National Security Law and the Cyber Security Law, in April 2020, 12 departments including the National Internet Information Office and the National Development and Reform Commission jointly issued the Cyber Security Review Measures.
The relevant person in charge of the State Internet Information Office said when the "Cyber Security Review Measures" were released that China has established a cyber security review system with the purpose of using cyber security review to detect early and avoid the risks and hazards that the procurement of products and services brings to the operation of critical information infrastructure, to ensure the security of the critical information infrastructure supply chain, and to maintain national security.
Yin Libo, director of the National Industrial Information Security Development Research Center, once published an article pointing out that by conducting network security reviews, it is possible to predict and check the network security risks that may arise after products and services are put into use, and to prevent security incidents caused by product security vulnerabilities in the supply chain, eliminating safety hazards at the source.
Question 2: What are the main contents of the cyber security review?
The relevant person in charge of the National Internet Information Office once introduced that the network security review focuses on assessing the national security risks that may arise from the procurement of network products and services by key information infrastructure operators.
These include the risks of illegal control, interference or destruction of critical information infrastructure after the use of products and services, as well as the risk of important data being stolen, leaked, or destroyed; the harm that an interruption of product and service supply does to the business continuity of critical information infrastructure; the safety, openness, transparency and diversity of sources of products and services, the reliability of supply channels, and the risk of supply interruption due to political, diplomatic, trade and other factors; product and service providers' compliance with Chinese laws, administrative regulations and departmental rules; and other factors that may endanger the security of critical information infrastructure and national security.
According to the "Network Security Review Measures", the Cyber Security Review Office is located in the National Internet Information Office. The specific work is entrusted to the China Network Security Review Technology and Certification Center.
Question 3: Will the cyber security review restrict foreign products?
The relevant person in charge of the National Internet Information Office once responded to this issue and stated that the purpose of network security review is to maintain national network security, not to restrict or discriminate against foreign products and services. "Opening to the outside world is our basic national policy, and the policy of welcoming foreign products and services into the Chinese market has not changed."
"The design of my country's cyber security review system treats domestic suppliers and foreign suppliers equally. Products or services that meet the cyber security baseline can be used in critical information infrastructure, regardless of the supplier’s nationality and product origin; this has created a fair competitive space and environment for the global network product and service market," Cui Congcong pointed out.
In addition, Cui Congcong believes that China's review measures clarify the five main considerations of review, which can ensure the fairness and transparency of review activities to the greatest extent, and help eliminate all parties' concerns about the cyber security review system being used as a "policy tool."
Question 4: What legal responsibilities will be borne for violating the review method?
Under normal circumstances, the network security review is completed within 45 working days, and it will be extended by 15 working days if the situation is complicated. Review items that enter the special review procedure may take 45 working days or longer.
According to Article 65 of the "Cyber Security Law", if a network security review is required but not declared, or if products and services that have not passed the network security review are used, the relevant competent authority shall order the suspension of use and impose a fine of not less than one time and not more than ten times the purchase amount; the directly responsible person in charge and other directly responsible persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan.
The "Cyber Security Review Measures" require that operators should urge product and service providers to fulfill their commitments made in the cyber security review, and the Cyber Security Review Office strengthens prior and subsequent supervision by accepting reports and other forms. Cui Congcong believes that this means that supervision extends to the entire life cycle of network products and services.
Cyber Security Review Measures
April 27, 2020 Source: China Netcom
The National Internet Information Office, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of National Security, Ministry of Finance, Ministry of Commerce, People's Bank of China, State Administration for Market Regulation, State Administration of Radio and Television, State Security Administration, and State Cryptography Administration jointly formulated the "Network Security Review Measures", which are hereby announced.
Zhuang Rongwen, Director of the National Internet Information Office
He Lifeng, Director of the National Development and Reform Commission
Miao Wei, Minister of Industry and Information Technology
Minister of Public Security Zhao Kezhi
Chen Wenqing, Minister of National Security
Minister of Finance Liu Kun
Minister of Commerce Zhong Shan
Yi Gang, Governor of the People's Bank of China
Xiao Yaqing, Director of the State Administration for Market Regulation
Nie Chenxi, Director of the State Administration of Radio and Television
Tian Jing, Director of the State Secrecy Bureau
Director of the National Cryptography Administration Li Zhaozong
April 13, 2020
Cyber Security Review Measures
Article 1 In order to ensure the security of the critical information infrastructure supply chain and maintain national security, these Measures are formulated in accordance with the National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China.
Article 2 Key information infrastructure operators (hereinafter referred to as operators) purchasing network products and services that affect or may affect national security shall conduct a network security review in accordance with these Measures.
Article 3 Cybersecurity review adheres to the combination of preventing cybersecurity risks and promoting the application of advanced technology, the combination of fairness and transparency in the process with the protection of intellectual property rights, the combination of pre-review and continuous supervision, and the combination of corporate commitments and social supervision, and reviews the security of products and services and the national security risks they may bring.
Article 4 Under the leadership of the Central Cyber Security and Information Commission, the National Internet Information Office, in conjunction with the National Development and Reform Commission of the People’s Republic of China, the Ministry of Industry and Information Technology of the People’s Republic of China, the Ministry of Public Security of the People’s Republic of China, the Ministry of National Security of the People’s Republic of China, the Ministry of Finance of the People’s Republic of China, the Ministry of Commerce of the People’s Republic of China, the People’s Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, the State Security Administration, and the State Cryptography Administration, establishes a national cyber security review working mechanism.
The Cyber Security Review Office is located in the National Internet Information Office and is responsible for formulating relevant regulations and rules for cyber security review and organizing cyber security reviews.
Article 5 When an operator purchases network products and services, it shall predict the national security risks that may arise after the products and services are put into use. Purchases that affect or may affect national security should be reported to the Cyber Security Review Office for a cyber security review.
The key information infrastructure protection work department may formulate pre-judgment guidelines for this industry and this field.
Article 6 For purchasing activities that are declared for cyber security review, operators shall require product and service providers, through procurement documents, agreements, etc., to cooperate with the cyber security review, including a promise not to use the convenience of providing products and services to illegally obtain user data or illegally control and manipulate user equipment, and not to interrupt product supply or necessary technical support services without justifiable reasons.
Article 7 Operators applying for network security review shall submit the following materials:
(1) Declaration form;
(2) Analysis reports that affect or may affect national security;
(3) Procurement documents, agreements, contracts to be signed, etc.;
(4) Other materials required for network security review work.
Article 8 The Cyber Security Review Office shall, within 10 working days after receiving the review application materials, determine whether review is necessary and notify the operator in writing.
Article 9 Cyber security review focuses on assessing the national security risks that may arise from the procurement of network products and services, mainly considering the following factors:
(1) The risks of illegal control, interference or destruction of key information infrastructure brought about by the use of products and services, and the risk of important data being stolen, leaked, or destroyed;
(2) The damage to the business continuity of critical information infrastructure from the interruption of the supply of products and services;
(3) The safety, openness, transparency, diversity of sources of products and services, the reliability of supply channels, and the risk of supply interruption due to political, diplomatic, trade and other factors;
(4) Product and service providers' compliance with Chinese laws, administrative regulations, and departmental rules;
(5) Other factors that may endanger the security of critical information infrastructure and national security.
Article 10 If the Cyber Security Review Office believes that a cyber security review is necessary, it shall complete the preliminary review within 30 working days from the date of issuing a written notice to the operator, including forming review conclusions and recommendations and sending them to the member units of the cyber security review working mechanism and relevant key information infrastructure protection work departments to solicit opinions; if the situation is complicated, it can be extended by 15 working days.
Article 11 Member units of the network security review work mechanism and relevant critical information infrastructure protection work departments shall reply in writing within 15 working days from the date of receipt of the review conclusions and recommendations.
If the member units of the cyber security review working mechanism and relevant critical information infrastructure protection work departments agree, the Cyber Security Review Office shall notify the operator of the review conclusion in writing; if the opinions are inconsistent, they shall be dealt with in accordance with the special review procedure and the operator shall be notified.
Article 12 Where the special review procedure applies, the Cyber Security Review Office shall listen to the opinions of relevant departments and units, conduct in-depth analysis and evaluation, again form review conclusions and recommendations, and solicit the opinions of the member units of the cyber security review working mechanism and relevant critical information infrastructure protection work departments; after submission to the Central Network Security and Informatization Committee for approval according to the procedures, the review conclusion shall be formed and the operator notified in writing.
Article 13 The special review procedure should generally be completed within 45 working days, and can be extended appropriately if the situation is complicated.
Article 14 If the Cyber Security Review Office requires supplementary materials, operators, product and service providers shall cooperate. The time for submitting supplementary materials is not included in the review time.
Article 15 Network products and services that member units of the cybersecurity review work mechanism believe affect or may affect national security shall be submitted by the Cybersecurity Review Office to the Central Cyber Security and Information Commission for approval in accordance with procedures, and then reviewed in accordance with the provisions of these Measures.
Article 16 Relevant institutions and personnel involved in cyber security review shall strictly protect the business secrets and intellectual property rights of enterprises, and shall bear confidentiality obligations for the undisclosed materials submitted by operators and product and service providers and for other undisclosed information learned during the review; without the consent of the information provider, such information may not be disclosed to unrelated parties or used for purposes other than review.
Article 17 Operators or network product and service providers who believe that the reviewers have failed to be objective and fair, or fail to assume the confidentiality obligation for the information learned during the review, may report to the Cyber Security Review Office or relevant departments.
Article 18 Operators shall supervise and urge product and service providers to fulfill the commitments made in the network security review.
The Cyber Security Review Office strengthens supervision before and after the fact by accepting reports and other forms.
Article 19 Operators who violate the provisions of these Measures shall be dealt with in accordance with Article 65 of the "Network Security Law of the People's Republic of China".
Article 20 Critical information infrastructure operators in these Measures refer to operators recognized by the critical information infrastructure protection work department.
The network products and services mentioned in these Measures mainly refer to core network equipment, high-performance computers and servers, large-capacity storage equipment, large databases and application software, network security equipment, cloud computing services, and other network products and services important to the security of critical information infrastructure.
Article 21 Matters involving state secret information shall be handled in accordance with the relevant state confidentiality regulations.
Article 22 These Measures shall be implemented on June 1, 2020, and the Measures for the Security Review of Network Products and Services (Trial) shall be repealed at the same time.
"Cyber Security Review Measures" to answer reporters' questions
Recently, 12 departments including the State Internet Information Office and the National Development and Reform Commission jointly issued the "Cyber Security Review Measures" (hereinafter referred to as the "Measures"). Relevant persons in charge of the State Internet Information Office answered questions from reporters on issues related to the Measures.
Q: Could you please introduce the background of the "Measures"?
Answer: Critical information infrastructure is essential to national security, economic security, social stability, public health and safety. my country has established a cyber security review system with the aim of using cyber security review to detect and avoid the risks and hazards that the procurement of products and services will bring to the operation of critical information infrastructure, to ensure the security of the critical information infrastructure supply chain, and to maintain national security. The promulgation of the "Measures" provides an important system guarantee for my country's network security review work.
Q: What is the legal basis for network security review?
Answer: The cyber security review is carried out in accordance with the National Security Law and the Cyber Security Law. Article 59 of the National Security Law stipulates that the state shall establish a national security review and supervision system and mechanism to conduct national security reviews on network information technology products and services that affect or may affect national security, as well as other major matters and activities. Article 35 of the "Cyber Security Law" stipulates that "Operators of critical information infrastructure purchasing network products and services that may affect national security shall pass the national security review organized by the national cybersecurity and informatization department in conjunction with relevant departments of the State Council."
Q: What are the main contents of the network security review?
Answer: The network security review focuses on assessing the possible national security risks of the procurement of network products and services by key information infrastructure operators, including: the risk of illegal control, interference or destruction of key information infrastructure caused by the use of products and services, and the risk of important data being stolen, leaked, or destroyed; the harm to the business continuity of critical information infrastructure from product and service supply interruption; product and service security, openness, transparency, diversity of sources, and reliability of supply channels, and the risk of supply interruption due to political, diplomatic, trade and other factors; product and service providers’ compliance with Chinese laws, administrative regulations, and departmental regulations; and other factors that may endanger the security of critical information infrastructure and national security.
network security review when purchasing products and services?
Answer: Critical information infrastructure operators who purchase network products and services that affect or may affect national security should conduct a network security review in accordance with the "Measures."
In accordance with the spirit of the "Notice on Matters Concerning the Safety Protection of Critical Information Infrastructure" of the Central Network Security and Information Technology Commission, operators of important networks and information systems in industries such as telecommunications, radio and television, energy, finance, road and water transport, railways, civil aviation, postal services, water conservancy, emergency management, health, social security, and the national defense science and technology industry should consider applying for network security review in accordance with the requirements of the Measures when procuring network products and services.
Q: When will you
Answer: Under normal circumstances, critical information infrastructure operators should apply for a cyber security review before they formally sign contracts with product and service providers. If you apply for a cyber security review after signing the contract, it is recommended to indicate in the contract that this contract can only take effect after the product and service purchases pass the cyber security review to avoid losses due to failure to pass the cyber security review.
Q: Is there a time limit for the cyber security review?
Answer: Normally, the network security review is completed within 45 working days, and it will be extended by 15 working days if the situation is complicated.
Review items that enter the special review procedure may take 45 working days or longer.
According to the requirements of the "Measures", the time for supplementary materials is not included in the review time limit.
Q: How to ensure the business secrets and intellectual property rights of key information infrastructure operators and product and service providers during the review process?
Answer: The network security review fully respects and strictly protects the intellectual property rights of enterprises. The Measures stipulate that relevant institutions and personnel participating in cyber security reviews shall strictly protect business secrets and intellectual property rights, and shall bear the obligation of confidentiality for undisclosed materials submitted by key information infrastructure operators and product and service providers and for other undisclosed information learned during the review; without the consent of the information provider, such information may not be disclosed to unrelated parties or used for purposes other than review. Critical information infrastructure operators or product and service providers who believe that the reviewers have failed to be objective and fair, or have failed to assume the confidentiality obligation for the information learned during the review, may report to the Cyber Security Review Office or relevant departments.
Q: Will cyber security reviews restrict or discriminate against foreign products and services?
Answer: The "Measures" clearly stipulate the content to be reviewed. It can be seen from this that the purpose of network security review is to maintain national network security, not to restrict or discriminate against foreign products and services.
Opening to the outside world is our basic national policy, and our policy of welcoming foreign products and services into the Chinese market has not changed.
Q: What are the legal responsibilities for violating the "Measures"?
Answer: According to Article 65 of the "Cyber Security Law", those who should declare for cybersecurity review but fail to declare, or use products and services that have not passed the cybersecurity review, shall be ordered by the relevant competent authority to stop using them and shall be fined not less than one time and not more than ten times the purchase amount; the person in charge and other directly responsible persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan.
Q: To whom does the cyber security review report?
Answer: According to the "Measures", the Cyber Security Review Office is located in the National Internet Information Office. The specific work is entrusted to the China Network Security Review Technology and Certification Center.
The China Cybersecurity Review Technology and Certification Center, under the guidance of the Cybersecurity Review Office, undertakes tasks such as receiving application materials, conducting formal review of the application materials, and organizing specific review work.