New Rules in China Upset Western Tech Companies

| Technology | The New York Times

<Original Source>

HONG KONG — The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China.

The new rules, laid out in a 22-page document approved at the end of last year, are the first in a series of policies expected to be unveiled in the coming months that Beijing says are intended to strengthen cybersecurity in critical Chinese industries. As copies have spread in the past month, the regulations have heightened concern among foreign companies that the authorities are trying to force them out of one of the largest and fastest-growing markets.

In a letter sent Wednesday to a top-level Communist Party committee on cybersecurity, led by President Xi Jinping, foreign business groups objected to the new policies and complained that they amounted to protectionism.

The Chinese prime minister, Li Keqiang, with Tamara Lundgren and Thomas Donohue from the U.S. Chamber of Commerce before a meeting last July in Beijing. The chamber is seeking urgent talks over new rules. Credit Pool photo by Ng Han Guan

The groups, which include the U.S. Chamber of Commerce, called for “urgent discussion and dialogue” about what they said was a “growing trend” toward policies that cite cybersecurity in requiring companies to use only technology products and services that are developed and controlled by Chinese companies.

The letter is the latest salvo in an intensifying tit-for-tat between China and the United States over online security and technology policy. While the United States has accused Chinese military personnel of hacking and stealing from American companies, China has pointed to recent disclosures of United States snooping in foreign countries as a reason to get rid of American technology as quickly as possible.

Although it is unclear to what extent the new rules result from security concerns, and to what extent they are cover for building up the Chinese tech industry, the Chinese regulations go far beyond measures taken by most other countries, lending some credibility to industry claims that they are protectionist. Beijing also has long used the Internet to keep tabs on its citizens and ensure the Communist Party’s hold on power.

Chinese companies must also follow the new regulations, though they will find it easier since for most, their core customers are in China.

China’s Internet filters have increasingly created a world with two Internets, a Chinese one and a global one. The new policies could further split the tech world, forcing hardware and software makers to sell either to China or the United States, or to create significantly different products for the two countries.

While the Obama administration will almost certainly complain that the new rules are protectionist in nature, the Chinese will be able to make a case that they differ only in degree from Washington’s own requirements.

The United States has made it virtually impossible for Huawei, a major Chinese maker of computer servers and cellphones, to sell its products in the United States, arguing that its equipment could have “back doors” for the Chinese government.

The documents released by Edward J. Snowden, the former National Security Agency contractor, revealed a major effort by the agency to enter Huawei’s systems, both to figure out who controls the company and to create back doors that the United States could exploit.

Recent calls by the director of the Federal Bureau of Investigation, James B. Comey, to assure that the United States has a key to decrypt information stored on iPhones and other devices will doubtless be used by the Chinese to argue that all governments need access to sensitive computer systems.

For multinationals, the Chinese market is simply too big to ignore. China is expected to spend $465 billion in 2015 on information and communications technology, according to the research firm IDC, which says the expansion of China’s tech market will account for 43 percent of worldwide tech sector growth.

Analysts said new Chinese policies like the bank rules and an antiterrorism law that is still in draft form would make doing business increasingly difficult in China for foreign hardware and software companies.

“I think they’re obviously targeting foreign vendors that are operating in China,” said Matthew Cheung, a researcher at the analytics firm Gartner. “They are promoting the local technologies so that local providers who have the capabilities to provide systems to these enterprises can get more market share.”

For instance, the bank rules say 75 percent of technology products used by Chinese institutions must be classified as “secure and controllable” by 2019.

Though analysts say “secure and controllable” — a phrase that peppers several new Chinese technology policies — may be open to interpretation, a chart attached to the banking regulations shows the troubles foreign companies could have in winning that classification for their products.

For most computing and networking equipment, the chart says, source code must be turned over to Chinese officials. But many foreign companies would be unwilling to disclose code because of concerns about intellectual property, security and, in some cases, United States export law.

The chart also calls for companies that want to sell to banks to set up research and development centers in China, obtain permits for workers servicing technology equipment and build “ports” to allow Chinese officials to manage and monitor data processed by their hardware.

The draft antiterrorism law pushes even further, calling for companies to store all data related to Chinese users on servers in China, create methods for monitoring content for terror threats and provide keys to encryption to public security authorities.

“Banking is the first industry where we are aware a black-and-white regulatory document was issued,” said Jeffrey Yao, a vice president for enterprise research at IDC. “In some other industries, if you talk to the customers, many of them get the pressure to adopt the local brands, but in most of the cases they are via internal communications from the top officers.”

Some of America’s largest tech companies could be hurt by the rules, including Apple, which is making a big push into the country. Apple has used new encryption methods in the iPhone 6 that are based on a complicated mathematical algorithm tied to a code unique to each phone. Apple says it has no access to the codes, but under the proposed antiterrorism law, it would be required to provide a key so that the Chinese government could decrypt data stored on iPhones.

A growing number of American technology executives have complained about new barriers to access to the Chinese market. John T. Chambers, the chief executive of the network equipment maker Cisco Systems, has raised the issue, as have executives at the chip maker Qualcomm. This week, Microsoft’s chief executive, Satya Nadella, said his company was working through “geopolitical issues” regarding China.

In the letter, the Western companies voiced concerns about a broader “cybersecurity review regime” under which the Chinese government would assess the “security and controllability” of hardware, software and technology services sold in China, through audits and other checks. More details about the checks will be sent in February to the Central Leading Group for Cyberspace Affairs, the committee led by the Chinese president, according to a recent report by Xinhua, the state-run news agency.

The committee, which was created after the disclosures by Mr. Snowden, is leading the charge in consolidating and streamlining online security efforts in China. Analysts said it had most likely presided over or given tacit support to the new policies.

The leadership committee is said to be also trying to wean the country from its reliance on foreign technology, a longstanding goal that has gained urgency after Mr. Snowden’s revelations.

Zuo Xiaodong, vice president of the China Information Security Research Institute, said the new policies and the broader push for indigenous innovation were not intended to eliminate foreign companies from the market.

“We’re under the yoke of others. If the others stop services, what do we do?” he said, noting that many Chinese companies and local governments had to scramble when Microsoft discontinued its support of Windows XP. “From a security perspective, that simply wasn’t acceptable. We’re breaking away from these types of circumstances.”

Even if Beijing wants it to, the banking industry cannot immediately do away with all foreign hardware makers, Mr. Yao of IDC said. Banks purchase billions of dollars’ worth of hardware and software to manage transactions, and Chinese companies cannot yet produce some of the higher-end servers and mainframes they rely on.

Mr. Yao said 90 percent of high-end servers and mainframes in China were still produced by multinationals. Still, Chinese companies are catching up at the lower end.

“For all enterprise hardware, local brands represented 21.3 percent revenue share in 2010 in P.R.C. market and we expect in 2014 that number will reach 43.1 percent,” he said, using the abbreviation for the People’s Republic of China. “That’s a huge jump.”