China Bank Technology Hacking

The latest hot issue in China/U.S. trade relations is the highly restrictive set of bank technology rules recently announced by PRC banking regulators. As reported in the foreign press, these rules will require all Chinese banks to prove that their computer technology and software are “secure and controllable.” The following are the most controversial provisions:

  • The source code for all software shall be provided to government regulators.
  • Encryption will be done in accordance with Chinese encryption standards, meaning that the Chinese authorities will be able to break all encryption schemes.
  • Providers of both software and hardware must do some portion of their R&D in China.
  • Banks must provide an initial compliance plan by April 1, with full compliance to take place by the end of 2019.

As would be expected, these rules have been greeted by strong opposition from U.S., European and Japanese software and hardware manufacturers. The U.S. trade representative has taken up the issue in formal talks with Chinese regulators, and President Obama has indicated that he discussed the matter personally in recent talks with Xi Jinping.

For anyone even remotely aware of the technical issues involved, it is difficult to understand what these rules are intended to accomplish. Consider the following:

  • What good does it do for the Chinese government to obtain the source code if the issue is ensuring that no “back door” or other security leak is included in the software? If the Chinese banks purchase compiled software, there is no way to ensure that the compiled software has any particular relation to the source code. Certainly, the Chinese government is not planning to compile software for the benefit of its banks. Thus, the only explanation for requiring the turnover of source code is to give the Chinese authorities the opportunity to take the code and provide it to Chinese software companies owned or controlled by the Chinese government. Foreign software developers quite naturally object.
  • Chinese banks are required to interface their technical systems with banks outside China. These banks operate their complex systems using a standardized suite of software and hardware products. If China drives out the foreign providers of these products, who in China has a product available to replace the standardized ones? China may have networking hardware and computers that meet the raw technical specifications; however, no Chinese company provides software even remotely close to meeting the requirements for compatibility. Moreover, in this area, hardware and software are tightly linked. The fact that the hardware exists means almost nothing regarding whether the hardware will work properly with the required software.
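The first bullet above rests on a technical point worth making concrete: holding a copy of the source code says nothing about what a shipped binary actually does unless the reviewer rebuilds that source deterministically and compares the result with what the vendor delivered. The following is an added example, not code from the original post or from any bank or vendor it discusses; it uses Python bytecode as a stand-in for a compiled product, and the "deposited" and "divergent" sources, the module name and the digests are all constructed for the illustration.

```python
"""Added example: does a shipped artifact correspond to the deposited source?

A regulator holding source code can only bind it to a delivered build by
rebuilding reproducibly and comparing digests. Python bytecode stands in for
a compiled product here; every input below is constructed for the example.
"""
import hashlib
import py_compile
import tempfile
from pathlib import Path

# Fixed logical file name recorded inside the artifact. Without it the build
# would embed the scratch directory path and two honest builds would differ.
LOGICAL_NAME = "transfer_module.py"

# Constructed "vendor source", as it might be deposited with a regulator.
DEPOSITED_SOURCE = '''\
def transfer(amount, limit=10000):
    if amount > limit:
        return "reject"
    return "ok"
'''

# Constructed source that diverges from the deposit: same interface, looser
# check. A build made from it ships under the same name and cannot be told
# apart from an honest build without a rebuild-and-compare step.
DIVERGENT_SOURCE = DEPOSITED_SOURCE.replace(
    "if amount > limit:", "if amount > limit * 100:"
)


def sha256(data: bytes) -> str:
    """Hex SHA-256 digest of *data*."""
    return hashlib.sha256(data).hexdigest()


def build(source: str) -> bytes:
    """Deterministically compile *source* and return the artifact bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / LOGICAL_NAME
        out = Path(tmp) / "transfer_module.pyc"
        src.write_text(source)
        # UNCHECKED_HASH stores a hash of the source in the header instead of
        # a modification time, so the output is the same from build to build.
        py_compile.compile(
            str(src),
            cfile=str(out),
            dfile=LOGICAL_NAME,
            doraise=True,
            invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
        )
        return out.read_bytes()


def verify_shipment(deposited_source: str, shipped_artifact: bytes) -> dict:
    """Rebuild from the deposited source and compare digests with the shipment.

    Note that the source digest is identical whether or not the shipment is
    genuine: hashing the deposit alone proves nothing about the binary.
    """
    built_digest = sha256(build(deposited_source))
    shipped_digest = sha256(shipped_artifact)
    return {
        "source_digest": sha256(deposited_source.encode()),
        "built_digest": built_digest,
        "shipped_digest": shipped_digest,
        "matches": built_digest == shipped_digest,
    }


def is_reproducible(source: str) -> bool:
    """Two independent builds of the same source must yield identical bytes."""
    return build(source) == build(source)


if __name__ == "__main__":
    honest = build(DEPOSITED_SOURCE)
    divergent = build(DIVERGENT_SOURCE)
    print("build is reproducible:", is_reproducible(DEPOSITED_SOURCE))
    print("honest shipment matches:", verify_shipment(DEPOSITED_SOURCE, honest)["matches"])
    print("divergent shipment matches:", verify_shipment(DEPOSITED_SOURCE, divergent)["matches"])
```

The check only works because the build is reproducible: the toolchain version must match, and anything that varies between builds (timestamps, build paths, embedded hostnames) has to be pinned or stripped, which is exactly the work a regulator would have to take on if source deposit were meant to serve a security purpose rather than a commercial one.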

Since this kind of thing has happened many times in the past, many worn out old China hands like me respond by saying: “this is just the same old thing.” It is an impossible proposal designed by officials who do not understand the technology and who put it forward to extract some sort of trade concession. The proposed rules will not work and are not intended to work. As soon as the trade concession is granted, the rules will quietly die.

Unfortunately, I am not so sure that is the case here, and this issue must be considered more carefully for two reasons. First, this kind of regulation risks affecting a significant portion of the Chinese economy. Second, the concerns of the Chinese regulators are actually quite reasonable. When rules that have a reasonable basis have the potential for significant impact, the situation must be treated seriously, and it is not appropriate to just laugh off the rules as the “same old thing”.

Consider first the seriousness of the rules. In discussing these regulations with others here in China, I am being told that this type of regulation is not a significant trade issue because it impacts only one business sector and it applies only to state owned enterprises. But this argument fails for several reasons. First, the banking sector plays a major role in the Chinese economy, especially in the area of software and hardware. Second, all Chinese banks are owned by the government, so state owned enterprises constitute the entire sector. Third, and most threatening, if this set of rules gets applied in the banking sector, it is almost certain that similar rules will be applied in other SOE dominated sectors such as insurance, shipping, petroleum and telecommunication. Thus, virtually all of the relevant sectors of the Chinese economy would ultimately be restricted in similar ways. Not to mention that a country’s banking system — as much as any other industry — has tentacles that reach into an entire economy.

Consider then the fact that the rules reflect a reasonable concern with security on the part of the Chinese government. For many years, the Chinese government has seen international computer networking in a negative light. Chinese regulators have consistently portrayed these systems as a weapon aimed at the heart of China. The Great Firewall can perhaps protect China from invasion through the Internet, but what about invasion through weapons hidden inside foreign software and hardware?

Until recently, it was possible for Western companies and governments to laugh off these concerns as just a cover story for economic motives. The argument has been that the Chinese authorities are not really concerned about security; they are really just trying to force Chinese entities to purchase (inferior) product from Chinese companies.

However, this dismissive portrayal of the concerns no longer holds water. In the past year it has become clear that U.S. software and hardware companies have cooperated with the U.S. government, the NSA and the FBI to make use of vulnerabilities in software and hardware to obtain otherwise confidential information. The NSA has also been accused of secretly placing surveillance software on SIM cards and other networked devices. Going beyond intentional spying, vulnerabilities in software and hardware that allow for hacking banks and other significant businesses have become daily news. For these reasons, Chinese regulators’ concerns with the security of foreign software and hardware can no longer be laughed off as paranoia.

So far as I can see, foreign companies have yet to directly confront the issues. Instead, U.S., E.U. and Japanese software/hardware companies are treating this entirely as a trade issue. Trade representatives are now negotiating the matter, with their industry trade associations watching carefully in the background. I am dubious that this sort of approach will succeed.

How do I propose proceeding in this area? I will let you know in my next post.