China—third largest economy—to shut down global IT industry?
By user804106 on Jan 18, 2009
The Financial Times this week reports that China becomes the world's third largest economy, bypassing Germany, with the new Chinese statistics published recently. While that is slightly surprising, it is not unexpected. In fact, projections are now for China to overtake the US purchasing power by 2017, which is far sooner than expected, and become the world's largest economy by all measures by 2040. It gets more interesting. I can tell you this—and the Financial Times for all its might has not discovered this fact yet: China is at the moment poised to limit the global IT industry's footprint in their country. They have devised a quite devious set of schemes to do this, centered around IT security legislation.
Forcing foreign companies to show their IPR
Three long acronyms are the key to understand this development—CCC, OSCCA-CEC and MPLS. Why do they matter? I will tell you right now. There is a myriad of regulatory bodies, here are several issues in play in the Chinese information security landscape: (1) the Chinese Compulsory Certification (CCC), the Commercial Code Administration Regulation from the Office of Security Commercial Code Administration (OSCCA-CEC), and (3) the Multi Level Protection Scheme (MLPS).
1) CCC. As regards CCC, on 27 August 2007, China filed 13 Technical Barriers to Trade (TBT) notifications to the World Trade Organization (WTO), covering a broad range of software and hardware product areas including secure routers, smartcards, chips, operating systems, data backup, and recovery or security audit products. The main concern here is forced Intellectual Property transfer, required encryption codes, and lacking compatability between the CCC and international standards (ISO 15408-1:2005 and Common Criteria). The crucial issue is that China defines “state/government applications” wider than the norm.
2) OSSCA-CEC. The OSCCA-CEC, released on 7 October 1999 says all enterprises who research, produce or sell commercial encryption software should be approved and certified by OSCCA and that Chinese enterprises and individuals who utilize such products should only purchase a product certified by OSCCA.
3) MLPS. The August 2007 MLPS makes disclosure of confidential product information mandatory for European enterprises with security relevant products (“critical infrastructure”). The crucial point is how to interpret the term “critical infrastructure”, although China has already specified it includes banks and transportation. Also, all systems with an Evaluation Assurance Level (EAL) 4 security level requirement must be Chinese. The measures also include the mandatory use of a Chinese encryption algorithm (which is not disclosed) plus the disclosure of source code. All MLPS rules are outside the Common Criteria (CC). Finally, there is the specific issue of Trusted Platform Modules (TPM), id est security chips dedicated to the storage of, and to measuring the integrity of, critical data (and the specification of such chips). According to my sources, China already back in 2007 stopped importing TPMs and instead outfit PCs by governmental order. The problem is that globally, TPMs are part of the Trusted Computing Group (TCG) consortia's standard, and moreover an ISO-standard after the Ballet Resolution Meeting (BRM) in October 2008, and should be a published standard early this year, according to a blog entry by Claire Vishik of Intel. In that meeting, China (with South Africa) voted against, since they have developed a competing standard. The Chinese government is not part of the TCG, although one Chinese company member has signed up and one Chinese university is a liaison member. The TPM market is around 200 Mio. Chips per year, equivalent to the PCs produced per year. Two European firms together produce 50 percent of the market requirement in this space, so the EU should at least be somewhat concerned.
China temporarily suspended the regulation
The immediate context is the “official” Chinese announcement that it will delay publication of its final rules on a Chinese grown certification scheme for IT products. This followed intense pressure from foreign companies and governments, especially from the US, Japan and the EU to think it over. In the Fall, China most reasonably agreed to so-called “technical dialogue” and since then there has been contact between US and Chinese IT security experts. This shows that once they realized that the impact of their regulation was potentially more far-reaching than they had initially foreseen, they were prepared to listen. This shows great respect and understanding for the delicate nature of trade and technical dialogue. The confirmation of the suspension of the announcement of the rules came in a U.S.- China Joint Commission on Commerce and Trade (JCCT) meeting in September 2008, China reconfirmed this intent in the 5-6 November 2008 World Trade Organization (WTO) Technical Barriers to Trade (TBT) meetings in Geneva. The “front” has widened. While the US initially carried the discussion forward to the Chinese, followed by Japan and the EU, both Korea and Canada came on board during the WTO meetings.
What will happen?
The current status is that, after international pressure and dialogue, the regulation is suspended, but China has given no guarantees. The stakes are high. Some companies might consider pulling out of China, or drastically scaling down their offerings. Those who stay, would presumably face significant technical barriers to trade. At the moment, many actors hope that China will consider joining the voluntary Common Criteria Ratification Agreement (CCRA) with roughly 22 countries that trust each other and use a few trusted labs to issue certificates. The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. The fact that CCRA is an open standard is crucial. It means there is a guarantee that all parties have access to the innovation going on. That way, there would not be the need for such a far reaching Chinese IT security legislation. In fact, it may not be needed at all. Given that there now is a global dialogue on these issues thanks to the Chinese willingness to discuss, things could resolve themselves with a good result for all parties involved.
The future of China: traditional and global perspective
China is an interesting place. It is bound to grow more interesting. I might not have a reason to go there for business, given my profession in the global IT industry, but I might go there to revisit the Chinese Wall (it was surprisingly challenging to climb all the steps) or to watch their boom and bust. Just to give you an example, last time I was there, back in 2003 or so, I met a guy whose job was to put up an entire city block in five years. I wonder if he made it on time to the Olympics. I also had a quite interesting haircut. I wonder if they keep that tradition alive. I am not sure which of their initiatives will fail and which will succeed. I choose to be an optimist. China is showing signs of becoming a more diplomatically engaged player on the global scene. The fact that they are willing to continue technical dialogue in this case is just another sign of that. China, currently maybe the third largest economy and on its way even further up the list of world powers, does not need to flex its muscles. Like a Olympian athlete, they can be gracious and let everybody take part in their victory--through continued communication.That seems like the better choice.