By Jaikumar Vijayan
Foreign vendors covered under the new requirement will face a difficult choice, Cloutier maintained. "They either decide to sell to the government of China, or to everyone else," he said.
"Let's say you make a particular product and you have encryption in it and you sell it to the government of China," Cloutier said. That fact could well influence purchasers outside of China who might be concerned about the security of that company's encryption technologies, he said. "If you sell to the government of China you've got to tell them how the stuff works," and that could be off-putting to other customers, Cloutier said.
There is also concern that sharing encryption technologies with China will enhance Beijing's Internet monitoring and surveillance capabilities and result in the information being leaked to Chinese rivals.
An Intel Corp. spokesman said the regulations have "some very specific applications not related to our business." Even so, the company has been working closely with the Information Technology Industry Council on the issue, the spokesman said without elaborating. The Washington, D.C.-based ITI is a trade association for high-technology companies.
Vendors Symantec, Cisco Systems and Gemalto did not immediately respond to requests for comments.
Harmon Nkenge, a spokeswoman for the U.S. Trade Representative's office, said U.S. officials are continuing to press China to address the concerns of foreign governments and industry before implementing the new testing and certification requirement.
"In April 2009, China agreed to significantly reduce the scope of its planned information security testing and certification rules after the United States and other trading partners expressed serious concerns about the scope and content of the rules," Nkenge said in an e-mail. "We were pleased with that decision," she added.
It seems unlikely at this point that the Chinese government will push back the implementation deadline or further reduce the scope of the requirement, Cloutier added.
Bruce Schneier, a noted cryptographer and chief security technology officer at BT, predicted that some U.S. companies will comply with the new rules. "Some companies will, and some won't," Schneier said. "There are U.S. companies that sell shock batons to foreign governments [so] features that enable surveillance are much easier to justify," he said.
China's requirement that vendors disclose their encryption codes to the government is not entirely without precedent. The Clinton administration in 1993 floated the idea of a "key escrow" in connection with the Clipper chip data encryption technology. The Clipper chip technology was developed by the National Security Agency and proposed by the government as a way to standardize encryption technology in the U.S.
Under the proposal, vendors who implemented the Clipper encryption technology in their products would have been required to hand over the decryption keys to the government, which would keep them in escrow and use them to decrypt communications if there was a valid legal need for it. That proposal failed to take off after vigorous protest from privacy groups, which said the technology and the key escrow scheme would allow the government to expand domestic surveillance.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.
Original story - http://www.computerworld.com/s/article/9176138/New_China_encryption_rule_could_pose_headaches_for_U.S._vendors