By Kevin Coleman
Defense Tech Cyber War Correspondent
Back in 2008, China first announced a certification process that included a set of computer security rules covering a broad swath of security products, which it claimed were needed for national security reasons. The rules require security product vendors to provide China’s Certification and Accreditation Administration and the General Administration of Quality Supervision, Inspection and Quarantine with complete details of the inner workings of computer products in 13 different broad categories.
These rules cover the following categories:
1. Firewalls (hardware and software), excluding personal firewalls
2. Network security separation cards and line selectors
3. Security isolation and information exchange products
4. Secure network routers
5. Chip operating systems (COS)
6. Data backup and recovery products
7. Secure operating systems
8. Secure database systems
9. Anti-spam products
10. Intrusion detection systems
11. Network vulnerability scanning products
12. Security auditing products
13. Web site recovery products
These rules were originally due to go into effect in 2009, but were delayed until May 1, 2010 after complaints were made by U.S. and European Union officials.
Chinese officials will demand detailed disclosure of just how these products work. Handing over detailed and potentially proprietary data would not only put the intellectual property and competitiveness of every security company at risk, but could also be used to create countermeasures that defeat the protection these products provide.
The detailed inner workings of these critical components that are commonly used to protect our critical infrastructure, military systems, government systems and business infrastructures could also be used to assist in the planning and design of future cyber attacks.
The clock ticked, midnight came and went, the deadline passed. I reached out to contacts in China and received the following response. “The regs went into effect but the certification process is limited to companies that sell domestically to the government in China, and there is still uncertainty about what exactly must be revealed during the certification process,” said James M. Zimmerman (Squire Sanders & Dempsey L.L.P. in Beijing).
China has repeatedly tried to compel foreign companies to hand over details on encryption (including keys) and other security technologies, and this time it looks like these rules have done it. Organizations serious about security need to put in place a policy that requires security product vendors to disclose whether they have provided any details of the inner workings of their products to China.
If they have, evaluate the risks and look for other sources of those products that have not complied with this new set of Chinese rules. One person who asked not to be identified said, “Maybe it is time to reevaluate DoD’s COTS (commercial off the shelf) decision either in totality or just for security products and systems.”
The Pentagon should just give them the satellite encryption codes, while we're at it.
Seriously, though, this is part of why China doesn't scare me as a business entity in the long run. The CPC runs directly at odds with international corporate sovereignty. An admittedly made up term, yes, but you get the point. The market isn't always worth the risk to control over your product – particularly when the Chinese have a storied history of IP infringement on a national scale.
Doesn't matter, most corp CEOs are too focused on short term profits to be worried about long term competition. I'm sure they will sell themselves down the river for that quick golden parachute, and they will be long gone by the time the Chinese have figured it out and sell their own tech back to them at lower prices.
I would argue that very few corporations get to pole position by being short-sighted. Some companies will certainly get shafted in the process, but I think it's folly to assume that global business won't wise up and stop playing ball.
I cite Google as an example of this already happening. Granted, the circumstances are not as clear as simple industrial espionage, but the principle is essentially the same; a company willing to lose the Chinese market to maintain control of a product or service.
sounds like tossing the baby out with the bathwater to me…
China certainly needs to re-think their approach to how it controls their international image. It's remarkably short-sighted for any country to just demand that a private enterprise hand over the fruits of its research and development. This sort of mentality may work when dealing with their own population, but the rest of the world is running out of diplomatic ways to tell these ham-fisted idiots what to do with themselves.
Tell That to "Obama"
Are the geese having second thoughts about laying all those eggs in China?
I agree with the above comments, companies putting up with China's IP infringement, (case in point the Russia's dealings with China in the Fighter market), but our 'current' administration will roll over, wag their tail, and play dead just to appease the people who bankroll Obama's spending habits.
Don't give them the code. Personally I don't trust China. It's for security. They were good in hacking and copying secret military-government files.
Ok, I missed it. How did Obama get dragged into this???
As far as I can tell this is just another way for China to hand over tools to facilitate espionage and sabotage actions aimed against the US. I can see the US Gov watching those that comply with China, then rooting out all of that software and replacing it with reliable stuff, but what does corporate solvency have to do with Obama??? If the individual company(ies) decide to hand over their proprietary information, let them; it's their future, and I'm sure China already has something comparable (or if they do reverse engineer the code and use it to prevent us from countering their attacks, I'm sure the providing company would have no problem turning over details to thwart China), and if they don't, it's treason and the gov can go in and take everything.
I just hope this information will be publicized (who does and who doesn't comply with China on this) so that I will know which products not to buy.
The short-sightedness of the corporate world due to an insatiable greed will be the mechanism which brings the free world to its knees. My grandfather always said, "Never underestimate the power of the stupidity of a greedy man."
Appeasement never works, but on a limited scale it might. Perhaps these security companies could do a split run on product for the Chinese market, which is to say the products sold to China will not be the same as the product sold outside. I'm pretty sure the software and hardware developers have an idea of what proprietary technology the Chinese understand and can copy and what they don't. Moreover, government and technology companies outside China could insist on technology that must be added to the computers and hardware to be sold outside of China; such an added cost could negatively affect the desirability of manufacturing in China. Rather than a curse this could be an opportunity for repatriating good manufacturing jobs in hi tech. I think this approach should pretty much motivate Beijing to rethink their policy.
We looked at that and the costs are too significant to support two completely different product lines (one for China and one for the NATO countries). They cannot share any circuitry or code.