China is taking a no-holds-barred approach to cyber security, especially with respect to the acquisition of foreign cyber security technologies. Their new draft cyber security law really tightens up the Chinese government's stranglehold on the country's network-oriented security:
Ensuring the security of network products and services is fundamental to cyber security. The Chinese government intends to implement a strict policy on network products and services to improve China’s cyber security. The Draft sets up a system where key IT hardware and equipment must meet mandatory security qualifications, and acquire government certification, before being sold and implemented.
Article 19 of the Draft states that key network facilities and special network safety products may only be sold after being certified or after passing a test established by the relevant authority. The catalog of key network facilities and special network safety products will be published by the national network and information authority and relevant departments under the State Council separately.
However, this approach may not be novel—it may be a reflection on, and consequence of, recent events. Specifically, foreign IT suppliers may face greater challenges when attempting to provide any of the aforementioned products or services.
Until recently, Chinese companies and administrative authorities widely used foreign software and hardware in their IT systems. However, when the PRISM project was uncovered in 2013, the Chinese government was alerted to the inherent dangers of foreign IT products; products from American IT tycoons like IBM, Oracle, and EMC (IOE) were ubiquitous. Since these foreign IT products create the potential risk that foreign governments could be provided with critical and confidential information, more and more Chinese companies and administrative authorities stopped using foreign IT products (including, but not limited to, IOE). Instead, Chinese entities have turned to domestically developed products and services, or have started developing their own technologies.
In response to these concerns, the Guidelines on Banks Using Secure and Controllable Information Technology (2014-2015) (《银行应用安全可控信息技术推进指南（2014-2015）》) (Guidelines) were promulgated by the Ministry of Industry and Information Technology and the China Banking Regulatory Commission (CBRC) on 26 December 2014. While the Guidelines do not explicitly prohibit foreign suppliers from selling IT software and hardware to the Chinese banking industry, they do set a very high bar for foreign supplier entry into the market. For example, the source code of the software attached to certain network equipment (e.g. backbone routers) and storage equipment (e.g. storage FC switches) must be filed with the Technology and Information Department of CBRC for recording purposes; the monitoring and administering interface of certain network equipment (e.g. firewalls) must be tested and certified by the Technology and Information Department of CBRC; and suppliers of certain kinds of network equipment (e.g. core switches) and storage equipment (e.g. tape libraries) are required to establish R&D centers in China.
It is going to be exceptionally tough for American cyber defense technology vendors to (pun intended) penetrate China as a result of this law.
Disclosure: I work for Intel Security, a cyber security product and services vendor.