HONG KONG — The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China.
[Reposted from The New York Times | Paul Mozur | January 28, 2015]
The new rules, laid out in a 22-page document approved at the end of last year, are the first in a series of policies expected to be unveiled in the coming months that Beijing says are designed to strengthen cybersecurity in critical Chinese industries. As copies have spread in the past month, the regulations have heightened concern among foreign companies that the authorities are trying to force them out of one of the largest and fastest-growing markets in the world for technology products and services.
In a letter sent Wednesday to a top-level Communist Party committee on cybersecurity led by President Xi Jinping, foreign business groups that represent major Western technology companies objected to the new policies and complained that they amounted to protectionism.
The groups, which include the U.S. Chamber of Commerce, called for “urgent discussion and dialogue” about what they said was a “growing trend” toward policies that cite cybersecurity in requiring companies to use only technology products and services developed and controlled by Chinese firms.
The letter is the latest salvo in an intensifying tit-for-tat between China and the United States, which have clashed over online security during the last two years in what has begun to resemble a technological Cold War. While the United States has accused Chinese military personnel of hacking and stealing from American companies, China has pointed to recent disclosures of United States snooping in foreign countries as a reason to get rid of American technology as quickly as possible.
With China’s Internet filters increasingly creating a world with two Internets, a Chinese one and a global one, new policies could further bifurcate the tech world, with national security considerations forcing hardware and software makers to sell to either China or the United States.
Several Chinese hardware makers have run into problems in the United States after warnings from Congress about their ties to the Chinese government.
For multinationals, the Chinese market is simply too big to ignore. China is expected to spend $465 billion in 2015 on information and communications technology, according to the research firm IDC, which says the expansion of China’s tech market will account for 43 percent of worldwide tech-sector growth.
Analysts said new Chinese policies like the bank rules and an antiterror law that is still in draft form will make doing business increasingly difficult in China for foreign hardware and software companies.
“I think they’re obviously targeting foreign vendors that are operating in China,” said Matthew Cheung, a researcher at the analytics firm Gartner. “They are promoting the local technologies so that local providers who have the capabilities to provide systems to these enterprises can get more market share.”
For instance, the bank rules say 75 percent of technology products used by Chinese institutions must be classified as “secure and controllable” by 2019.
Though analysts say “secure and controllable” — an emerging buzz phrase that peppers several new Chinese technology policies — may be open to interpretation, a chart attached to the banking regulations shows the troubles foreign companies could have winning that classification for their products.
For most computing and networking equipment, the chart says, source code must be turned over to Chinese officials. But many foreign companies would be unwilling to disclose code because of concerns about intellectual property, security and, in some cases, United States export law.
The chart also calls for companies that want to sell to banks to set up research and development centers in China, obtain permits for workers servicing technology equipment and build “ports” to allow Chinese officials to manage and monitor data processed by their hardware.
The draft antiterror law pushes even further, calling for companies to store all data related to Chinese users on servers within the country, create methods for monitoring content for terror threats and provide keys to encryption to public security authorities.
Sophie Richardson, China director of Human Rights Watch, said in a news release that the law was “little more than a license to commit human rights abuses.”
The rules about encryption could prove problematic for Apple, which has used new encryption methods in the iPhone 6 that are based on a complicated mathematical algorithm tied to a code unique to each phone. Apple says it has no access to the codes, but under the proposed antiterror law, it would be required to provide a key so that the Chinese government could decrypt data stored on iPhones.
In the letter, the Western companies also voiced concerns about a broader “cybersecurity review regime” under which the Chinese government would assess the “security and controllability” of hardware, software and technology services sold in China, through audits and other checks. More details about the checks will be sent to the Central Leading Group for Cyberspace Affairs, the committee led by the Chinese president, in February, according to a recent report by Xinhua, the state-run news agency.
Prompted in part by the disclosures by Edward J. Snowden, the former United States intelligence contractor, the committee is leading the charge in consolidating and streamlining cybersecurity efforts in China, and analysts said it has most likely presided over or given tacit support to the new policies.
The leadership committee is also trying to wean the country from its reliance on foreign technology, a longstanding goal that has gained urgency after Mr. Snowden’s revelations.
“Banking is the first industry where we are aware a black-and-white regulatory document was issued,” said Jeffrey Yao, a vice president for enterprise research at IDC. “In some other industries, if you talk to the customers, many of them get the pressure to adopt the local brands, but in most of the cases they are via internal communications from the top officers.”
Zuo Xiaodong, vice president of the China Information Security Research Institute, said the new policies and the broader push for indigenous innovation were not intended to eliminate foreign companies from the market.
“In reality, it’s about the core elements of Chinese information technology. We don’t really control these. We’re under the yoke of others. If the others stop services, what do we do?” he said, noting that many Chinese companies and local governments had to scramble when Microsoft discontinued its support of Windows XP. “From a security perspective, that simply wasn’t acceptable. We’re breaking away from these types of circumstances.”
But a growing number of American technology executives have complained about new barriers to access to the Chinese market. John Chambers, the chief of the network equipment maker Cisco, has raised the issue, as have executives at the chip maker Qualcomm. Earlier this week, Microsoft’s chief executive, Satya Nadella, said his company was working through “geopolitical issues.”
Even if Beijing wants it to, the banking industry can’t yet do away with all foreign hardware makers, according to IDC’s Mr. Yao. Banks purchase billions in hardware and software to manage transactions, and Chinese companies can’t yet produce some of the higher-end servers and mainframes they rely on.
Mr. Yao said 90 percent of high-end servers and mainframes in China were still produced by multinationals. Still, Chinese companies are catching up at the lower end.
“For all enterprise hardware, local brands represented 21.3 percent revenue share in 2010 in PRC market and we expect in 2014 that number will reach 43.1 percent. That’s a huge jump,” he said.
Though Chinese companies stand to benefit, the letter from foreign business groups warned that China would hurt itself if it continued to follow its current policy trajectory.
“An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global Internet and I.C.T. products and services,” the letter said, referring to information and communications technology, “would ultimately isolate Chinese I.C.T. firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice.”
