This week, the Chinese government circulated new cybersecurity regulations for companies in the banking sector, with these regulations expected to be expanded to other key sectors in the near future.
These new regulations, introduced by the Central Leading Group for Cyberspace Affairs – which is chaired by President Xi Jinping – mandate that foreign technology companies that supply software to Chinese banks turn over source code (including encryption), submit to audits, and build “back doors” into hardware and software. A “back door” is a method of bypassing normal authentication to secure access to a computer or its software.
Specifically, the regulations include a chart noting that 75 percent of technology products used by Chinese institutions must be classified as “secure and controllable” by 2019. However, what “secure and controllable” actually means is open to interpretation. Furthermore, source code for most computing and networking equipment must be turned over to Chinese officials. This has caused concern among foreign companies, which would most likely be unwilling to disclose source code because of concerns over intellectual property, security and United States export control laws.
The regulations also call for companies that want to sell to banks to set up research and development centers in China, obtain permits for workers that service technology equipment and build “ports” to allow Chinese officials to manage and monitor data processed by their hardware.
As expected, there has already been a public response from foreign companies and organizations. A group headed by the US Chamber of Commerce, the American Chamber of Commerce in China, the Information Technology Industry Council and the Telecommunications Industry Association, together with fourteen other business associations, issued a joint letter to President Xi Jinping and the Central Leading Group for Cyberspace Affairs. The letter argued that the technological innovation necessary to protect against bad actors could only be achieved “through commitment to an open market and global trade” – things that these regulations do not exactly help to create, given their seemingly protectionist agenda.
This is not the first time that the Chinese government has promoted these types of policies. China has in recent years been known for its cybersecurity policies, which include the infamous “Great Firewall” internet filter policy that regulates the Chinese internet and has essentially created a world with two internets: a Chinese one and a global one. Furthermore, in 2007 the PRC Ministry of Public Security introduced the “Multi-Level Protection Scheme” to prohibit non-Chinese companies from supplying core products used by the government and by companies in the banking, transportation, and key critical infrastructure industries; and in 2010, the PRC government introduced the “Compulsory Certification for Information Security Scheme”, which required foreign companies to reveal intellectual property for security products to be sold to the Chinese government.