The Cyberspace Administration of China (CAC) issued a new draft cybersecurity regulation on 21 May 2019. This draft is a planned extension of the Cybersecurity Law issued in 2017 that placed greater restrictions on foreign firms operating in China. The new regulation creates the requirement for review of imported network equipment to determine if such equipment represents a risk to national security. The vagueness of the language indicates that the new law could be used to block the import of almost any US-manufactured network hardware.
The language of this draft sets up the requirement for review if “operators [are] procuring network products and services that could influence national security.” Some provisions indicate this would include any equipment that might face “supply chain security threats.” This presumably means that equipment that could be manufactured with corrupt components, or that was technically compromised en route, would be a potential national security risk. The draft additionally calls for review if “the supply chain security of a product or service could be disrupted due to non-technical factors like politics, diplomacy, and trade.” The draft also includes catch-all language that would trigger a review if “other risks and dangers” were suspected. Any suspicious imports are to be reported to the CAC Cybersecurity Review Office, and all cases will be submitted from the CAC up its chain to the Central Cybersecurity and Informatization Commission for approval.
The draft was issued one week after the US executive order that blocked US companies from doing business with Huawei for national security reasons. The timing suggests that this regulation is being put into place as a counter to US actions, setting the conditions for blocking US equipment imports into China in retaliation for the moves against Huawei.
Full report link: IR-19-051 CN Modifies CyberLaws Retaliation for Huawei Ban FINAL.pdf