China syndromeNew Chinese cyber rules aim to facilitate intellectual property theft: U.S. tech companies

Chinese cyber officials are asking some U.S. technology firms operating in China to turn over sensitive intellectual property — including source codes — submit their products for “intrusive security testing,” and use Chinese encryption algorithms, according to a 28 January letter from eighteen U.S. business groups to China’s Central Leading Small Group for Cyberspace Affairs, which is led by President Xi Jinping.

U.S. business groups, including the U.S. Chamber of Commerce, the American Chamber of Commerce in China, the Information Technology Industry Council, and the Telecommunications Industry Association said the Chinese plan would also restrict cross-border flows of commercial data.

The New York Times reported last week that the Chinese cyberspace policy group, in late 2014, approved a 22-page document which contained strict procurement rules for technology vendors. Those rules would require firms planning to sell computer equipment to Chinese banks to set up research and development centers in China, get permits for workers servicing technology equipment, and build “ports” which allow Chinese officials to manage and monitor data processed by their hardware.

Industry analysts say revelations by former NSA contractor Edward Snowden have fueled Chinese suspicion of U.S. firms operating in China. “The Snowden snowball keeps getting bigger,” said Duncan Clark, chairman of investment advisory firm BDA China. After news of NSA foreign surveillance operations became public, Chinese state media issued warnings claiming U.S. tech companies have infiltrated China on behalf of the U.S. government. Since then, many U.S. technology firms have had trouble operating in China. Microsoft and Qualcomm have been subjected to antitrust investigations, most of Google’s products have been blocked in China, and state media China Central Television has called the location-tracking function on Apple’s iPhone, a “national security concern.”

U.S. officials and private cybersecurity firms have offered detailed evidence which shows that  Chinese hackers who work in a special unit of the People’s Liberation Army (PLA) have stolen  data from U.S. companies. The U.S. government has blocked efforts of Chinese telecom equipment makers Huawei Technologies Co. and ZTE Corp. to expand their operations in the United States, citing national security concerns. In 2014, the Justice Department indicted five Chinese military officers on charges of hacking U.S. companies to steal trade data.

A U.S.-China working group on cyber issues was dissolved following the Snowden revelations.

U.S. business groups worry that the rules proposed for the Chinese banking sector would expand to other sectors. “An overly broad, opaque, discriminatory approach to cybersecurity policy” would isolate Chinese companies and harm the country’s economic growth, the letter read.

While the proposed rules could limit the Chinese operations of U.S. makers of IT equipment and custom software, analysts warn that Chinese banks would find it difficult to replace U.S. technology. The Wall Street Journal notes that the core functions of China’s banking sector rely on foreign-made servers and other equipment. “Even though we have the will to replace the foreign brands with domestic ones, we just can’t find any homemade ones that could be as reliable and secure as the foreign brands,” said a Chinese banking executive.

Since 2014, Chinese banks have been working to upgrade their banking cards with smart cards to enhance security, but the industry relies on chips made by foreign technology. “The domestic purchasing and related requirements proposed recently for China’s banking sector … would unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain,” according to the 28 January letter.