Tough security tests for banks' foreign suppliers

Draft Chinese government regulations would force overseas technology vendors to meet stringent security tests before they can sell to China's banks, an acceleration of efforts to curb the country's reliance on foreign technology that has drawn a sharp response from US business groups. But a translation of the proposed rules shows its immediate impact on foreign firms may not be as tough as feared. The draft shows the regulation would initially focus on types of hardware and software where domestic suppliers already have a strong market position compared with their foreign rivals. Western companies say the rules have not yet been formally adopted and some said they believed Beijing would retreat on some of the most onerous ideas, including demanding that firms' proprietary source code be reviewable. Chinese leaders are to review the plan next week, US tech industry sources said. Eighteen American business groups on Wednesday urged Beijing to postpone rolling out the regulation, which they argued were motivated by protectionism as well as security concerns that intensified in the wake of disclosures of US spying techniques by former National Security Agency contractor Edward Snowden. The guidelines by the China's Banking Regulatory Commission were issued on December 26 in a 22-page paper that outlines security criteria that tech products must meet in order to be considered "secure and controllable" for use in the financial sector, according to sources with knowledge of the matter. A translation shows an exhaustive table of equipment it applies to, containing 68 categories of tech products from PC servers to wireless routers to automatic teller machines and air conditioners. Source code powering operating systems, database software, and middleware must be registered with the commission to be considered "secure and controllable", while only wireless routers that have approved encryption or virtual private networking certificates may receive the designation. The document also specified what percentage of new purchases in each product category must be considered "secure and controllable". Every new PC purchased this year, for instance, must carry the designation. The new regulations represent one of China's most significant steps toward banishing foreign technology 18 months after Snowden disclosed that US spy agencies planted code in American tech exports to snoop on overseas targets. The banking commission briefed representatives from major banks on the regulation in January, Chinese sources with knowledge of the matter said. Analysts say the regulations may not bite into foreign suppliers' market share immediately, as banks may continue to opt for cutting-edge offerings from the likes of IBM or Oracle Inc while testing out domestic options. But the long term implications are clear. "The emphasis is moving toward domestic products," said Gene Cao, an analyst at tech research firm Forrester. China appears to have tailored its guidelines based on the competitiveness of its domestic contenders. For instance, banks are expected in 2015 to exclusively purchase approved low-end PC servers, a market where Beijing-based Lenovo is expected to be competitive following its US$2.1 billion acquisition of IBM's server unit. Major US tech companies, wary of appearing critical of Beijing, referred questions to trade groups, but privately, one person working on the issue said demands for a source code review could be dropped, with the government opting for more subtle ways to steer purchasing toward local companies. "That is a typical pattern in China and elsewhere: they put out something so obviously onerous, then wind up negotiating back to something that is only outrageous," the person said. Several Western sources said they believed similar rules would be rolled out for the telecommunication industry and then other sectors. While the banking rules will gradually push out foreign firms, they are expected to boost domestic contenders including Inspur International Ltd, the data centre maker. The People's Bank of China has already run trials to see if it could replace Microsoft 's Windows operating system on some machines with NeoKylin, a Linux-based offering by Standard Software, a Shanghai-based firm with ties to the Chinese government, a source familiar with the matter said. A Standard Software spokesman declined to comment on the new guidelines.

Tough security tests for banks' foreign suppliers

.css-1c6uqr6{color:inherit;font-weight:inherit;font-size:inherit;font-family:inherit;line-height:inherit;overflow-wrap:break-word;}Draft rules drawn up amid concerns overseas technology is used to spy on financial sector

Draft rules drawn up amid concerns overseas technology is used to spy on financial sector