China may try to force US tech firms to give up code

While U.S. officials investigate whether Chinese hackers breached data for millions of federal employees, Beijing is working on a series of rules to protect itself from foreign cyber incursions—or maybe to get its hands on American tech secrets, or maybe both.

Beijing wants foreign technology firms to give up their source code in exchange for Chinese business, and new rules are set to make that happen, focusing first on the banking sector, and then moving to other important markets.

The first set of rules, from earlier this year, mandated that domestic banks move to "safe and controllable" technology—meaning any tech firm interested in doing business with most Chinese financial institutions would need to hand over its relevant source code and encryption keys.

Read More Up to 4 million exposed in deep federal data breach

"They want (source code) because they want to steal it," Steve Dickinson—a lawyer with Harris & Moure who specializes in foreign companies doing business in China—told CNBC. "American companies are freaked out about it—they're very, very freaked out about it."

After an outcry from the tech community (and reportedly from foreign officials) the banking rules have been shelved for now. But experts told CNBC they expect the regulation will be revived, and in the meantime a second set of rules that Beijing says will help it fight "terrorism"—and which would involve more business sectors than just banking—are on the way.

A Chinese policeman stands guard in front of a portrait of Mao Zedong at Tiananmen Square in Beijing, China.
Getty Images
A Chinese policeman stands guard in front of a portrait of Mao Zedong at Tiananmen Square in Beijing, China.

The Chinese say the banking guidelines and the proposed "counterterrorism" law with similar tech regulations for other industries, are important for national security—especially in light of the revelations about U.S. cyberspying that were made public by Edward Snowden. But others say Beijing has more nefarious intentions.

"[It] is sort of an overarching goal for the Chinese government when it comes to these policies to acquire as much foreign technology expertise and capability as they can get—any way they can get it," said Rob Atkinson, founder and president of the Information Technology and Innovation Foundation think tank.

At the very least, the IT security push is part of a Chinese attempt to promote the use of domestic technologies.

Read MoreChinese hack US weather systems, satellite network: Rpt

"This indirectly encourages the development of national enterprises, constrains the dominant position of foreign enterprises, and pushes forward the protection of information technology and information security of China," Armstrong Chen, a China-based partner at international law firm King & Wood Mallesons, wrote in a recent note.

Contacted by CNBC, the Chinese embassy in Washington deferred comment to a representative from its bilateral relations department. He in turn was unable to immediately provide information on the updated status of the Chinese guidelines, or to respond to allegations about their purpose.

The Chinese "counterterrorism" law—far broader than the banking guideline that was halted earlier this year—was submitted as a draft in November, and has yet to be instituted. Still, it has already led to several high-level disagreements, including a statement from President Barack Obama.

"This is something that I've raised directly with President Xi [Jinping]," Obama said in a March interview with Reuters. "We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States."

That draft law also asks foreign and domestic tech companies to hand over encryption keys and install "backdoors" for China's central government, under the stated rationale that such protections will help combat "terrorist" activities.

U.S. and European technology firms may ultimately assent to the demands for encryption keys and backdoors—in exchange for access to China's large marketplace—but they are unlikely to budge on giving up their source code for "inspection," Atkinson said.

Read MoreMicrosoft Outlook 'hacked' by Chinese authorities

"I'm very, very hard pressed to see how a company like Oracle is going to turn over its code to China," he said, adding that companies would be forced to leave much of their Chinese business if they don't comply.

In recent years, China has instituted a push to "de-I.O.E." (IBM, Oracle and EMC) its domestic enterprises, according to Atkinson.

The counterterror law vote was not on the schedule for the Chinese National People's Congress annual meeting in March. The U.S. heralded its absence as a minor victory, but Beijing insists the law is still on the table.

China may have a point

China has wanted to exert control over the technology within its borders for decades, but has only recently found the public rationale for its goals, experts told CNBC.

With the continued stream of revelations about U.S. surveillance that began with Snowden, China now has the justification for pushing out American tech firms—or at least forcing their compliance with its own surveillance regime.

"Their position is, look, we're going to do the same thing the U.S. does," Dickinson said. But, he added, the Chinese plans are mostly either unfeasible or illogical.

Read MoreIs Big Brother really watching you?

China can now point to a series of high-level hacks around the world as evidence that most software is subject to breaches. So in turn, the country's government can ask for the code in order to check it themselves—but they are unlikely to discover any new holes, Dickinson said, and they can't be sure the code ultimately installed on clients' systems matches the provided source code in the first place.

"It's a stupid law—all these laws are stupid," Dickinson said of the halted banking regulations. "The people writing the laws don't know anything about software, and they don't know how software works."

U.S. and European firms may wrongly claim that their products are secure, but a Chinese move to kick them out in favor of domestic companies would be disastrous, Dickinson said. Chinese firms, especially financial ones, would struggle to operate internationally if they were using different systems than everyone else.

While Beijing could ultimately foster the development of local technologies that are sufficiently complex to meet the needs of its domestic enterprises, the Chinese government knows it can force concessions out of Western companies, whose fortunes are tied to quarterly earnings reports, Atkinson said.

China has struggled to create advanced enterprise-level software, despite such development being a national goal for years.

"It's a battle that is being fought on both sides by people who don't know what the heck they're talking about—so who knows where it goes?" Dickinson said.

—Reuters contributed to this report.