UNSW Business School

China and the Secret Code: Foreign Companies Face New Software Insecurity Rules

September 07, 2010

New regulations in China now require software and equipment to meet strict standards before being certified for sale to Chinese government agencies. To have their products certified, Chinese and foreign companies must hand over sensitive "trade secrets", including the encryption algorithms, software source code and design specifications of many of their products to Chinese government-connected testing laboratories. The new rules largely affect sales of network routers, smart cards, firewall software and other products involved in protecting digital data.

"The quality of security-related equipment is defined by the quality of its encryption," says Greg Stephens, a lecturer in information systems and technology at the Australian School of Business. "No self-respecting company will say to any government in the world: 'Here is my intellectual property, you can have it.' It's such an expensive process to create encryption algorithms. I would be surprised if anyone actually will just hand over the information."

All eyes were on the high profile row between globally dominant search engine Google and Chinese authorities over censorship and hacking that peaked when Google relocated its China-based servers to Hong Kong in March. The standoff ended in July when Google stopped automatically redirecting Chinese searchers to its Hong Kong domain (now they must actively choose to go there) – a move that coincided with the renewal of its licence to operate in China. The overarching question remains whether Beijing's recent behaviour signals a shift in the way foreign companies will have to engage with China.

Perceptions of what is happening in China's relationship with the world differ widely. Stephens claims that foreign businesses are not going to take it anymore. After all, if either the United States or the European Union imposed similar rules, the World Trade Organisation would fume and the world of information and communications technology would be outraged, he claims. However, analysts specialising in the security software industry believe China is just too big a market to be left behind. Market research firm Gartner reports "the security market has been growing at double-digit rates in the past few years" and forecasts growth of nearly 30% for 2010 alone.

How multinational IT corporations deal with regulations asking them to disclose proprietary information to government agencies might be the showdown in which the outcome of this debate is decided. The risks of complying with Beijing's new rules would be considerable. A major concern is the regulations could allow the leaking of crucial foreign technology information to Chinese competitors seeking to build an IT industry on par with the West. And, from Stephens' viewpoint, the problems run even deeper. "To give away algorithms and source codes will put the security of all products currently on the market worldwide at risk," he says. "All software-producing companies have keys to verify the legitimacy of software on a machine. They lose control of those codes if they are given away." In addition, the new measure could disrupt production. Many electronic products are assembled in China. If a rising number of components were forced to include Chinese security standards, then multinationals would need to separate production of goods for export from those destined for the local Chinese market.

The China Question

So far the Chinese dragon has mainly produced hot air and no fire. As early as 1999, Beijing declared that all providers of encryption-related software would be required to disclose their source code. But fears were allayed the next year when the government issued a clarification, saying the rule would only apply to products whose "core function" was encryption. It's possible the authorities might back off again. After all, recently China backtracked on a radical proposal for government procurement requiring that products contain intellectual property "totally independent of overseas organisations or individuals". Effectively, it excluded foreign producers in the name of "indigenous innovation". Beijing might also avoid this latest dispute by rolling over.

On the other hand, the Office of Security Commercial Cryptography Administration (OSCCA) has been responsible for supervising and certifying encryption-related products and their suppliers since 2006. As a result, Chinese institutions and companies are expected to buy information security products only if they have domestic certification – a requirement that foreign suppliers often cannot satisfy. China also introduced its own standard for chips that secure critical data in computers, called the trusted computing module (TCM). In effect, this kicked the global standard out of the market. In 2007, the government announced it would make domestic certification compulsory for 13 product categories, including smartcards, firewalls and secure routers. The public security ministry then announced plans for a multi-level protection system under which suppliers of all products linked to "critical infrastructure" would be required to disclose confidential product information.

Critics have concluded that these measures have created a hostile environment for foreign software makers, semiconductor companies and producers of telecommunications equipment, computers and smartcards. And China's regulatory thicket has already claimed casualties. State-owned banks have switched the procurement of encryption devices for secure online banking from foreign suppliers to domestic ones. Since the introduction of TCM, foreign companies have lost access to the market for security chips in computers made in China. At a high-level US–China dialogue in Beijing in late May, US commerce secretary Gary Locke said: "I'm not going to go into specifics of how we are going to address this, other than that it is a major, major concern to foreign companies and foreign governments, not just a concern for the US."

Most observers agree that the latest regulations will grant Chinese companies an unfair edge in government sales, a growing part of the market that is worth US$85 billion annually. For fear of alienating this big market, few players are willing to comment. Matthew Cheung, an analyst with Gartner in Hong Kong, notices "an increasing number of inquiries from our clients, but so far we have not been able to get enough information on how it could affect them". According to The New York Times, anonymous US industry experts in Beijing predict that most US companies would rather abandon sales to the Chinese government than turn over their trade secrets.

John Neuffer, vice-president of global policy at the Washington-based trade group, Information Technology Industry Council, says: "Even if you're not talking about the really sensitive stuff, it's not clear yet how product information will be protected or secured while it is running through the Chinese testing process." But most observers agree that since the global financial crisis, Chinese officials have looked less favourably at foreign enterprises, while chambers of commerce in the US and Europe have reported rising pessimism among members.

No Longer Listening?

There are several explanations for the policy shift in Beijing. Developed countries have been stumbling over their deregulated financial sectors, triggering Chinese leaders to believe that theirs is the superior economic model. Therefore, China might as well develop without foreign help. Joerg Wuttke, president of the European Union Chamber of Commerce in China, suggests that Chinese officials now sport a "we-don't-have-to-listen-to-you-anymore" attitude.

Another explanation is that Beijing is seeking to slow down the pace of foreign direct investment. There is an endless flow of capital trying to get into China. In 2009, in the middle of the financial crisis, foreign investment was about US$90 billion. Since this capital puts such a strain on the central bank and the valuation of the Chinese currency, most observers are not surprised the Communist party is becoming more considered about the projects it approves. Former Chinese leader Deng Xiaoping put his faith in the power of reform, but current president Hu Jintao believes in an economic paradigm that aims at building up "national champions". He wants to reserve China's domestic market for Chinese enterprises. And his vision does not stop at the country's borders. He anticipates that 50 of the world's 500 largest companies will be Chinese by 2015.

China itself has reason enough to fear protectionism, according to Barry van Wyk from The Beijing Axis, a Chinese consultancy for strategy, sourcing and investments. He quotes the Global Trade Alert finding that 192 of the 280 state initiatives implemented worldwide since November 2008 unfairly favoured domestic commercial interests.

With no way to force China to bring down its trade barriers, what can be done? A global technology giant such as IBM, for example, would not find it easy to pull out of China – not only does it have research and development facilities there but also its procurement headquarters. Stephens believes a solution may be for companies to produce separate product lines. "I expect many companies will be pragmatic and will come up with different product ranges that they market in that environment only," he says. However, Microsoft's chief executive Steve Ballmer has already said his company sees less potential in China than in Indonesia or India. "There are two things that make a country interesting. One is it buys a lot of PCs, the other is they pay for the software that gets used on those PCs." But there is no need for that, once you own the source code. So far, international corporations have been China's keenest allies. If they pull out, China will lose its greatest international supporters. Undoubtedly, the companies will meet up again – in other Asian countries.