BEIJING/SAN FRANCISCO (Reuters) - Draft Chinese government regulation would force technology vendors to meet stringent security tests before they can sell to China’s banks, an acceleration of efforts to curb the country’s reliance on foreign technology that has drawn a sharp response from U.S. business groups.
But a translation of the proposed rules viewed by Reuters shows its immediate impact on foreign firms may not be as tough as feared.
The draft shows the regulation would initially focus on types of hardware and software where domestic suppliers already have a strong market position compared with their foreign rivals.
Western companies say the rules have not yet been formally adopted, and some said they believed Beijing would retreat on some of the most onerous ideas, including demanding that firms’ proprietary source code be reviewable.
Chinese leaders are to review the plan next week, U.S. tech industry sources said.
On Wednesday, 18 American business groups urged Beijing to postpone rolling out the regulation, which they argued were motivated by protectionism as well as security concerns that intensified in the wake of disclosures of U.S. spying techniques by former National Security Agency contractor Edward Snowden.
The guidelines by the Chinese Banking Regulatory Commission were issued on Dec. 26 in a 22-page paper that outlines security criteria that tech products must meet in order to be considered “secure and controllable” for use in the financial sector, according to sources with knowledge of the matter.
A translation shows an exhaustive table of equipment it applies to, containing 68 categories of tech products from PC servers to wireless routers to automatic teller machines to air conditioners.
Source code powering operating systems, database software, and middleware must be registered with the commission to be considered “secure and controllable,” while only wireless routers that have approved encryption or virtual private networking (VPN) certificates may receive the designation.
The document also specified what percentage of new purchases in each product category in 2015 must be considered “secure and controllable”. Every new PC purchased this year, for instance, must carry the designation.
The new regulations represent one of China’s most significant steps toward banishing foreign technology, 18 months after Snowden disclosed that U.S. spy agencies planted code in American tech exports to snoop on overseas targets.
The banking commission briefed representatives from major banks on the regulation in January, Chinese sources with knowledge of the matter said.
According to a presentation used by regulators during the briefing and obtained by Reuters, Chinese government officials established the “self-controlled” technology strategy in 2012 - prior to the Snowden revelations - and hoped 75 percent of tech products used by banks would meet a “secure and controllable” criteria by 2019.
In order to meet the criteria, a product will also be judged on its “intellectual property and the level of independence during its development process.”
Firms planning to sell computer equipment to Chinese banks would also have to set up research and development centers in the country, get permits for workers servicing technology equipment and build “ports” which enable Chinese officials to manage and monitor data processed by their hardware.
Analysts say the regulations may not bite into foreign suppliers’ market share immediately, as banks may continue to opt for cutting-edge offerings from the likes of IBM or Oracle Inc while testing out domestic options. But the long term implications are clear.
“The emphasis is moving toward domestic products,” said Gene Cao, an analyst at tech research firm Forrester.
China appears to have tailored its guidelines based on the competitiveness of its domestic contenders.
For instance, banks are expected in 2015 to exclusively purchase approved low-end PC servers, a market where Beijing-based Lenovo is expected to be competitive following its $2.1 billion acquisition of IBM’s server unit. However, the guideline for sophisticated virtualization software carried out by local firms is set at just 10 percent. Chinese companies such as telecom giant Huawei Technologies [HWT.UL] have only recently begun to offer virtualization services that are used, for instance, in cloud computing.
Major U.S. tech companies, wary of appearing critical of Beijing, referred questions to trade groups. But privately, one person working on the issue said demands for a source code review could be dropped, with the government opting for more subtle ways to steer purchasing toward local companies.
“That is a typical pattern in China and elsewhere: They put out something so obviously onerous, then wind up negotiating back to something that is only outrageous,” the person said.
Several Western sources said, though, they believed similar rules would be rolled out for the telecommunication industry and then other sectors.
While the banking rules will gradually push out foreign firms, they are expected to boost domestic contenders including Inspur International Ltd, the data-center maker.
The People’s Bank of China has already run trials to see if it could replace Microsoft’s Windows operating system on some machines with NeoKylin, a Linux-based offering by Standard Software, a Shanghai-based firm with ties to the Chinese government, a source familiar with the matter said.
A Standard Software spokesman declined to comment Thursday on the new guidelines but said the company “will not lower our quality or security standards simply because we’re a domestic vendor, but the policy support does give us the opportunity to compete with foreign products in the market and show the quality of our product and service”.
Reporting by Gerry Shih and Michael Martina in Beijing and Joseph Menn in San Francisco. Additional reporting by Krista Hughes in Washington, Paul Carsten in Beijing, Byron Kaye in Sydney and Beijing Newsroom; Editing by Emily Kaiser and Rachel Armstrong