China to Start Security Checks on Technology Companies in June
China will launch new security reviews on foreign and domestic technology suppliers starting June 1, implementing a key element of its new cybersecurity law aimed at tightening state control over technology and information.
The review will apply to companies that provide network products and services. As such, it will likely include companies such as International Business Machines Corp. and Microsoft Corp. that sell hardware and software in China.
Although the standards are more restrictive than current practices, the measures announced this week are less restrictive than draft measures circulated for industry comment in February.
The measures will apply to foreign companies providing hardware or services to Chinese companies in sectors including energy, transportation and finance, as well as those selling to government agencies, public services and other "critical infrastructure." Those suppliers will have to submit their products and services for review to a new committee administered by China's internet regulator, the Cyberspace Administration of China.
Product security will be evaluated by benchmarks including vulnerability to tampering, supply-chain risks and customer-information protection. The committee can also turn down a product for unspecified risks to national security.
The checks are being implemented to ensure technology is "secure and controllable," the Cyberspace Administration wrote in the announcement dated Tuesday. The term "secure and controllable" has been controversial, with foreign companies saying they have come under pressure in Beijing to reveal proprietary information such as source code to prove their products are secure.
The U.S. government also requires strict security checks for technology products used by the military and other sensitive government departments. But such mandatory checks don't extend into a broad range of industries like in China.
Chinese regulators toned down some of the language in response to industry comment. The scope of the rules was narrowed from national security and public welfare to just national security. A line specifying that government departments can't purchase technology products that didn't pass review was dropped.
But as with many Chinese regulations, the Network Products and Services Security Review procedures are vague and broad enough to give authorities significant leeway. The measures are marked for "trial implementation," suggesting they may be modified.
Write to Eva Dou at eva.dou@wsj.com
(END) Dow Jones Newswires
May 03, 2017 04:30 ET (08:30 GMT)