Closing the Back Doors

2014-07-28 By Lan Xinzhen

Beijing Review, 2014, Issue 24

Will IBM's operations in China be affected after China starts vetting IT products? The company recently declined to answer this thorny question, and many international IT companies, such as Oracle and Cisco, have remained similarly close-mouthed.

Their taciturn behavior may be understandable in light of recent developments. On May 22, the State Internet Information Office (SIIO) announced a new cyberspace vetting policy targeting major IT products and services. Such products and services will be subject to vetting if they concern the touchy areas of national security and public interests.

According to a SIIO statement, the vetting will also stop unscrupulous suppliers who take advantage of their products and services by using them to control, disturb or shut down their clients' computer systems, as well as to gather, store, process or use their clients' information.

The IT products of U.S. companies such as IBM, Cisco and Qualcomm hold a major market share in China. Most of these companies' products inhabit areas such as telecommunications, finance, energy and other industries connected with the aforementioned sensitive areas. It is unlikely they will remain unaffected by cybersecurity vetting, but their tight-lipped attitude indicates that they are biding their time to observe and calculate just how pervasive the influence of the new measures will be.

China's vetting policy represents a direct reaction to recent actions by the U.S. Government. On May 19, the U.S. Department of Justice charged five Chinese military officers with cyber espionage. A spokesman for the SIIO dubbed the charges “ridiculous” and responded by disclosing the latest data regarding U.S. cyberattacks on China. The Chinese Government then decided to suspend the activities of the China-U.S. Cyber Working Group and to launch the cybersecurity review policy.

When Edward Snowden revealed the cyber surveillance by the United States on Chinese companies and individuals as well as the Central Government, it was suggested the country conduct cybersecurity vetting to avoid the risks associated with U.S. products. However, the Chinese Government did not undertake such measures, and U.S. IT companies in China quickly distanced themselves from the “PRISM incident.”

Uncertainty now exists among the general public regarding whether or not U.S. products are safe, and they require a review by the related government authorities to assuage their fears. Therefore, strong on-the-ground support exists in China for the cybersecurity vetting policy.

Emulating Uncle Sam

Zeng Jianqiu, a professor with Beijing University of Posts and Telecommunications, pointed out that China is not the first country to vet the security of IT products. In 2012, the U.S. House Permanent Select Committee on Intelligence conducted a still ongoing security investigation into Chinese IT firms such as Huawei and ZTE.

Zeng said China's protection of information and cybersecurity is definitely lacking when it comes to IT applications. He stated it is time that China learns from the United States.

In the absence of a cybersecurity vetting system in the past, China used to import a large proportion of its information systems. Although domestic equipment has better cost performance, nearly 80 percent of China's Internet backbone equipment is made by Cisco. However, the PRISM debacle revealed that these imported products have had “backdoors” installed on them, from which U.S. intelligence can collect real-time information.

According to a report released in March by China's National Computer Network Emergency Response Technical Team and Coordination Center, in 2013, approximately 61,000 Chinese websites were subjected to backdoor attacks from 31,000 overseas computers. Although the number of foreign cyberattacks in 2013 dropped 4.3 percent from the previous year, the number of compromised websites increased by 62.1 percent.

From March 19 to May 18, the center found that 2,016 IP addresses in the United States had implanted backdoors in 1,754 Chinese websites, which were involved in 57,000 backdoor attacks.

Zeng said China's vetting of services and products involving national Internet security can at least ensure they are not installed with backdoors. This will also mean information will not be illegally collected nor data illegally controlled when IT products are used by the Chinese Government and domestic companies.

China's vetting process will not be as clandestine as that of the United States. If the U.S. Government believes foreign products pose a threat to its national security, system of justice or public interests, these products are usually withdrawn from sale. But it remains impossible to verify if these products are indeed unsafe because the United States has declined to disclose any standards and procedures used for review and accepted no appeals in its review process.

In China, cybersecurity vetting will be supervised by the SIIO and conducted by the National Information Technology Standardization Technical Committee, and third-party professional testing institutions and experts will participate in the review process. The government will vet both imported and domestic products. New products will be able to freely enter the Chinese market only if they meet the country's cybersecurity standards.

That said, however, to ensure the cybersecurity of a country, using domestic products can avoid, to some extent, the backdoors that may threaten national security.

Market impact

China currently has the world's largest number of netizens. According to a report by the China Internet Network Information Center, by the end of 2013, China had more than 600 million netizens, 18.44 million domestic domain names and nearly 4 million websites. Among the world's top 10 Internet companies, three have their roots in China.

The cybersecurity vetting policy brings uncertainties to the $320-billion Internet technology market of the country.

The Chinese market is currently inhabited by famous international companies such as Cisco, IBM and Siemens, as well as domestic titans such as Huawei and ZTE. Since the vetting was announced, some Chinese listed IT software companies, such as China National Software and Service Co. Ltd., Inspur Electronic Information Industry Co. Ltd., Unisplendour Co. Ltd. and Beijing VRV Software Corp. Ltd., have seen their stock price rise.

Shen Changxiang, head of an expert group for the classified protection of national information security, said that vetting will guide research and development into IT, security and Internet products by China's state-owned and privately owned enterprises. With this policy, they will develop products conducive to national security and avoid those that may threaten national security. It is therefore foreseeable that clear orientations and technology strategies will encourage the industry to independently develop safe and reliable products.

In the aftermath of the PRISM incident, a perception exists in the Chinese market that use of foreign IT products is unsafe. Tang Lan, Deputy Director of the Institute of Information and Social Development Studies of the China Institute of Contemporary International Relations, said existing IT product certification systems are mostly voluntary rather than compulsory. After vetting commences, however, the country may establish other systems of classification for the protection of cybersecurity. Particular care will be accorded toward Internet backbone technologies in the financial, transportation and telecom sectors.

China's ban on Windows 8 for civil service use may give a glimpse into the vetting policy's potential impact on foreign IT products. Owing to safety concerns, China has banned the purchase and installation of Windows 8 across all of the desktops, laptops and tablet computers of Central Government departments. The country has instead opted to support homegrown operating systems.

Windows Vista, Windows 7 and Windows 8 by Microsoft are all based on tried-and-trusted computing technology. On the surface, this would make Microsoft appear a safe choice, but the U.S. giant has recently consolidated its control and surveillance of its users, hence the ban.

In 2006, Chinese computer producers Lenovo, Founder, Tongfang and TCL signed agreements to use official editions of the Windows operating system, paying $1.2 billion, $250 million, $120 million and $60 million, respectively. This represents only a fraction of the profits Microsoft annually gleans from the Chinese market.

It is unlikely foreign IT firms will readily acquiesce to the new demands. This raises the question of whether or not vetting will bring fresh woes to the Internet industry. Zeng said such worries are unfounded.

He said that human beings now live in an age of information in what is first and foremost an Internet-based society. The Internet by its very nature is open, but cannot be a place where people can simply do whatever they please. Instead, it is a place where users' rights and interests should be protected and this necessitates regulation. All the policies China has put forth are designed to regulate administration of the Internet and protect public interests, be they those of the state, companies or individuals.