China and the Eight Guardian Warriors of American tech
What does China mean by “secure and controllable” and who stands to lose?
Is the Chinese government seeking to shut foreign information technology companies out of the Chinese market? To one degree or another, that’s what many foreign companies, governments, and trade associations believe is the case.
Recent developments, in line with years of efforts by the Chinese government, suggest that whether or not the intention is to shut out foreign companies, government goals to make China a global center for high-tech innovation and to address professed cybersecurity concerns will significantly disadvantage global companies.
Chinese efforts to build a strong digital economy have come in many forms, including new initiatives already announced in 2017 — and with them, new causes for international concern. In January, for example, the Chinese government announced a 100 billion yuan fund to invest in internet companies and the “Internet Plus” plan to spread internet technologies throughout Chinese industry. New draft rules released for comment in February would charge officials with examining a wide variety of IT products for vaguely defined national security concerns.
The pending national security review process is only the most recent effort to implement a strain of policy that has flowed through Chinese regulation and legal developments in recent years, and foreign interests have expressed heightening concern. This month, the European Union Chamber of Commerce in China released a report on an earlier, expansive plan known as “Made in China 2025,” noting that it highlights “indigenous innovation” and “self-sufficiency” and arguing that “Chinese policies will further skew the competitive landscape in favor of domestic companies.” A Chinese minister dismissed the European criticism, but concerns remain.
As China’s strategy has taken shape, the United States’ unique position as the world’s sole superpower and home to many of the internet’s most indispensable companies has meant Chinese efforts have direct implications for U.S. interests, for the global trade regime, and for the future of the internet.
Two “cyber” agendas
In June 2013, President Xi Jinping traveled to the Sunnylands resort in California for a “shirtsleeves summit” during which officials sought to develop a frank and direct relationship between Xi and President Barack Obama. The visit came in an atmosphere of cautious optimism for U.S.–China relations — a contrast, perhaps, with the reported “lowering-the-temperature summit” set for next month at President Donald Trump’s Florida resort. At Sunnylands, Obama raised the allegedly government-connected Chinese theft of U.S. intellectual property via the internet as a major concern. U.S.–China cybersecurity issues had thus reached top-level dialogue and made big headlines in the States — all around accusations that the Chinese government knowingly allowed, and perhaps directly conducted, the “cyber-enabled theft” of U.S. commercial secrets that benefited Chinese competitors.
Obama’s message, however, was sapped of its strength before he could deliver it. Earlier that same week, the first rounds of leaks from the intelligence contractor Edward Snowden hit the news, and the world’s attention turned to U.S. government surveillance, not Chinese government commercial hacking.
In the Chinese media, the stage had already been set for a different focus on U.S.–China cybersecurity issues: the perceived risks of dependence on network infrastructure made by foreign companies. The U.S. House Intelligence Committee had expressed concerns in a 2012 report that network hardware from the Chinese companies Huawei and ZTE could be vulnerable to Chinese spying. If that were so, it was natural to ask, were Chinese networks running on top of Cisco machines, Qualcomm chips, and Microsoft operating systems perhaps vulnerable to U.S. spying?
International IT companies, like those in other industries, had long faced challenges in China’s politically entangled market, but now U.S. companies were targeted for the same suspicions as those leveled at Huawei and ZTE.
Even before the Snowden leaks added fuel to the fire, eight U.S. companies had been branded in Chinese commentary the “Eight Guardian Warriors” (八大金刚) and compared with the Eight-Nation Alliance (八国联军) remembered for invading Beijing and looting, for the second time, Beijing’s Old Summer Palace. The eight U.S. companies — Cisco, IBM, Google, Qualcomm, Intel, Apple, Oracle, and Microsoft — were deeply entrenched in the hardware and software that made up the internet in China and elsewhere, from network infrastructure to smartphones. U.S. analysts anticipated significant challenges for foreign IT businesses and noted talk of a “de-Cisco-ization campaign” (去思科化运动) in China.
Thus, while the Obama administration went to work trying to convince China’s government to rein in commercial hacking, the Chinese discussion centered on something much bigger: building a digital industrial base to free China of dependence on the existing, mostly U.S.-branded network infrastructure.
“Cybersecurity” had risen to the public agenda in both countries. But the U.S. story was about unfair competition, while the Chinese framed it in terms of deep infiltration by potentially hostile foreign forces — a concern Xi argued was still relevant in a 2016 speech: “The situation that our country is under others’ control in core technologies of key fields,” he said, “has not changed fundamentally.”
Secure and controllable
It is in this context that the Chinese term “secure and controllable” (安全可控), which had been in use for at least five years by 2013, entered the international discussion. The need for networks and their constituent hardware and software to be secure and controllable became a widespread policy priority. Emphasizing security, of course, is a no-brainer. It was the way “control” was imagined that raised international alarm about access to the Chinese market.
By September 2014, “secure and controllable” took concrete form in regulations for banking industry IT infrastructure. Among other things, the banking rules required certain types of software and hardware to be “under indigenous IPR” (intellectual property rights), to have a “controllable” supply chain, and to use Chinese government–certified encryption protocols. Suppliers would be required to operate research and service centers in China.
Most alarming for firms for whom software secrets are the corporate crown jewels, the rules required suppliers to deposit source code with China’s banking regulator — a risky proposition, no matter what assurances might be offered. While these far-reaching rules ostensibly targeted only one industry, analysts speculated that they had been designed as a pilot that might be more widely implemented down the road.
The banking rules spurred the U.S. government into action. In March 2015, U.S. representatives circulated a document at the World Trade Organization questioning the rules and implying that the U.S. government might officially allege that the rules could violate China’s trade commitments. The following month, with the threat of trade litigation on the table, U.S. commerce secretary Penny Pritzker met with Chinese premier Li Keqiang, and the Chinese government soon announced that the controversial rules would be suspended.
Suspending the problematic banking rules, however, did not settle the issue for foreign companies and the market at large. The Chinese government had still declared its intention to develop indigenous technology industries, to seek greater security of its networks, and to remain wary of of foreign IT infrastructure as a security matter. “Secure and controllable” remained part of the discussion and appeared, for instance, in October 2015 draft rules put out by China’s insurance regulator. Again, the U.S. government questioned China’s proposed rules at the WTO.
Structuring and centralizing internet regulation
While relatively concrete regulatory documents raised the most specific concerns among foreign business, Chinese efforts to centralize internet policymaking and outline broad principles under new laws reveal a consistent concern about cybersecurity. Specifically, the laws and regulations that have either been released or already gone into effect show that the Chinese government hopes to exclude outside powers from control of its networks and ensure its own power to regulate and monitor online activities domestically. In short, the Chinese government seeks to exercise sovereignty over the internet within its borders.
In early 2014, Xi’s newly coalescing government formed the Central Leading Group for Cybersecurity and Informatization, chaired by Xi with the Cyberspace Administration of China (CAC) as its secretariat. The CAC became a key coordinating body and is co-administrator of the new 100 billion yuan internet investment fund.
Soon, a series of measures appeared in draft legislation. China’s legislative process, which often produces vague statements of policy that are then made concrete through implementing regulations, has produced several major laws with implications for the crossroads of network security and foreign business.
Reviewing the reviews
When the CAC posted the draft rules (English translation here) setting up a cybersecurity review process on February 4, “security and controllability” were the basic criteria to be reviewed, with emphasis, for instance, on “the risks of illegal control, interference, and interruption of the operations of products and services,” risks to personal data, and a catchall: “other risks that may endanger national security and the public interest.”
Which products and services would be subject to review is left vague, but a Cybersecurity Review Committee would be set up to organize the reviews. According to the draft rules, authorities responsible for “critical information infrastructure” may decide that a product needs review, but the result of the review could have wider implications. According to China Daily, “Any service or product that fails the review will be blacklisted, making them off limits to all Communist Party of China (CPC) organs, government departments, and key industries.”
The draft rules were published with a request for comment, so they may change. And as drafted, the specific extent and criteria of the national security reviews are unclear. Read in the context of the continued progression of Chinese policy, however, it is hard to conclude that the reviews will not be burdensome or even prohibitive for some foreign products.
The “Eight Guardian Warriors” can expect trouble. If passing the review requires enabling the Chinese government to break users’ encryption in certain cases, Apple may find it cannot pass.
If reviewers demand the opportunity to examine source code, the mode of investigation will be crucial. Microsoft, for one, already provides “Transparency Centers,” where security-sensitive clients can examine Microsoft source code in a controlled environment, and a new center was announced last year for Beijing. Some other tech firms have been unhappy with the precedent set by these centers, but if such facilities satisfy Chinese reviewers, it might enable compliance without putting the crown jewels at risk.
Some companies may be at less risk because they have set up joint ventures with Chinese companies. IBM, for instance, has a long-standing link with Great Wall Technology that could potentially shield it from some kinds of scrutiny. But joint ventures are well-recognized mixed blessings, since they often involve intellectual property transfer in tacit exchange for market access and regulatory cover.
At the network infrastructure level, companies like Cisco may be most at risk, since Chinese competitors like Huawei and ZTE increasingly provide competitive products, and a national security review might decide — outwardly or not — that domestic companies produce more “controllable” products.
As usual with Chinese regulation — even for more detailed rules like those on national security review — the real effect will not be known until the reviews are set up, and there will be plenty of opportunity for bargaining and maneuvering.
What is clear, though, is that Chinese efforts to secure and exercise sovereignty over the internet at home are well aligned with a goal to develop leading high-tech industries at home. Such a goal has implications for the type of international competition that the world is likely to see well beyond the IT industry. It raises the question of what national interests governments can legitimately pursue. Are Chinese concerns about surveillance in the post-Snowden era grounds enough to significantly limit U.S. firms’ operation in the Chinese market, and are U.S. concerns about Chinese hacking legitimate grounds to undermine Huawei and ZTE internationally? Is the desire to strengthen a domestic industry justification for subsidies and trade barriers? How China, the United States, and others answer questions like these will decide whether economic globalization’s high tide will pass, and, if so, whether it will recede peacefully or with powerful interests fighting the current.