American companies including Microsoft, Intel and IBM have filed objections against a new Chinese cyber security law that goes far beyond most data sovereignty legislation.
Of most concern is a requirement for software companies, network equipment manufacturers and other technology suppliers to provide the government with proprietary source code to show that it cannot be compromised by hackers or state actors.
Give us the keys to your kingdom
The Wall Street Journal reports that the US tech companies discussed the new law, which goes into force in June 2017, with the national cyber security standards maker, Technical Committee 260.
“Sharing source code in itself can’t prove the capability to be secure and controllable,” Microsoft said. “It only proves there is source code.”
Microsoft said that it had a new “Transparency Center” in Beijing, where visitors could view its code, and argued that this was sufficient without sharing the code outright. Technical Committee 260 disagreed, marking the comment as “not accepted” and keeping the wording of the document unchanged.
Intel requested clarification of a security standard that gives higher priority to products whose development and delivery can’t be disrupted by “politics”; that request was marked as “partially accepted.”
IBM took issue with data sovereignty rules that would force cloud and data center operators to keep all data on Chinese users in China, and only in China. “Computing rooms used purely for commercial cloud computing purposes shouldn’t have to be located within China’s borders,” IBM said.
Technical Committee 260 replied that “it’s not only a pure commercial question,” saying that many sectors touch upon social stability and public interest as well.
IBM and Microsoft currently operate their cloud services in China from 21Vianet data centers, as required by existing Chinese law.
In its recently published report to Congress, the US-China Economic and Security Review Commission wrote: “Over the past year, Beijing has introduced stricter ICT requirements and stronger cybersecurity policies.
“Many of these measures involve “secure and controllable” technology requirements; while the term is not clearly defined, foreign companies and industry groups fear it would compel foreign companies to give the Chinese government access to networks, encryption keys, and source code, as well as require data storage within the country.”
It continues: “Finally, a draft Cybersecurity Law released in July 2015 mandates data localization and cybersecurity reviews, but offers no details on what the reviews will entail. In general, the language in these laws is broad and vague, and is expected to be clarified in forthcoming implementing regulations. Some analysts are concerned the more worrisome requirements will be rolled into the implementing regulations, or that the provisions may be kept deliberately vague to give authorities flexibility in their enforcement.”