In my post last week, China Bank Technology Rules: Not the Same Old Thing, I said I would come back here with a solution to this bank software mess. How should U.S., European and Japanese bank software developers deal with this issue? The basic resolution will come in two steps. First, recognize that this is a software issue and not a trade issue. Second, software developers must face a stark choice. They either capitulate by going local or they stick to their fundamental rules and go home. The middle ground is rapidly being eliminated.
First, consider the software issue. The question of software security has been confused by placing the discussion in the context of NSA/FBI spying and the fear of “back doors” being placed in foreign software. The foreign software developers have treated this as a factual issue. If they can prove that no such back doors exist then the dispute is over.
However, no such proof is possible under the standard model for the sale of software. Software is “licensed” as a compiled binary file. The license includes a prohibition against decompiling the software. Under this approach, the customer can never know what is in the software package. The package remains a permanent black box.
It is impossible for the foreign software developer to prove that this black box does not contain a back door custom designed to allow access by some third party. Even the vendor cannot be sure what has been inserted into the software by simply inspecting the binary file. From the Chinese bank perspective, the only proof can come when the Chinese bank obtains the source-code, analyzes it for back door code, and then compiles a clean version.
The entire discussion of spying and secret back doors is a distraction from the real issue, which is that foreign bank software has largely proved to be insecure, as demonstrated by the recent flurry of international hacking events.
The Chinese authorities are intimately aware of this because they are the ones doing the hacking. What the Chinese banking regulator is saying is very clear: we know foreign networking and banking software is easily hacked. This software is fundamentally insecure. Foreign banks can do what they want. However, for our own banking system we will require that Chinese banks use only networking and banking software that can be confirmed by our own experts to be fully secure. If the software is not secure, and if the vendor is not willing or able to prove to us that it is, then we will not allow our banks and other industries of national security significance to make use of such software and its associated hardware.
The position of the Chinese banking regulators is reasonable. Networking and banking software has proved to be fundamentally flawed, and no software developer has shown that it has the solution. Software customers are simply provided with a series of kludgy patches after a major flaw has been discovered, and often only after a major breach has occurred. U.S., European and Japanese customers generally accept this situation. The Chinese government does not, and it is of the view that if the software developers cannot prove that their product is secure within tolerances set by the Chinese banking authorities, they should not be permitted to infect a critical pillar of China’s economy like the banking system.
Thus, as I have said, this dispute is not a trade dispute. This is a fundamental dispute about product quality with abundant support for the fundamental position of the Chinese regulators.
With this in mind, the obvious solution for China would be to move to open source software products like Apache, Firefox, Linux, or Open Office, which have been remarkably resistant to hacking and related software failures. Encryption using PGP and its derivatives is very powerful. For both black hat and white hat hacking, the tools found on Kali Linux are state of the art.
Given that the Chinese authorities are asking for source code to be released, an observer might assume that the Chinese government is trying to push the major foreign commercial software developers towards an open source model. However, this is not the case. The Chinese authorities are just as hostile towards open source as are the foreign commercial software developers. The Chinese do not want to foster an open system. The Chinese want the opposite. The Chinese government wants a tightly closed system that it and a small core of Chinese state-owned enterprises (SOEs) control. For this reason, the open source solution is not what the Chinese are seeking.
So how can foreign software/hardware vendors deal with the situation in China? The position in the past has been to strongly resist capitulating to the China control model. However, the bank technology regulations will likely show that such resistance is futile. Foreign software/hardware vendors are going to be confronted with a stark choice: go local or go home.
The go home approach has been taken by Google in the past and more recently by Yahoo. President Obama in his recent comments on the issue has suggested that foreign software/hardware vendors will follow Google’s lead and take their balls and leave China’s court. The idea is that Chinese banks will suffer so severely from the lack of viable product that the Chinese will capitulate and back down. However, this plan is based on the fundamental mistake that the dispute is a trade dispute rather than a factually based, legitimate dispute over software quality and network security.
I therefore believe that the better solution for the future will likely be for these companies to “go local.” There are two main business models for this. Foreign developers will either license their software/hardware to Chinese entities or they will form Chinese WFOEs (wholly foreign-owned enterprises). In either case, the software/hardware will be provided to Chinese customers (banks at the outset) by Chinese entities. No foreign business entity will be involved in the transaction.
The Chinese entity will be under the control of the Chinese government regulatory authorities. This control will at a minimum involve the following:
- Software source code will be provided to the customer and to the Chinese regulator for inspection and analysis. Protection of the software will need to be done through standard trade secrecy and licensing agreements rather than through the current black box approach. Compilation will be done in a controlled manner, ensuring that the inspected source code is the sole source for compilation. Suitable back doors for access by the Chinese government regulators will be installed and open access will be maintained.
- Encryption will not use foreign systems but will instead be developed in cooperation with and under the control of the Chinese regulatory authorities. Such encryption will provide back door access to the Chinese regulators and enforcement agencies (police, military, security agencies).
- Software and hardware vendors will be held liable for the security of their products. If a breach occurs, the vendor will be required to resolve the problem and will be held liable for the damages that occur. The costs of defective software will not be offloaded onto the customer, and the burden of repair will not be handed to private network security companies.
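The verification step the post relies on, first in the discussion of the binary "black box" (obtain the source, review it, compile a clean version) and again in the first bullet above (compilation done so that the inspected source is the sole input to the build), only works if the build is reproducible: the reviewer must be able to rebuild from the reviewed source and get a byte-for-byte identical artifact to compare against what the vendor shipped. The following is an added example, not code from the post or from any vendor it discusses. It uses Python's own bytecode compiler as a stand-in for a vendor's build toolchain; the module name `ledger.py`, the function `transfer`, and both source snippets are constructed for illustration.

```python
"""Reproducible-build check: does a shipped artifact match the reviewed source?

Added example (not from the original post). Python's bytecode compiler stands
in for a vendor build toolchain: the reviewed source is rebuilt
deterministically, hashed, and compared with the artifact that was delivered.
All module, function and source names below are constructed.
"""
import hashlib
import py_compile
import tempfile
from pathlib import Path

# Constructed sample source, standing in for code a reviewer has inspected.
REVIEWED_SOURCE = (
    "def transfer(balance, amount):\n"
    "    if amount > balance:\n"
    "        raise ValueError('insufficient funds')\n"
    "    return balance - amount\n"
)

# Constructed variant: one statement the reviewer never saw. Any divergence
# from the reviewed source, however small, must make the comparison fail.
UNREVIEWED_SOURCE = REVIEWED_SOURCE.replace(
    "    return balance - amount\n",
    "    audit_marker = None  # statement absent from the reviewed source\n"
    "    return balance - amount\n",
)


def deterministic_build(source_text: str) -> bytes:
    """Compile source to a .pyc whose bytes depend only on the source text.

    Two things that normally make builds irreproducible are pinned here:
    - CHECKED_HASH embeds a hash of the source in the header instead of the
      source file's modification time;
    - dfile fixes the filename baked into the code object, so the temporary
      build directory does not leak into the artifact.
    """
    with tempfile.TemporaryDirectory() as build_dir:
        src = Path(build_dir) / "ledger.py"
        out = Path(build_dir) / "ledger.pyc"
        src.write_text(source_text)
        py_compile.compile(
            str(src),
            cfile=str(out),
            dfile="ledger.py",
            doraise=True,
            invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
        )
        return out.read_bytes()


def sha256_hex(data: bytes) -> str:
    """Digest used to compare the rebuilt artifact with the shipped one."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(reviewed_source: str, shipped_artifact: bytes) -> dict:
    """Rebuild from the reviewed source and compare digests with the shipped file.

    Returns both digests so a mismatch can be recorded, not just flagged.
    """
    rebuilt = deterministic_build(reviewed_source)
    expected = sha256_hex(rebuilt)
    actual = sha256_hex(shipped_artifact)
    return {"matches": expected == actual, "expected": expected, "actual": actual}


def build_is_reproducible(source_text: str) -> bool:
    """Sanity check on the toolchain itself: two builds must be byte-identical.

    If this fails, a mismatch against the vendor's artifact proves nothing.
    """
    return deterministic_build(source_text) == deterministic_build(source_text)


if __name__ == "__main__":
    honest = deterministic_build(REVIEWED_SOURCE)      # built from reviewed code
    divergent = deterministic_build(UNREVIEWED_SOURCE)  # built from something else
    print("toolchain reproducible:", build_is_reproducible(REVIEWED_SOURCE))
    print("honest artifact matches:", verify_artifact(REVIEWED_SOURCE, honest)["matches"])
    print("divergent artifact matches:", verify_artifact(REVIEWED_SOURCE, divergent)["matches"])
```

The check is only as strong as the reproducibility of the toolchain, which is why the example pins the two usual sources of drift (timestamps and build paths) and tests the toolchain against itself before trusting a mismatch. Native toolchains need the same discipline through mechanisms such as the `SOURCE_DATE_EPOCH` environment variable and path-prefix remapping, and the comparison must be run by the reviewing party on a build environment it controls, not by the vendor.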
Provided that the foreign vendors proceed as above, the Chinese regulators will allow them to make a profit from their products. It is simply false that the Chinese are seeking to create a software industry that will displace the foreign software vendors. The Chinese authorities are well aware that China does not have the expertise to accomplish this goal in the short or even middle term. For this reason, Chinese regulators are willing to allow foreign vendors to make a profit from selling and licensing their products in China. The Chinese government is seeking control, not profit.
The business model the Chinese are seeking violates the fundamental business principles that have allowed for the development of the commercial software industry in the U.S., Europe and Japan. Many software and hardware developers see the set of rules that would be violated by this Chinese approach in almost religious terms. It would therefore violate a fundamental moral code to capitulate to the Chinese model.
However, if foreign vendors plan to operate in the Chinese market in the future, they will be required to capitulate. If they do not capitulate, they will be forced to simply go home. This is the choice, and it must be faced. Ducking the issue by sending in the trade negotiators will likely do nothing to resolve it. There is perhaps a creative solution. But it will only be found when the industry faces the real concerns of the Chinese banks and of other industries around the world that are not drinking the same Kool-Aid.