In my post last week, China Bank Rules Technology: Not the Same Old Thing, I said I would come back here with a solution to this mess banking software. How should the United States, the European banking software developers and Japanese address this problem? The basic resolution come in
two stages. First,
recognize that it is a software issue and not a trade issue.
Second,
software developers face a difficult choice. They either surrendered by going local or they stick to their basic rules and go home. The balance is rapidly eliminated. Consider first the software question. The issue of software security has been confused by placing the discussion as part of the NSA / FBI spying and fear of "backdoors" to be placed in the foreign software. Foreign software developers have treated this as a question of fact. If they can prove that such doors are rear ended the dispute.
However, no proof is possible within the framework of the standard model for software sales. Software is "allowed" as a compiled binary. The license includes a ban decompile the software. Under this approach, the client can never know what is in the software. The package remains a permanent black box.
It is impossible for the developer of foreign software to prove that black box does not contain custom designed back door to allow access by a third party. Even the seller can not be sure that what has been inserted into the software by simply inspecting the binary. From the perspective of the Chinese bank, the only evidence may come when the Chinese bank gets the source, the analysis and the code of the back door, and then compiles a clean version.
The discussion set of espionage and secret doors back is a distraction from the real issue, which is that the foreign bank software has largely proven to be insecure as evidenced by the recent wave of international piracy events.The Chinese authorities are intimately aware of this because it is they who make piracy. That China's banking regulator said is very clear: we know foreign bank networking and software is easily hacked. This software is inherently insecure. Foreign banks can do what they want.
However, for our own banking system, we will require that Chinese banks only use networking and banking software that can be confirmed by our own experts to be fully secure. If the software is not secure, and the seller is not willing / able to prove that this is true, then we will not allow our banks and other national security industries important to make use of this software and its associated hardware.
The position of the Chinese banking regulators is reasonable. Banking networks and software turned out to be fundamentally flawed and not software developer has shown that he has the solution. software clients are simply equipped with a series of patches kludgy after a major flaw was discovered and often after a major violation occurred. American, European and Japanese customers generally accept this situation. The Chinese government is not, and is of the opinion that if software developers can not prove that their product is safe within the limits established by the Chinese banking authorities, they should not be allowed to infect a key pillar of the China 's economy as the banking system.
So, as I said, this dispute is not a trade dispute. This is a fundamental dispute over the quality of the product with the abundant support for the fundamental position of the Chinese regulators.In this spirit, the obvious solution would be for China to move to open source software products such as Apache, Firefox, Open Office or Linux, which were remarkably resistant to hacking and failures related software. Encryption with PGP and its derivatives is very powerful. For both black and white hat hacking hat, tools found Kali Linux are state of the art.
Given that the Chinese authorities require source code to be released, an observer can assume that the Chinese government is trying to push the large foreign commercial software developers to an open source model. However, this is not the case. The Chinese authorities are just as hostile to open source developers as are foreign commercial software. The Chinese do not want to encourage an open system. The Chinese want the opposite. The Chinese government wants a sealed system and a small Chinese SOEs control core. For this reason, the open source solution is not what the Chinese are seeking.
So how software / foreign equipment suppliers may face the situation in China. The position in the past has been strongly resist capitulate to Chinese control model. However, bank technical rules will probably show that resistance is futile. Foreign software / hardware vendors will face a difficult choice: Go local or go home.
The approach to the house fire was taken by Google in the past and more recently by Yahoo. President Obama in his recent comments on the issue suggested that the software / foreign equipment suppliers will follow Google's example and take their balls and let the Chinese court. The idea is that Chinese banks will suffer so severely lack of viable product that the Chinese will surrender and retreat. However, this plan is based on the fundamental error that the dispute is a trade dispute rather than a legitimate dispute made based on the quality of software and network security.
So I think the best solution for the future will probably be for these companies to "go local." There are two main business models for it. Foreign developers will either license their software / hardware to Chinese entities or they will form China WFOE. In both cases, the software / hardware will be provided to Chinese customers (banks initially) by Chinese entities. Any foreign business entity will be involved in the transaction.
The Chinese entity will be controlled by the
regulatory authorities of the Chinese Government. This control will at least include the following:
- Software source code will be provided to the customer and the Chinese regulator for inspection and analysis. Software protection shall be made by the trade agreements and the secret of the Standard license rather than the current approach of the black box. Compilation is done in a controlled manner, to ensure that the inspected source code is the only source for compilation. Appropriate rear doors for access by the regulators of the Chinese government will be installed and the free access will be maintained.
- Encryption not to use foreign systems, but instead will be developed in collaboration with and under the control of the Chinese regulatory authorities. This encryption will provide back entrances to the Chinese authorities and enforcement agencies (police agencies, military, security).
- Software and hardware vendors will he held responsible for the safety of their products. If a violation occurs, the seller will be required to solve the problem and be liable for damages that occur. Defective software costs will not be loaded off the client and the burden of compensation will not be given to private network security companies.
Provided that foreign suppliers do the above, the Chinese authorities will allow them to take advantage of their products. It is simply wrong to say that the Chinese are looking to create a software industry that will move the publishers of foreign software. The Chinese authorities are well aware that China does not have the expertise to achieve this objective in the short or even medium term. For this reason, Chinese regulators are willing to allow foreign suppliers to make a profit sale and licensing their products in China. The Chinese government seeks control, not profit.
The Chinese business model looking violates the fundamental principles of the company have allowed the development of commercial software industry in the US, Europe and Japan. Many developers of software and hardware to see all the rules that would be violated by the Chinese approach in almost religious terms. It would therefore violate a fundamental moral code to capitulate to the Chinese model.
However, if the foreign vendors plan to operate in the Chinese market in the future, they will be required to surrender. If they do not capitulate, they will have to just go home. This is the choice, and we must face it. Dodge the issue by sending trade negotiators will likely do nothing to solve the problem. It may be a creative solution. But it turns out that the industry is the real concerns of Chinese banks and other industries around the world who are not drinking the same Kool-Aid.