After the Chinese government officially removed 25 apps operated by Didi Global Inc. from the app store, Didi’s share price plunged below its IPO. 

Zuo Xiaodong–the vice president of China Academy of Information Security– provides answers during an interview with Southern Weekly for the many speculations that have floated around since regulators ceased new member registration on the platform on 3 July.  He has participated in the research and drafting of many major cybersecurity policies and regulations. 

Momentum Works team summarised and translated the key points for our readers, revealing insights about the incident from a trustworthy source. 


Zuo highlights that Didi is not the first company to undergo network security review– a few smaller companies had gone through the same process previously.   

As he recalls, before the “Network Security Review Measures” was issued, the initiative had been on trial since 1 June 2017, with the trial lasting three full years. It has been a year since the measure was officially implemented. 

There have been a lot of guesses since China announced the investigation of Didi. However, Zuo responded to these speculations by stating that the understanding of Didi as a critical information infrastructure operator is neither informed nor comprehensive.

“If a product has a huge safety hazard that may seriously endanger national security when it is used, how could no one care about this application earlier? Do I have to wait til the operator went public before going through the procedures for it to undergo the cyber security review? Obviously not.” he stressed. 

 

“Cyber ​​Security Review Measures” clearly stipulates that network applications and services that were believed to affect national security would be reported to the central network security and information by the Cyber ​​Security Review Office in accordance with standard procedures.

He added that there are 12 government agencies under the umbrella of the Cyber Security Review Measures. In other words, any of the twelve bodies can initiate a cyber security review when it deems that a company is at risk of endangering national security after submitting for approval. 

Regarding the factors that may lead to a review, he reiterates that both domestic or foreign service providers are treated equally. As long as any company brings serious risks to China’s network security, it should be subject to review according to the provisions  

 

The focus of the review includes the followings: 

  1. The risk of illegal control
  2. Interference or destruction of critical information infrastructure after the use of products and services
  3. The risk of important data being stolen, leaked, or destroyed
  4. The application’s openness, transparency, diversity of sources, reliability of supply channels
  5. The risk of supply interruption due to political, diplomatic, trade and other factors

 

In response to concerns (from the international community) about the nature of the organization, Zuo replied, “The Cyber ​​Security Review Office is located in the National Internet Information Office. It is responsible for formulating related systems and regulations for cyber security review and organizing cyber security reviews.” 

He concluded that the main concern of this review is the potential leakage of confidential data and citizens’ personal information. China is implementing these regulatory actions as a way to protect such data. 

Under normal circumstances, the network security review will be completed within 45 working days. However, if the situation is complicated, it may be extended by 15 working days. Didi may also be subjected to fines for any violation of cybersecurity rules and regulations set by the Chinese government. 

Thanks for reading The Low Down (TLD), the blog by the team at Momentum Works. Got a different perspective or have a burning opinion to share? Let us know at [email protected].