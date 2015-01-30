BEIJING/SAN FRANCISCO Jan 30 Draft Chinese
government regulation would force technology vendors to meet
stringent security tests before they can sell to China's banks,
an acceleration of efforts to curb the country's reliance on
foreign technology that has drawn a sharp response from U.S.
business groups.
But a translation of the proposed rules viewed by Reuters
shows its immediate impact on foreign firms may not be as tough
as feared.
The draft shows the regulation would initially focus on
types of hardware and software where domestic suppliers already
have a strong market position compared with their foreign
rivals.
Western companies say the rules have not yet been formally
adopted, and some said they believed Beijing would retreat on
some of the most onerous ideas, including demanding that firms'
proprietary source code be reviewable.
Chinese leaders are to review the plan next week, U.S. tech
industry sources said.
On Wednesday, 18 American business groups urged Beijing to
postpone rolling out the regulation, which they argued were
motivated by protectionism as well as security concerns that
intensified in the wake of disclosures of U.S. spying techniques
by former National Security Agency contractor Edward Snowden.
The guidelines by the Chinese Banking Regulatory Commission
were issued on Dec. 26 in a 22-page paper that outlines security
criteria that tech products must meet in order to be considered
"secure and controllable" for use in the financial sector,
according to sources with knowledge of the matter.
A translation shows an exhaustive table of equipment it
applies to, containing 68 categories of tech products from PC
servers to wireless routers to automatic teller machines to air
conditioners.
Source code powering operating systems, database software,
and middleware must be registered with the commission to be
considered "secure and controllable," while only wireless
routers that have approved encryption or virtual private
networking (VPN) certificates may receive the designation.
The document also specified what percentage of new purchases
in each product category in 2015 must be considered "secure and
controllable". Every new PC purchased this year, for instance,
must carry the designation.
BANISHING FOREIGN TECH
The new regulations represent one of China's most
significant steps toward banishing foreign technology, 18 months
after Snowden disclosed that U.S. spy agencies planted code in
American tech exports to snoop on overseas targets.
The banking commission briefed representatives from major
banks on the regulation in January, Chinese sources with
knowledge of the matter said.
According to a presentation used by regulators during the
briefing and obtained by Reuters, Chinese government officials
established the "self-controlled" technology strategy in 2012 -
prior to the Snowden revelations - and hoped 75 percent of tech
products used by banks would meet a "secure and controllable"
criteria by 2019.
In order to meet the criteria, a product will also be judged
on its "intellectual property and the level of independence
during its development process."
Firms planning to sell computer equipment to Chinese banks
would also have to set up research and development centres in
the country, get permits for workers servicing technology
equipment and build "ports" which enable Chinese officials to
manage and monitor data processed by their hardware.
Analysts say the regulations may not bite into foreign
suppliers' market share immediately, as banks may continue to
opt for cutting-edge offerings from the likes of IBM or
Oracle Inc while testing out domestic options. But the
long term implications are clear.
"The emphasis is moving toward domestic products," said Gene
Cao, an analyst at tech research firm Forrester.
China appears to have tailored its guidelines based on the
competitiveness of its domestic contenders.
For instance, banks are expected in 2015 to exclusively
purchase approved low-end PC servers, a market where
Beijing-based Lenovo is expected to be competitive
following its $2.1 billion acquisition of IBM's server unit.
However, the guideline for sophisticated virtualisaztion
software carried out by local firms is set at just 10 percent.
Chinese companies such as telecom giant Huawei Technologies
have only recently begun to offer virtualization
services that are used, for instance, in cloud computing.
BOOST FOR LOCALS
Major U.S. tech companies, wary of appearing critical of
Beijing, referred questions to trade groups. But privately, one
person working on the issue said demands for a source code
review could be dropped, with the government opting for more
subtle ways to steer purchasing toward local companies.
"That is a typical pattern in China and elsewhere: They put
out something so obviously onerous, then wind up negotiating
back to something that is only outrageous," the person said.
Several Western sources said, though, they believed similar
rules would be rolled out for the telecommunication industry and
then other sectors.
While the banking rules will gradually push out foreign
firms, they are expected to boost domestic contenders including
Inspur International Ltd, the data-center maker.
The People's Bank of China has already run trials to see if
it could replace Microsoft 's Windows operating system
on some machines with NeoKylin, a Linux-based offering by
Standard Software, a Shanghai-based firm with ties to the
Chinese government, a source familiar with the matter said.
A Standard Software spokesman declined to comment Thursday
on the new guidelines but said the company "will not lower our
quality or security standards simply because we're a domestic
vendor, but the policy support does give us the opportunity to
compete with foreign products in the market and show the quality
of our product and service".
