Via the journal
First Monday:
Abstract
The passage of China’s national cybersecurity law in June 2017
has been interpreted as an unprecedented impediment to the operation of
foreign firms in the country, with its new requirements for data
localization, network operators’ cooperation with law enforcement
officials, and online content restrictions, among others. Although the
law’s scope is indeed broader than that of any previous regulation, the
process through which it was drafted and eventually approved bears
similarities to three previous cases from the past two decades of
Chinese information technology policy-making. In comparing these four
cases, we argue that economic concerns have consistently overshadowed
claims of national security considerations throughout laws directed at
foreign enterprises.
Contents
Introduction
Case 1: State Encryption Management Commission (1999)
Case 2: WAPI as a domestic technical standard (2004)
Case 3: Green Dam-Youth Escort (2009)
Case 4: China’s cybersecurity law (2014–present)
Assessment and conclusion
Introduction
In late 2014, the Chinese government proposed a controversial law
with the stated aim to rid China’s banking sector of foreign information
technology by the year 2020. The Ministry of Industry and Information
Technology (MIIT) and the China Banking Regulatory Commission (CBRC)
argued that it was a national security threat for China’s banking sector
— defined as critical infrastructure — to use technology imported from
the United States, particularly in light of former National Security
Agency (NSA) contractor Edward Snowden’s revelations about the NSA’s
surveillance operations. In practice, the proposed law would require
foreign suppliers to reveal the source code of their software to Chinese
law enforcement in order to demonstrate that the technology was not
being used to spy on Chinese banks [1].
Predictably, this law prompted a major backlash from large technology
firms and U.S. government officials who claimed that it was
anti-competitive and a bald attempt to steal intellectual property. In
the spring of 2015, the same Chinese agencies that had defended the
proposed law announced that it would be ‘suspended’ in order to
incorporate comments and suggestions from Chinese banks. The suspension
was described broadly in the West as a victory for the global technology
suppliers and a step back by the Chinese government.
This series of events, however, is not sui generis. Versions
of this story have been repeated, in slightly different forms, at least
three times in the last 18 years. This paper ties these four cases
together. We argue that they represent a pattern of policy behavior that
in turn reveals important insights about long-term strategies for
achieving Chinese domestic technology goals. In light of the passage of a
national cybersecurity law that overshadowed the banking sector
proposal in 2017, these cases can illuminate deep-seated objectives of
Chinese policy-makers that have persisted up to the present.
The basic pattern of behavior is similar in each of the four cases we
investigate, and the stories roughly follow a common narrative. First,
the Chinese government proposes the adoption of a sweeping and somewhat
vague piece of legislation in the name of national security, which would
restrain foreign technology companies’ access to Chinese markets and
place intellectual property at risk of theft. This prompts forceful
negative responses, first from the companies, then from U.S. and other
Western government trade representatives, and finally at times from the
most senior government officials as well. This dynamic is Act 1 of the
story.
In ‘Act 2’, the Chinese government then suspends or postpones the
implementation of the law, but keeps it on the books. Western media
labels this (temporary) capitulation a victory for trade and
competition, and government pressure subsides.
But in at least three of the four cases, modified versions of the
proposed law are later passed and partially implemented, as the issue
fades from the spotlight and other conflicting interests come to the
fore. That is ‘Act 3’. At the end of the story, techno-nationalist
policies have not moved as far forward as was feared in Act 1. But they
have moved forward in a way that has cumulated over time to shape the
competitive environment — gradually, but with real impact.
We recount in this paper four specific cases that occurred roughly
five years apart over the last two decades. Up to now these cases have
been treated individually (including legal briefs on the encryption
case, analyses of the political economy of technological
standardization, and evaluations of the rollout and failure of a
nationwide Web content-filtering program). We place them together to
draw out their similarities, with one goal being simply to demonstrate a
pattern of behavior.
Our second goal is to assess that behavior pattern for strategic
coherence. Put simply, we want to know what this observed pattern can
tell us about a Chinese techno-nationalist strategy — if one exists. To
guide the argument, we offer four candidate hypotheses that could
account for the observed pattern, and we assess the evidence in each
case against those hypotheses.
The four hypotheses are these:
H1: Each case is in fact sui generis and the commonalities are coincidental. There is no underlying pattern or strategy at work;
H2: The seemingly vague laws represent the jumbled output of
bureaucratic politics and a struggle among competing agencies for
power, not a coherent ‘state’ strategy per se;
H3: The proposed laws represent the evolution of what is
first and foremost a national security strategy, narrowly defined, that
is aimed at reducing the vulnerability of Chinese military, government,
and commercial information systems to foreign technology intrusions and
cybersecurity threats;
H4: The laws represent the evolution of an economic
development strategy that is aimed at advancing the competitiveness of
the Chinese domestic IT sector.
Foreshadowing our conclusion, we find that the evidence supports
Hypothesis 4 most strongly, with increasing support for Hypothesis 3 as a
sub-goal in recent years. Put simply, the cases together suggest a
techno-nationalist economic competitiveness agenda that also supports
national security interests in a secondary role. Contrary to the
justifications provided for the most recent iterations of this strategy,
the NSA espionage revelations were more of a catalyst for plans China
already had under way than they were a groundbreaking prompt to reshape
Chinese information technology and cybersecurity laws. When these two
rationalizations are combined, which is increasingly the case at
present, we anticipate that they will continue to generate overambitious
policies that the top leadership is privately willing to suspend, scale
back, or loosely enforce.
In the U.S.-China Economic and Security Review’s 2016 report to
Congress, the authors warned that “the Chinese government’s sustained
commitment to technonationalism is a growing challenge for U.S. and
foreign firms seeking to enter China’s market or compete with its
state-supported firms abroad” (U.S.-China Economic and Security Review
Commission, 2016). The Chinese government is unlikely to abandon the
notion that ‘indigenous innovation’ is the preferred approach to
competitiveness in the information technology sector and to foreign
cybersecurity threats at the same time. Yet these cases demonstrate that
the state has been willing to downsize its boldest initiatives, with an
eye toward making incremental gains over the longer term. The recent
passage of a nationwide cybersecurity law that will further monitor and
restrict the behavior of foreign technology firms in China makes it
critical to understand the possibilities for compromise with Chinese
authorities in the long term.
Case 1: State Encryption Management Commission (1999)
In the 1990s and early 2000s, China heavily relied upon foreign
technology firms that supplied its markets with personal computers,
including such giants as Microsoft, IBM, and Intel. From those years
leading up to the present, an evolving long-term goal of the Chinese
Communist Party (CCP) has been for domestic companies to develop the
technological capabilities to build a robust information technology
sector that will obviate the need for imported devices. One noteworthy
early step in this direction that bears remarkable similarity to current
debates over revealing source code in banking technology occurred in
1999, when information technology regulations and the institutions that
oversaw them were still nascent.
By the end of the twentieth century the CCP was aware of foreign
governments’ abilities to build “backdoors”, or hidden channels used to
clandestinely access devices and networks, into technology sold to
China. Thus they turned their attention to encrypted communications.
Encryption is the process through which digital communication can be
protected such that only parties on the sending and receiving ends have
access to the information being transmitted. Understandably, protecting
encryption falls under the purview of national security in general, yet
the approach the Chinese government used to propose an encryption law
instead gained notoriety for threatening foreign technology companies’
intellectual property rights. At a time when the CCP hastened to create a
regulatory environment to address new advances in information
technology, the possibilities of overdrawing boundaries and
miscalculating what the state could feasibly accomplish were manifold.
What makes the encryption case compelling this many years after the fact
is how it established a precedent for similar incidents that followed,
each of which featured elements of economic protectionism amidst claims
of defending national security....
...
MUCH MORE