China has implemented new rules for buying tech equipment in a move to bolster the country's cybersecurity.
The new rules, announced yesterday by the Cyberspace Administration of China (CAC), requires "critical information infrastructure operators" to undergo a review for any tech products or services that "affect or may affect" national security".
Under the new rules, companies must submit procurement documents, purchase agreements, and an analysis of the deal's potential national security impact for government review before signing a contract. The review process is expected to take up to 45 working days, but may take up to three months to resolve in more complicated cases.
The regulation's wording says the Chinese government will consider "political, diplomatic, and trade factors" as part of any review.
The review will involve both "pre-examination" and, ominously, "continuous supervision". The CAC did not respond to The Register's request for clarification of just what those phrases mean.
An obvious consequence of the rules is that Chinese companies might buy local instead of putting themselves at risk of lengthy reviews. If many do so, it will be bad news for foreign tech companies. Many of those come from the USA, which is negotiating new trade arrangements with China after making it very hard for Chinese companies Huawei and ZTE to do business on its soil, or for Chinese companies to use American tech. Today the USA also shook its fist at four Chinese telcos.
Robyn Chatwood, a cybersecurity expert at law firm Dentons, argues that China's attempts to beef up its cybersecurity predate the trade tensions with the US. She points out that the new regulation replaces a set of 2017 trial measures from before the trade wars began, which called for reviews of "supply chain" and "security" risks in production, testing, delivery or technical support.
"The direction of travel in China is about data protection generally. You've certainly got that background context of the trade war," Chatwood said. "But I don't think the regulation is targeting anyone - it's just that the US dominates these areas so it impacts them the most heavily."
Jim Fitzsimmons, a director at cyber consultancy at Control Risks, agreed. "They were going to do this anyway," he said. "This is part of a bigger programme. The motivation behind all these things is how poor cybersecurity is in China. The government has identified this as a strategic risk and these are all the things they're trying to do to fix it."
He argued that China's policies are not so different from other countries'. "Any country when they think of their own [critical information infrastructure], they want to make sure they're doing the right thing around protecting and evaluating so they're not introducing risk to their system. But some countries are further down the road and more explicit. China is different in how it presents these things and put these things forward."
The Chinese government defines critical information infrastructure operators loosely to include energy, telecommunications, transportation, finance, defense, military, administrative management, as well as cloud computing, big data, and the Internet of Things.
The new policy comes into effect from June 1. The previous regulations can be found here. ®