On May 27 2014, China revealed a new security review system, that obligates all foreign IT products and services sold in China to pass an unprecedented safety review. Failing the safety tests will ban any company, product or service from entering the Chinese market, [i] according to the new regulation (hereinafter: "the regulation"). The regulation initially applies to firms selling products to Chinese corporations in crucial sectors such as telecommunications, finance, energy and national security, or other industries of "public interest".
Under the new Chinese initiative, corporations will be required to disclose intellectual property and other sensitive material to the Chinese government for ‘inspections’. This concerns many countries, and especially the U.S. Information, Communication and Technology (ICT) Industry.
[ii] According to the U.S. Chamber of Commerce, the American Chamber of Commerce in China, the Information Technology Industry Council and the Telecommunications Industry Association, among others (hereinafter: "the group"), the regulation would require technology sellers to create backdoors for the Chinese government, adopt Chinese encryption algorithms and disclose sensitive intellectual property. Specifically in the finance sector, firms planning to sell computer equipment to Chinese banks would also have to set up research and development centers, get permits for workers servicing technology equipment and build "ports" which enable Chinese officials to manage and monitor data processed by their hardware. Regarding these demands, several organizations have sent a letter to Chinese cybersecurity officials, calling for negotiation towards a better solution.
[iii] Is the group’s concern above justified? Are China’s new regulations bound to abuse the American private sector? The regulation is a part of Chinese Cyber Security Policy, which initiated as early as 2003 by the Chinese "National Coordinating Small Group for Cyber and Information Security" titled "Document 27 - Opinions of the Leading Group for Strengthening Information Security Assurance Work" (国家信息化领导小组关于加强信息安全保障工作 的意见). Its key feature is to develop a high-powered domestic IT industry in order to stifle potential threats from foreign software. The Chinese government perceives software by western manufacturers as a threat to national security,[iv] perceptions that seem well-founded in light of the fact that last year (2014), it was discovered, following the disclosures made by American whistle-blower Edward Snowden, that the U.S. government had targeted weaknesses, including those in American hardware and software products, for espionage purposes.[v] According to press reports, NSA employees even constructed these weaknesses intentionally, for instance in routers made by IT company CISCO.
[vi] Therefore, the regulation imposes a tool to implement "level 3 criteria" of The Multi-Level Protection Scheme (MLPS) that is the heart of the Chinese Cybersecurity Policy. MLPS divides IT security to 3 levels of criteria: Levels 1 and 2 apply to private users and small companies; Level 3 applies to businesses in strategically important sectors, i.e. finance, infrastructure etc.; and Level 4 applies to public authorities. Level 3 criteria imposes that: (1) The product was developed by Chinese citizens, legal entities or companies with state participation; (2) China owns the intellectual property for key components of the technology; (3) Persons involved in the production process have no criminal record at all; (4) No back doors or Trojan horses have been built into the products; (5) the products pose no risk to national security, public order or public interests; (6) The software is certified for requirements of national security.[vii] As a result of the regulation, the Chinese government already placed a ban on Windows 8 and Microsoft's antiviruses from being installed on any public sector computer as their potential weak spots and ability to permit virtually unlimited access to computers and servers systems.
[viii] Though the regulation seems to be legitimate, it still raises an important question: Are there other, less harmful measures to achieve these goals? One example could be taken from the U.S., which also limits imports of Chinese software for security reasons. As early as 2013, President Obama signed an act into the law that prohibits acquisition of Chinese technology by American federal authorities: Section 516 of the Consolidated and Further Continuing Appropriations Act of 2013, prohibits the U.S. Department of Commerce and Justice, NASA and the National Science Foundation, from purchasing IT systems which “produced, manufactured or assembled” by entities “owned, directed, or subsidized by the People's Republic of China” unless the head of the purchasing agency consults with the FBI and a determination is made that the purchase is “in the national interest of the United States.” These agencies must now make a formal assessment of “cyber-espionage or sabotage” risk for every IT system purchase. [ix] In opposition to Chinese regulation, the U.S. regulation is less intrusive, specific and seemingly fulfills the purposes of the Chinese cyber security policy. In light of the case revealed in May 2014, which the American Justice Department prosecuted five alleged Chinese IT spies, who spied after, inter alia, business plans at a solar energy company and steel installed malwares, it is going to be difficult for China to argue that its regulations are proportionate - after all, why steal if you can require the exposure of secrets? [x]
[i] Paul Bischoff ,Which Chinese Tech Companies Benefit from Cyber Security Row with US?, TECHINASIA (May 30, 2014), https://www.techinasia.com/chinese-tech-companies-benefit-cyber-security-row; Paul Bischoff , After Cybersecurity Spat with US, China Issues New ‘Security Review’ System that could Block Foreign IT Companies, TECHINASIA (May 27, 2014), https://www.techinasia.com/cybersecurity-spat-china-issues-security-review-system-block-foreign-companies.
[ii] CNN Money, The cost of doing business in China: Spying, CNN (Jan. 29, 2015), http://money.cnn.com/2015/01/29/technology/security/china-businessspying/index.html?section=money_news_international.
[iii] Kevin Rawlinson, US Tech Firms Ask China to Postpone "Intrusive" rules, BBC (Jan. 29, 2015) http://www.bbc.com/news/technology-31039227; Tara Seals, China to Require US tech Companies to Submit Source Code for Inspection, Info Security (Jan. 29, 2015), http://www.infosecurity-magazine.com/news/china-tech-companies-source-code/?utm_source=twitterfeed&utm_medium=linkedin; Tech vendors hit back at new Chinese trade rules, IT News (Jan. 30, 2015), http://www.itnews.com.au/News/399844,tech-vendors-hit-back-at-new-chinese-trade-rules.aspx?utm_source=feed&utm_medium=rss&utm_campaign=iTnews).
[iv] Hauke Johannes Gierow, Cyber Security in China: New Political Leadership Focuses on Boosting National Security 2 http://www.merics.org/fileadmin/templates/download/china-monitor/China_Monitor_No_20_eng.pdf.
[v] China Said to Study IBM Servers for Bank Security Risks, Bloomberg (May 28, 2014), http://www.bloomberg.com/news/articles/2014-05-27/china-said-to-push-banks-to-remove-ibm-servers-in-spy-dispute.
[vi] Bill Snyder, Snowden: The NSA Planted Backdoors in Cisco Products, InfoWorld (May 15, 2014), http://www.infoworld.com/article/2608141/internet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html; Steve Johnsin, Cisco Systems gear reportedly bugged by NSA, Siliconbeat (May 15, 2014), http://www.siliconbeat.com/2014/05/15/cisco-systems-gear-reportedly-bugged-by-nsa.
[vii] Gierow, supra note iv.
[viii] Id. at 6; Kevin Rawlinson, US Tech Firms ask China to Postpone "intrusive" Rules, BBC (Jan. 29, 2015), http://www.bbc.com/news/technology-31039227; Liang Chen, China's network security censorship will be introduced: foreign IT companies affected (中国网络安全审查制度将出台：波及外资IT企业), QQ Tech (May 27, 2014), http://tech.qq.com/a/20140527/007124.htm.
[ix] Spending Bill's China Cybersecurity Provision Is Unclear, Law360 (Apr. 12, 2013), http://www.law360.com/articles/432500/spending-bill-s-china-cybersecurity-provision-is-unclear; Nova J. Daly & Nancy J. Victory, Recent Legislation Could Ban Federal IT Purchases of Certain Chinese Equipment, Wiley Rein LLP (Mar. 27, 2014), http://www.wileyrein.com/publications.cfm?sp=articles&id=8745.
[x] Jose Paglirey, What were China's Hacker Spies After?, CNN Money (May 19, 2014), http://money.cnn.com/2014/05/19/technology/security/china-hackers/?iid=; Gierow, supra note iv.