China Policy Could Shut Out Foreign Security Firms


China catches a lot of flack in the infosec World, mostly for being suspected of cyber-terrorism and for propagating nasty malware.

Lately things have been getting more political especially during their tussle with Google over the whole ‘search freedom’ issue and censorship.

The latest is that they are starting to check for compliance on a 3 year old initiative called the Multi-Level Protection Scheme or MLPS which effectively mandates all core services that the government uses must be provided by local Chinese companies.

China is stepping up efforts to keep the security systems that protect its critical infrastructure in the hands of local firms, and that could be bad news for companies based outside the country.

China has started sending out inspectors to check for compliance with a little-known initiative called the Multi-Level Protection Scheme (MLPS), the Associated Press reported Wednesday. Introduced three years ago by China’s Ministry of Public Security, it mandates that core products used by government and infrastructure companies such as banks and transportation must be provided by Chinese companies.

Over the past year, government inspectors have been telling some companies that they must switch to Chinese firewalls and other types of security technology, the AP said. The development could force security vendors such as Cisco Systems and Symantec out of important parts of the growing market, or force them to partner with local businesses, said Stephen Kho, senior counsel with Akin Gump Strauss Hauer & Feld, an international law firm based in Washington. “Right now, it seems to only affect the companies that are in the information security sector,” he said.

The MLPS regulations have been public since 2007, but it wasn’t clear until recently that China would actually enforce them, Kho said. “When they put this one in place, nobody really paid any attention to it,” he said. “A lot of times these laws stay on the books and they do nothing.”

The regulations have been in place for 3 years but are only being enforced now, it seems like a concerted effort by the Chinese government to start pushing foreign companies out of China. Some could also say it’s to get back at the US rejecting takeover bids by Huawei citing ‘security concerns’.

It’s a two way street, you don’t let China in…they are going to push you out. So much for bilateral ties?

Critics worry that China may be leveraging security concerns to shut down free trade in its growing security products market.

The MLPS covers critical infrastructure companies, and China has said most government agencies and state-owned companies must be fully compliant by this year, according to a recent report by the American Chamber of Commerce in China. This requirement could have “serious implications” for companies that sell to critical infrastructure operators in China, the report states.

The MLPS is just one of several policies designed by China over the past few years to spur homegrown technology development. Groups like the American Chamber of Commerce worry that they simply close out foreign competition. “[P]olicies that China is adopting under the banner of ‘indigenous innovation’ are increasingly closed and protectionist in nature,” the group wrote in its report.

In a blog post last year, Oracle Director of Standards Strategy and Policy Trond Undheim said other laws and regulations are also at play here, including the Chinese Compulsory Certification (CCC), which requires the disclosure of intellectual property in some security products.

“China is at the moment poised to limit the global IT industry’s footprint in their country,” Undheim wrote. “They have devised a quite devious set of schemes to do this, centered around IT security legislation.”

This could cause some serious issues for big hardware players like Cisco and Juniper and honestly I think if China really pushes this policy their only choice will be to form some kind of joint venture with China shareholders being in the majority.

It seems China have things locked down pretty tight and if they so wish they can shut everyone down or just simply push them out of the market by making it illegal for them to do business.

Either way, it’s not looking good for some of the big US players.

Source: Network World

Posted in: Legal Issues

, , , ,


Latest Posts:


zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors
Memhunter - Automated Memory Resident Malware Detection Memhunter – Automated Memory Resident Malware Detection
Memhunter is an Automated Memory Resident Malware Detection tool for the hunting of memory resident malware at scale, improving threat hunter analysis process.
Sandcastle - AWS S3 Bucket Enumeration Tool Sandcastle – AWS S3 Bucket Enumeration Tool
Sandcastle is an Amazon AWS S3 Bucket Enumeration Tool, formerly known as bucketCrawler. The script takes a target's name as the stem argument (e.g. shopify).
Astra - API Automated Security Testing For REST Astra – API Automated Security Testing For REST
Astra is a Python-based tool for API Automated Security Testing, REST API penetration testing is complex due to continuous changes in existing APIs.
Judas DNS - Nameserver DNS Poisoning Attack Tool Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download - Tools for Network Auditing & Password Sniffing dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network


Comments are closed.