Google was the first, but it probably will not be the last.
New rules went into effect in China on May 1 that require foreign vendors of information technology devices to disclose proprietary information if they want to sell their products to the Chinese government.
Now Cisco, Symantec, and Microsoft will need to make the same difficult choice as Google did — to continue participating in and benefiting from the miraculous economic growth of the Chinese economy, or to protect their intellectual property from theft and their customers from cyber espionage by hackers based in China.
Under the regulations, vendors of secure network routers, smart cards, anti-spam software, firewall software and other products involved in protecting digital data must meet new technology standards before being certified for sale to government agencies. However, the certification testing will be performed by government-connected testing laboratories, and as part of the testing, the vendors must disclose encryption algorithms, software source code, and design specifications that, for many of the products, are regarded as sensitive trade secrets.
The Chinese government argues that the certification and testing process is necessary in order to protect the Chinese government from viruses and hackers. Officials have also previously justified the new rules on the grounds that they would assist the fledgling Chinese digital security industry. According to one Chinese official, foreign firms currently control 70% of that market in China. Chinese officials have also argued that other nations have similar disclosure and certification programs for digital security products.
But the companies and their home governments argue that disclosure of their proprietary algorithms and source code to the Chinese government, which is also trying to promote its domestic digital security industry, amounts to an unfair trade policy. A further concern (although not officially acknowledged) appears to be that possession of such information would permit Chinese government-connected hackers to gain a “pass key” to the networks of political dissidents and economic competitors. And the knowledge that the Chinese government has such a pass key would dampen purchases by other foreign governments.
The dilemma now faced by foreign digital security vendors echoes that faced by Google, which was forced to choose between access to a market of 380 million computer users, or exposing both its intellectual property and its users to cyber espionage. Google’s decision to move its offices from Beijing to Hong Kong also not coincidentally removed direct competition for Google’s domestic Chinese search engine competitor, Baidu.
The Chinese government has significantly scaled back the certification program since it was first announced. According to an article that ran in the Japanese newspaper Yomiuri Shimbun in September, 2008, the original certification program would have required disclosure of proprietary code even for consumer goods such as flat-panel televisions, and for sales to the Chinese retail market as well as to the government. Those rules were set to go into effect in May, 2009, but after vigorous protests from foreign governments, the effective date was postponed for one year, and the scope was narrowed to only goods procured by the Chinese government.
Similarly, the Chinese government has recently deleted the most controversial provisions of another program that would have required the Chinese government to give preference to Chinese companies for purchases of all information technology products.