China has laid down some new rules that require foreign tech companies selling technology to banks to hand over proprietary source code and adhere to the nation’s encryption algorithms. U.S. business lobbies are calling for "urgent discussions" on the new regulations.
In a letter to China’s Central Leading Small Group for Cyberspace Affairs, dated January 28, the U.S. Chamber of Commerce warned that harm would result from an “overly broad, opaque, discriminatory approach to cybersecurity policy,” according to a Reuters report.
"The domestic purchasing and related requirements proposed recently for China's banking sector . . . would unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain," according to the letter, which was also signed by 17 other U.S. business groups. The groups also urged Beijing to postpone the implementation of the new rules.
We caught up with Tim Erlin, director of IT security and risk strategy at advanced threat protection firm Tripwire, to get his thoughts on the matter. He told us this is just one piece of a complex, far-reaching issue with economics, encryption and assurance.
“While the likes of Microsoft and Google aren't willing to simply cede the Chinese market, there can be little doubt that a path that involves sharing source code ends with piracy and ultimately enhances China's ability to copy what they currently buy,” Erlin said. “On the surface, China is seeking assurance that the products they are purchasing from foreign companies are not already compromised, and the [Edward] Snowden (NSA whistleblower) revelations give them good reason to be suspicious.”
As Erlin sees it, China would obviously prefer not to rely on these vendors at all, but they don't have the same capabilities domestically. At the same time, China, as a major market, has leverage with major vendors to push for things like source code audits, he said.
“Market issues aside, there are national security implications to China having open access to source code for software used by other governments, including the U.S. China's offensive cyber capabilities would be greatly enhanced with the 'inside knowledge' afforded by such access,” Erlin said. “It's unlikely that the U.S. would stand idly by while China developed an arsenal of zero days behind the guise of source code audits.”
Backdoors Subvert Security
Ken Westin, a security analyst at Tripwire, told us the issue is odd. Considering most of the devices are already manufactured in China, he said it would seem China would know more about American technology than our own government in some respects.
“As governments push for more access and backdoors into technology companies, it’s the consumer who suffers, just as both privacy and security suffer,” Westin said. “The fact that governments are requesting such access is a sign that technology firms are doing a better job of securing customer data, so much so that governments feel they are doing too good of a job and are attempting to insert themselves either through law or technology in the middle to intercept communications as necessary.”
The problem is that this is all happening in public and the bad guys are fully aware of where their communications can be intercepted and have already moved to more clandestine technologies and forms of communication, Westin said. “The end result of all of this is that legitimate uses of encryption, and other security protections, suffer and the backdoors only work to subvert security, making everyone less safe,” he added.
Posted: 2015-02-01 @ 8:54pm PT
Western hypocrisy in full force. It's Western companies who want to do business in China, and if they don't like the rules, just get out. China doesn't miss them.
Posted: 2015-01-30 @ 5:40am PT
We cannot give all we have to China. Stop manufacturing the products there. Enough is enough.