Last week, the Cyberspace Administration of China (CAC) announced a cybersecurity review of the U.S. semiconductor firm Micron and the goods it sells in China. The official announcement manages to reveal little while raising several questions about the nature of the cybersecurity review regime. As a starting point, here is the full announcement in translation:
"Notice on the Initiation of Cybersecurity Review into the Products Sold in China by Micron, Inc.
"March 31, 2023, 8:30 p.m. Source: Cyberspace Administration of China
"In order to safeguard the supply chain security of critical information infrastructure, to guard against product issues and hidden dangers leading to cybersecurity risks, and to defend national security; in accordance with the National Security Law of the People's Republic of China and the Cybersecurity Law of the People's Republic of China; the Cybersecurity Review Office is implementing a cybersecurity review of the products sold by Micron in China according to the Cybersecurity Review Measures.
"Notice is hereby given."
This is fairly typical language announcing a Chinese regulator’s enforcement action. It gives reasons that echo statutory language, cites legal authorities behind the action at a broad level—and little else.
Looking closer, however, this announcement sets off a new round of questions about the nature of the “cybersecurity review” regime led by the CAC. It underlines continued uncertainty about what might or might not trigger a cybersecurity review. Below, I review the triggers for cybersecurity review, outline the evolution of this regime over time, and analyze how the Micron announcement fits into what we know. Published commentary from a Chinese expert and Chinese media discourse further signals a U.S.–China geopolitical context that cannot be ignored.
What triggers China’s Cybersecurity Review system?
Some triggers for cybersecurity review are clear. The Cybersecurity Review Measures explicitly require critical information infrastructure (CII) operators (i.e. any entity operating IT or data systems across a broad range of key sectors) to file for cybersecurity review when procuring network products and services that may affect a capacious concept of national security. This approach appears to trigger an enormous volume of work, requiring filing for each pairing of an individual product or service with an individual use by a CII operator. If a given piece of network hardware is approved for use in your slightly security-sensitive factory, for example, that doesn’t mean it would be cleared for installation at the heart of the electric grid. This best-developed type of cybersecurity review is fundamentally a granular, risk-based approach to cybersecurity regulation, as opposed to blanket certifications or prohibitions at the product or supplier level. Another clear trigger for review is if a firm handling the personal information of more than 1 million users is headed for a foreign IPO.
Other triggers for cybersecurity review clearly exist, but they are not specified—and this is not a new uncertainty. The first cybersecurity review to be publicized came in 2021, when the CAC announced a review of DiDi, the Chinese ride-hailing company that had days earlier gone forward with an IPO in New York that regulators had reportedly warned them to delay. Although DiDi clearly handled more than 1 million users’ data going into the IPO process, that explicit trigger for a required filing was added only after the government had slapped DiDi with a review. There was no obvious connection with the preexisting enumerated triggers for review.
Now revised, the current text of the Cybersecurity Review Measures gives no explicit indication that cybersecurity review might be initiated by regulators outside of the contexts where filing is required, but there’s nothing saying it cannot be. Apparently, the Cybersecurity Review Office (CRO), a unit of CAC charged with administering these reviews and consulting with 12 diverse departments, is also able to move based on its own initiative or on other prodding from within the government.
In Micron’s case, based on what little public information is available, several things could have happened:
- A CII operator might be seeking to procure one or more Micron products for one or more specific uses, filing with the CRO for review as explicitly required. Under the Measures, however, the obligation to file in this context falls on the CII operator, which would then need Micron’s cooperation (Articles 9 and 6). The recent announcement, which names Micron rather than any operator, doesn’t immediately fit this scenario.
- The CRO may be faced with multiple filings for approval to use Micron products and, separate from the Measures’ described approach of reviewing for each CII operator and each procurement, they might have decided to review the supplier all at once. This would be a deviation from published procedures but still reliant on published triggers for review.
- Other factors may have led the CRO to decide on a novel form of review, similar to what happened with DiDi, presumably drawing on the broad and vaguely worded legal authorities. In that case the published triggers and procedures would not seem to be fully in play.
Can't stop moving
A quick timeline of the “national security review” and “cybersecurity review” regime can help explain why something like the third scenario is a real possibility, and potentially the most likely one. Over a period of almost eight years, the business of reviewing technology for national security risks in China has been constantly evolving:
- July 2015 — The National Security Law (NSL) sets out state authorities for “national security review” involving “specified products, critical technologies, and internet information technology products and services” (Article 59).
- November 2016 — The Cybersecurity Law (CSL), which is to take effect the following year, establishes “national security reviews” by the CAC and other departments for “CII operators purchasing network products and services that might impact national security” (Article 35). Details are thin.
- May 2017 — To coincide with the June 1, 2017, effective date of the Cybersecurity Law, the CAC issues the Interim Measures on Security Review of Network Products and Services. These are effective pending unspecified future regulatory work, and they explicitly reference the NSL and CSL.
- May 2019 — The CAC and 11 other regulatory entities issue the Cybersecurity Review Measures (Draft for Comment), which would replace the 2017 Interim Measures if finalized and implemented. DigiChina analyzes the differences between the existing interim measures and the draft at the time.
- April 2020 — The same 12 regulators issue finalized Cybersecurity Review Measures, which replace the Interim Measures on June 1, 2020—three full years after the Cybersecurity Law took effect.
- July 2021 — The Cybersecurity Review Office (CRO) of the CAC, which is established by these Measures, announces a cybersecurity review of DiDi Chuxing two days after the company’s IPO. The Cybersecurity Review Measures do not contain clear and specific grounds for the review.
- July 2021 — Days after it announces the DiDi cybersecurity review, the CAC releases a draft revision to the Cybersecurity Review Measures, which adds the China Securities Regulatory Commission to the dozen regulators involved in the regime and adds the risk of data disclosure to foreign governments through listing on foreign stock exchanges as an explicit grounds for review. It also adds reference to the newly passed Data Security Law.
- December 2021 — The 2021 revision to the Cybersecurity Review Measures is finalized, including the new language on foreign IPOs, and is to take effect Feb. 15, 2022.
- July 2022 — The CAC announces that DiDi’s cybersecurity review led to an investigation that ended in a large fine. It says it found violations of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law and announces a fine of 8.026 billion RMB (~$1.2 billion USD).
This progression reveals two important facts. First is that even the most stable period in the cybersecurity review regime’s development (the three years from June 2017 to June 2020) was explicitly uncertain; the Measures in effect then were “interim” in nature and always sat ready to be revised. Second, while these documents vest the CAC’s CRO with responsibility to coordinate reviews and enumerate some specific requirements, the office’s role draws its legal weight from broad provisions of the NSL, CSL, and Data Security Law. While some Chinese regulators may hew more closely to enumerated responsibilities, the DiDi case made clear that at least in some cases, the CRO would adapt to the needs of novel situations. The relevant laws, after all, were drafted in full knowledge that technology and its context would develop rapidly.
Why Micron? Early indications.
Few details are public about the Micron situation, and we can expect to learn more—even if not a lot more—over time. For now, some Chinese commentary can at least suggest hypotheses. Beijing Institute of Technology Law Professor Hong Yanqing, a leading Chinese data governance expert, has written two interesting WeChat posts on the Micron review. In one post, Hong points to the short CAC announcement, which specifies risks to supply chain security for CII, as well as problems and hidden dangers in the products, as the area of concern. Article 10 of the Cybersecurity Review Measures lists the general types of risk the reviews are concerned with, including several that are relevant here. On supply chain security, there is the risk of “illegal control of, interference with, or destruction of CII,” “the harm to CII business continuity of product and service supply disruptions,” and “the risk of supply disruptions due to political, diplomatic, and trade factors.” In an era when U.S.–China supply chains for semiconductors are acutely affected by U.S. restrictions and may be affected by further limits in the future, supply chain security is not just about sneaking vulnerabilities into products; the risk that a supplier becomes unavailable for political reasons is an explicit ground for review.
“Now, as for the reason Micron is being reviewed,” Hong writes, “those following the China–U.S. technological gamesmanship will have their own understanding—specifically, the violent shock to global semiconductor supply chains brought about by the frequent revisions in recent years to the U.S. Export Administration Regulations (e.g. changes to the scope of jurisdiction and territories at any time).” Hong points to an article in the tech news publication ijiwei.com, one of many in Chinese outlets that have discussed the firm’s role in advocating for the unprecedented semiconductor restrictions the U.S. government has implemented on China. The unbylined article argues that Micron has been an active lobbying force for restrictions on China’s tech industries and a direct beneficiary of U.S. policy actions targeting China. It is beyond the scope of the present article to evaluate this narrative or check its assertions, but the prevalence of Chinese commentary identifying Micron as a company particularly unfriendly to China is important in understanding the context for its cybersecurity review.
Finally, Hong’s second commentary focuses on what is likely to happen if Micron does not pass this review: namely, that CII operators would be prohibited from purchasing the company’s products. This raises a question that the Micron case may help answer: Will China’s cybersecurity review regime turn out to operate as it once appeared—a risk-based review system that differentiates between different use cases and different products? Or will it turn out to be a tool that can also effectively ban suppliers in all use cases within the sometimes hard-to-discern boundaries of CII?