How the PRC Blocked Out Foreign Tech Products Claiming Security Risks

Published Oct 27, 2021 13:24 PM

Today, PRC manufacturers like Hikvision and Huawei regularly denounce Western efforts at restricting their technology for national security risks as unfounded, political, and anti-China.

However, in the past decade, the PRC government systematically excluded non-PRC tech products due to national security risks, building its own "secure", "autonomous", and "controllable" network.

In this report, IPVM reveals the full extent of this process, which has yet to be covered in English-language sources.

Prelude To Crackdown

The PRC Procurement Law (2003) states the government "shall procure domestic goods" but allows exceptions if they "are not available" domestically or "cannot be acquired on reasonable commercial terms"; it also gives no details on rules of origin.

This allowed contractors to use exceptions/loopholes to supply foreign products for years. The PRC government itself recognizes the 2003 law allows many to "circumvent the legal substance" and "does not clearly formulate relevant rules of origin".

PRC efforts to crack down on foreign products did occur, e.g. in 2012, state media declared foreign video surveillance a "risk to national security".

Back then, initiatives were sporadic and ineffective due to "outcry from the foreign business community", The Financial Times reported in 2010. Firms like Axis continued to win large PRC government deals with PRC police, hospitals, airports, etc. from 2009-2014, as IPVM has reported, even touting installing over 70 cameras in Tiananmen Square.

2014: Crackdown Begins Under Xi

However, in February 2014, the PRC established the Central Leading Group On Cybersecurity And IT with General Secretary Xi Jinping at its head. The group focused on national security, with Xi stating at its first meeting "without cybersecurity, there can be no national security" and "we should have our own technology":

Xi pointed out that without cybersecurity, there can be no national security, and without information technology, there can be no modernization. To build a network power, we should have our own technology, have strong technology, have rich and comprehensive information services, develop a prosperous network culture, have a good information infrastructure to form a strong information economy, have a high-quality network security and information technology personnel, and actively carry out bilateral and multilateral international exchanges and cooperation on the internet. [emphasis added]

"Secure And Controllable" Touted

In August 2014, citing the Leading Group, the Ministry of IT and Industry published Guiding Opinions Concerning Strengthening Cybersecurity Work in the Telecommunications and Internet Sectors, promoting "secure and controllable" software and hardware and "indigenous research and development":

move forward with the application of secure and controllable key software and hardware, and play a positive role in safeguarding national security, stimulating economic development, protecting the interests of the popular masses and build a strong network country

Expand indigenous research and development strength for major business application systems, launch business application and programme source code security inspections. [emphasis added]

No Foreign-Made Products, "Autonomous And Controllable" Only

Today, the Leading Group is the powerful Central Cyberspace Affairs Commission, which oversees the PRC's internet/cybersecurity regulator, the Central Cyberspace Administration (CAC). In 2015, CAC released a video explicitly stating that foreign products have "significant safety risks", "China must promote a domestication strategy", and "Autonomous and controllable is a strategic requirement for national security":

Due to historical reasons, China's information technology equipment heavily uses imported products 由于历史的原因,我国信息技术设备大量采用进口

China's software and hardware autonomy rate - the autonomy rate of network storage equipment is only 16%. 我国相关软硬件自主化率 而网络存储设备的自主化率仅为16%

China is unable to be "autonomous and controllable," and there exist significant safety risks. 不能自主可控,存在重大安全风险

Domestically made products and services typically easily satisfy the requirement of "autonomous and controllable" 国产化产品和服务一般容易满足自主可控的要求

"Autonomous and controllable" is a strategic requirement for national security “自主可控”是国家安全的战略要求

Therefore, China must promote a domestication strategy. 因此,我国必须推进国产化战略

Xi Jinping Touts "Domestic Autonomous And Controllable Alternative"

In 2016, Xi Jinping gave another speech on building China into "a network power", stating that the PRC needed to "firmly grasp" "independent innovation" and promote "domestic autonomous and controllable 自主可控" alternatives in order to build a "secure and controllable technology system":

we should firmly grasp the "bull nose" of independent innovation of core technology, break through the cutting-edge technology of network development and the key core technology with international competitiveness, accelerate the promotion of domestic autonomous and controllable alternative programs, and build a safe and controllable information technology system [emphasis added]

This confirmed that "autonomous and controllable" and "secure and controllable" meant excluding foreign products, as PRC state media had already made clear after Xi's original 2014 speech, e.g. in December 2014, Xinhua published an article stating that "domestic substitution is completely necessary to achieve autonomous and controllable" noting "major security risks" of foreign IT:

generally speaking, "domestic" products and services easily meet the requirements of independent control, so the implementation of domestic substitution is completely necessary to achieve independent and controllable.

it can be said that autonomous control is the premise of network security and information security. self-control means that information security is easy to govern, products and services generally do not have malicious backdoors and can be continuously improved or patched vulnerabilities

due to historical reasons, China's information technology equipment is heavily imported, can not be controlled independently, there are major security risks [emphasis added]

The article was written by Ni Guangnan, a member of the Chinese Academy of Engineering who was recently celebrated by state media for the CPC's 100th anniversary for promoting "autonomous and controllable Chinese core" technology.

Government Procurement Network Touts Eliminating Foreign Tech

Starting in 2014, the China Government Procurement Network - China's equivalent of the US GSA - began promoting the elimination of foreign-made technology for national security reasons, launching a dedicated page titled "Government Procurement is Responsible for Maintaining Network Security" (政府采购责无旁贷维护网络安全), touting Xi's slogan that "without cybersecurity there can be no national security".

The page promoted "purchasing domestic products to help cybersecurity", featuring various procurement officials and contractors explaining why foreign products need to be removed:

Shanghai Procurement Official Qin Zhilong: Overall, the safety and controllability of domestic products are higher than imported products [...] At present, most of the core technologies and core products in the field of network security in our country are controlled by foreign countries [...] the longer this problem is delayed, the more difficult it will be to solve it, and the higher the cost will be, and it must be resolved as soon as possible. [...] For the field of government procurement, it is necessary to purchase "domestic products" in large quantities

Networking contractor Tongsoft (GSC): must follow the principle of independent and controllable construction clearly put forward by the Party and State [...] [many networking products are] foreign products, resulting in the entire terminal security management platform can not achieve true autonomous control

Jilin province: the [finance department] replaced all [foreign products with] domestic basic hardware and software equipment to achieve the domestic replacement of the financial management system. a few days ago, the system officially went live, users said, the experience of the system's domestic environment and foreign environment is no different, the system response time is very ideal. [emphasis added]

"Serious Backdoor Threat": US Targeted Due To Snowden Scandal

US products were targeted due to the Snowden scandal/PRISM foreign surveillance program revelations, with the CGPN dedicated page mentioning Snowden in its first sentence.

In 2014, People's Daily published Most Of The Core Software and Hardware Are Imported. China's Information Security Situation Is Serious And Complex, emphasizing the "serious backdoor threat" of US/foreign products:

the revelations about America's PRISM scandal [...] have made people realize that cybersurveillance, remote control, data theft, and so on are not sensational legends, but real [...] A large number of information infrastructure and key core technical equipment are foreign, and there is a serious backdoor threat. Implanting backdoors in equipment and technology is one of the main means of information surveillance and theft in the United States. For example, some previous models of Cisco routers, Intel Pentium 3 processor chips and other equipment or devices have been confirmed to have backdoors. [emphasis added]

Also in People's Daily in 2014, the general manager of state-owned China Electronics Corporation (CEC) Liu Lihong said US products have "serious hidden dangers" and lamented that the PRC couldn't "get rid of the United States" products:

individual [US] products and technologies seems to be no problem, but a system needs to be used with many other things, such as our operating system with their own chips, their own database together can not be adapted, can not meet the requirements of autonomous and controllable use, resulting in the national key information system information level and security capabilities cannot get rid of the United States, cannot form an autonomous and controllable core capabilities, to the national information security brings serious hidden dangers [emphasis added]

Lihong touted the role of state-owned enterprises in solving this "problem". The PRISM scandal was also cited by the Jilin Province finance department as a reason for its switch to "autonomous and controllable" products, and cited by the Shanghai provincial procurement official who brought up "[US] backdoors activated by special means".

Non-PRC Sources Push Back To Snowden Justification

However, this justification has met pushback, albeit from non-PRC sources. Australian think tank ASPI said "China is arguably using political fallout to boost its national companies in direct competition with foreigners." A Western expert quoted in PRC state media (China Daily) said "Chinese officials are now trying to glom on to allegations of Western surveillance as a convenient excuse for a new set of policies that favor domestic producers at the expense of foreign ones in government procurement".

As mentioned above, the PRC government had already declared foreign video surveillance a national security risk in 2012, i.e. the year before the Snowden scandal, while periodically, if unsuccessfully, trying to crack down on foreign tech before 2010.

2015: Codified Into National Security Law

In 2015, the "secure and controllable 安全可控" and "autonomous and controllable 自主可控" concepts were cemented into the National Security Law:

article 24: the state shall [...] accelerate the development of autonomous and controllable strategic high-tech and core key technologies in important fields

第二十四条 国家加强自主创新能力建设,加快发展自主可控的战略高新技术和重要领域核心关键技术,加强知识产权的运用、保护和科技保密能力建设,保障重大技术和工程的安全。

article 25: the state shall [...] realize the secure and controllable network and information core technologies, critical infrastructure and information systems and data in important areas

第二十五条 国家建设网络与信息安全保障体系,提升网络与信息安全保护能力,加强网络和信息技术的创新研究和开发应用,实现网络和信息核心技术、关键基础设施和重要领域信息系统及数据的安全可控;加强网络管理,防范、制止和依法惩治网络攻击、网络入侵、网络窃密、散布违法有害信息等网络违法犯罪行为,维护国家网络空间主权、安全和发展利益。

This was a Presidential Order signed into law by Xi Jinping directly.

At the time, Reuters reported that the law raised fears among "foreign business groups and diplomats" because "the law is vague" and they "fear it could require that technology firms make products in China or use source code released to inspectors".

In contrast, the PRC government said the law was "crucial" due to "ever-growing security challenges" and necessary to "defend its sovereignty, security and development interests" and "maintain political security and social stability".

"Foreign Companies Are Absent", "Prohibited Or Disadvantaged"

CPS, a PRC security trade publication, reported that by 2017 foreign companies were "absent" from CPSE, the PRC's largest security conference, citing an "express provision" that "the [government] project does not accept bids for imported products" meaning the position of "domestic brands in the field of security market share has been rapidly improved":

since the beginning of 2015, the Chinese government has removed some of the world's leading technology brands from its government procurement list, while adding thousands of local products, foreign media reported. industry insiders said the move was mainly due to security concerns. in many public security project bidding documents, there is also an express provision: the project does not accept bids for imported products. it is reported that in the past three years, domestic brands in the field of security market share has been rapidly improved. from 2015 to now, the government has openly tendered smart cities, safe cities, intelligent transportation, smart buildings and other projects, the majority of the shortlisted brands for local products. only in ping an Wuhan and other projects to see Sony and other small number of foreign brands exposed.

The ban has continued without any loosening of restrictions. In 2019, one of China's largest AI providers Megvii disclosed that "Foreign-owned entities are prohibited or disadvantaged in the relevant City IoT project bidding process":

Foreign-owned entities are prohibited or disadvantaged in the relevant City IoT project bidding process in practice. In practice, when selecting service providers, many end users, as well as many direct customers (which are our system integrators) engaged by such end users to assist them in the supplier selection process, would set implicit requirements that the service provider must not have any foreign shareholder, or at least consider foreign ownership as a disadvantage in their decision making process. Some government agencies even explicitly set forth such requirements in their project bidding invitation documents [emphasis added]

In 2019, IPVM also reported on licensing barriers effectively excluding foreign vSaaS and AI providers from the PRC.

Bidding Contracts Examples

Since these changes under Xi, numerous PRC procurement contracts include explicit language banning imported products.

Public Security Video Surveillance Network in Bishan District, Chongqing City 重庆市璧山区公共安全视频监控建设联网 (2020):

The equipment selected for the construction of the public security video surveillance network application system must be selected from domestic mainstream products that meet the standards, safe, stable, advanced and reliable.

Suzhou Municipal Public Security Bureau's Scientific and Technological Equipment Project of Wangting 230 Provincial Highway Police Investigation and Reporting Station 苏州市公安局关于望亭230省道一级警务查报站科技装备项目 (2020) says "this project does not accept imported products".

"Smart Security Community" of Keqiao District, Public Security Bureau of Shaoxing City (Pingshui, Lanting, Wangtan, Jidong) Construction Projects 绍兴市公安局柯桥区分局“智慧安防小区”(平水、兰亭、王坛、稽东)建设项目 (2020) says "this project does not accept imported product bids".

Goods Procurement Project of Smart Police Service Station of Hai'an Public Security Bureau 海安市公安局智慧警务服务站货物采购项目 (2020) says "this project does not accept the participation of imported products".

Taizhou Smart City Governance Project (Zhi'an Community and Core Domain) 市域治理智能化项目(智安小区与核心域部分) 台州 (2020). This project is an example where the tender asks for specific products to be domestic brands, instead of a blanket statement at the beginning of the tender banning imported products like the four above. The tender specifies that the data server has to be a domestic brand.

Foreign Firms Forced To Set Up Joint Ventures

PRC state media Science & Technology Daily reported in 2015 that the measures above "severely damaged the business of foreign enterprise-level IT vendors in China", forcing some foreign IT giants to "localize" through joint ventures where all the equipment is produced in the PRC and owned at least 51% by a PRC partner, e.g. LenovoEMC, H3C (HP and PRC's Unisplendour), C&M IT (CETC and Microsoft).

Even this system had PRC critics, e.g. Science & Technology Daily stated that joint ventures "cannot solve the security problem" and the government academic Ni Guangnan stated "domestic production does not mean autonomous and controllable" if the entity is jointly controlled by foreigners.

PRC Impact Severe On Foreign Tech Companies

The PRC has succeeded in advocating "Secure And Controllable", systematically blocking out foreign tech firms. For example, Axis went from touting Tiananmen Square installs in 2010 to telling IPVM this month that it is "practically never invited to bid in government funded projects" and now focuses on "international" (i.e. non-PRC) companies in China. Some critical components the PRC has yet to replace are still used, e.g. NVIDIA chips powering PRC police Uyghur analytics, but the official policy and trends are clear, as seen from the numerous projects explicitly stating they do "not accept the participation of imported products".

PRC Current Fight Against US Comparable Efforts

Ironically, after years of comprehensively blocking foreign tech products from its own networks over national security risks, PRC companies are now claiming that similar efforts abroad are discriminatory/political, e.g. the PRC government stating Australia's Huawei ban is "politically motivated" or Hikvision telling the FCC its upcoming ban amounts to "unequal treatment because [Hikvision] is Chinese" (or Hikvision blaming US sanctions on "American politicians").

The juxtaposition is clear - however, the PRC and its companies make this argument in part because few people are aware of how thoroughly and extensively the PRC enacted anti-foreign bans inside China in the past decade, as documented above.
