Report to whom? Competing security vulnerability rules of the US and China
On 26 May 2022, the Bureau of Industry and Security (BIS) under the U.S. Department of Commerce revised Section 740.22 Authorised Cybersecurity Exports, among other things, of the Export Administration Regulations (US ACE Rules). The new US ACE Rules impose more restrictions on countries named in its “Country Group D” list (so-called “Countries of Concern”), where mainland China has sat for a number of years. Described as a “long-awaited” change, the US ACE Rules establish a complex series of controls over Chinese entities, including a substantial limitation regarding China’s access to information about cyber vulnerabilities.
Focuses of the new US rule
The US ACE Rules require entities to obtain a license from BIS before they may export certain cybersecurity-related items to, or conduct any activities related to vulnerability disclosure to, any Chinese entity associated with the Chinese government. Such cybersecurity items are those that can be used in furtherance of malicious cyber activities, including software, hardware, technology, and certain IP network communications surveillance tools. To put it another way, any US company co-operating or doing business with a Chinese entity partially operated or owned by the Chinese government will need to apply for a license from BIS before sending any alert or notice regarding security vulnerabilities in its products or services to that Chinese business partner.
The implementation of this new rule has raised firm concerns among some of the US’ internet giants that have substantial businesses in China. For instance, Microsoft has publicly commented that the new rule’s licensing requirements are “so complex and burdensome” that they will “chill collaboration on cybersecurity issues or activities to address incidents and vulnerabilities,” as US exporters will be required to check whether an entity is affiliated with a government before communicating with it. Microsoft’s suggestion to either remove or modify such requirements was rejected by BIS on grounds related to US national security and foreign policy interests.
Conflicting rules – the US v. China
The US ACE Rules appear to create a practical conflict with China’s Administrative Provisions on Security Vulnerabilities in Network Products, which took effect last September (PRC Vulnerability Rules). While the US ACE Rules require a license for any activities related to vulnerability disclosure, the PRC Vulnerability Rules require certain internet service/product providers – which would cover US groups’ Chinese subsidiaries – to report security vulnerabilities to Chinese authorities within 2 days of discovery.
From a mere timing perspective, it will undoubtedly be challenging for any multinational corporation (MNC) to comply with both rules concurrently.
Violation of the US ACE Rules can lead to serious consequences under the Export Administration Regulations, both civil and criminal, including fines and criminal prosecution. On the other hand, US companies’ Chinese subsidiaries that are subject to the supervision of Chinese authorities could face fines or other administrative penalties under the PRC Cybersecurity Law for failing to report a vulnerability.
PRC rules – recap on the regulation
1. Scope of regulation
The PRC Vulnerability Rules apply to network product providers and network operators, as defined in the PRC Cybersecurity Law and relevant national standards, within the PRC.
- Network products are “hardware, software or systems that, as part of the network, realise network functions, collect, store, transmit, exchange and process information according to certain rules and procedures.” These products, as we understand, cover “computers, communication equipment, information terminals, industrial control network equipment, system software and application software.” Therefore, the concept of network product providers catches providers of all these products, including the Chinese subsidiaries of international IT and software companies.
- Network operators are “any information system, website and app operators” in China. Any entities registered in the PRC with an information system, even as simple as a company website, can constitute a network operator.
As we can see, network product providers would be a much smaller group than network operators. The former clearly addresses the suppliers of basic hardware and software of networks, while the latter covers the operators of various information networks.
Foreign-invested enterprises in mainland China are captured under the PRC Vulnerability Rules, but the rules do not seem to assert extraterritorial application on overseas registered entities.
As most companies operating in China will generally be treated as network operators, only certain general obligations under the PRC Vulnerability Rules will apply to them, including:
- Being encouraged to inform network product providers of any security vulnerabilities in their products (i.e., no hard obligation to report vulnerabilities to government authorities and no express sanction for failing to report).
- Taking immediate remedial actions upon discovery of security vulnerabilities.
Network product providers
The PRC Vulnerability Rules include some additional reporting requirements applicable to network product providers. These key obligations include:
- Reporting to the government authorities within 2 days of discovery of a product vulnerability.
- Notifying upstream product providers of the security vulnerability in its product upon discovery.
- Promptly notifying users and downstream manufacturers of the risks of these vulnerabilities and the method of repair if their actions are needed to update the product or implement other relevant measures.
The US ACE Rules and PRC Vulnerability Rules, while both have meaningful underlying interests to protect, inevitably create actual compliance obstacles for entities engaged in cross-border operations between the US and mainland China.
As China has already shown its attitude through the enforcement of its rule, it remains to be seen how strictly the US ACE Rules will be implemented. There are various situations where an MNC in the information technology industry could be presented with the dilemma of how to fulfil the US requirement to obtain a license and report to the Chinese authorities in a timely manner when one of its engineers, in either market, finds a new vulnerability which could have a huge impact on numerous customers.
With both countries seeking to have better control over domestic data security, this impasse in the area of network vulnerability is unlikely to be the end of the challenges facing internet and other tech-focused companies.
(Thanks Ouyi Ye and Crystal Hu for the support in drafting this article.)
The new rules create a host of complications even for software companies outside of China, as many of them work with Chinese researchers who are covered by the new law.