China's cybersecurity association calls for national security investigation of Intel products
Another U.S. chip company under the pressure of China's cybersecurity review
Today, the Cybersecurity Association of China (中国网络空间安全协会), China's first officially approved national social organization in cybersecurity, calls for a cybersecurity review of Intel in China.
According to the Association, the reasons they believe the government should initiate a cybersecurity review of Intel are as follows:
Frequent security vulnerabilities: Intel's CPUs have been repeatedly exposed for severe security vulnerabilities (such as Downfall, Reptar, etc.), which put users' sensitive data and system security at risk. Intel has been slow to respond and continued selling problematic products even after being aware of the vulnerabilities.
Poor product reliability and disregard for user complaints: Since the end of 2023, users have reported frequent crashes with Intel's 13th and 14th generation Core i9 processors. Intel deflected responsibility in response to user complaints, delaying acknowledgment for six months before providing a fix, seriously affecting user experience and product stability.
User surveillance risks in remote management: The IPMI technology and BMC module designed by Intel and other manufacturers contain security vulnerabilities, and Intel has integrated outdated third-party components with significant security risks into its products. This exposes users' networks and data to substantial threats.
Hidden backdoors that jeopardize network security: Intel's Management Engine (ME) is accused of having backdoor functions, allowing remote access and control of systems. This poses a potential security risk for global users, especially with suspicions of collaboration with the NSA, thus creating a significant threat to critical information infrastructure.
Harming China's interests: Intel has suppressed Chinese companies on Xinjiang-related issues and incorrectly listed Taiwan in its financial reports. Its alignment with U.S. government policies to suppress China's semiconductor industry raises concerns, leading to the recommendation of a cybersecurity review to safeguard China's national security and consumer interests.
For those unfamiliar with China's "cybersecurity review" mechanism, here is an introduction:
In April 2020, the CAC, along with 12 other departments, jointly issued the Cybersecurity Review Measures (referred to as the "2020 Measures"), designating the CAC's Cybersecurity Review Office as the regulatory body responsible for establishing standards and conducting cybersecurity reviews. Under the measures, operators of critical information infrastructure (CIIOs) in China must undergo a cybersecurity review when purchasing network products and services that affect or may affect national security. CIIOs are required to assess the risks of their network products and services and, if risks are identified, submit a cybersecurity review request to the CAC before proceeding with the purchase.
This rule is similar to the ICTS final rules issued by the U.S. Department of Commerce in 2023, which focus on national security reviews of the ICTS supply chain. The major difference is that the ICTS rule narrowly targeted ICTS products and services from “foreign adversaries”, while China’s Cybersecurity Review Measures do not, on their face, target specific countries.
The 2020 Measures specify a range of evaluation factors for assessing the potential national security risks of network products and services. Notably, the review places a strong emphasis on the "risk of disruption to the continuity of critical information infrastructure operations" and the "reliability of supply chains, as well as the risk of disruption due to political, diplomatic, or trade factors."
On June 30, 2021, China's famous ride-hailing platform Didi went public in the United States. Three days after the listing (on July 2, 2021), the Cybersecurity Review Office of the CAC, based on the 2020 Measures, announced a cybersecurity review of Didi and mandated the suspension of new user registrations during the review period. Subsequently, the CAC issued a notice, stating that after verification of reports, all Didi apps should be removed from app stores. Shortly after, the CAC, along with the Ministry of Public Security, Ministry of State Security, and five other departments, conducted an on-site review at Didi’s headquarters.
After the Didi incident, the CAC led the revision of the Cybersecurity Review Measures, which were approved and released in November 2022 as the updated 2022 Measures. The revised measures received endorsement from 12 departments, including the National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of State Security, Ministry of Finance, and Ministry of Commerce. They came into effect on February 15 of that year.
Five months later, the CAC, citing the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, imposed an administrative penalty on Didi: a fine of 8.026 billion RMB, and a personal fine of 1 million RMB each on Didi's Chairman and CEO Cheng Wei, and President Liu Qing.
Overall, the 2022 Measures expanded the scope of the 2021 version in two ways:
It extended the jurisdiction beyond CIIOs to include "data processors" under the review system. Hence, any "data processing activities" in China that affect or may affect national security must now undergo a cybersecurity review.
It expanded the scope beyond "procurement activities" to include "data processing activities" and "overseas listings" of domestic companies, to assess the potential national security risks of these activities. Notably, under the revised measures, companies possessing personal information of over 1 million users must submit an application for cybersecurity review before going public abroad, and the application must include "proposed IPO materials." The review evaluates risks such as the potential influence, control, or malicious use of critical information infrastructure, core data, important data, or large volumes of personal information by foreign governments after the overseas listing.
Since the establishment of China's cybersecurity review system, only a few investigations have been conducted aside from the Didi case, but each one has been highly representative:
BOSS Zhipin (Boss直聘), Yunmanman (运满满), and Huochebang (货车帮): On July 5, 2021, the Cybersecurity Review Office initiated a cybersecurity review of "BOSS Zhipin," "Yunmanman," and "Huochebang." This action primarily targeted companies with vast amounts of data (including significant amounts of personal information) and assessed the potential national security risks posed by their overseas listing.
CNKI (China National Knowledge Infrastructure, 中国知网): On June 24, 2022, the CAC initiated a cybersecurity review of CNKI, a leading Chinese academic resource integration platform. According to the CAC, its Cybersecurity Review Office interviewed the leadership of CNKI’s operator, Tongfang Knowledge Network Technology Co., Ltd., to announce the review. Analysts believe the focus of this review was on “important data.” On 6 September, the CAC made a decision ordering CNKI to stop the illegal processing of personal information and imposing a fine of 50 million RMB. CNKI is considered to hold a large amount of sensitive data related to national defense, industry, telecommunications, transportation, natural resources, healthcare, finance, and key information about China’s major projects, scientific achievements, and cutting-edge technology trends.
Micron: On March 31, 2023, the CAC announced that it was initiating a cybersecurity review of Micron, a U.S. memory chip giant, to "ensure the security of the critical information infrastructure supply chain, prevent potential product vulnerabilities from causing cybersecurity risks, and safeguard national security." On May 21, the CAC ruled that Micron had failed to pass the cybersecurity review. This quickly triggered a trust crisis in China regarding Micron products. Some Chinese companies classified as CIIOs were forced to sever ties with Micron and remove its chips and other products from their supply chains. Even non-CIIO Chinese companies became highly cautious in their dealings with Micron, which significantly impacted Micron's revenue in China and led to direct negotiations between U.S. Senate Majority Leader Chuck Schumer, U.S. Secretary of Commerce Gina Raimondo, and the Chinese government.
Unlike the reviews of Didi and CNKI, the investigation into Micron was the first cybersecurity review targeting a foreign company and focused primarily on "supply chain security" risks rather than traditional "cybersecurity" or "data security" risks. Analysts believe this review highlights the geopolitical nature of the ICTS supply chain and reflects China’s countermeasure against the U.S. government’s sanctions targeting China’s ICTS supply chain.