This is the first in what will be a multi-part series on China cybersecurity. This series stems from the recent webinar at which Steve Dickinson discussed cybersecurity in China. To watch that webinar, go here.
I. Cybersecurity with Chinese Characteristics: The Party is the leader of everything.
Under the guidance of the Chinese Communist Party (CCP), the Chinese government is working to create a cybersecurity system with Chinese characteristics. This system is designed to make all networked information that crosses the Chinese border a) transparent to the Chinese government and b) closed to unauthorized access by foreign and domestic hackers and governments not affiliated with the CCP.
The primary goal is to use this system for surveillance and control. Surveillance means acquisition of information. As a result, the transparency of the system means all information that crosses the Chinese border should be available to the CCP and its agents. There are no secrets from the Party. As a result, from the standpoint of an individual or a business entity, whether domestic or foreign, this system is a cyber-insecurity system. As the system is implemented with progressively greater refinement and scope, there will be no place to hide from the eyes of the party.
All foreign entities operating within China are subject to this cyber-insecurity system. Since network systems and communication are central to the work of every modern company, understanding how the Chinese system operates is essential. The impact is not limited to foreign entities that establish foreign invested enterprises in China. It also applies to anyone who transmits information, personal or technical, into China via any network. It also applies to any person who transmits information into any country in which the Chinese digital authoritarianism system has been implemented through the Digital Silk Road project. It also applies to anyone who transmits information into any country or region (Hong Kong/Taiwan) that has become the target of Chinese based data gathering operations.
To understand the basis of this system, certain features of the current Chinese system of government must be understood. First, we must understand the role of the CCP. There are two key features:
One, the CCP has been recognized as the “leader on everything”. Under Deng, Jiang and Hu, the goal was to remove the Party from the dominant leadership role so as to release the economic and creative power of the people and non-party institutions. This plan worked so well that many in China began to question the role of the Party.
The primary goal of the Xi Jinping administration has been to reverse this trend. Through the efforts of Chairman Xi, the CCP is now the leader on everything. There is no limit on its role in directing all aspects of China. Accordingly, in 2018 the CCP constitution was revised to state:
The leadership of the CCP is the primary characteristic of socialism with Chinese characteristics. The Party, government, military, civil and education, north, south, east, west and the center, the Party is the leader on everything.
Though the CCP is the leader on everything, the primary goal of the Party is to lead in economic development. As stated in the Preamble to the CCP Constitution:
In leading the cause of socialism, the Communist Party of China must continue its commitment to economic development as the central task, and all other work must take an ancillary role and serve this center. The Party shall implement the strategy for invigorating China through science and education, the strategy on developing a quality work force, the innovation-driven development strategy, the rural vitalization strategy, the coordinated regional development strategy, the sustainable development strategy, and the military-civilian integration strategy. It shall give full play to the role of science and technology as primary productive forces and the role of innovation as the primary force driving development, draw on advances in science and technology, improve the quality of the country’s workforce, and ensure higher-quality and more efficient, equitable, and sustainable development of the economy.
In keeping with this broad role, the CCP has also greatly expanded the concept of national security. Under Xi Jinping’s Comprehensive National Security Concept (总体国家安全观), the traditional military, protection of borders approach to national security is transformed. Under the new security concept, two features are critical. First, the primary goal is to preserve the absolute power of the CCP as ruler of China. Second, the focus is on these threats to CCP power:
— Failure of the PRC to develop quickly into a high technology country.
— Failure of the Party to control ideology and information.
The cybersecurity concerns of private persons and business entities do not enter into the analysis. It is the Party that must be protected, not the public. In particular, it is not possible for any member of the public to be in conflict with the Party. Any such conflict is anti-Party and therefore anti-China. This issue is not addressed in any way. All of this is explained in detail in the standard collection of Xi Jinping’s speeches and writings on the comprehensive national security concept: 习近平关于总体国家安全观论述摘编，2018. A good summary in English can be found at Matthew D. Johnson, Safeguarding Socialism: The origins, evolution and expansion of China’s total security paradigm,
In order to be the leader on everything, the Party has to know everything. In the cyber realm, the CCP and its agencies have responded to this need to know in two ways:
Domestically, the CCP has embraced digital technology to create a surveillance state within China. Through facial recognition, control of the Internet, mobile phone, WeChat and related sources of information monitored and controlled through AI and big data, the PRC has created a surveillance and control system that has been termed digital authoritarianism. See U.S. Senate Committee on Foreign Relations, The New Big Brother: China and Digital Authoritarianism.
Internationally, the Party and its agents, the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), have become the primary cyber-hackers of technology and trade secrets. The role of the MSS in cyber-hacking is well documented. Recent criminal indictments and U.S. and foreign government responses can be found here for the United States and here for the United Kingdom.
What then is the CCP?
1. The CCP is the CEO of Chinese state owned and private businesses that direct compete with foreign entities.
2. The CCP is the director of the research centers charged with developing technology per the Made in China 2025 program and other high-speed high-tech development projects.
3. The CCP is commander in chief of the Chinese military, a military from which foreign persons are banned from dealing. Under the doctrine of civil/military fusion, the military has access to all information and technology obtained by the CCP.
4. The CCP is the manager of the worldwide cyber hacking system conducted by the MSS and the People’s Liberation Army (PLA), along with the domestic cyber hacking system conducted by the MPS.
The Party is entirely in control of this system. The Party is the leader of everything: north, south, east, west and center. Any attempt to defeat this system is doomed to failure. All networks and digital data within the Chinese border will be made transparent to the CCP with no exceptions. There is no place to hide.
So, how does it work? That will be discussed below.
II. China’s Comprehensive Network Security Program
The Chinese government has been working for several years on a comprehensive Internet security/surveillance program. This program is based on the Cybersecurity Law adopted on 2016. The plan is vast and includes a number of subsidiary laws and regulations. On December 1, 2018, the Chinese Ministry of Public Security announced it will finally roll-out the full plan.
The core of the plan is for China’s Ministry of Security to fully access the massive amounts of raw data transmitted across Chinese networks and housed on servers in China. Since raw data has little value, the key to the Ministry’s success will be in processing that data. Seeing that this is the key issue, the Ministry has appointed Wang Yingwei as the new head of the Cybersecurity Bureau. Wang is a noted “big data” expert and he will be tasked with making sense of the raw data gathered under the new system.
The plan for the new system is ambitious and comprehensive. As explained by Guo Qiquan, the chief cheerleader for the plan, the main goal of the new system is to provide “full coverage”. “It will cover every district, every ministry, every business and other institution, basically covering the whole society. It will also cover all targets that need [cybersecurity] protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet.”
This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government. Since the Chinese government is the shareholder in all SOEs and is now exercising de facto control over China’s major private companies as well, all of this information will then be available to those SOEs and Chinese companies. See e.g. China to place government officials inside 100 private companies, including Alibaba. All this information will be available to the Chinese military and military research institutes. The Chinese are very clear that this is their plan.
In the past, foreign owned companies in China were generally able to avoid the impact of this type of system in two ways. They did this primarily by establishing VPN internet servers in their own offices. These servers used VPN technologies to isolate data from the Chinese controlled networks, allowing for a company intranet to maintain the secrecy of emails and data stored on the company servers in China. As cloud computing has advanced, foreign owned companies typically use the same VPN technologies to isolate their cloud-based servers from the Chinese controlled system. Though the Chinese authorities often complained about these VPN systems, foreign companies were usually able to claim their special WFOE status exempted them from Chinese data controls.
However, with the roll-out of the new system, that will all change. First, the Cybersecurity Law and related laws and regulations are clear that they apply to all individuals and entities in China without regard to ownership or nationality. There are no exceptions. More important, the new Foreign Investment Law that went into effect on January 1, 2020 eliminates any special status associated with being a WFOE or other foreign invested enterprise. Foreign owned companies will be treated in exactly the same way as Chinese owned companies. See China’s New Foreign Investment Law Benefits: Like Putting Lipstick on a Pig. This means the Cybersecurity Law will apply to foreign owned companies (WFOEs, joint ventures, and Representative Offices) in the exact same way it applies to Chinese owned companies and individuals. There will be no place for foreign owned companies to hide.
This means using intra-company VPN systems will no longer be authorized in China for anyone, including foreign companies. This in turn means all company email and data transfers will be required to use Chinese operated communication systems fully open to China’s Cybersecurity Bureau. All data servers that make any use of Chinese based communications networks will also be required to be open to the Cybersecurity Bureau’s surveillance and monitoring system.
It is important to fully understand what this means. Under the Cybersecurity Law, the Chinese government has the right to obtain from any person or entity in China any information the Chinese government deems has any impact on Chinese security. The Chinese government understands foreign companies and individuals will be reluctant to simply turn over their information to the Chinese government when asked. For that reason, the Chinese Cybersecurity Bureau does not plan to politely make a formal request for the information. The fundamental premise of the new cybersecurity systems is that the government will use its control of communications to simply take the information without discussing the matter with the user. All data will be open to the Chinese government.
This system of constant and pervasive access to and monitoring of data sets up a fundamental conflict for U.S. and many foreign companies operating in China because U.S. law in many cases mandates much information be kept secret. But Chinese law now requires complete government access to those secrets if those secrets cross the Chinese border for any reason. This conflict puts many U.S. and foreign companies in an impossible legal bind. I include foreign companies because foreign companies with U.S. subsidiaries or even certain sorts of relationships with U.S. companies will also be bound or at least impacted by these U.S. secrecy laws.
First, as the scope of what the U.S. government designates as controlled information and technology begins to expand, the restrictions on what cannot be transmitted across the Chinese border increases. See this post on what will likely constitute a restricted “emerging technology” under U.S. law. U.S. companies used to take the position that their information in China is on a private server isolated from the Chinese government and if the Chinese government requests this information, “we will refuse to comply.” This argument will no longer work because the Chinese government will no longer ask for the information; it will simply take it.
Second, much intellectual property is protected as a trade secret rather than because it is registered as a patent. In fact, the value of many U.S. patents lies in its supporting trade secret know-how. Trade secrets are a form of property protected under U.S. law. However, the general rule for being able to maintain something as a trade secret (under U.S. and China and EU law) is that the holder of the trade secret must take reasonable steps to maintain its secrecy. Once a trade secret has been intentionally or unreasonably revealed by its holder, its protection as trade secret property is terminated. This then leads to the conflict.
Under the new Chinese system, as a practical matter, trade secrets hidden from the CCP will no longer exist. This means U.S. and EU companies operating in China will now need to assume any “secret” they seek to maintain on a server or network in China will automatically become available to the Chinese government and then to all their Chinese government controlled competitors in China, including the Chinese military. This includes phone calls, emails, WeChat messages and any other form of electronic communication. Since no company can reasonably assume its trade secrets will remain secret once transmitted into China over a Chinese controlled network, they are at great risk of having their trade secret protections outside China evaporating as well.
The U.S. or EU company may have an enforceable agreement with the Chinese recipient of its confidential information that protects that information with respect to that authorized recipient. But if the secret is easily available to the Chinese government, there is no real trade secret protection.
By giving the Chinese government and its cronies full access to its data, the U.S. or EU company may very well be deemed to have illegally exported technology to China, and it could face millions of dollars in fines and even prison sentences for some of its officers and directors. There is an inherent conflict between foreign laws mandating a company not transfer its technology to China and China’s laws which effectively mandate that transfer
III. China’s Regulatory System: The Multi-Level Protection Scheme (MLPS 2.0)
A core concept in the CCP system of control is that China must be ruled by law. The law is the expression of the will of the Party. That expression of will must be clear and inflexible. In keeping with that basic policy, the cybersecurity system that will be rolling out over the next decade is documented in detail as the Cybersecurity Multi-level Protection Scheme (“MLPS 2.0”), which is came into effect on December 1, 2019. This scheme sets out the technical and organizational controls all companies and individuals in China must follow to comply with MLPS-related Internet security obligations mandated by China’s Cybersecurity Law. All companies and individuals must abide by the following three standards:
1. GB/T 22239 – 2019 Information Security Technology – Baseline for Multi-level Protection Scheme
2. GB/T 25070 – 2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection Scheme.
3. GB/T 28448 – 2019 Information Security Technology – Evaluation Requirements for Multi-level Protection Scheme.
The Chinese language versions of these standards can be found here; I am not aware of any English language translations of these standards.
My personal file on the laws and regulations relating to the MLPS 2.0 system consists of 800+ pages of very technical Chinese. But even this vast documentation is not sufficient to fully understand the function of the system. To fully understand all this, one must also consider the objectives of other key Chinese government planning documents, such as the national artificial intelligence program, the Internet+ program, the social credit system for individuals and businesses (See China’s New Company Tracking System: Comply, Comply, Comply), and various other network/Internet/data gathering and surveillance programs being implemented in China.
When one examines these various different programs together, it becomes apparent the MLPS 2.0 system is the “hardware” component of a comprehensive data gathering, surveillance and control program. China’s plan is to create a system that covers every form of network activity in China: Internet, mobile phone, WeChat type social networks, cloud systems, domestic and international email. China’s goal is not to create a commercial system where individual players can participate and make money. Its goals are surveillance and control by the PRC government and the CCP.
To achieve those goals China is creating a system to achieve two ultimately contradictory objectives: the system will be closed against intrusion by “bad actors” (foreigners and internal dissidents), but completely transparent to the Ministry of Public Security and other internet security agencies of the PRC government and the CCP. Transparency to the Ministry of Public Security means what it says: No technology that blocks access by the Ministry of Public Security is permitted. No VPN, no encryption, no private servers. If the Ministry of Public Security is required to install back doors or other message/data interception devices or systems to achieve full access, then China Telecom and Chinese based ISPs are required to comply. But because providing open access to the Ministry of Public Security directly conflicts with the goal of hardened security from intrusion, how to mediate between these conflicting goals is the chief reason for the length and complexity of the MLPS 2.0 standards.
The legal basis for allowing China’s Ministry of Public Security to access networks and data comes from a regulation not included within the MLPS 2.0 standards. As I noted above, full understanding requires pulling together all the applicable regulations. This is just one example of this. The written regulations that give the Ministry of Public Security the right to just “take it” are the Regulation on Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). This regulation was promulgated on September 15, 2018 and came into effect on November 1, 2018. My references to this regulation below are to the articles of the Chinese language version published by the Chinese government. It is important to base comments on the Regulation on what was actually adopted, not to earlier discussion drafts containing provisions that were not adopted.
As a preliminary issue, a key matter confirmed by the Regulation on Internet Security Supervision and Inspection by Public Security Organs is that the Ministry of Public Security has lead authority to take on the front-line enforcement duties related to the Internet and to network security in China. This means MIIT (China Telecom), CAC, CNNIC and the alphabet soup of other Chinese agencies that sought a role in cybersecurity administration have been pushed aside in favor of the Ministry of Public Security. This means enforcement will be handled by the police rather than by local bureaucrats. This decision on enforcement has real meaning for foreign companies doing business in China and for its foreign employees who live and work there. When a Chinese bureaucrat shows up at your door asking for information, you can perhaps send that bureaucrat on his or her way. But when two or more uniformed police officer show up at your door, you have no option but to comply.
The Regulation on Internet Security Supervision and Inspection by Public Security Organs provides for two levels of inspection of networked servers: on-site inspection and offline, remote access. See Article 13. When an on-site inspection is conducted, a minimum of two local police officers must be present. See Article 14. The police officers will be accompanied by local government agency staff charged with Internet security. If local government agency staff are not sufficient, the Ministry of Public Security may employ independent contractors to do the work.
The inspection team has complete access to the network system. Inspection can cover both the technical aspects of the network system and the data/information maintained on the servers. See Article 10.
The inspectors can fully access the system and copy any data they find. See Article 15. The only restriction on the inspectors copying the data in your company’s system is that they must provide you with a receipt. Though Article 10 “restricts” access to matters involving national security, the definition of national security in China is so broad there is no real limitation on what can be accessed, copied and removed.
In cases where the Ministry of Public Security determines there is an Internet security issue, it has the right to perform a remote access inspection. the scope of which is set out in Article 10. Prior notice of remote access is required. There are two issues related to such notice: First, the purpose of the notice is not to protect the rights of the party being inspected. Rather, the purpose of the notice is to ensure that the server has been completely opened to access by the Ministry of Public Security. Second, for servers maintained by a cloud provider, it is not clear whether notice goes only to the cloud provider or to both the cloud provider and its customer(s). It is therefore not clear whether the cloud customer will ever receive notice that its server and data were viewed and copied by China’s Ministry of Public Security. Time will tell on this, but my guess is the cloud customer will never know unless its cloud provider tells them, which is unlikely.
This off-site access rule is awkward to manage. The structure of the MLPS 2.0 standards suggest the Ministry of Public Security plans to work with cloud providers and Managed Service Providers to get them to install systems that will allow the Ministry of Public Security easy off-site access at any time, without need to go through an incident by incident prior notice then access procedure. However, this type of constant access system is not contemplated by the Regulation. Even if the Regulation on Internet Security Supervision and Inspection by Public Security Organs is strictly followed, there is no getting around the fact that it provides for China’s Ministry of Public Security to have essentially unfettered access to all servers and data. Referring to this as “cybersecurity” is fundamentally misleading. As the Regulation itself states, this is a regime for inspecting and controlling by the Chinese government. It has nothing to do with cybersecurity as normally considered in the open Internet world.
The key issue then becomes what happens to the data collected by China’s Ministry of Public Security –your company’s data, for instance. The Ministry is permitted to copy and remove virtually any information or data it finds on the servers it inspects. What about the confidentiality of that information? Article 5 of the Regulation on Internet Security Supervision and Inspection by Public Security Organs addresses this issue : “The personal information, privacy, trade secrets and state secrets that the public security organs and their staff members are aware of in the fulfillment of the duties of Internet security supervision and inspection shall be strictly kept confidential and shall not be disclosed, sold or illegally provided for others.” This provision must be read carefully because it provides for “confidentiality with Chinese characteristics”.
The key point is that the term “others” does not include any agency of the Chinese government or of the CCP. In other words, it does not include universities and other research centers operated or controlled by the Chinese government. It also does not include the Chinese military or Chinese arms manufacturers. It also does not include China’s State-Owned Entities (SOEs). Though not clear, the term “others” also probably does not include nominally private entities controlled by the CCP. See e.g., Huawei.
So again, what does this confidentiality provision mean? As applied in China, the confidentiality rule of Article 5 is intended to prevent Ministry of Public Security officers from doing two things: selling data to Chinese or foreign companies for personal profit and two, disclosing data to foreign agents (spies). This rule is not intended to prevent the Ministry from sharing the data it collects with the insiders described above. In fact, such sharing is mandated as part of the data needs of the entire Chinese government and the CCP. The Ministry of Public Security is not permitted to hoard the data; it is required to spread it around within China’s Party- controlled system.
This result then leads to the key issue. Confidential information housed on any server located in China is subject to being viewed and copied by China’s Ministry of Public Security and that information then becomes open to access by the entire PRC government system. But the PRC government is the shareholder of the State-Owned Entities (SOEs) which are the key industries in China. The PRC government also essentially controls the key private companies in China, such as Huawei and ZTE, and more recently, Alibaba and Tencent and many others. See China is sending government officials into companies like Alibaba and Geely and China to place government officials inside 100 private companies, including Alibaba. The PRC government also either owns or controls China’s entire arms industry.
Simply put, the data the Ministry of Public Security obtains from foreign companies will be available to the key competitors of foreign businesses, to the Chinese government controlled and private R&D system, and to the Chinese arms industry and military.
The negative consequences of this should be obvious. But the critical issue is that the consequences go far beyond just the commercial impact. China’s new systems will become a matter of national security for the U.S. and other governments. This then sets up a conflict private companies will not be able to avoid. Do they make their data available to China’s Ministry of Public Security as required by Chinese law or do they keep that data from the Ministry (and in turn the Chinese Military) as required under the laws of their home country? In other words, do they simply stop using or providing data to their China operations?
The final result will be that as far as China is concerned, “free trade” in the critical areas of technology will end up being severely curtailed. Welcome to the New Normal.
My future posts will address oft-proposed solutions that do not work and solutions that can actually make the situation a bit better.