China sets up new battle over computer security
China has ordered its banks and other major companies to limit use of foreign computer security technology, setting up a possible trade clash with the United States and Europe while adding to strains over high-tech secrecy as some nations threaten to curtail BlackBerry service.
Beijing’s restrictions cite security concerns but are also consistent with its efforts to build up Chinese technology industries by shielding them from competition and pressing global rivals to hand over know-how.
The United States and the European Union have raised questions in the World Trade Organization about the rules. An American industry group is criticizing them as an attempt to shut competitors out of a promising market. Authorities are inspecting companies to enforce the restrictions and some have been told to replace foreign technology.
“These are legitimate security concerns, but the Chinese are going way too far,” said Steven Kho, a trade lawyer for law firm Akin Gump in Washington. “You cannot say from the outset, ‘All foreign products are a security risk.’”
Washington and Europe, which hope technology sales to China will help drive their economic recovery, want Beijing to scale back plans to enforce the rules on a wide range of industries including oil and gas, banking, utilities and telecommunications.
The rules, dubbed the Multi-Level Protection Scheme, or MLPS, come as Beijing tries to protect its fledgling technology companies by favoring them in procurement, promoting Chinese standards for mobile phones and prodding foreign competitors to disclose encryption technology.
The restrictions add to pressure on foreign companies that accuse Beijing of squeezing them out of key industries in violation of its free-trade pledges.
They cover products such as network firewalls and digital identity systems — a market dominated by Western companies such as Cisco Systems Inc. and Juniper Networks Inc. and Taiwan’s Trend Micro Inc.
Beijing announced plans for the curbs in 2007 and authorities and government-licensed private inspectors began visiting companies last year to enforce them.
A manager of an inspection company said 10 to 20 percent of enterprises that its technicians looked at in higher security tiers used technology from Cisco and other foreign providers. He said they were told to switch to or add Chinese-made firewalls or other technology.
“We asked clients to make changes and warned them they would fail to pass the inspection if they don’t,” said the manager at Guangdong Southern Information Security Industrial Base Co. He would give only his surname, Chen.
Chen said entities inspected by his company included financial institutions and other state-owned companies. He declined to say which companies had to make changes or how extensive changes from foreign to Chinese technology were.
Use of foreign security technology already was declining due to a 2008 government directive that was not publicly released, according to a manager at another inspection company, Guangzhou Zhongbang Information Engineering Co. He would give only his surname, Ma.
“The government had unpublished policies that the information security products for classified information systems needed to be domestically made or purchasing priority should be given to domestically made products,” Ma said.
The effect on sales so far is unclear. A Cisco spokesman in Beijing declined to comment and spokespeople for Juniper Networks and Trend Micro did not respond to questions.
“If China’s MLPS is fully implemented and applied broadly to commercial sector networks and IT infrastructure, it could have a significant impact on sales by U.S. information security technology providers,” said an American Embassy spokesman, Richard Buangan, in a written response to questions.
The EU wants Beijing to apply the curbs only to companies involved in national security, said the EU mission in Beijing in a statement.
China has tried for a decade to control encryption and security technology even as it promotes Internet commerce and other industries that rely on it. Beijing is ahead of India, the United Arab Emirates and Saudi Arabia, which are starting to grapple with the technology and say they may shut down BlackBerry’s corporate e-mail.
China’s security technology market is worth about $250 million this year, rising to $340 million by 2014, according to research firm IDC. Sales also can lead to other future business as customers buy maintenance and support.
The rules say Chinese companies’ computer systems will be classified into five tiers of increasing sensitivity. Security technology for the top three tiers must be supplied by a company owned by Chinese citizens.
“The program appears to be aimed in part at putting a large part of the Chinese economy out of competition from foreign providers,” said an American business group, the Information Technology Industry Council, in a report to the U.S. International Trade Commission in June.
Chinese-made technology cannot satisfy the demands of the top security tiers, according to a report by researchers Dieter Ernst and Sheri Martin of the East West Center in Hawaii.
That means those needs might have to be met by foreign products, but suppliers might be required to sell them through local partners and hand over technology, nurturing the growth of Chinese competitors.
BlackBerry’s Canadian maker, Research in Motion Ltd., is under pressure from India, the United Arab Emirates and Saudi Arabia to make concessions that almost certainly would provide access to encrypted messages. They are threatening to shut down its corporate e-mail service if it fails to comply.
In China, RIM has refused to say whether it made security compromises to win approval for local BlackBerry service that began in 2006 and is provided through state-owned China Mobile Ltd. and China Telecom Ltd.
RIM has said it tries to cooperate with countries’ legal and national security needs and has “a consistent global standard for lawful access requirements that does not include special deals for specific countries.”
In a separate dispute, the United States and EU are pressing Beijing to scale back a plan unveiled last year to favor Chinese suppliers in its multibillion-dollar annual purchases of computers and other technology.
The tactic is part of a decade-old “indigenous innovation” campaign to reduce reliance on low-skill manufacturing by building up technology industries.
Under yet another initiative, companies that want to sell encryption and other security technology to the government have been required since May to reveal how it works. Beijing wanted to apply that requirement to all sales in China but backed down after U.S. and European objections.
“The Chinese are ahead of the curve on this,” Kho said, “but this is using a hammer when you don’t need to.”