The Cyberspace Administration of China Released the First Batch of Network Products that Are Subject to Security Review

CERT-LatestNews Malware Security News SocialEngineering ThreatsActivists ThreatsCybercrime ThreatsEconomic ThreatsStrategic

Dechert LLP

The Cyberspace Administration of China (“CAC”) recently released the first batch of “Catalog” – a listing of the specific network products that have been identified for review under China’s New Cybersecurity Law. This article summarizes these new equipment provisions, as the CAC continues to provide updates on China’s cybersecurity review mechanism’s specific provisions.

China’s recently established cybersecurity legal regime requires that, inter alia, (i) network products and services shall comply with the mandatory requirements of relevant national standards (Art.22, PRC Cybersecurity Law); (ii) key/critical network equipment and specialized cybersecurity products shall be security-certified or examined before being sold or supplied (Art.23, PRC Cybersecurity Law); (iii) the cyberspace administration authority shall release a catalog listing the critical network equipment and specialized cybersecurity products that are subject to such security review and certification (Art.23, PRC Cybersecurity Law); and (iv) critical network products and services include those that concern the national security (Art.2, Measures for Security Review of Network Products and Services, the “Measures”, effective as of June 1, 2017).

On June 9, 2017, the CAC released on its website an “Announcement on Releasing the ‘Catalog of Critical Network Equipment and Specialized Cybersecurity Products (First Batch)'”, with the Catalog being attached to the Announcement as an annex and dated June 1, 2017. The June 1 date on the Catalog annex indicates that, as a legal matter, the Catalog took effect as of June 1, the same date that the PRC Cybersecurity Law and Measures became effective.

The Announcement

The CAC’s Announcement clarified that the Catalog was prepared jointly by several Chinese government authorities, including the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Certification and Accreditation Administration of the PRC. It reaffirmed that equipment and products falling under the Catalog shall be security-certified/examined by a qualified institution before being sold or supplied (Art.1).

The Announcement further clarifies that: (Art.3)

  • Where a critical network equipment/specialized network security product is to be security-examined: once the equipment passes the examination, the examining institution shall report the result (including those equipment/products that have already passed the examination and were remaining in their valid term before the issuance of the Announcement) to the Ministry of Industry and Information Technology and the Ministry of Public Security of the PRC;
  • Where a critical network equipment/specialized network security product is to be security-certified: once the equipment is certified, the certifying institution shall report the result (including those equipment/products that have already been certified and were remaining in their valid term before the issuance of the Announcement) to the Certification and Accreditation Administration of the PRC.

The Catalog (First Batch)

The Catalog annexed to the Announcement indicates that it is the first batch of equipment/products identified for cybersecurity review, and one could reasonably expect that there will be further equipment/products being added to the list via a second, third or fourth releases. The Catalog is one of the central features of the cybersecurity law’s enforcement scheme because it shows what parts of a network’s architecture and operation the government is interested in monitoring and regulating.

The first batch of equipment/products identified in the Catalog includes the following (informal translation, for reference purpose only):

 

  Catalog of Equipment or Products

Scope

Critical Network Equipment

1.        Router

Throughput of the whole system (two-way) ≥12Tbps

Routing table capacity of the whole system ≥ 550k routes 

2.        Switch

Throughput of the whole system (two-way) ≥30Tbps

Packet switching rate of the whole system ≥10Gpps

3.        Server (Rack Type)

CPU ≥8

Single CPU core 14

Memory capacity 256GB

4.        Programmable Logic Controller (PLC Equipment)

Controller execution time ≤0.08 microseconds

Specialized Cyber Security Products

5.        Data Backup Machine

Backup capacity ≥ 20T

Backup speed ≥ 60MB / s

Backup time interval ≤ 1 hour

6.        Firewall (Hardware)

Whole firewall throughput ≥80Gbps

Maximum number of concurrent connections ≥ 3 million

New connections per second ≥80Gbps

7.        WEB Application Firewall (WAF)

Throughput of the whole application ≥6Gbps

Maximum number of HTTP concurrent connections ≥ 2 million

8.        Intrusion Detection System (IDS)

Maximum inspection rate ≥15Gbps

Maximum number of concurrent connections ≥ 5 million

9.        Intrusion Prevention System (IPS)

Maximum inspection rate ≥20Gbps

Maximum number of concurrent connections ≥ 5 million

10.     Security Isolation and Information Exchange Products (Gatekeeper)

Throughput ≥1Gbps

System delay ≤ 5ms

11.     Anti-Spam Products

Connection processing rate (connection / sec) > 100

Average delay <100ms

12.     Network Integrated Audit System

Capturing speed ≥5Gbps

Record storage capacity ≥ 50k / sec

13.     Network Vulnerability Scanner

Maximum number of concurrent scan of IP ≥60

14.     Secure Database System

TPC-E tpsE (Transactions per second) ≥4500

15.     Web Site Recovery Product (Hardware)

Time of recovery ≤2ms

Longest site path ≥ Level 10

http://www.jdsupra.com/legalnews/the-cyberspace-administration-of-china-32171/

Tagged