China - Screw slowly tightens on technology companies

Screw slowly tightens on technology companies

By Kathrin Hille in Beijing

Published: February 22 2010 02:00 | Last updated: February 22 2010 02:00

One month after threatening to pull out of China, Google's complaint that the cost of doing business in the country may have become too high is resonating far and wide.

Technology companies are "feeling less welcome and finding it increasingly difficult to do business in China", says John Neuffer, vice-president for global policy at the Information Technology Industry Council, a lobby group.

An evolving regulatory regime, targeting information technology-related products, is the chief cause of this sentiment.

"Once every bit of the organisational infrastructure falls into place and every rule is implemented, there will not be much of a China market left for us," says the regional head of a foreign semiconductor company.

It started in 1999 when Beijing declared that all providers of encryption-related software would be required to disclose their source code. But fears were allayed the next year when the government issued a "clarification", saying the rule would only apply to products whose "core function" was encryption.

However, things did not stop there. Since 2006 Beijing has put in place the Office of Security Commercial Code Administration (OSCCA), responsible for supervising and certifying encryption-related products and their suppliers. This has placed Chinese institutions and companies under pressure to buy information security products only if they have domestic certification - a requirement that foreign suppliers often cannot satisfy.

In 2007 the government announced it would make domestic certification compulsory for 13 product categories, including smart cards, firewalls and secure routers.

China also introduced its own standard for chips that secure critical data in computers, called the trusted computing module (TCM). This in effect locked the global standard, the trusted platform module, out of the market.

The public security ministry then announced plans for a multi-level protection system under which suppliers of all products linked to "critical infrastructure" would be required to disclose confidential product information. Above certain levels of security, products could be sourced from Chinese suppliers only.

Taken together, these measures amount to a disastrous scenario for a range of foreign companies, including software makers, semiconductor companies and producers of telecommunications gear, computers and smartcards.

"The stuff the Chinese government is asking for is stuff we don't give to governments," says a US executive. "If we were to comply and it became known that we disclosed our source codes to Chinese labs, it would damage our standing in other markets."

Industry experts say full implementation of all rules would either exclude foreign players from a big part of the Chinese market or force them to develop separate products for use there.

It could also disrupt production networks. Many electronic products are assembled in China. If a rising number of components were forced to include Chinese security standards, viewed as potentially compromised by other governments, multinationals would need to separate export production from that destined for the local market.

While some executives reject this as a worst-case scenario, China's regulatory thicket has already claimed casualties. State-owned banks have switched the procurement of encryption devices for secure online banking from foreign suppliers to domestic ones. Since the introduction of TCM, foreign companies have lost access to the market for security chips in computers made in China.

After heavy international lobbying, Beijing promised that the 2007 rules for compulsory certification for 13 information security product categories would apply to government procurement only. But experience makes foreign companies doubt that pledge.

Analysts say Beijing's habit of releasing rules and then scaling them back had led to some not taking the issues seriously. "But they are taking two steps forward and one step back," says a lobbyist. "And we're getting to the stage where these things are starting to bite."