(Chinese original follows / 中文在后)
* * *
By Ni Guangnan
Southern Metropolis Daily, June 8, 2017, Page: AA15
A few days ago, Microsoft Greater China CEO Alain Crozier said the China Government Edition of Windows 10, produced according to the “secure and controllable” principle, had already undergone user testing at three major enterprises, proving that it is reliably secure and thus ready for wide deployment. Reports followed saying “Windows 10 Government Edition Has Completed Domestic Security Testing.” People should ask: Why are they making a big deal out of Windows 10 passing “user testing” and “security testing”?
As everyone knows, China’s Cybersecurity Law has officially gone into effect. It requires: “Critical information infrastructure operators purchasing network products and services that might impact national security shall undergo a national security review organized by the state cybersecurity and informatization departments together with relevant departments of the State Council.” Set against this provision, it is not difficult to see that claiming Windows 10 passed “user testing” or “security testing” is probably designed to create the false impression that Windows 10 Government Edition has already passed “national security review,” in order to open the door to government procurement.
According to the Security Review Measures for Network Products and Services issued by the Cyberspace Administration of China, cybersecurity review has strict procedures, for instance requiring third-party evaluation by a nationally recognized cybersecurity review organization.
In 2015, before the establishment of the joint venture between China Electronics Technology Group Corporation (CETC) and Microsoft, Microsoft issued Windows 10 Government Edition. At that point the Security Review Measures for Network Products and Services were still being drafted, and in that connection Windows 10 Government Edition underwent a round of cybersecurity review, which it did not pass. Since then, Windows 10 Government Edition has never again undergone this kind of review. Whatever “user testing” or “security testing” it later went through, therefore, it still has not passed cybersecurity review.
Experts have specifically pointed out that, on both subjective and objective grounds, Windows 10 has not passed cybersecurity review, because:
(1) Although China does not lack operating system experts, because Windows is closed-source, proprietary software, no expert outside Microsoft can be fully familiar with it. It is not realistic, then, to rely on a few experts not fully familiar with Windows to accurately assess the security and controllability of Windows 10 Government Edition with only a short period in which to examine on the order of 100 million lines of source code.
(2) Undertaking security review of software at minimum requires access to the software’s complete source code in rebuildable form (可重构的), that is, source from which the shipped binaries can actually be reconstructed, but Microsoft has never provided China with Windows’ complete source code, let alone source that can be rebuilt. If a piece of software ships with millions of lines of source code that are not disclosed, it is like a black box, and there is fundamentally no way to accurately assess its security and controllability.
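The requirement in point (2), that the source be complete and rebuildable, is what makes a review possible at all: the reviewer rebuilds each shipped component from the source handed over and compares the result bit for bit with what was shipped. The script below is an added illustration of that check; it is not code from the article or from any review body. It uses Python bytecode compiled deterministically with py_compile as a stand-in for a shipped binary (a real review would rebuild native binaries with the vendor's toolchain), and the component names, source texts, and the scenario of a vendor withholding one component's source are constructed for the example.

```python
"""Reproducible-build check: does each shipped artifact derive from the source handed over?

Added illustration, not from the article. Python .pyc files stand in for shipped binaries
because py_compile can emit them deterministically; all components and sources are made up.
"""
import hashlib
import os
import py_compile
import tempfile


def build_from_source(source: str, display_name: str) -> bytes:
    """Deterministically 'build' a component from its source text.

    UNCHECKED_HASH stores a hash of the source in the .pyc header instead of an mtime, and
    dfile pins co_filename, so the same source yields the same bytes on the same interpreter
    version. That property is what a reviewer needs: rebuild, then compare with what shipped.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src_path = os.path.join(tmp, "src.py")
        out_path = os.path.join(tmp, "out.pyc")
        with open(src_path, "w", encoding="utf-8") as f:
            f.write(source)
        py_compile.compile(
            src_path,
            cfile=out_path,
            dfile=display_name,
            doraise=True,
            invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
        )
        with open(out_path, "rb") as f:
            return f.read()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(shipped: dict, sources: dict) -> dict:
    """Classify every shipped component.

    reproduced : the rebuilt bytes hash-match the shipped bytes; the source is what was shipped
    mismatch   : source was provided but does not rebuild to the shipped bytes, so something
                 else went into the build (other source, undisclosed patches, another toolchain)
    no_source  : nothing to rebuild from; the component is a black box to the reviewer
    """
    report = {}
    for name, shipped_bytes in shipped.items():
        src = sources.get(name)
        if src is None:
            report[name] = "no_source"
            continue
        rebuilt = build_from_source(src, name + ".py")
        report[name] = "reproduced" if sha256(rebuilt) == sha256(shipped_bytes) else "mismatch"
    return report


def coverage(report: dict) -> float:
    """Fraction of shipped components the reviewer could actually verify."""
    return sum(1 for s in report.values() if s == "reproduced") / len(report)


# Constructed sample "vendor delivery": three components, full source for only one of them,
# and for another a source file that differs from what was actually built and shipped.
_SRC_UI = "def draw():\n    return 'ok'\n"
_SRC_NET = "def send(payload):\n    return len(payload)\n"
_SRC_NET_SHIPPED = "def send(payload):\n    _report(payload)\n    return len(payload)\n"

SHIPPED = {
    "ui": build_from_source(_SRC_UI, "ui.py"),
    "net": build_from_source(_SRC_NET_SHIPPED, "net.py"),   # built from other source
    "kernel": build_from_source("x = 1\n", "kernel.py"),    # vendor kept this source
}
SOURCES_HANDED_OVER = {"ui": _SRC_UI, "net": _SRC_NET}

if __name__ == "__main__":
    result = audit(SHIPPED, SOURCES_HANDED_OVER)
    for name, status in sorted(result.items()):
        print(f"{name:8s} {status}")
    print(f"verifiable: {coverage(result):.0%}")
```

A component with no source stays a black box no matter how many experts look at the binary; a component whose rebuilt bytes differ from the shipped ones tells the reviewer that the source supplied is not the source that was built, which is exactly the gap the article's "rebuildable" requirement is meant to close. On a real product the same comparison is run against the vendor's build recipe and toolchain, and a deterministic build is a precondition for the check to mean anything.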
Today, the situation the experts describe above has not substantively changed. Even if Windows 10 Government Edition again undergoes cybersecurity review, the degree of difficulty will not decrease. Furthermore, because the architecture of Windows 10 incorporates trusted computing, reviewing it requires verifying that it complies with the Electronic Signature Law (电子签名法) and the Regulations on the Administration of Commercial Encryption (商用密码管理条例). Additionally, it requires surveying how domestic and international information security firms integrate trusted computing and antivirus software with Windows 10, and dealing with the issue of unfair competition. Clearly Windows 10 Government Edition must again undergo cybersecurity review, in what will be a protracted process.
In 2005 and 2014, because Windows Vista and Windows 8 were not controllable, the government ordered a halt to purchases. In 2015, Microsoft quickly updated editions and released Windows 10. Several authoritative Chinese security evaluation organizations concluded that “the Windows 8.1 and Windows 10 kernels are basically the same, there were no more substantial changes, and to a great extent the upgrade was for the sake of commercial publicity.” (This evaluation only determined whether the two editions were the same and did not touch upon assessment of security and controllability, and so it was relatively easy to complete.)
In conclusion, given that Windows 10, Windows 8, and Windows 10 Government Edition have not passed cybersecurity review, the relevant issues will hopefully be given attention, and government procurement and use of Windows 10 (including Windows 10 Government Edition) should be prohibited according to law.
Ni Guangnan, a member of the first class of academicians of the Chinese Academy of Engineering, is devoted to indigenous and controllable core information technologies and industries, and has received lifetime achievement awards from the Chinese Information Processing Society of China and the China Computer Federation.
Translated by Graham Webster.
Source: Southern Metropolis Daily, June 8, 2017, Page AA15. Author: Ni Guangnan
1. Although China does not lack operating system experts, because Windows is proprietary software whose source code is not open, no one outside Microsoft can be thoroughly familiar with Windows. To expect people who are not thoroughly familiar with Windows to produce, in a short time, an accurate assessment of the security and controllability of a “Win10 Government Edition” running to some 100 million lines of source code is clearly unrealistic.
2. Security review of a piece of software requires, at a minimum, obtaining its complete source code in rebuildable form; but Microsoft has never provided the Chinese side with the complete source code of Windows, let alone rebuildable source. If a piece of software has millions of lines of source code that are not open, it is like a black box, and there is fundamentally no way to assess its security and controllability accurately.