Monday, February 21, 2022

Ma Ning: Implement a cybersecurity review system to ensure national cybersecurity

The original intent behind the design of the cybersecurity review system

Cybersecurity review is a type of national security review and an important national cybersecurity assurance system. By identifying and preventing the national security risks that critical information infrastructure may introduce when purchasing network products and services, it can mitigate those risks at the source and control the potential threats that cyber risks pose to national security and societal well-being.

Cybersecurity review is an institutional function for safeguarding national security, and a necessary method and means of enhancing national cybersecurity capabilities as security risks in network products and services become widespread. In recent years, the contest in cyberspace has become more complex. Globalized procurement of network products and services will inevitably face an external environment that is more open and lacks security controls, and the increasingly layered and complex supply chain will inevitably give insecure network products and services more convenient opportunities for penetration. There is no doubt that these insecure network products and services are becoming a major vehicle for cyber espionage and cyber sabotage against critical information infrastructure. Countries must be more cautious about national security risks introduced through supply chain infiltration, and establishing and implementing an effective cybersecurity review system is of great significance.

Cybersecurity review is an international practice

Given the severe state of global network security, establishing and applying a network security review system has gradually become common international practice.

The United States conducts various forms of cybersecurity review. For example, in 2000, the United States took the lead in conducting security reviews of products purchased in the national security system. In November 2013, the U.S. Department of Defense stipulated that products and services purchased by defense systems and their contractors must undergo supply chain security reviews. The Omnibus Continuing Appropriations Act requires Commerce, Justice, NASA, and the National Science Foundation to conduct supply chain security reviews and assess potential cyber espionage or sabotage before procuring high- or moderate-impact information technology systems. The 2015-08 Procurement Policy issued by the U.S. Department of Commerce clarified the content and procedures of the department’s internal supply chain security review, and implemented the mandatory requirements of the Comprehensive Continuing Appropriations Act. The 2019 US Presidential Decree “Securing the ICT and Service Supply Chain” and the 2020 “Secure and Trusted Communications Network Act” have established corresponding review systems.

The Cabinet Office of the United Kingdom has also issued Action Bulletin 09/14, which stipulates that, starting from 1 October 2014, central government information technology shall not procure specific information technology products and services, such as procurement involving the processing of personal information and the provision of specific information and communication technology products and services; the providers and the information technology products and services should undergo the necessary security review.

The Review Measures reflect many institutional highlights

The Cybersecurity Review Measures promulgated this time by 12 departments, including the State Internet Information Office, are more scientific and rational in system design and normative content, and reflect many institutional highlights. First, they establish a review concept that takes both “security” and “development” into account, and clearly propose combining the prevention of network security risks with the promotion of advanced technologies, so that economic and industrial development is considered while national security is ensured. Second, the single-agency review mode is transformed into a joint review mechanism, and important national ministries and commissions such as development and reform, industry and information technology, public security, national security, finance, and commerce are included in the review work. This mechanism is more conducive to identifying and judging national security risks. Third, they clearly stipulate the operator’s declaration obligation and establish the “applicable” review initiation method, which ensures the effectiveness of network security review. At the same time, they fully respect the operator's professionalism in judging its own security situation, and require a declaration only if the operator predicts that the procurement activities will affect or may affect national security. To a certain extent, this also avoids unnecessary intervention by the security review in the normal operation and maintenance of critical information infrastructure. Finally, the review period is clarified, so that the operator has a definite time estimate for the review process and can guard in advance against interruptions to the procurement of network products and the deployment of services that may arise.

Globally, cybersecurity review is still an emerging legal system, and all countries are in the initial stage of exploring it. China is one of the earliest countries to formulate a national cybersecurity review legal system, and has the ability and opportunity to establish a rule system with international demonstration effect for the security assurance of network products and services. Implementing the cybersecurity review legal system is not only an objective requirement for practicing the overall national security concept and maintaining national cybersecurity, but also a favorable basis for enhancing the country's voice in cybersecurity governance and realizing a leading and exemplary role in international cybersecurity assurance. Therefore, continued exploration and improvement of the network security review system, and the promotion of its practice, should be vigorously pursued as a key task of national network security assurance. (Author: Ma Ning, Lecturer, School of Administration and Supervision Law, Northwest University of Political Science and Law)
