Tough new Chinese cybersecurity rules are providing a rare, behind-the-scenes look at a regulatory skirmish between US technology companies and Beijing.
China is moving to require software companies, network-equipment makers and other technology suppliers to disclose their proprietary source code, the core intellectual property running their software, to prove their products can’t be compromised by hackers.
Tech companies are loath to offer up their source code, saying this will heighten the risk of their code falling into the hands of rivals or malefactors — and may not guarantee it is hack-proof. Microsoft Corp., Intel Corp. and International Business Machines Corp. are among those filing objections. “Sharing source code in itself can’t prove the capability to be secure and controllable,” Microsoft wrote in comments released by a government cybersecurity committee in November. “It only proves there is source code.”
Intel said a rule forcing chip makers to disclose the details of their products “would hurt technological innovation and decrease the security level of products.” The comments were made in a discussion log made public by Technical Committee 260, the national cybersecurity standards maker, as it released technical parameters of its omnibus cybersecurity law adopted Nov. 7. The committee is rolling out standards for operating systems, microprocessors, office software and other products to comply with the regulations when they go into force in June 2017.
Chinese authorities have said these measures are necessary to guard against foreign espionage tools being embedded in software used in China. They frequently cite claims by former US National Security Agency contractor Edward Snowden that such back doors were routinely built into US technology products sold overseas. Microsoft, Intel and IBM were the largest US firms to respond to the draft regulations, joining dozens of Chinese companies, government agencies and security experts.
The three US tech giants declined to comment beyond their written statements. All three have multiple China ventures with local partners and are typically reluctant to publicly challenge Chinese policy. As such, their written comments, made in Chinese, offer a rare glimpse into how they parry over regulations with Beijing authorities.
Among other things, tech companies are bristling at the level of detail they would be forced to disclose to have their proprietary technologies rated “secure and controllable.” Microsoft wrote that it believed allowing visitors to view code at its new “Transparency Center” in Beijing should suffice, rather than having to “share source code.” Technical Committee 260 staffers disagreed, maintaining the original wording and marking the comment “not accepted.”
Microsoft and Intel also raised questions over one security standard that gives a higher ranking to products whose development and delivery can’t be disrupted by “politics,” with Intel requesting clarification. That complaint was marked “partially accepted,” although political consideration is still in the most recent draft. IBM said that distinctions should be made between computing services for commercial use and services for government applications.
“Computing rooms used purely for commercial cloud computing purposes shouldn’t have to be located within China’s borders,” wrote IBM. In a written response, Technical Committee 260 staffers said that many sectors touch upon social stability and the public interest. “It’s not only a pure commercial question.”
Jeremie Waterman, senior director for Greater China at the US Chamber of Commerce in Washington, said there is “deep concern about the IP disclosure requirements.” But it isn’t clear what recourse US tech companies might have. Despite any objections, US firms are unlikely to leave China over the cybersecurity requirements because of the importance of the mammoth Chinese market, said James Gong, a senior associate at law firm Herbert Smith Freehills LLP who works with western clients in navigating Chinese law.
“I don’t think they will pull out,” said Mr. Gong. “I haven’t heard of any company that has decided to leave.” China has long had cybersecurity standards that weren’t vigorously enforced — but that is likely to change when the nationwide cybersecurity law goes into effect next summer, he said.
Beijing maintains that its security rules apply to domestic and foreign companies equally. When China passed the cybersecurity law last month, a spokesman for the internet regulator said foreigners who thought the law would favor domestic firms had a “misunderstanding, a biased view.” But in Technical Committee 260’s discussions, certain government officials argued for the standards to be drafted to favor domestic companies.
“The big trend is called shifting to domestic production,” wrote Guo Qiquan, chief engineer at the China Ministry of Public Security’s Network Security Bureau, in a suggestion that the committee marked “approved.” “But it can’t be written that way, so one calls it independent and controllable.”