The Cyberspace Administration of China Released the First Batch of Network Products that Are Subject to Security Review
The Cyberspace Administration of China ("CAC") recently released the first batch of its "Catalog", a listing of the specific network products that have been identified for review under China's new Cybersecurity Law. This article summarizes the new equipment provisions, as the CAC continues to provide updates on the specific provisions of China's cybersecurity review mechanism.
China's recently established cybersecurity legal regime requires that, inter alia, (i) network products and services shall comply with the mandatory requirements of relevant national standards (Art.22, PRC Cybersecurity Law); (ii) key/critical network equipment and specialized cybersecurity products shall be security-certified or examined before being sold or supplied (Art.23, PRC Cybersecurity Law); (iii) the cyberspace administration authority shall release a catalog listing the critical network equipment and specialized cybersecurity products that are subject to such security review and certification (Art.23, PRC Cybersecurity Law); and (iv) critical network products and services include those that concern national security (Art.2, Measures for Security Review of Network Products and Services, the "Measures", effective as of June 1, 2017).
On June 9, 2017, the CAC released on its website an "Announcement on Releasing the 'Catalog of Critical Network Equipment and Specialized Cybersecurity Products (First Batch)'", with the Catalog being attached to the Announcement as an annex and dated June 1, 2017. The June 1 date on the Catalog annex indicates that, as a legal matter, the Catalog took effect as of June 1, the same date that the PRC Cybersecurity Law and Measures became effective.
The Announcement
The CAC's Announcement clarified that the Catalog was prepared jointly by several Chinese government authorities, including the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Certification and Accreditation Administration of the PRC. It reaffirmed that equipment and products falling under the Catalog shall be security-certified/examined by a qualified institution before being sold or supplied (Art.1).
The Announcement further clarifies (Art.3) that:
- Where critical network equipment or a specialized network security product is to be security-examined: once the equipment passes the examination, the examining institution shall report the result (including for equipment/products that had already passed the examination and remained within their valid term before the issuance of the Announcement) to the Ministry of Industry and Information Technology and the Ministry of Public Security of the PRC;
- Where critical network equipment or a specialized network security product is to be security-certified: once the equipment is certified, the certifying institution shall report the result (including for equipment/products that had already been certified and remained within their valid term before the issuance of the Announcement) to the Certification and Accreditation Administration of the PRC.
The Catalog (First Batch)
The Catalog annexed to the Announcement indicates that it is the first batch of equipment/products identified for cybersecurity review, and one could reasonably expect that further equipment/products will be added to the list via second, third or fourth releases. The Catalog is one of the central features of the cybersecurity law’s enforcement scheme because it shows what parts of a network’s architecture and operation the government is interested in monitoring and regulating.
The first batch of equipment/products identified in the Catalog includes the following (informal translation, for reference purposes only):
Critical Network Equipment
1. Router
Scope: Throughput of the whole system (two-way) ≥12Tbps
Routing table capacity of the whole system ≥ 550k routes
2. Switch
Scope: Throughput of the whole system (two-way) ≥30Tbps
Packet switching rate of the whole system ≥10Gpps
3. Server (Rack Type)
Scope: CPU ≥8
Single CPU core ≥14
Memory capacity ≥ 256GB
4. Programmable Logic Controller (PLC Equipment)
Scope: Controller execution time ≤0.08 microseconds
Specialized Cyber Security Products
5. Data Backup Machine
Scope: Backup capacity ≥ 20T
Backup speed ≥ 60MB/s
Backup time interval ≤ 1 hour
6. Firewall (Hardware)
Scope: Whole firewall throughput ≥80Gbps
Maximum number of concurrent connections ≥ 3 million
New connections per second ≥80Gbps
7. WEB Application Firewall (WAF)
Scope: Throughput of the whole application ≥6Gbps
Maximum number of HTTP concurrent connections ≥ 2 million
8. Intrusion Detection System (IDS)
Scope: Maximum inspection rate ≥15Gbps
Maximum number of concurrent connections ≥ 5 million
9. Intrusion Prevention System (IPS)
Scope: Maximum inspection rate ≥20Gbps
Maximum number of concurrent connections ≥ 5 million
10. Security Isolation and Information Exchange Products (Gatekeeper)
Scope: Throughput ≥1Gbps
System delay ≤ 5ms
11. Anti-Spam Products
Scope: Connection processing rate (connection / sec) > 100
Average delay <100ms
12. Network Integrated Audit System
Scope: Capturing speed ≥5Gbps
Record storage capacity ≥ 50k / sec
13. Network Vulnerability Scanner
Scope: Maximum number of IPs scanned concurrently ≥60
14. Secure Database System
Scope: TPC-E tpsE (Transactions per second) ≥4500
15. Web Site Recovery Product (Hardware)
Scope: Time of recovery ≤2ms
Longest site path ≥ Level 10