Showing posts with the label IBM. Show all posts

Friday, March 8, 2019

China is spying on US firms using power cords

Taiwan server suppliers move off mainland at US customers' request
By LAULY LI and CHENG TING-FANG

TAIPEI -- U.S. technology companies, concerned that server power cords and plugs could be used by China to access sensitive data, have asked Taiwanese suppliers to shift production of these components out of the mainland.
Lite-On Technology, whose customers include Dell EMC, HP and IBM, is building a new factory in Taiwan to manufacture power components for servers at the request of American clients that cited cyberespionage risks from Beijing, according to one executive.
Quanta Computer, which supplies servers and data centers to U.S. tech companies including Google and Facebook, has shifted production to Taiwan and elsewhere, citing security as one of the reasons, an executive told the Nikkei Asian Review.
"Cybersecurity, tariffs and geopolitical risks are the three main factors" propelling the decision by Quanta and its clients to move production, the executive said.
The drive by U.S. information technology companies to eradicate security threats is reaching even the most mundane of components. 
Some face pressure to source these components outside of China, despite the higher production cost.
"Unlike many other Taiwanese tech manufacturers diversifying their production away from China to avoid Washington's tariffs on Chinese goods, the top priority [for Lite-On's new plant] is addressing U.S. clients' security concerns," said the Lite-On executive who has direct knowledge of the company's plan. 
The executive declined to name these clients.
Cybersecurity experts confirmed that such a risk is legitimate.
"It is totally reasonable for U.S. companies to have such concerns because, technically, it is doable and not difficult for hackers to use the power supply system or power cords to retrieve data stored in servers," Tien Chin-wei, deputy director at the Taipei-based Cybersecurity Technology Institute, told the Nikkei Asian Review.
In servers, the data warehouses of the digital economy, the structure of the power supply system is more complicated than in ordinary consumer electronic devices like smartphones or notebooks. 
This makes it difficult to detect whether unwanted chips have been implanted in the power supply during production, cybersecurity experts said.
"If the server is compromised and the chip implanted in the power supply system is activated, the power lines could serve as a covert channel to transmit data," Philippe Lin, senior threat researcher at cybersecurity company Trend Micro, told Nikkei.
Besides common targets such as servers, data centers or large telecommunications infrastructure, these attacks also could occur against personal electronic devices, the experts said. 
Free charging cables provided in public spaces in China accessed smartphone data if individuals plugged in the fast-charging cable.
Lite-On supplies power components and power supply systems used in various electronics from smartphones and notebooks to servers and data centers. 
The company's power supply systems and parts often are shipped to manufacturers like Quanta, Wistron, or Inventec for final assembly into servers.
Lite-On's American customers had been alarmed by reports from Bloomberg Businessweek last year revealing that Beijing implanted tiny chips into the data center supply chains of U.S. tech companies, the executive with the Taiwanese manufacturer said.
"The American clients want to elevate their security measures, and they also do not want to upset the Trump administration," the Lite-On executive said.
The company is investing about 10 billion New Taiwan dollars ($324 million) to construct the new facility and research center in the southern Taiwanese city of Kaohsiung, which was previously planned to make electronic components for automobiles. 
Lite-On confirmed that the focus of the facility now is to produce server power parts to address American clients' need for higher security standards. 
The facility is scheduled to begin pilot operations in June.
Major server and data center manufacturers such as Quanta, Inventec and Wistron began shifting production to Taiwan and overseas sites last year, mainly to cope with Washington's additional tariff on networking-related components and devices. 
But now some are moving off the mainland as a result of these security concerns.
However, cybersecurity experts said that simply moving production out of China will not remove all risks, as there always will be ways to manipulate the production process regardless of the location.
"Every interface between components, or between motherboards and power supply systems could be a loophole for malicious implants," the Cybersecurity Technology Institute's Tien said. 
"You can only reduce or manage the risks, but it is not possible to entirely eliminate the threats."

Thursday, February 7, 2019

China's global theft of commercial secrets

China hacked Norway's Visma to steal client secrets
By Jack Stubbs

LONDON -- Hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients, cybersecurity researchers said, in what a company executive described as a potentially catastrophic attack.
The attack was part of what Western countries said in December is a global hacking campaign by China's Ministry of State Security to steal intellectual property and corporate secrets, according to investigators at cybersecurity firm Recorded Future.
China's Ministry of State Security has no publicly available contacts. 
The foreign ministry did not respond to a request for comment.
Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order to reach their clients.
Cybersecurity firms and Western governments have warned about Cloudhopper several times since 2017 but have not disclosed the identities of the companies affected.
Reuters reported in December that Hewlett Packard Enterprise Co and IBM were two of the campaign's victims, and Western officials caution in private that there are many more.
At the time IBM said it had no evidence sensitive corporate data had been compromised, and Hewlett Packard Enterprise said it could not comment on the Cloudhopper campaign.
Visma, which reported global revenues of $1.3 billion last year, provides business software products to more than 900,000 companies across Scandinavia and parts of Europe.
The company's operations and security manager, Espen Johansen, said the attack was detected shortly after the hackers accessed Visma's systems and he was confident no client networks were accessed.

"PARANOIA HAT"
"But if I put on my paranoia hat, this could have been catastrophic," he said. 
"If you are a big intelligence agency somewhere in the world and you want to harvest as much information as possible, you of course go for the convergence points, it's a given fact."
"I'm aware that we do have clients which are very interesting for nation states," he said, declining to name any specific customers.
Paul Chichester, director for operations at Britain's National Cyber Security Centre, said the Visma case highlighted the dangers organisations increasingly face from cyber attacks on their supply chains.
"Because organisations are focused on improving their own cyber security, we are seeing an increase in activity targeting supply chains as actors try to find other ways in," he said.
In a report https://www.recordedfuture.com/apt10-cyberespionage-campaign with investigators at cybersecurity firm Rapid7, Recorded Future said the attackers first accessed Visma's network by using a stolen set of login credentials and were operating as part of a hacking group known as APT 10, which Western officials say is behind the Cloudhopper campaign.
The U.S. Department of Justice in December charged two members of APT 10 with hacking U.S. government agencies and dozens of businesses around the world on behalf of China's Ministry of State Security.
Priscilla Moriuchi, director of strategic threat development at Recorded Future and a former intelligence officer at the U.S. National Security Agency, said the hackers' activity inside Visma's network suggested they intended to infiltrate client systems in search of commercially-sensitive information.
"We believe that APT 10 in this case exploited Visma networks to enable secondary operations against Visma's customers, not necessarily to steal Visma's own intellectual property," she said. "Because they caught it so early they were able to discourage and prevent those secondary attacks." 

Friday, December 21, 2018

China's Cyber-Aggressions

China hacked Hewlett Packard Enterprise, IBM and then attacked clients 
By Christopher Bing, Jack Stubbs, Joseph Menn
Signs for Hewlett Packard Enterprise Co. cover the facade of the New York Stock Exchange November 2, 2015. 

WASHINGTON/LONDON/SAN FRANCISCO -- Hackers working on behalf of China’s Ministry of State Security breached the networks of Hewlett Packard Enterprise Co and IBM, then used the access to hack into their clients’ computers, according to five sources familiar with the attacks.
The attacks were part of a Chinese campaign known as Cloudhopper, which the United States and Britain on Thursday said infected technology service providers in order to steal secrets from their clients.
While cybersecurity firms and government agencies have issued multiple warnings about the Cloudhopper threat since 2017, they have not disclosed the identity of technology companies whose networks were compromised.
International Business Machines Corp said it had no evidence that sensitive corporate data had been compromised. 
Hewlett Packard Enterprise (HPE) said it could not comment on the Cloudhopper campaign.
Businesses and governments are increasingly looking to technology companies known as managed service providers (MSPs) to remotely manage their information technology operations, including servers, storage, networking and help-desk support.
Cloudhopper targeted MSPs to access client networks and steal corporate secrets from companies around the globe, according to a U.S. federal indictment of two Chinese nationals unsealed on Thursday. 
Prosecutors did not identify any of the MSPs that were breached.
Both IBM and HPE declined to comment on the specific claims made by the sources.
“IBM has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats,” the company said in a statement. 
“We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat.”
HPE said in a statement that it had spun out a large managed-services business in a 2017 merger with Computer Sciences Corp that formed a new company, DXC Technology.
“The security of HPE customer data is our top priority,” HPE said. 
“We are unable to comment on the specific details described in the indictment, but HPE’s managed services provider business moved to DXC Technology in connection with HPE’s divestiture of its Enterprise Services business in 2017.”
DXC Technology declined to comment, saying in a statement that it does not comment on reports about specific cyber events and hacking groups.
Reuters was unable to confirm the names of other breached technology firms or identify any affected clients.
The sources, who were not authorized to comment on confidential information gleaned from investigations into the hacks, said that HPE and IBM were not the only prominent technology companies whose networks had been compromised by Cloudhopper.
Cloudhopper, which has been targeting technology services providers for several years, infiltrated the networks of HPE and IBM multiple times in breaches that lasted for weeks and months, according to another of the sources with knowledge of the matter.
IBM investigated an attack as recently as this summer, and HPE conducted a large breach investigation in early 2017, the source said.
The attackers were persistent, making it difficult to ensure that networks were safe, said another source.
IBM has dealt with some infections by installing new hard drives and fresh operating systems on infected computers, said the person familiar with the effort.
Cloudhopper attacks date back to at least 2014, according to the indictment.
The indictment cited one case in which Cloudhopper compromised data of an MSP in New York state and clients in 12 countries including Brazil, Germany, India, Japan, the United Arab Emirates, Britain and the United States. 
They were from industries including finance, electronics, medical equipment, biotechnology, automotive, mining, and oil and gas exploration.
One senior intelligence official, who declined to name any victims who were breached, said attacks on MSPs were a significant threat because they essentially turned technology companies into launchpads for hacks on clients.
“By gaining access to an MSP, you can in many cases gain access to any one of their customers,” said the official. 
“Call it the Walmart approach: If I needed to get 30 different items for my shopping list, I could go to 15 different stores or I could go to the one that has everything.”
Representatives with the FBI and Department of Homeland Security declined to comment. 
Officials with the U.S. Justice Department and the Chinese embassy in Washington could not be reached.
A British government spokeswoman declined to comment on the identities of companies affected by the Cloudhopper campaign or the impact of those breaches.
“A number of MSPs have been affected, and naming them would have potential commercial consequences for them, putting them at an unfair disadvantage to their competitors,” she said.

Saturday, August 5, 2017

U.S. Tech Quislings

How Qualcomm Is Backing China’s Tech Ambitions
By DAVID BARBOZA

As the Chinese government develops drones, the American technology giant Qualcomm is helping. The same goes for artificial intelligence, mobile technology and supercomputers. 
Qualcomm is also working to help Chinese companies like Huawei break into overseas markets in support of China’s “go global” campaign to develop big multinational brands.
Qualcomm is providing money, expertise and engineering for Beijing’s master plan to create its own technology superpowers.
Big American companies fiercely protect their intellectual property and trade secrets, fearful of giving an edge to rivals. 
But they have little choice in China — and Washington is looking on with alarm.
To gain access to the Chinese market, American companies are being forced to transfer technology, create joint ventures, lower prices and aid homegrown players. 
Those efforts form the backbone of Xi Jinping’s ambitious plan to ensure that China’s companies, military and government dominate core areas of technology like artificial intelligence and semiconductors.
As concerns mount about Beijing’s industrial policy, the Trump administration is preparing a broad investigation into potential violations of American intellectual property, according to people with knowledge of the matter. 
Congress is also considering ways to restrict China’s ability to acquire advanced technology by toughening rules to prevent the purchase of American assets and limit technology transfers.
In this arena, America’s economic interests are aligned with its national security needs. 
The worry is that by teaming up with China, American companies could be sowing the seeds of their own destruction, as well as handing over critical technology that the United States relies on for its military, space and defense programs.
Advanced Micro Devices and Hewlett Packard Enterprise are working with Chinese companies to develop server chips, creating rivals to their own product. 
Intel is working with the Chinese to build high-end mobile chips, in competition with Qualcomm. IBM has agreed to transfer valuable technology that could enable China to break into the lucrative mainframe banking business.
“There’s a great deal of unease in Washington,” said James Lewis, an analyst at the Center for Strategic and International Studies, a Washington-based think tank. 
“The defense, intelligence agencies and others are concerned that advanced chip-making capabilities are going to China.”
Qualcomm declined to comment, as did Intel.
Qualcomm is caught in the middle.
The world’s dominant mobile phone chip maker, Qualcomm ran afoul of the Chinese government, getting hit in 2015 with a record $975 million fine for anticompetitive behavior. 
To get back in Beijing’s good graces, the company agreed to lower its prices in China, promised to shift more of its high-end manufacturing to partners in China, and pledged to upgrade the country’s technology capabilities.
The extent of Qualcomm’s involvement with the Chinese government — and the complications for American tech giants — is seen in a low-slung office building in the southwest part of the country. There, a team of engineers is developing leading-edge microchips to compete with the finest made by Intel. 
The chips will help power a huge data and cloud center with the potential to strengthen the country’s computing capabilities. 
No longer content to rely on buying the chips that go into cellphones, computers and cars, China now wants to design and build the brains that drive much of the digital world.
The government is providing land and financing to the start-up formed with Qualcomm, called Huaxintong Semiconductor.
Qualcomm has provided the technology and about $140 million in initial funding.
“Qualcomm has a balancing act,” said Willy Shih, who teaches at Harvard Business School. 
“Most of the world’s PCs are made in China, and most of the world’s smartphones too, so they have to play along. It’s a fact of life.”
Qualcomm was early to break into China.
In the mid-1990s, as China’s economy began to boom, Bill Clinton pressed the country’s leaders to open to American technology companies.
Members of the Clinton administration, including Charlene Barshefsky, the United States trade representative, and William M. Daley, the secretary of commerce, were dispatched to Beijing to hammer out the details. 
They pushed for one company by name: Qualcomm.
“At the time, they were the only U.S. show in town,” Ms. Barshefsky said.
“Bill Daley and I pushed the Chinese hard on accepting the U.S. standard for wireless technology,” she added, “and that was Qualcomm.”
Mobile phone adoption was taking off globally, largely backed by a European wireless standard called G.S.M., or global system for mobile communications. 
Qualcomm had a competing American standard called C.D.M.A., or Code Division Multiple Access.
Irwin M. Jacobs, a founder of Qualcomm, spearheaded an aggressive lobbying campaign in Washington and Beijing, promoting the technology’s potential to transform wireless communication markets.
“We knew China would be important, and they didn’t have their own system,” said Perry LaForge, a former Qualcomm executive. 
“We also told them this system would give them an opportunity to manufacture their own handsets, and not rely on buying them from other countries.”
When Qualcomm first entered China in the late 1990s, it was slow to gain traction. 
The company struggled to find Chinese partners to produce mobile phones that worked with its network. 
China also tried to develop its own wireless standard.
Qualcomm eventually won out, helping write the standards for next-generation mobile technology, 3G and 4G service. 
The standard championed by European telecom providers faded rapidly. 
And China’s homegrown technology struggled.
By 2013, virtually every wireless device around the world was reliant on either Qualcomm’s chips or its patents — enough to provide some of the technology industry’s fattest profit margins.
With its dominance rising, global brands like Apple and Samsung began complaining to regulators around the world, citing “discriminatory” pricing practices and high royalty fees. 
In China, a trade group made up of the country’s major handset makers complained about patent holders levying “exorbitant licensing fees.”
“These days a smartphone is covered by about 250,000 patents,” said Dieter Ernst, a senior fellow at the East-West Center, a research and educational center based in Honolulu. 
“A Chinese smartphone maker needs to negotiate license agreements with companies like Qualcomm that own the essential patents.”
“The Chinese government was worried about this,” he added. 
“That all these costs could constrain Chinese companies.”
The raids began at dawn, in late November 2013. 
Investigators descended upon Qualcomm’s offices in Beijing and Shanghai, questioning the staff and hauling away laptops and documents.
At the time of the raids, the San Diego-based company’s senior managers were at the Ritz-Carlton Hotel in New York, attending an investor conference. 
The executives were planning to talk about the company’s strategy. 
Instead, they began fielding frantic phone calls from China.
The China business, which accounted for more than half of its global revenue, was in trouble.
A week later, one of the country’s most powerful regulatory agencies, the National Development and Reform Commission (N.D.R.C.), announced that it was looking into whether Qualcomm had abused its power in the sale of mobile phone chips. 
“Qualcomm came to control so much of the chip market in China,” said Louie Ming, a former Qualcomm executive in China. 
“It was clear they were eventually going to run into antitrust problems.”
While Qualcomm agreed to fully cooperate with the investigation, some senior executives appealed to the Obama administration, pressing the White House to raise the issue with China’s senior leaders, according to a former administration official.
Qualcomm’s troubles went beyond China. 
The company was also under scrutiny by antitrust regulators in the European Union and South Korea, as well as by the United States Federal Trade Commission.
China didn’t back down. 
The head of the N.D.R.C. branded Qualcomm a monopoly.
In February 2015, after a 15-month-long investigation, Qualcomm settled allegations in China that it had charged unfairly high prices for its chips and patents. 
The company agreed to pay the $975 million fine — about 8 percent of its annual revenue in China — and to lower the prices for chips sold in the country.
“We are pleased that the resolution has removed the uncertainty surrounding our business in China, and we will now focus our full attention and resources on supporting our customers and partners in China,” Steve Mollenkopf, the company’s chief executive, said at the time.
Qualcomm then went into business with the Chinese government.
There was a $150 million investment fund to help Chinese start-ups; new research and design facilities set up with Chinese companies such as Huawei and Tencent; and a partnership with a Beijing-based company called Thundersoft to develop drones, virtual reality goggles and internet-connected devices.
Qualcomm is also helping the Chinese government develop supercomputers, a technology the United States government has discouraged American companies from supporting overseas. 
In May, Qualcomm agreed to form a joint venture with other state-backed firms to design and sell mass-market smartphone chips. 
And to help make Chinese chip manufacturing more competitive, Qualcomm has pledged to shift more of its high-end production — long done by outside contractors in Taiwan and South Korea — to China.


The Price of Access to a Big Market

Beijing is pressing American technology giants to form joint ventures or partnerships with Chinese companies and transfer advanced technology. The enterprises, in which American companies usually take a minority stake, are backed by the government.
| Company | Partner | Date | Product | Investment |
| --- | --- | --- | --- | --- |
| AMD | Tianjin Haiguang Advanced Technology Investment Company | 2016 | Server chips | $293 million |
| Qualcomm | Guizhou government | 2016 | High-end server chips | $280 million |
| Brocade | Guizhou government | 2016 | Data center networking solutions | unknown |
| VMware | Sugon Information | 2016 | Cloud computing and virtualization software | $50 million |
| Hewlett Packard Enterprise | Tsinghua Holdings Unisplendour Group | 2016 | Networking servers and storage systems | $4.5 billion |
| Microsoft | C.E.T.C. Group | 2015 | Software | $40 million |
| Western Digital | Tsinghua Holdings Unisplendour Group | 2016 | Data center storage systems | $300 million |
| Cisco Systems | Inspur Group | 2016 | Networking systems | $100 million |
| Intel | Spreadtrum/RDA Microelectronics | 2014 | Mobile phone chips | $1.5 billion |

The investment figure is either the initial investment in the venture or the U.S. company's investment in it. | By THE NEW YORK TIMES

“This is what China does better than anyone else,” said Robert D. Atkinson, president of the Information Technology and Innovation Foundation, a think tank focused on technology policy that has conducted studies detailing the Chinese government’s pressure on technology companies.
“They have a large carrot and a large stick,” he said. 
“And they have a market no C.E.O. can walk away from.”
Qualcomm’s biggest new venture is taking shape in southwest China’s Guizhou Province. Determined to leap into advanced technology, China has designated a large parcel of land in the provincial capital of Guiyang as the home of a new industrial park for supercomputing, data centers and cloud computing. 
The country’s large state-run telecom operators and its internet behemoths, including Alibaba and Tencent, are moving in, to build massive server farms. 
The region offers lower energy costs and abundant supplies of water, necessary to cool server farms.
A year ago, Qualcomm set up a joint venture with the Guizhou government and pledged to invest about $140 million for a minority stake in the business, situated in a development zone that has also attracted the interest of Microsoft and Dell. 
Qualcomm says it received American government approval for the deal.
The new Qualcomm joint venture, Huaxintong Semiconductor, broke ground on the site in 2016, and now operates in a 46,000-square-foot design and engineering center. 
A major test of the partnership will come when the joint venture’s first server chips are released — helping Qualcomm and the Chinese government stake out new ground. 
The Chinese government will control the chips and reap most of the profits.
In late March, Qualcomm’s president, Derek K. Aberle, flew to Guizhou to meet a powerful local government leader, Chen Min'er, a confidant of the Chinese president. 
Seated in a government hall, before an enormous landscape painting, Mr. Aberle pledged to “continually cooperate” with the Chinese government.

Monday, May 22, 2017

3.8 Million Chinese Spies

Ex-IBM Employee Guilty of Stealing Secrets For China
By Jeff John Roberts

A former developer for IBM pled guilty on Friday to economic espionage and to stealing trade secrets related to a type of software known as a clustered file system, which IBM sells to customers around the world.
Xu Jiaqiang stole the secrets during his stint at IBM from 2010 to 2014 "to benefit the National Health and Family Planning Commission of the People’s Republic of China," according to the U.S. Justice Department.
In a press release describing the criminal charges, the Justice Department also stated that Xu tried to sell secret IBM source code to undercover FBI agents posing as tech investors. (The agency does not explain if Xu's scheme to sell to tech investors was to benefit China or to line his own pockets).
Part of the sting involved Xu demonstrating the stolen software, which speeds computer performance by distributing work across multiple servers, on a sample network. 
The former employee acknowledged that others would know the software had been taken from IBM, but said he could create extra computer script to help mask its origins.
Xu, who is a Chinese national who studied computer science at the University of Delaware, will be sentenced on October 13.
The Justice Department's press release does not identify IBM, but instead refers to "the Victim Company." 
But other news outlets name IBM as the target of the theft, while a LinkedIn page with Xu's name shows he worked at IBM as a file system developer during the relevant dates.
IBM did not immediately respond to a request for comment on Sunday.
This isn't the first time that Chinese nationals have carried out economic espionage against American companies. 
In 2014, the Justice Department charged five Chinese hackers for targeting U.S. nuclear and solar energy firms. 
And late last year, the agency charged three others for hacking U.S. law firms with the goal of trading on insider information that they obtained.

Friday, December 2, 2016

Microsoft, Intel, IBM Push Back on China Cybersecurity Rules

Beijing wants foreign tech companies to hand over their source code.
By EVA DOU


Visitors used a laptop behind a security guard at the Global Mobile Internet Conference in Beijing in April 2015. The Chinese government plans to implement new cybersecurity rules by next summer.

BEIJING—Tough new Chinese cybersecurity rules are providing a rare, behind-the-scenes look at a regulatory skirmish between U.S. technology companies and Beijing.
China is moving to require software companies, network-equipment makers and other technology suppliers to disclose their proprietary source code, the core intellectual property running their software, to prove their products can’t be compromised by hackers.
Tech companies are loath to offer up their source code, saying this will heighten the risk of their code falling into the hands of rivals or malefactors—and may not guarantee it is hack-proof.
Microsoft Corp., Intel Corp. and International Business Machines Corp. are among those filing objections.
“Sharing source code in itself can’t prove the capability to be secure and controllable,” Microsoft wrote in comments released by a government cybersecurity committee in November.
“It only proves there is source code.”
Intel said a rule forcing chip makers to disclose the details of their products “would hurt technological innovation and decrease the security level of products.”
------------
BEIJING’S ONLINE RULES
Some features of China’s new regulations to ensure information technology products are ‘secure and controllable.’

  • IT suppliers must provide the software source code running the products, and design details, so authorities can check for security flaws or back doors.
  • Product security will be graded on whether the system’s technology is transparent to authorities, how data is stored and processed, and the stability of the supply chain, to economic and political changes.
  • IT buyers in China will be ranked into five security classifications that require different levels of IT equipment security.

-------------
The comments were made in a discussion log made public by Technical Committee 260, the national cybersecurity standards maker, as it released technical parameters of its omnibus cybersecurity law adopted Nov. 7.
The committee is rolling out standards for operating systems, microprocessors, office software and other products to comply with the regulations when they go into force in June 2017.
Chinese authorities have said these measures are necessary to guard against foreign espionage tools being embedded in software used here.
They frequently cite claims by former U.S. National Security Agency contractor Edward Snowden that such back doors were routinely built into U.S. technology products sold overseas.
Microsoft, Intel and IBM were the largest U.S. firms to respond to the draft regulations, joining dozens of Chinese companies, government agencies and security experts.
The three U.S. tech giants declined to comment beyond their written statements.
All three have multiple China ventures with local partners and are typically reluctant to publicly challenge Chinese policy.
As such, their written comments, made in Chinese, offer a rare glimpse into how they parry over regulations with Beijing authorities.
Among other things, tech companies are bristling at the level of detail they would be forced to disclose to have their proprietary technologies rated “secure and controllable.”
Microsoft wrote that it believed allowing visitors to view code at its new “Transparency Center” in Beijing should suffice, rather than having to “share source code.”
Technical Committee 260 staffers disagreed, maintaining the original wording and marking the comment “not accepted.”
Microsoft and Intel also raised questions over one security standard that gives a higher ranking to products whose development and delivery can’t be disrupted by “politics,” with Intel requesting clarification.
That complaint was marked “partially accepted,” although political consideration is still in the most recent draft.
IBM said that distinctions should be made between computing services for commercial use, versus services for government applications.
“Computing rooms used purely for commercial cloud computing purposes shouldn’t have to be located within China’s borders,” wrote IBM.
In a written response, Technical Committee 260 staffers said that many sectors touch upon social stability and the public interest.
“It’s not only a pure commercial question.”
Jeremie Waterman, senior director for Greater China at the U.S. Chamber of Commerce in Washington, said there is “deep concern about the IP disclosure requirements.”
But it isn’t clear what recourse U.S. tech companies might have.
Despite any objections, U.S. firms are unlikely to leave China over the cybersecurity requirements because of the importance of the mammoth Chinese market, said James Gong, a senior associate at law firm Herbert Smith Freehills LLP who works with western clients in navigating Chinese law.
“I don’t think they will pull out,” said Mr. Gong.
“I haven’t heard of any company that has decided to leave.”
China has long had cybersecurity standards that weren’t vigorously enforced—but that is likely to change when the nationwide cybersecurity law goes into effect next summer, he said.
Beijing maintains that its security rules apply to domestic and foreign companies equally.
When China passed the cybersecurity law last month, a spokesman for the internet regulator said foreigners who thought the law would favor domestic firms had a “misunderstanding, a biased view.”
But in Technical Committee 260’s discussions, certain government officials argued for the standards to be drafted to favor domestic companies.
“The big trend is called shifting to domestic production,” wrote Guo Qiquan, chief engineer at the China Ministry of Public Security’s Network Security Bureau, in a suggestion that the committee marked “approved.”
“But it can’t be written that way, so one calls it independent and controllable.”