China Bank Technology Rules: Not the Same Old Thing

The latest hot issue in China/U.S. trade relations is the highly restrictive set of bank technology rules recently announced by PRC banking regulators. As reported in the foreign press, these rules will require Chinese banks to prove that their computer technology and software are “secure and controllable.” The following are the most controversial provisions:

  • The source code for all software shall be provided to government regulators.
  • Encryption will be done in accordance with Chinese encryption standards, meaning the Chinese authorities will be able to decrypt anything protected under those schemes.
  • Providers of both software and hardware must do some portion of their R&D in China.
  • Banks must provide an initial compliance plan by April 1, with full compliance to take place by the end of 2019.

These rules have been greeted with strong opposition from U.S., European and Japanese software and hardware manufacturers. The U.S. Trade Representative has taken up the issue in formal talks with Chinese regulators, and President Obama has indicated that he raised the matter personally in recent talks with Xi Jinping.

It is difficult to understand what these rules are intended to accomplish. Consider the following:

  • How does the Chinese government benefit from getting the source code if the issue is ensuring that no “back door” or other security leak is included in the software? If the Chinese banks purchase compiled software, there is no way to ensure that the compiled software bears any particular relation to the source code. Certainly the Chinese government is not planning to compile software for the benefit of its banks. Thus the only remaining explanation for requiring the turnover of source code is to give the Chinese authorities the opportunity to take the code and provide it to Chinese software companies owned or controlled by the Chinese government. Foreign software developers quite naturally object.
  • Chinese banks are required to interface their technical systems with banks outside China. Those banks operate their complex systems using a standardized suite of software and hardware products. If China drives out the foreign providers of these products, who in China has a product available to replace them? China may have networking hardware and computers that meet the raw technical specifications; however, no Chinese company provides software even remotely close to meeting the compatibility requirements. Moreover, in this area hardware and software are tightly linked. The fact that the hardware exists says almost nothing about whether it will work properly with the required software.

Since this kind of thing has happened many times in the past, many worn-out old China hands like me respond by saying: “this is just the same old thing.” That is, an impossible proposal, designed by officials who do not understand the technology, put forward to extract some sort of trade concession. The proposed rules will not work and are not intended to work. As soon as the trade concession is granted, the rules will quietly die.

Unfortunately, I am not so sure that is the case here, and the issue must be considered more carefully for two reasons. First, regulation of this kind could reach a significant portion of the Chinese economy. Second, the concerns of the Chinese regulators are actually quite reasonable. When rules with a reasonable basis also have the potential for significant impact, the situation must be treated seriously; it is not appropriate to laugh the rules off as the “same old thing.”

Consider first the seriousness of the rules. In discussing these regulations with others here in China, I am being told that this type of regulation is not a significant trade issue because it affects only one business sector and applies only to state-owned enterprises. But this argument fails for several reasons. First, the banking sector plays a major role in the Chinese economy, especially as a buyer of software and hardware. Second, all Chinese banks are owned by the government, so state-owned enterprises constitute the entire sector. Third, and most threatening, if this set of rules is applied in the banking sector, it is almost certain that similar rules will be applied in other SOE-dominated sectors such as insurance, shipping, petroleum and telecommunications. Thus virtually all of the relevant sectors of the Chinese economy would ultimately be restricted in similar ways. Not to mention that a country’s banking system, as much as any other industry, has tentacles that reach into the entire economy.

Consider then the fact that the rules reflect a reasonable concern with security on the part of the Chinese government. For many years, the Chinese government has seen international computer networking in a negative light. Chinese regulators have consistently portrayed these systems as a weapon aimed at the heart of China. The Great Firewall can perhaps protect China from invasion through the Internet, but what about invasion through weapons hidden inside foreign software and hardware?

Until recently, it was possible for Western companies and governments to laugh off these concerns as just a cover story for economic motives. The argument has been that the Chinese authorities are not really concerned about security; they are really just trying to force Chinese entities to purchase (inferior) product from Chinese companies.

However, this dismissive portrayal of the concerns no longer holds water. In the past year it has become clear that U.S. software and hardware companies have cooperated with the U.S. government, the NSA and the FBI to make use of vulnerabilities in software and hardware to obtain otherwise confidential information. The NSA has also been accused of secretly placing surveillance software on SIM cards and other networked devices. Going beyond intentional spying, vulnerabilities in software and hardware that allow banks and other significant businesses to be hacked have become daily news. For these reasons, Chinese regulators’ concerns about the security of foreign software and hardware can no longer be laughed off as paranoia.

So far as I can see, foreign companies have yet to confront the issues directly. Instead, U.S., E.U. and Japanese software/hardware companies are treating this entirely as a trade issue. Trade representatives are now negotiating the matter, with the industry trade associations watching carefully in the background. I am dubious that this sort of approach will succeed.

How to proceed

How should U.S., European and Japanese bank software developers deal with this issue? The basic resolution will come in two steps. First, recognize that this is a software issue and not a trade issue. Second, software developers must face a stark choice. They either capitulate by going local or they stick to their fundamental rules and go home. The middle ground is rapidly being eliminated.

First, consider the software issue. The question of software security has been confused by placing the discussion in the context of NSA/FBI spying and the fear of “back doors” being placed in foreign software. The foreign software developers have treated this as a factual issue: if they can prove that no such back doors exist, the dispute is over.

However, no such proof is possible under the standard model for the sale of software. Software is “licensed” as a compiled binary file, and the license prohibits decompiling it. Under this approach the customer can never know what is in the software package. The package remains a permanent black box.

It is impossible for the foreign software developer to prove that this black box does not contain a back door custom-designed to allow access by some third party. Even the vendor cannot be sure what has been inserted into the software simply by inspecting the binary file. From the Chinese bank’s perspective, the only proof can come when the bank obtains the source code, analyzes it for back-door code, and then compiles a clean version from that source. Proving that a binary the vendor shipped corresponds to that source takes one further step: the build must be reproducible, so that the bank’s own compilation of the inspected source yields byte-for-byte the same artifact.
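The check that the source-code argument above (and the earlier point that a purchased binary cannot be tied to any source) actually requires is a reproducible build: rebuild the audited source and compare the result byte for byte with what the vendor shipped. Anything that varies from one build to the next, such as timestamps or build paths, defeats the comparison even when the source is identical. The following is an added example written for this page, not code from the original post or from any vendor. It uses Python bytecode (.pyc files) as a stand-in for a compiled binary, two constructed toy sources in place of real bank software, and a hypothetical hard-coded bypass for a made-up `svc_maint` account to play the part of the back door.

```python
"""Tie a shipped build artifact back to inspected source with a reproducible build.

Python's hash-based .pyc format (PEP 552) is used as the stand-in for a compiled
binary: in CHECKED_HASH mode the artifact depends only on the source bytes, while
the default TIMESTAMP mode embeds the source file's mtime and so varies between
otherwise identical builds.
"""
import hashlib
import os
import py_compile
import tempfile

# Constructed sample "vendor" source; not real banking software.
CLEAN_SRC = '''\
def authorize(user, amount, limit):
    """Approve a transfer when the caller is within their limit."""
    return amount <= limit
'''

# The same module with a hypothetical hard-coded bypass inserted.
BACKDOORED_SRC = '''\
def authorize(user, amount, limit):
    """Approve a transfer when the caller is within their limit."""
    if user == "svc_maint":  # hypothetical hidden bypass account
        return True
    return amount <= limit
'''


def build(src: str, mode: py_compile.PycInvalidationMode, mtime: int) -> bytes:
    """Compile `src` to a .pyc and return the raw artifact bytes.

    The module is always compiled under the same purported name ("bankapp.py")
    so the filename embedded in the code object does not vary between builds;
    this is the bytecode analogue of normalising build paths in a C toolchain.
    `mtime` is forced onto the source file so the effect of timestamps is visible.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src_path = os.path.join(tmp, "bankapp.py")
        pyc_path = os.path.join(tmp, "bankapp.pyc")
        with open(src_path, "w") as f:
            f.write(src)
        os.utime(src_path, (mtime, mtime))
        py_compile.compile(src_path, cfile=pyc_path, dfile="bankapp.py",
                           doraise=True, invalidation_mode=mode)
        with open(pyc_path, "rb") as f:
            return f.read()


def digest(blob: bytes) -> str:
    """SHA-256 of an artifact, the value a bank would record and compare."""
    return hashlib.sha256(blob).hexdigest()


def verify_artifact(vendor_pyc: bytes, inspected_src: str) -> bool:
    """The buyer's check: rebuild from the audited source deterministically and
    require an exact match with the artifact the vendor shipped."""
    rebuilt = build(inspected_src, py_compile.PycInvalidationMode.CHECKED_HASH, mtime=0)
    return digest(rebuilt) == digest(vendor_pyc)


def demo() -> dict:
    """Exercise the three cases a practitioner cares about."""
    ts = py_compile.PycInvalidationMode.TIMESTAMP
    ch = py_compile.PycInvalidationMode.CHECKED_HASH

    # 1. Timestamp-based builds of identical source differ once the mtime differs,
    #    so a hash mismatch in that mode proves nothing about the source.
    timestamp_build_varies = digest(build(CLEAN_SRC, ts, 1_000)) != digest(build(CLEAN_SRC, ts, 2_000))

    # 2. Hash-based builds are independent of when (or where) the source was written.
    hash_build_reproducible = digest(build(CLEAN_SRC, ch, 1_000)) == digest(build(CLEAN_SRC, ch, 2_000))

    # 3. A vendor artifact built from the inspected source verifies; one built from
    #    source with the bypass does not, even though the vendor used the same mode.
    vendor_clean = build(CLEAN_SRC, ch, mtime=123_456)
    vendor_backdoored = build(BACKDOORED_SRC, ch, mtime=123_456)

    return {
        "timestamp_build_varies": timestamp_build_varies,
        "hash_build_reproducible": hash_build_reproducible,
        "clean_vendor_verifies": verify_artifact(vendor_clean, CLEAN_SRC),
        "backdoored_vendor_verifies": verify_artifact(vendor_backdoored, CLEAN_SRC),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the first case is the one a regulator-supervised compilation would otherwise miss: a build that is not deterministic cannot be compared with anything, so the mismatch tells the auditor nothing. Native toolchains need the same discipline, via SOURCE_DATE_EPOCH, path-prefix mapping and pinned compiler versions, before a hash of a vendor binary can stand as evidence that it came from the inspected source.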

The entire discussion of spying and secret back doors is a distraction from the real issue, which is that foreign bank software has largely proved to be insecure, as shown by the recent flurry of international hacking incidents.

The Chinese authorities are intimately aware of this because they are the ones doing the hacking. What the Chinese banking regulator is saying is very clear: we know foreign networking and banking software is easily hacked. This software is fundamentally insecure. Foreign banks can do what they want. However, for our own banking system we will require that Chinese banks use only networking and banking software that can be confirmed by our own experts to be fully secure. If the software is not secure, and if the vendor is not willing or able to prove to us that it is, then we will not allow our banks and other industries of national security significance to make use of such software and its associated hardware.

The position of the Chinese banking regulators is reasonable. Networking and banking software has proved to be fundamentally flawed, and no software developer has shown that it has the solution. Customers are simply provided with a series of kludgy patches after a major flaw has been discovered, and often only after a major breach has occurred. U.S., European and Japanese customers generally accept this situation. The Chinese government does not, and its view is that if the software developers cannot prove their product is secure within tolerances set by the Chinese banking authorities, they should not be permitted to infect a critical pillar of China’s economy like the banking system.

Thus, as I have said, this dispute is not a trade dispute. This is a fundamental dispute about product quality with abundant support for the fundamental position of the Chinese regulators.

With this in mind, the obvious solution for China would be to move to open source software products such as Apache, Firefox, Linux or OpenOffice, whose source is open to inspection and which have held up remarkably well against hacking and related software failures. OpenPGP encryption (PGP and its derivatives such as GnuPG) is very strong. For both black hat and white hat hacking, the tools found on Kali Linux are state of the art.

Given that the Chinese authorities are asking for source code to be released, an observer might assume that the Chinese government is trying to push the major foreign commercial software developers towards an open source model. However, this is not the case. The Chinese authorities are just as hostile towards open source as are the foreign commercial software developers. The Chinese do not want to foster an open system. The Chinese want the opposite. The Chinese government wants a tightly closed system it and a small core of Chinese SOEs control. For this reason, the open source solution is not what the Chinese are seeking.

So how can foreign software/hardware vendors deal with the situation in China? The position in the past has been to strongly resist capitulating to the China control model. However, the bank technology regulations will likely show that such resistance is futile. Foreign software/hardware vendors are going to be confronted with a stark choice: go local or go home.

The “go home” approach has been taken by Google in the past and more recently by Yahoo. President Obama, in his recent comments on the issue, has suggested that foreign software/hardware vendors will follow Google’s lead and take their ball and leave China’s court. The idea is that Chinese banks will suffer so severely from the lack of viable product that the Chinese will capitulate and back down. However, this plan rests on the fundamental mistake of treating the dispute as a trade dispute rather than a factually based, legitimate dispute over software quality and network security.

I therefore believe that the better solution for the future will likely be for these companies to “go local.” There are two main business models for this. Foreign developers will either license their software/hardware to Chinese entities or they will form Chinese WFOEs (wholly foreign-owned enterprises). In either case, the software/hardware will be provided to Chinese customers (banks at the outset) by Chinese entities. No foreign business entity will be involved in the transaction.

The Chinese entity will be under the control of the Chinese government regulatory authorities. This control will at a minimum involve the following:

  • Software source code will be provided to the customer and to the Chinese regulator for inspection and analysis. Protection of the software will need to be done through standard trade secrecy and licensing agreements rather than through the current black box approach. Compilation will be done in a controlled manner, ensuring that the inspected source code is the sole source for compilation. Suitable back doors for access by the Chinese government regulators will be installed and open access will be maintained.
  • Encryption will not use foreign systems but will instead be developed in cooperation with and under the control of the Chinese regulatory authorities. Such encryption will provide back door access to the Chinese regulators and enforcement agencies (police, military, security agencies).
  • Software and hardware vendors will be held liable for the security of their products. If a breach occurs, the vendor will be required to resolve the problem and will be held liable for the resulting damages. The costs of defective software will not be offloaded onto the customer, and the burden of repair will not be handed to private network security companies.

Provided that the foreign vendors proceed as above, the Chinese regulators will allow them to make a profit from their products. It is simply false that the Chinese are seeking to create a software industry that will displace the foreign software vendors. The Chinese authorities are well aware that China does not have the expertise to accomplish this goal in the short or even middle term. For this reason, Chinese regulators are willing to allow foreign vendors to make a profit from selling and licensing their products in China. The Chinese government is seeking control, not profit.

The business model the Chinese are seeking violates the fundamental business principles that have allowed for the development of the commercial software industry in the U.S., Europe and Japan. Many software and hardware developers see the set of rules that would be violated by this Chinese approach in almost religious terms. It would therefore violate a fundamental moral code to capitulate to the Chinese model.

However, if foreign vendors plan to operate in the Chinese market in the future, they will be required to capitulate. If they do not capitulate, they will be forced to simply go home. This is the choice, and it must be faced. Ducking the issue by sending in the trade negotiators will likely do nothing to resolve it. There is perhaps a creative solution, but it will only be found when the industry faces the real concerns of the Chinese banks and of other industries around the world that are not drinking the same Kool-Aid.
