China has recently approved a broad new cybersecurity law that further establishes state control over information flows and technology equipment. As a result, foreign companies operating in the country are raising concerns.
The law requires tech companies to reveal their proprietary source code to prove their products can't be compromised by hackers. The source code presents the core of the intellectual property running the software.
Understandably, there is some resistance from the tech companies, arguing the measures will increase the risk of their code falling into the wrong hands, be it rivals or criminals. Also, another point is that the whole process may not guarantee it is hack-proof after all.
“Sharing source code in itself can't prove the capability to be secure and controllable,” Microsoft wrote in comments released by a government cybersecurity committee in November. “It only proves there is source code.”
Intel said a rule forcing chip makers to disclose the details of their products “would hurt technological innovation and decrease the security level of products.”
Protection from foreign espionage
The comments come from a discussion log made public by Technical Committee 260, China's cybersecurity standards maker. The committee is unveiling the technical parameters necessary to comply with the regulations when they start in June 2017.
Chinese authorities claim these measures are necessary to protect against the foreign espionage tools embedded in the software. Their point of reference is Edward Snowden, the former U.S. National Security Agency contractor. He claims that such back doors were regularly built into U.S. technology products sold overseas.
Microsoft, Intel, and IBM were the largest U.S. firms to respond to the draft regulations, along with a number of domestic companies, government agencies, and security experts.
All three companies have a wide range of local partnerships and are usually reluctant to publicly challenge Chinese policy. As we reported before, Microsoft acknowledged there was some filtering regarding its Chinese-based Xiaoice chatbot's interaction with users. The reason behind such action seems to be to appease the ultra-strict domestic regulators.
However, the written statement of the three companies, made in Chinese, offers a rare view into how they fight over regulations with Chinese authorities, away from the public eye.
China has a long history of rigid policies regarding sensitive content. The tightly-controlled government system for products and services will only get stronger when the nationwide cybersecurity law goes into effect next summer.
Still, despite the questionable limitations, U.S. firms are unlikely to leave the country over the cybersecurity requirements. The importance of the Chinese market is too great to risk such a move. Hence, given the seriousness of the situation, it will be interesting to see how it unfolds in the coming months.