Analysts at China Securities, a broker, estimate that 20 million to 30 million pieces of hardware will need to be swapped out as a result of the Chinese directive, with large scale replacement beginning next year. They added the substitutions would take place at a pace of 30 per cent in 2020, 50 per cent in 2021, and 20 per cent the year after, earning the policy the nickname “3-5-2”.
The analysts noted that the order had come from the Chinese Communist party’s Central Office earlier this year.
Earlier this year, Washington banned US companies from doing business with Chinese telecoms equipment maker Huawei, and is looking at ways to help funnel money to its European rivals. Bloomberg
Although Central Office policy documents are confidential, employees from two cyber security firms have told the Financial Times that their government clients have also described the policy. The employees asked to remain anonymous as the information was politically sensitive.
The 3-5-2 policy is part of a drive for China’s government agencies and critical infrastructure operators to use “secure and controllable” technology, as enshrined in the country’s Cyber Security Law passed in 2017.
But unlike previous pushes for self-sufficiency in technology, recent US sanctions have added urgency to the project, said Paul Triolo of consultancy Eurasia Group.
“China’s 3-5-2 programme is just the tip of the new spear,” said Mr Triolo. “The goal is clear: getting to a space largely free of the type of threats that ZTE, Huawei, Megvii, and Sugon now face,” he added, naming some of the Chinese companies that over the past two years have been blocked from buying from US suppliers.
Analysts at Jefferies estimate that US technology companies generate as much as $US150 billion ($219.5 billion) a year in revenues from China, although much of that will come from private sector buyers.
The pace of replacement is ambitious. Government offices already tend to use Lenovo’s desktop computers, following the company’s acquisition of US giant IBM’s personal computer division.
But analysts say that it will be difficult to replace software with domestic alternatives, since most software vendors develop products for popular US-made operating systems such as Microsoft’s Windows and Apple’s macOS.
Although Microsoft did produce a “Chinese Government Edition” of Windows 10 in 2017 with its Chinese joint venture, Chinese cyber security firms now say government clients must move to entirely Chinese-made operating systems.
China’s homemade operating systems, such as Kylin OS, have a much smaller ecosystem of developers producing compatible software.
Defining “domestically made” is also challenging. Even though Lenovo is a Chinese-owned company that assembles many products in China, its computer processor chips are made by Intel and its hard drives by Samsung.
The impact of the 3-5-2 policy could be significant since the government can control procurement for the agencies covered under the policy, another cyber security analyst said.
When it comes to private companies, “let’s see what the government orders are — they will not proactively want to substitute, since the investment is high”, the analyst added.