Should US Tech Companies Share Their “Source Code” with China?
(This has been cross-posted from the PIIE RealTime Economic Issues blog.)
IBM and Microsoft have agreed to let the Chinese government review some of their proprietary source code in a secure setting, provoking criticism from the Obama administration and some technology companies that doing so will reopen the door to the Chinese campaign to force technology transfer to Chinese companies. These two tech giants do want to secure their place in the large Chinese market, but their willingness to provide the Chinese with a look at their source code is clearly focused on blunting concern about surveillance, not transferring technology to Chinese companies.
The Chinese have been determined to examine the source code for technology company products to make sure there are no security risks of the sort disclosed in 2013, when materials made public by Edward Snowden revealed that the US government was penetrating information technology (IT) products to spy on China and other governments. In a highly charged atmosphere of mistrust between the United States and China, the effort by IBM and Microsoft should be seen as a step in the right direction that would reassure both users and foreign governments that data placed on their equipment will not be compromised.
The international IT industry is being splintered by suspicions about the integrity of hardware and software systems, leading to discrimination according to the nationality of the producing company. In an era of globalized supply chains, national or regional demonstration centers that can test large random samples of IT products may be the way to reassure all parties that such products do not have secret backdoors or spyholes. The goal would be to have IT source code inspected by independent impartial demonstration centers—not government-run labs with lax intellectual property protections—that would help provide confidence about the integrity of IT goods and services from all around the globe (Moran 2013).
What did IBM and Microsoft agree to do?
On Friday, October 16, the Wall Street Journal reported that IBM had agreed to share its source code with the Chinese government, which IBM promptly confirmed. The story provoked widespread media coverage, much of it filled with alarm. The Journal asserted that IBM was “the first major U.S. tech company to comply with Beijing’s recent demands” for the sharing of source code. In fact, a dozen years earlier, in September 2003, Microsoft announced the opening of a software review lab in partnership with the Chinese government in Beijing, an announcement that was met with no coverage and no alarm (Microsoft News Center, September 26, 2003).
Source code is a set of software instructions that tells a computer how to execute a particular program to achieve the objectives desired by the programmer. “Sharing source code” could involve access that is very broad or quite narrow. IBM insisted that its agreement with China’s Ministry of Industry and Information Technology was carefully constricted, allowing only “the capability to conduct limited demonstrations of specific aspects of our technology in highly-secure, controlled IBM environments that have no external communication links” (IBM response to press inquiries, October 16, 2015).
IBM said further that the purpose of sharing source code was “to reassure key stakeholders, including our clients, that no means exist for other parties to access IBM technology or data we manage on behalf of clients.” In a 2014 Open Letter to clients, IBM “stated unequivocally that we respect the security and privacy of client data. IBM does not provide government access to client data or ‘back doors’ into our technology. That commitment remains firm.”
At the same time, IBM maintains that careful steps will be taken “to ensure that no software source code is released, copied or altered in any way” so as to prevent technology theft or imitation.
Microsoft’s agreement to share source technology has the same twin stated objectives of reassuring Chinese users and the Chinese government about product integrity without allowing theft of intellectual property. In February of 2003 Bill Gates signed a source code agreement with the China Information Technology Security Certification Center (CNITSEC). On September 25, 2003, CNITSEC’s Source Code Review Lab officially opened in Beijing.
Tim Chen, vice president of Microsoft and CEO of Microsoft Greater China, said: “The opening of CNITSEC Source Code Review Lab is a significant step in fulfilling Microsoft’s long-term commitment in China. To create a trustworthy computing environment is the goal of Microsoft.” Microsoft emphasized that its Windows technology would be inspected under carefully “controlled access,” built around the global ISO 15408 standard to test, evaluate, and certify information security products, systems, and web services.
The ISO 15408 standard provides a framework in which computer system users can specify their security requirements, vendors can implement and make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they meet the claims. ISO 15408 is a mutually recognized standard across many countries, including Germany, France, and the United Kingdom, as well as the United States and Canada. CNITSEC is the first and only technology security center in China to adopt the ISO 15408 standard.
While narrowly circumscribing the review of their source code, both IBM and Microsoft maintained that they will continue to follow through on past steps to integrate basic building blocks of their technology portfolios into China’s rapidly expanding IT infrastructure.
Since 2013 IBM has pursued a global program called Open Power that offers base technology that can be enhanced by local licensees worldwide to spur business opportunities in which IBM can participate. “Our Open Power partners in China are getting access to the same technology that we make available to all Open Power members around the world,” Edward Barbini, a spokesman for IBM, pointed out (New York Times, April 19, 2015).
Microsoft explained its agreement to share source code with CNITSEC as a central component of the company’s strategy to help fortify its long-term position in the Chinese market. To this end, Tim Chen affirmed at the opening of the Source Code Review Lab that “Microsoft is willing to cooperate with the Chinese government and its authorized parties and share Microsoft’s accumulated experience in software and security development.”
As noted earlier, Microsoft’s agreement to share source code has gone largely unnoted, while IBM has been the subject of much critical comment.
In September 2014, in an earlier example of Chinese pressure to force technology transfer from US to Chinese companies, China’s banking regulator introduced rules to govern foreign banks that would require them to switch to what was called “safe and controllable technologies” from providers that incorporated Chinese companies as partners. The rules were seen in the United States as protectionist, discriminatory, and distortionary in many ways. They included a requirement to share source code with regulators. With strong backing from US trade groups, the Obama administration pushed back hard against the proposed rules, and in April 2015 the Chinese banking regulator suspended their implementation.
IBM’s willingness to work with Chinese authorities as part of an aggressive strategy to incorporate its technology into the backbone of the Chinese IT industry, meanwhile, has been criticized as appearing to undermine the orchestrated US resistance to Chinese demands. According to the New York Times, “critics say IBM is caving in to Chinese demands, placing short-term business gains ahead of longer-term political and trade issues. Its actions may spur other American companies to break ranks and also submit to the new Chinese regulations, out of concern that IBM will get advantages by cooperating with the country.”
“People do feel angry about what appears to be an accommodation with the Chinese,” noted James A. Lewis, a former government official now at the Center for Strategic and International Studies. “And you have to kind of expect that, particularly at a time when you have the whole U.S. government ginned up to push the Chinese on this.”
But instinctive criticism such as this may miss the larger opportunity for multilateral cooperation in the fraught arena of ensuring the integrity of IT supply chains. IBM reports that its actions in China are part of a wider effort to establish technology demonstration centers in diverse countries to ensure that the company’s hardware and software do not allow unauthorized access to client data.
Microsoft, too, points out that its source code agreement is part of a “global initiative that provides national governments with managed access to Microsoft Windows source code and other technical information they need to be confident in the security of the Windows platform.”
The Chinese government, Microsoft notes, is simply “one of the first governments around the globe to sign the agreement.”
The willingness of IBM and Microsoft to set up demonstration centers outside of China, as well as inside, underscores the importance of finding agreed-upon procedures by which consumers and producers can protect the integrity of high technology. All IT companies procure their inputs from sources in China, Mexico, Israel, and other sites where backdoors or penetration portholes might be inserted. Ensuring the integrity of IT equipment and IT upgrades in a world of globalized supply chains, therefore, may require setting up regional vetting stations to examine random samples of hardware and software from all providers (see Moran, Policy Brief 13-11: Dealing with Cybersecurity Threats Posed by Globalized Information Technology Suppliers, May 2013). To be credible, such vetting stations may have to move beyond the look-but-don’t-touch approach of IBM to allow multilaterally agreed test procedures by independent experts.
The large objective of such an international initiative would be precisely to prevent discrimination on the basis of nationality of supplier. In this context, the steps taken by IBM and Microsoft may help blunt and even reverse the balkanization of information technology that now haunts the international IT industry.
Dou, Eva. 2015. IBM Allows Chinese Government to Review Source Code. Wall Street Journal (October 16).
IBM. 2015. IBM Statement on Limited Technology Demonstrations (October 16).
Microsoft News Center. 2003. China Information Technology Security Certification Center Source Code Review Lab Opened (September 26).
Mozur, Paul. 2015. IBM Venture With China Stirs Concerns. New York Times (April 19).
Moran, Theodore H. 2013. Dealing with Cybersecurity Threats Posed by Globalized Information Technology Suppliers. Policy Brief 13-11. Washington: Peterson Institute for International Economics.