China plans to unveil new cybersecurity rules that require tech companies to hand over source code and build back doors in hardware and software for government regulators. The rules only apply to companies selling computer products to Chinese banks, but they have already sparked anxiety on the part of Western tech companies about being trapped between either giving up intellectual property or not doing business in China.
The new rules—part of cybersecurity policies intended to protect China’s critical industries—first appeared in a 22-page document at the end of 2014, according to a New York Times report. Such rules have not been officially announced yet. But the U.S. Chamber of Commerce joined a number of other foreign business groups in sending a letter to the Central Leading Group for Cyberspace Affairs, chaired by President Xi Jinping, that called for “urgent discussions” about the policies. Tech giants such as Microsoft, Cisco, and Qualcomm have also independently voiced their concerns.
Under the bank rules, tech companies would have to hand over source code, set up research and development centers in China, and build hardware and software back doors that would permit Chinese officials to monitor data within their computer systems.
The New York Times also detailed a separate Chinese antiterrorism law being drafted that would require companies to store all data about Chinese users on servers physically located in China. The law would also ask companies to hand over encryption keys and enable Chinese officials to check content for terrorism-related activities.
China’s new policies come in the wake of revelations from former U.S. National Security Agency contractor Edward Snowden about the NSA’s efforts to infiltrate Chinese tech giant Huawei. Documents leaked by Snowden include an NSA list of programs designed to install back doors in Huawei’s software and hardware that the U.S. spy agency could exploit for intelligence-gathering purposes.
Snowden’s revelations eventually prompted China to set up its Central Leading Group for Cyberspace Affairs. Chinese officials have also set the goal of reducing their reliance upon foreign tech firms and boosting the presence of domestic tech firms.
U.S. tech companies fear that China’s new rules would force them to give up intellectual property to Chinese state-supported companies and possibly compromise the security of their own computer systems and products. Companies also fear that if they don’t comply with the rules and if the Chinese government expands such rules beyond the banking sector, they could potentially be shut out of the Chinese market.
The letter to Xi puts their worries in the context of the Chinese market:
An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global internet and ICT [information and communications technology] products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China's economic growth and development and restricting customer choice.
The history of the United States-China cyber detente also makes it difficult for U.S. companies to trust Chinese officials with their intellectual property and access to their computer systems. The United States has long accused China’s government and military of corporate espionage against U.S. companies and government agencies. Last year, the U.S. Department of Justice charged five Chinese military hackers with stealing a variety of trade secrets from U.S. businesses.
Jeremy Hsu has been working as a science and technology journalist in New York City since 2008. He has written on subjects as diverse as supercomputing and wearable electronics for IEEE Spectrum. When he’s not trying to wrap his head around the latest quantum computing news for Spectrum, he also contributes to a variety of publications such as Scientific American, Discover, Popular Science, and others. He is a graduate of New York University’s Science, Health & Environmental Reporting Program.