By Kevin Coleman
Defense Tech Cyber War Correspondent
Back in 2008, China first announced a certification process that included a set of computer security rules covering a broad swath of security products, which China said were needed for national-security reasons. The rules require security product vendors to provide China's Certification and Accreditation Administration and the General Administration of Quality Supervision, Inspection and Quarantine with complete details of the inner workings of computer security products in 13 broad categories.
These rules cover the following categories:
1. Firewalls (hardware and software), excluding personal firewalls
2. Network security separation cards and line selectors
3. Security isolation and information exchange products
4. Secure network routers
5. Chip operating systems (COS)
6. Data backup and recovery products
7. Secure operating systems
8. Secure database systems
9. Anti-spam products
10. Intrusion detection systems
11. Network vulnerability scanning products
12. Security auditing products
13. Web site recovery products
These rules were originally due to go into effect in 2009, but were delayed until May 1, 2010 after U.S. and European Union officials complained.
Chinese officials will demand detailed disclosure of exactly how these products work. Handing over detailed, and potentially proprietary, design information not only puts the intellectual property and competitiveness of every affected security vendor at risk; it could also be used to build counter-measures that defeat the protection these products provide.
These are the components commonly used to protect our critical infrastructure, military systems, government systems and business networks. Knowledge of their inner workings could also assist in the planning and design of future cyber attacks.
The clock ticked, midnight came and went, the deadline passed. I reached out to contacts in China and received the following response. "The regs went into effect but the certification process is limited to companies that sell domestically to the government in China, and there is still uncertainty about what exactly must be revealed during the certification process," said James M. Zimmerman (Squire Sanders & Dempsey L.L.P. in Beijing).
China has repeatedly tried to compel foreign companies to hand over details of their encryption (including keys) and other security technologies, and this time it looks like these rules have done it. Organizations serious about security need to put in place a policy requiring their security product vendors to disclose whether they have provided any details of the inner workings of their products to China.
If they have, evaluate the risks and look for alternative vendors of those products that have not complied with this new set of Chinese rules. One person who demanded not to be identified said, "Maybe it is time to reevaluate DoD's COTS (commercial off the shelf) decision either in totality or just for security products and systems."