GAME PLAN: Teams taking part in the National Network Security Technology Tournament, held in Nanjing, capital of east China's Jiangsu Province, on May 2, discuss cyber defense strategies (SUN CAN)
Will IBM's operations in China be affected after China starts vetting IT products? The company recently declined to answer this thorny question, and many international IT companies, such as Oracle and Cisco, have remained similarly close-mouthed.
Their taciturn behavior may be understandable in light of recent developments. On May 22, the State Internet Information Office (SIIO) announced a new cyberspace vetting policy targeting major IT products and services. Such products and services will be subject to vetting if they concern the touchy areas of national security and public interests.
According to an SIIO statement, the vetting will also stop unscrupulous suppliers who take advantage of their products and services by using them to control, disturb or shut down their clients' computer systems, as well as to gather, store, process or use their clients' information.
The IT products of U.S. companies such as IBM, Cisco and Qualcomm hold a major market share in China. Most of these companies' products are used in telecommunications, finance, energy and other industries connected with the aforementioned sensitive areas. It is unlikely they will remain unaffected by cybersecurity vetting, but their tight-lipped attitude indicates that they are biding their time to observe and calculate just how pervasive the influence of the new measures will be.
China's vetting policy represents a direct reaction to recent actions by the U.S. Government. On May 19, the U.S. Department of Justice charged five Chinese military officers with cyber espionage. A spokesman for the SIIO dubbed the charges "ridiculous" and responded by disclosing the latest data regarding U.S. cyberattacks on China. The Chinese Government then decided to suspend the activities of the China-U.S. Cyber Working Group and to launch the cybersecurity review policy.
When Edward Snowden revealed the cyber surveillance by the United States on Chinese companies and individuals as well as the Central Government, it was suggested the country conduct cybersecurity vetting to avoid the risks associated with U.S. products. However, the Chinese Government did not undertake such measures, and U.S. IT companies in China quickly distanced themselves from the "PRISM incident."
Uncertainty now exists among the general public regarding whether or not U.S. products are safe, and people need a review by the relevant government authorities to assuage their fears. Therefore, strong on-the-ground support exists in China for the cybersecurity vetting policy.
Emulating Uncle Sam
Zeng Jianqiu, a professor with Beijing University of Posts and Telecommunications, pointed out that China is not the first country to vet the security of IT products. In 2012, the U.S. House Permanent Select Committee on Intelligence conducted a still-ongoing security investigation into Chinese IT firms such as Huawei and ZTE.
Zeng said China's protection of information and cybersecurity is definitely lacking when it comes to IT applications. He stated it is time that China learns from the United States.
In the absence of a cybersecurity vetting system in the past, China used to import a large proportion of its information systems. Although domestic equipment has a better cost-performance ratio, nearly 80 percent of China's Internet backbone equipment is made by Cisco. However, the PRISM debacle revealed that these imported products have had "backdoors" installed on them, through which U.S. intelligence can collect real-time information.
According to a report released in March by China's National Computer Network Emergency Response Technical Team and Coordination Center, in 2013, approximately 61,000 Chinese websites were subjected to backdoor attacks from 31,000 overseas computers. Although the number of foreign cyberattacks in 2013 dropped 4.3 percent from the previous year, the number of compromised websites increased by 62.1 percent.
From March 19 to May 18, the center found that 2,016 IP addresses in the United States had implanted backdoors in 1,754 Chinese websites, which were involved in 57,000 backdoor attacks.
Zeng said China's vetting of services and products involving national Internet security can at least ensure that no backdoors are installed in them. This will also mean that information will not be illegally collected, nor data illegally controlled, when IT products are used by the Chinese Government and domestic companies.