Foreign companies selling equipment to Chinese banks will also be required to disclose source code and submit to audits
The Chinese government has issued new regulations which require all companies that sell computer equipment to Chinese banks to turn over secret source code, submit to security audits and build back doors into hardware and software, according to the New York Times.
The new rules, which the NYT said were approved at the end of last year, are laid out in a 22-page document. China says these rules are necessary to strengthen cyber security in critical Chinese industries.
However, the new regulations have raised fears among foreign companies, especially US companies, that China is framing such rules to force them out of one of the largest and fastest-growing markets.
Business groups, including the U.S. Chamber of Commerce, called for “urgent discussion and dialogue” about what they said was a “growing trend” toward policies that cite cybersecurity in requiring companies to use only technology products and services that are developed and controlled by Chinese companies, according to the NYT.
The companies' fears are legitimate: the rules would have them hand over the source code of various hardware and software products to the Chinese government.
Another fear is that the Chinese government would turn this source code over to the cyber warfare unit of the PLA, which would then find and exploit zero-days and other vulnerabilities to spy on citizens, especially Americans.
While China is growing more and more assertive about cyber security, it has also demanded that foreign tech firms make much of their core technology data accessible to the Chinese Government for conducting ‘investigations’.
A Chinese official told reporters that Beijing wants 75 percent of the technology used in the nation’s financial institutions to be “secure and controllable” by 2019.
Russia already embarked on a tech-censorship kind of plan from 1st Jan 2015. With China also choosing to follow in Russia’s footsteps, American businesses are in for some rough weather ahead. The problem is twofold. If the tech companies do hand over the source code to the Chinese, there is no guarantee that it will not be leaked to some Chinese manufacturer who would come out with a cheaper version of the same device. The other problem is the zero-days, vulnerabilities and flaws which could be exploited by the Chinese military to spy.
BBC News reports that the U.S. Chamber of Commerce and other groups have responded with a letter calling the rules intrusive and stating, “An overly broad, opaque, discriminatory approach to cyber security policy that restricts global Internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cyber security, thereby harming China’s economic growth and development and restricting customer choice.”
Tim Erlin, director of IT security and risk strategy at Tripwire, told eSecurity Planet by email that this latest move is just one part of a complex, far-reaching issue tied to economics, encryption and assurance. “While the likes of Microsoft and Google aren’t willing to simply cede the Chinese market, there can be little doubt that a path that involves sharing source code ends with piracy and ultimately enhances China’s ability to copy what they currently buy,” he said.