China encryption rule little impact on foreign firms

A new policy in China that requires technology vendors to hand over encryption keys to be certified for government procurement projects, is unlikely to have a major impact on foreign players even if they choose not to comply, according to an analyst.

Liu Jingwei, associate research manager for China at Springboard Research, told ZDNet Asia in an e-mail interview that since the regulations apply only to government procurement, "business[es] of foreign IT vendors in China will not be significantly affected".

"Although foreign information security vendors take a lead in China as a whole, public sector procurement has long preferred local products, especially in hardware," he explained.

However, Liu advised foreign vendors to keep a close watch on developments. "If similar requirements apply to other sectors [such as] notable deep-pocket, large state-owned enterprises, it might impact foreign vendors to a much larger extent," he warned.

Delayed for a year
First announced in 2008, the ruling was intended to tie information security products to the China Compulsory Certification, which has been enforced on products such as electronic appliances, PCs and printers since 2003. Thirteen types of information security products, including firewalls, network routers, antispam, and backup and recovery, are covered under the policy.

The requirement was to have gone into effect on May 1, 2009, for all types of sales, but resistance from foreign vendors saw a postponement to May 1, 2010, and a narrowing of the scope to government procurement, the Springboard analyst said.

Citing the official Web site of the China Information Security Certification Center, Liu added that 67 security products from 22 companies have since been certified between August 2009 and April 2010. All these companies, he noted, are local vendors with the exception of H3C. H3C is considered a local vendor with historic ties to Huawei and the Chinese government, but is in reality a wholly-owned subsidiary of Hewlett-Packard following HP's acquisition of 3Com.

Motivation
This is, in fact, not the first time China is demanding for access to encryption codes. Back in 2000, the Chinese government also proposed holding keys to encryption codes used by foreign companies, but subsequently backed down, according to an AFP article.

Liu attributed the revoking of the decision, a decade later, to two reasons. "First, as a major economic power, China has increasingly realized that it has to keep tight control of national information security, rather than rely on 'uncertified' foreign products which may impose security loopholes."

A second and perhaps more important reason, he added, is that the country has "introduced a series of measures in government procurement to promote locally-developed innovations" since the global economic crisis. The new regulations are consistent with the government's previous actions to foster local innovation, said Liu.

A China-based observer whom ZDNet Asia contacted also concurred with Liu's observations. Jeremy Goldkorn, founder and editor-in-chief of Danwei, said in an e-mail that the move could be construed as "protectionist", falling under the government's pursuit of "indigenous innovation".

To that end, there has been a raft of measures to increase government and private sector purchases of Chinese products and intellectual property, he noted.

The Chinese government, Goldkorn added, could also be using the policy to ensure that equipment from foreign vendors do not contain any kind of malware that can be used to snoop on government agencies in the country.

Still, there are concerns over how exactly how the Chinese government will push the policy through, said Springboard's Liu.

"It is mandated that security products have to be compliant with corresponding China technical standards such as GB/T and CNCA/CTS, which put foreign vendors in disadvantaged positions," he noted. "A certain degree of information disclosure--including source code--will be inevitable to comply with local standards, especially for smart card COS (chip operating system) products.

"[The Chinese] government should make the information disclosure requirements clearer for each product and alleviate [the] worries of foreign vendors."

Several IT companies ZDNet Asia contacted, including Cisco Systems, Kaspersky and Symantec, declined to comment on the rule. The U.S. Information Technology Industry Council, which is said to be looking into the issue, did not respond to requests for comments.