USA HEAD OFFICE 1818 N Street, NW Suite 200 Washington, DC 20036

Similar documents
US-China Business Council Comments on The Draft Cybersecurity Law

OPTIMIZING CONNECTIVITY: Updated Recommendations to Improve China s Information Technology Environment

CHAPTER 13 ELECTRONIC COMMERCE

Inapplicability to Non-Federal Sales and Use

Comments on the Draft Policy Statement PS-ANE published online for public comment at

Section One of the Order: The Cybersecurity of Federal Networks.

China s New Cybersecurity Law

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

环球律师事务所. Ren Qing Partner GLOBAL LAW OFFICE. Beijing, June

CHAPTER 19 DIGITAL TRADE. a covered investment as defined in 1.4 (General Definitions);

DFARS Cyber Rule Considerations For Contractors In 2018

Legal framework of ensuring of cyber security in the Republic of Azerbaijan

6 CONCLUSION AND RECOMMENDATION

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Cyber Security Guidelines for Defining NIAP Scope Statements

Progress Report Negotiations on the Registrar Accreditation Agreement Status as of 1 March 2012

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Open Data Policy City of Irving

LAW OF THE REPUBLIC OF KAZAKSTAN «ON CERTIFICATION»

Standards Authorization Request Form

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release September 23, 2014 EXECUTIVE ORDER

MOTION FOR A RESOLUTION

OF ELECTRICAL AND ELECTRONICS ENGINEERS POWER & ENERGY SOCIETY

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

ISO/IEC INTERNATIONAL STANDARD. Information technology Software asset management Part 1: Processes and tiered assessment of conformance

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

26 May Victoria Learmonth Prudential Supervision Department PO Box 2498 Wellington

Cyber Security Law --- Are you ready?

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Regulating Cyber: the UK s plans for the NIS Directive

International Conference on Automation, Mechanical Control and Computational Engineering (AMCCE 2015)

(Ordinance of the Ministry of Posts and Telecommunications No. 64-November 16,

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

2. What do you think is the significance, purpose and scope of enhanced cooperation as per the Tunis Agenda? a) Significance b) Purpose c) Scope

13967/16 MK/mj 1 DG D 2B

JOINT MOTION FOR A RESOLUTION

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

HUMBOLDT COUNTY Website Accessibility Policy

Memorandum of Agreement

European Union Agency for Network and Information Security

Re: Special Publication Revision 4, Security Controls of Federal Information Systems and Organizations: Appendix J, Privacy Control Catalog

Examination Guidelines for Design (Provisional translation)

General Data Protection Regulation (GDPR)

G7 Bar Associations and Councils

BENCHMARKING PPP PROCUREMENT 2017 IN ARMENIA

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

NAI Mobile Application Code

General Framework for Secure IoT Systems

GLOBAL INDICATORS OF REGULATORY GOVERNANCE. Scoring Methodology

Data Processing Agreement

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

BENCHMARKING PPP PROCUREMENT 2017 IN GABON

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

Sector(s) Public administration- Information and communications (50%), General public administration sector (50%)

Ⅰ.. Legal Regime on Telecommunications in China Ⅱ.. Background and Process for Making the Telecommunications Law Ⅲ.. Main Issues Addressed by the Draf

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

Navigation and Vessel Inspection Circular (NVIC) 05-17; Guidelines for Addressing

Benefits of Open Cross Border Data Flows

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

OpenChain Specification Version 1.2 pc6 (DRAFT) [With Edit Markups Turned Off]

Inter-American Port Security Cooperation Plan

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

Cyber Security and Cyber Fraud

Written Statement of. Timothy J. Scott Chief Security Officer The Dow Chemical Company

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

Funding University Inc. Terms of Service

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

China s New Cybersecurity Law: Data Protection, Data Transfer and Breach Investigations in the World s Second Largest Economy

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Scope Cyber Attack Task Force (CATF)

E-Signature Law of Iraq no. ( 78) of 2012

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Application Guideline for BOP/Volume Zone Business Support Coordinator UZBEKISTAN in FY 2015

ENISA s Position on the NIS Directive

Draft Resolution for Committee Consideration and Recommendation

WORLD TRADE ORGANIZATION

Cybersecurity Risk Management:

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

The Value of ANSI Accreditation. Top 10 Advantages. of accredited third-party conformity assessment

NASD NOTICE TO MEMBERS 97-58

The NIS Directive and Cybersecurity in

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Alberta Reliability Standards Compliance Monitoring Program. Version 1.1

Discontinuing the Metallic Handcuffs Compliance Testing Program and Request for

CANADA S ANTI-SPAM LEGISLATION: Getting ready for July 1 st, 2014

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Regulations for Compulsory Product Certification

Directive on Security of Network and Information Systems

BENCHMARKING PPP PROCUREMENT 2017 IN ALGERIA

Standard Setting and Revision Procedure

Transcription:

US-China Business Council Comments on The Draft Measures for Security Review of Online Products and Services March 6, 2017 On behalf of the more than 200 members of the US-China Business Council (USCBC), we appreciate the opportunity to provide comments to the Cybersecurity Administration of China (CAC) on the Draft Measures for Security Review of Online Products and Services (the Draft Measures). Our member companies represent a wide variety of industries, including companies that sell and purchase information security products and services, as well as companies that operate and use information networks. These diverse members are united in their commitment to promoting and participating in an open, healthy commercial environment that supports China s development and promotes the use of information technology as a driver of economic growth. USCBC and our members recognize that the drafting of these measures reflects a desire by the Chinese government to promote information security and the lawful rights of Chinese citizens and organizations. Our companies share these goals, and have global expertise in working with governments and other industry players to achieve these objectives while promoting robust industry development. Many of our members have long offered high-quality information security products and services in China, contributing actively to the development of this industry. We recognize the Draft Measures as part of a broader emerging legal framework that includes the draft cybersecurity strategy, the Counterterror Law, the Cybersecurity Law, and the National Security Law. USCBC encourages clarification of how the Draft Measures will relate to these measures, as well as other existing laws and regulations. These include, but are not limited to, China s Criminal Law, the development of China s cybersecurity review regime, and the existing MLPS framework that was promulgated by the Ministry of Public Security in 2007. USCBC appreciates the opportunity to offer additional comments on the Draft Measures. We recommend clarification of some articles; we also note that certain obligations imposed on companies and government agencies may actually hinder the cybersecurity goals of the Draft Measures. Addressing these concerns in a comprehensive manner will ensure China s information security by encouraging companies to deploy the best and most secure technology available in China. Article 1: The Draft Measures indicate network products or services are subject to a secure and controllable review. However, this article does not cross-reference key terms such as key network products and services with existing articles contained in the National Security Law of the People s Republic of China or the Cybersecurity Law of the People s Republic of China, nor does it define these terms. USCBC recommends that CAC define the extent and scope of network products and services to either confirm USA HEAD OFFICE 1818 N Street, NW Suite 200 Washington, DC 20036 BEIJING Tel: 202-429-0340 Fax: 202-775-2476 Email: info@uschina.org www.uschina.org SHANGHAI

Page 2 that it is products and services provided by network operators, as defined in the Cybersecurity Law of the People s Republic of China, or otherwise clarify the term if it does not align with this definition. USCBC suggests narrowing the scope of network products by defining network products as core communications infrastructure equipment including routers, switches, bridges and inter-network gateways. We also recommend explicitly stating that terminals and edge/access equipment are excluded from the definition of network products. Article 1 further notes that the cybersecurity review is based on public interests, a term not included in the two laws cited above. Since there is no clear definition of public interests as they pertain to cybersecurity, this term is vulnerable to inconsistent interpretation and is likely to create confusion in enforcement and compliance with the law. We therefore suggest that the term public interests be deleted from the final version of the Measures. Article 2: Article 2 should clarify what online products and services are related to National Security and Public Interests. Article 23 of the Cybersecurity Law defines similar products as critical equipment for networks and dedicated products for cybersecurity. USCBC suggests the Draft Measures adopt the same terminology used in the Cybersecurity Law if the intention is to refer to the same set of products and services. Additionally, we suggest the definition of network products and services not include open source products used in information systems developed by financial and other institutions. These clarifications should also state that the review only applies to the network products and services, not the information systems using those products and services. As noted in our comments on Article 1, we suggest that public interests be deleted from the final version of the Measures. Article 3: The Draft Measures indicate that network products & services and their suppliers are subject to the cybersecurity review. We recommend CAC recognize existing global best practices of utilizing relevant international standards and best practices to ensure suppliers maintain supply chain integrity. As such, we suggest replacing their suppliers with supply chain. We further suggest CAC either issue implementing guidelines or provide supplementary information detailing the cybersecurity review methodology. Aligning the cybersecurity review methodology to international standards would be a positive initiative and meet China s goal of aligning with international standards processes. Article 4: Article 4 details risks that trigger a cybersecurity review. However, as written these risks are overly vague and better addressed by existing review and enforcement mechanisms. For example:

Page 3 Article 4.3 indicates that user information is a national security concern; user information is best protected through the enforcement of existing regulations outside the scope of national security reviews, for example, the Cybersecurity Law. Article 4.4 states that products and services which can be used for unfair competition are subject to cybersecurity review. Competition challenges would be better addressed if existing regulations were enforced by the three competition enforcement regulators (NDRC, AIC, MOFCOM). Article 4.5 covers other risks that may endanger national security and public interest. This is overly broad and could potentially cover all products and services in the market. USCBC suggests that section 3, 4, and 5 be deleted. Or, to make clarification of how the Draft Measures will relate to other existing laws and regulations. Article 6: The Draft Measures currently offer no prohibition of potential conflicts of interest or explicit protections of intellectual property submitted through the expert review process. CAC should consider additional steps to ensure trade secret information is protected during expert panel reviews and that competitors are not named as experts on review panels. To do this, USCBC recommends that additional language be added to the Draft Measures, based on the following principles: Prevent individuals with a conflict of interest in a review from serving on an expert panel. CAC should also establish rules prohibiting the naming of experts with clear conflicts of interest to applicants expert panels and requiring those with a conflict of interest be removed. Institute a formal process for applicants to dispute expert panel nominations where conflicts of interest exist. This process should include a public timeline for consideration, review, and resolution of the dispute to minimize disruptions in the investment process. Ensure that applicants can provide input on expert panel nominations. CAC should provide updated and complete lists of approved experts to companies and allow them to nominate a certain number of experts to the panel. Institute clear guidelines for requests involving sensitive company information. CAC should require experts to support information requests with substantiated facts, commercial experience, and sound science. Clear and formal processes should be created to manage such requests, including a timeline in which requests must be made and for companies to respond. Provide clear information about the rules governing certification, selection, use, and operating conduct of expert panels. This information should be distributed to officials, industry, and the public via implementing measures, public seminars, or other means. It should also include obligations for experts to withdraw from a case based on a conflict of interest. Article 6 further stipulates that the trustworthiness of suppliers is a factor in the cybersecurity review. Without a definition, the term is difficult to evaluate. We suggest replacing and the security and trustworthiness of the suppliers with including the use of relevant international standards to address supply chain risks. Article 8:

Page 4 Article 8 notes that both national industry associations and the voices of market entities can trigger cybersecurity reviews. USCBC is concerned that these terms are overly broad and might be abused by some enterprises to achieve an unfair competitive advantage. We suggest deleting or any national industry association, or based on the voices of market entities to limit these competitive concerns. USCBC further recommends that CAC clearly articulate the process through which the organization under review can appeal a negative review result. Article 8 also stipulates that the results of the cybersecurity review will be made public. USCBC suggests that all information available publicly be approved by the organization under review and only general product and service information which does not contain information that might be considered trade secrets be made public. Article 9: Article 9 defines key sectors subject to the cybersecurity review by relevant ministries, but the sectors specified differ from the industry sectors defined as Critical Information Infrastructure under Article 31 of the China Cybersecurity Law. USCBC suggests CAC align the key sectors with the industry sectors defined as Critical Information Infrastructure under Article 31 of the China Cybersecurity Law for consistency and to avoid potential confusion. Article 10: Article 10 indicates that government departments and key sectors will give priority to products which have passed the cyber security review. We recommend that CAC define the meaning of give priority, and limit this requirement to only Critical Information Infrastructure as defined under the China Cyber Security Law rather than all companies in those sectors. We further suggest this requirement apply only to the purchase of new equipment. Article 11: Article 11 indicates that any product or service procured by the operators of critical information infrastructure (CII) should undergo cybersecurity review. The Draft Measures cover a broad range of CII while simultaneously leaving the specific scope to be determined by other regulations. We suggest CII be fully defined and a list of all industries considered CII be published for public comment. We also suggest that regulators further clarify the departments in charge of CII protection, particularly for cross-sector network products. Article 13: Article 13 requires third party institutions and other relevant units and personnel have an obligation to keep any information obtained from the security review secure and secret, and are not permitted to use this information for purposes outside of the cybersecurity review. We further recommend that expert panelists should be required to return or destroy all data collected during their work on an expert panel. Regulations should outline specific consequences when such provisions are violated. CONCLUSION

Page 5 USCBC thanks the Cybersecurity Administration of China for providing this opportunity to comment on the draft regulations. We hope that these comments are constructive and useful to the Cybersecurity Administration of China as it reviews the draft measures. We would appreciate the opportunity for further dialogue on these issues and are happy to follow up as appropriate. The US-China Business Council END Contact: Jake Parker, Vice President, China Operations Tel: 010-6592-0727 Fax: 010-6512-5854 E-mail: jparker@uschina.org.cn

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback