U.S. and China Spar Over Cyber Security Rules
China Announced that recently (see post) that they were going to stop buying western tech, much to the dismay of companies like Cisco that sells $2 Bil a year in China. Whether this is a move to counter the NSA or just a way to increase the sales of Chinese made tech is unclear.
Now the Chinese are saying (see article) that they want all encryption keys, back doors into equipment and to track personnel who have access to equipment. Of course, this is no different than what the FBI and NSA would like, but in China, they can just do it. Ttreasury Secretary Jacob Lew (see article) asked the Chinese to delay some of these requirements, but it is unclear what rules are being delayed or for how long.
One of the Chinese requirements is for western tech companies to hand over their source code for “review” (or perhaps to give to Chinese competitors). Western tech companies need to consider whether the risk to their IP is worth the sales. For example, for Cisco, $2 billion represents about 4% of their sales. If they do give the Chinese their source code, how do they control it’s redistribution? What if the Chinese find vulnerabilities? The Chinese have even less motivation to tell Cisco than the NSA does.
Another requirement is to give China all encryption keys. It is not clear how this is done exactly, because for the most part, users choose their own encryption keys. When you set a key, do they have to silently send a copy to the Chinese government?
If they agree to do this, do they then do the same thing for the NSA, FBI, DHS and others? It might be hard to argue that they won’t give the NSA or FBI the same concessions that they give to China?
And if they do create back doors for these guys, how to they make sure that the bad guys don’t find out about them.
It seems like a mess from my point of view.