Zhao Zeliang's Thoughts on Cybersecurity Review Regime

On September 7, at a press conference for the Wuhan "Cybersecurity Technology Summit," CAC Cybersecurity Coordination Bureau Director-General Zhao Zeliang made public statements regarding China's Cybersecurity Review Regime, stressing that the review regime applies equally to all and is not directed against any particular country or enterprise. Zhao further noted that with time, foreign companies no longer view the regime, which was announced in May 2014, as worrisome, and have instead shifted to an attitude of "understanding and cooperation".

However, in his remarks, Zhao also stated that the Snowden incident proves how certain countries with technological advantages can use ICT products to manipulate the system and gain illegitimate interests in large-scale collection of personal information and data, implicitly calling out the US among the sources of the problem. He then went on to say that in order to have leverage in this type of environment, China must establish its own review regime, which entails regulations, a binding code of conduct and standards.

Relevant standardization work with regard to the review regime includes the in-effect GB/T 31167-2014 "Information Security Technology - Security Guide of Cloud Computing Services" and GB/T 31168-2014 "Information Security Technology - Security Capability Requirements of Cloud Computing Services." "Personal Information Protection Norms" are currently being drafted, along with other upcoming standards research, as noted in the Several Opinions on Strengthening National Cybersecurity Standards Work that CAC released at the end of August. Hopefully the national standardization work will bring a certain level of transparency and clarity to the review regime, and provide opportunities for industry consultation to help streamline the process and ensure realization of the stated "non-discriminatory" intent.

The focus of the review regime is product "security and controllability", aimed at preventing product providers from conveniently controlling, interfering with or interrupting user systems illegally, as well as from collecting, storing, processing and using user information illegally. The subject scope of the review includes both important information technology products and their providers. The review regime is already applied to cloud computing services for the Party and government agencies, and will continue to be implemented with broader coverage of the industry.