前哨按语

2018年8月2日,美国华盛顿知名智库战略与国际研究中心(CSIS)发布报告《中国网络安全标准对在华营商的影响》(How Chinese Cybersecurity Standards Impact Doing Business In China),作者是该智库技术政策项目高级研究员萨姆·萨克斯(Sam Sacks)。该报告评估了中国近年来出台的网络安全标准可能对在华外国公司的影响,指出这些标准会给外国公司带来一系列挑战,并认为在美中贸易局势日益紧张的情况下,网络安全审查很可能是中国政府首选的反击“工具”。前哨翻译了报告的摘要以供参阅。

中国网络安全标准对在华营商的影响

报告摘要

萨姆·萨克斯(Sam Sacks)

刘金瑞 译

报告摘要:

  • 近年来中国政府出台了近300件网络安全新标准。这些标准涵盖了软件、路由器、交换机、防火墙等各种产品。

  • 这些标准使得中国对于外国公司来说成为一个日益困难的市场。这一点并不仅是就向政府或者国有企业销售产品而言,而是涉及中国所有依赖于信息与通信技术基础设施的商业市场,从制造业到交通运输业都是如此。

  • 这些网络安全新标准给外国公司带来了一系列的挑战。中国政府可以使用这些标准向公司施压,进行侵入性产品审查,其中可能需要敏感的知识产权和源代码(即使没有书面写明)作为验证和测试的一部分。为了符合某些网络安全标准,外国公司可能需要为了中国市场重新设计产品,这可能并不符合国际标准。中国的网络安全标准也为中国竞争者创造了竞争优势。首先,中国竞争者对于提供敏感信息给政府以符合这些标准,可能并不像外国公司那样在意。其次,中国监管者可能仅仅因为中国公司是本地的、不受外国政府的影响(不管是不是真的,中国对外国技术的存在某些怀疑)而更“可控”,就将中国公司视为更加安全。

  • 虽然大多数这些标准的官方说法是“推荐性的”,但在实践中很多标准可能是在中国开展商业活动所必要的。例如,这些标准被列为政府或国有企业采购的要求。除了政府客户之外,某些中国客户也可能不会从缺乏标准认证的供应商那里采购。比如就出现过客户交易不通过是因为产品缺乏认证的事例。当某些标准被行政法规援引作为配套规定时,这些标准也变成必要的。政府可能对公司违反这些标准的行为进行检查,即使这些标准官方说法并不是必要的。从销售的角度看,这存在巨大的成本。

  • 中国政府在许多中国法律和行政法规中使用模糊语言,以避免诸如与世界贸易组织(WTO)规定相冲突等问题;且同时赋予政府最大限度的灵活性以及适时使用较重规定的自由裁量权。中国政府可能也依赖于将大部分标准定为推荐性的以避免遭到抵制。仅在2017年,就有超过1000件中国标准(不限于网络安全标准)在提交世界贸易组织时由强制性国家标准降为推荐性标准。

  • 随着美中之间紧张局势加剧,与新的网络安全审查制度相关的标准,很可能会成为中国政府在贸易战中用来打击美国公司的首选工具之一。这些标准为中国政府推迟市场准入必需的认证或许可提供了机会,也为关停已经在中国取得成功的公司提供了可能。

  • 如果中国政府将网络安全标准作为贸易战比如2018年美中关税大战的报复工具,将给美国公司带来几乎无法估量的成本。不同于关税的是,政府在结束贸易战谈判中不会谈及如何调整这些标准的适用问题。结果就是,中国政府可能利用这些标准去移动外国公司在华运营的基线,这样就会在双边紧张局势过去之后产生长期影响。

  • 战略与国际研究中心(CSIS)在2015年中国网络安全法起草初期,就制定了针对日益增多的中国网络安全标准的分析和追踪框架。这一框架将这些标准分为八大类:

    1. 网络产品和服务的网络安全审查

    2. 网络关键设备和网络安全专用产品的认证和评审

    3. 安全和可控的产品和服务

    4. 等级保护制度

    5. 关键信息基础设施网络安全保护

    6. 跨境数据流动

    7. 个人数据和重要数据保护

    8. 加密

  • 由于中国仍处于努力建立网络安全标准体系的初期,因此可能会涌现更多的网络安全标准。政府如何检查公司不守标准的行为、这些标准对商业运营的影响以及这些标准如何纳入监管程序等,这些重要问题将会仍然存在。需要监控的一个关键问题是,中国政府将在多大程度上为外国公司提供可理解的程序去遵循,以避免根据新标准对外国公司进行任意检查。

  • 如果中国在接受国内标准的同时接受国际标准,会使在全球扩展业务的中国公司获益。否则,为了符合国内标准和国际标准,中国公司必须建立两套产品,这将中国公司处于劣势。

The Issue:

  • The Chinese government has issued close to 300 new national standards related to cybersecurity over the past several years. These standards cover products ranging from software to routers, switches, and firewalls.

  • These standards contribute to making China an increasingly difficult market for foreign firms to operate. This holds true not just for selling to government or state-owned enterprise (SOE) customers, but across the commercial market in China, spanning all sectors reliant on (ICT) infrastructure, from manufacturing to transportation.

  • The cybersecurity standards create a suite of challenges. The Chinese government can use standards to pressure companies to undergo invasive product reviews where sensitive intellectual property (IP) and source code (even if not explicity written) may be required as part of verification and testing. To comply with some standards, foreign firms may need to redesign products for the China market where they are not compatible with international standards. Chinese standards also create a competitive advantage for Chinese competitors for two reasons. First, they may not have the same concerns foreign companies do about providing sensitive information to the government as a condition of meeting the standards. Second, Chinese regulators may also deem Chinese companies as being more secure under the vague criteria contained in the standards simply because they are local and therefore perceived to be more “controllable” without influence from foreign governments (something China suspects of foreign technology, regardless of whether it is true).

  • Although officially most standards are deemed “recommended,” in practice many may often be required to do business in China. This is the case when standards are listed as procurement requirements for government or SOEs. Beyond government customers, some Chinese customers may not buy from vendors who lack a certification associated with certain standards (which varies widely by business or product). There have been cases in which customer deals do not go through because a product lacks a certain certification, for example. Standards also become required when paired with regulations that reference those standards. The government may audit companies against standards, even if those standards are not officially required. There may be a significant cost from a sales perspective.

  • Beijing uses vague language in standards, like in many Chinese laws and regulations, to avoid issues, such as World Trade Organization (WTO) challenges, while allowing the government maximum flexibility and discretion to apply onerous provisions when it sees fit. Beijing may also rely on the fact that most standards are recommended to avoid backlash. Over 1000 Chinese standards (not just cybersecurity standards) submitted to the WTO were downgraded from required national standards to recommendations in 2017 alone.

  • As bilateral U.S.-China tensions intensify, standards related to a new system of cybersecurity reviews are likely to be among the first tools Beijing may use to retaliate against U.S. companies in a trade war. They offer openings for the Chinese government to delay certifications or licenses needed for market access or to shut down a company which may already be successful in China.

  • If Beijing were to use cybersecurity standards as a tool of retaliation—during the 2018 U.S.-China tariff escalation, for example—it would be almost impossible to quantify the cost. Unlike tariffs, the government would likely not adjust how these standards are applied in negotiating to end a trade war. As a result, Beijing could use standards to shift the baseline for foreign firms operating in China in ways that would have an effect long after a period of short-term bilateral tension has passed.

  • CSIS created a framework for analyzing and tracking the growing body of cybersecurity standards which have come out since the early stages of drafting the Cybersecurity Law in 2015. Our framework examines standards across eight schemes:

  1. Cybersecurity Review of Network Products and Services

  2. Certification and Evaluation for Network Key Devices and Cybersecurity-Specific Products

  3. Secure and Controllable Products and Services

  4. Multi-Level Protection Scheme (MLPS)

  5. Critical Information Infrastructure (CII) Cybersecurity Protection

  6. Cross-Border Data Transfer

  7. Personal Data and Important Data Protection

  8. Encryption

  • Many more standards are likely to come as Beijing is still only in the early stages of a national effort to build out its cybersecurity standards regime. Important questions remain about how authorities will audit companies against the new standards, their effect on business operations, and how these standards fit into the regulatory process. A key question to monitor is the extent to which Beijing will lay out understandable processes for foreign firms to follow to prevent arbitrary auditing against the new standards.

  • Chinese companies seeking to expand globally would benefit from China accepting international standards in parallel with domestic standards. Chinese companies are at a disadvantage by having to build two sets of products to be compatible with domestic and international standards.

声明:本文来自网络法前哨,版权归作者所有。文章内容仅代表作者独立观点,不代表安全内参立场,转载目的在于传递更多信息。如有侵权,请联系 anquanneican@163.com。