01 Sep 2019

DIGITALEUROPE and ESIA response to the Office of State Commercial Cryptography Administration Draft Cryptography Law

DIGITALEUROPE and ESIA greatly appreciate the opportunity to submit comments to the draft Cryptography Law of China put forward by the Office of State Commercial Cryptography Administration (OSCCA).

For the information society to flourish and grow, it must be based on the principles of trust and security, in particular with regard to the transmission and computing of data. DIGITALEUROPE’s and ESIA’s members remain highly committed to the principles of trust and security. Therefore, we greatly appreciate the efforts put forward by the People’s Republic of China to build towards to a more trustworthy and prosperous information society. Please find below summarised descriptions of our comments.

 

Articles 6, 7 and 8

The functional definition of cryptography, i.e. the division into core, common and commercial cryptography, could benefit from further explanation. If essentially ‘core’ and ‘common’ encryption describe technology and services for securing two different levels of state-classified information, the technical characteristics could be further defined by the competent bodies. The transition between the two fields also needs to consider security measures (handling of classified information) beyond encryption.

In particular, the distinction between the three fields (as outlined in Article 7) is not clear and may be even more blurred when it comes to the use of commercial cryptography in products and services that are or could be used by government entities or fully/partially state-owned enterprises. We recommend that the law include a definition of commercial cryptographic products. We believe that such a definition should be fully compatible with the core function clarification issued by the State Encryption Management Commission in March 2000.

Commercial Cryptography should be defined as cryptography implemented in commercial products where cryptographic functions use standardised algorithms to support clearly identified product features. While including encryption/decryption functions, Commercial Cryptography excludes authentication or digital signatures. In our proposed amendment to the definition of Commercial Cryptographic Product, encryption should be the main function, rather than a subsidiary feature of the product or one of its components.

A component in a product should not be considered a Cryptographic Commercial Product in the following cases:

  1. Cryptography is not the primary function or set of functions of the component;
  2. The component does not change any cryptographic functionality in the products;
  3. The feature set of the component is fixed, cannot be modified to customer specification or is not specifically designed for a particular customer.

For all three categories, it should be made clear that products and services that may be used are admitted on a non-discriminatory basis and on a market-based approach.

 

Articles 21, 22 and 23

We appreciate the commitment towards the promotion of a competitive commercial cryptography industry. In this context, we understand this also as a commitment to include Foreign-Invested Enterprises (FIEs) under this definition.

When it comes to the development of ‘national’ standards, we reiterate our recommendation to use products and services based on commercial encryption regardless of the geographic origin of the underlying standards, thus allowing private, commercial and government entities to use best-in-class products that are globally accessible. As is required of all WTO members, China’s national standards should use international standards, or relevant parts thereof, as their basis, except where the use of such standards or parts of such standards would be ineffective or inappropriate.

Clearly, ‘group’ or ‘enterprise’ standards that are even higher should be promoted, notwithstanding the origin of the innovator. They could then lead, of course, to an even higher (general or industry) standard that is publicly accepted. However, we are concerned that the reference made to ‘independent innovative technology’ may hamper the pursuit of this objective as it indicates a decoupled development, putting in danger economies of scale for users and industry alike. This lowers, rather than raises, the security profile.

Furthermore, the mention of ‘independent’ should be eliminated in accordance with Article 23, in reference to which we applaud OSCCA’s commitment to engaging in applying international standards and bringing in, at the same time, Chinese expertise. In addition, Article 23 should not only encourage participation in the creation of international standards but should also encourage organisations to base their standards on already established and relevant international standards.

 

Article 24

We suggest a clarification in the encouragement to apply ‘voluntary national’ and ‘industry’ standards. In order to avoid incompatibilities, and due to existing obligations under WTO agreements, there should be a clear preference for  internationally accepted and used standards (which may be de-facto standards set up and used by industry or standards that have been worked out in international standardisation bodies), attributing an auxiliary function to national standards in fields where there is no other standard.

 

Articles 25 and 26

We welcome and support the modifications in the second Draft Law aimed at separating commercial cryptography from core and common cryptography, as well as the exclusion of commercial cryptography used in mass consumer products from import licensing system or export control.

In addition, the overall scope of ‘Commercial cryptography-based services used for network-critical equipment and cybersecurity-specific products’ has incrementally expanded and will ultimately have a significant impact on organisations that provide network-critical equipment and cybersecurity-specific products. This concern is aggravated by the duplicative testing that seems to be proposed under the Draft Law.

The vast majority of organisations already use commercial cryptography. Needing to obtain certain certification through a security agency or pass a security test for such cryptography already in use would stifle industry. The concerns articulated under this Article are already addressed by the draft of proposed measures recently published and Article 23 of the Cybersecurity Law. Thus, and given China’s obligations under the World Semiconductor Council’s Encryption Principles1 and international agreements,2 the Article should clearly state that sales of products should not be restricted and, to the extent needed, only the deployment of or specific use of a product in network-critical settings may require certification or testing.

Commercial products with elements of cryptography that are a subsidiary feature should be completely exempt from licensing, testing and certification requirements that limit import, export or sales. This includes all products where cryptography is not the core function or set of functions of the product.

In addition, the new added term ‘Commercial cryptography-based service,’ which is unclear, should not exceed the scope of currently regulated PRC services, as e- government digital certificate service, and defined as a service where encryption serves as the main function of the service, rather than as a subsidiary service or as one of many features.

 

Article 28

In order to secure and extend the manufacturing base of innovative FIEs in the People’s Republic of China, we encourage the State Council to consider that China has meanwhile become, for many companies, a hub for global production, including the export to other countries in Asia. Therefore, any additional restrictions on technology export could hamper this development and slow down FDI.

It is therefore recommended that Article 28 be limited to commercial encrypted products where encryption is core function and expanded beyond the existing 2013 list (OSCAA), ensuring greater alignment to already implemented international standards and agreements. Import and export of commercial encryption products should not be regulated.

 

Article 30

We are highly interested to bring in our knowledge when it comes to building up a Chinese commercial cryptography industry association and both submit our request to be included in the consultative phase of setting up such a body.

However, it is recommended that the draft law provide greater clarity with regard to the details of the ‘commercial cryptography industry association.’ We recommend that such an association should allow both foreign and domestic companies to be members with full participation rights.

 

Article 31

With reference to the social credit system, we would appreciate receiving further information on implications for industry and its activities in People’s Republic of China.

In addition, whilst we welcome the changes made to the originally broad enforcement powers (Article 29), it is recommended that Article 31 state that any ‘random checks’ shall not impact intellectual property and privacy rights. Overall, any checks should be conducted with minimal disruption to business operations and provide protection for intellectual property rights and confidential information.

 

Article 32

Although Articles 9, 10 and 11 encourage RandD, subsequently Articles 12, 21 and 32 seem to impinge on this possibility. It is recommended that an exception should be added to Article 32 for good faith security and vulnerabilities research aimed at improving security of the technology and products. Such research should not be considered illegal/criminal nor subject to any penalty or legal liability.

[…]

For more information, please contact:
Alberto Di Felice
Senior Policy Manager for Infrastructure, Privacy and Security
Back to Cybersecurity
View the complete Policy Paper
PDF
Our resources on Cybersecurity
Policy Paper 05 Sep 2019
Response to ENISA consultation on EU ICT industrial policy
Policy Paper 19 Jul 2019
Joint industry letter on Cybersecurity Vulnerabilities Administrative Regulation Response to MIIT published draft for comments
Press Release 10 Apr 2019
Cybersecurity Act gives Europe a new framework to increase trust in a digitising world
Hit enter to search or ESC to close