China’s Cybersecurity Law: Controlling Information, Hamstringing Innovation

Alan McQuinn
Research Analyst, Information Technology and Innovation Foundation

Like many other governments, China is seeking to reestablish its sovereignty over the digital sphere with a new Cybersecurity Law. But while the law could help address China’s national security issues, critics argue the law gives the government free reign to conduct surveillance and systematically censor political dissent, while also alienating foreign tech firms through what could be viewed as market protectionist requirements. The Cipher Brief spoke with Alan McQuinn, a research analyst at the Information Technology and Innovation Foundation, about what this law means for both Chinese citizens and foreign companies seeking access into the Chinese market.

The Cipher Brief: How has China traditionally controlled the flow of information online? What are some of the key tactics the Chinese government has used in the past to conduct domestic surveillance and censor political dissent?

Alan McQuinn: While China has a constitution that affords its citizens both freedom of speech and of the press, its government has traditionally used “state secrets” laws to crack down on things it finds subversive, whether political or economic in nature.

The Chinese government is adept at using both traditional and new media to control information. First, it uses technology to monitor online communications and block information. The Chinese government has several public entities devoted to restricting and removing politically sensitive online content, the most powerful of which is the Central Propaganda Department. Some estimates say the government employs roughly 100,000 people to monitor the internet in China. In addition, the Chinese government uses the Golden Shield Project, commonly known as the Great Firewall, to monitor Internet use and censor online content through bandwidth throttling and keyword filtering.

Second, the Chinese government shutters or blocks major websites, especially foreign media and technology companies like Google, that it feels are or were subverting its authority. For example, in 2012 China blocked the New York Times’ website after it published a story on the family wealth of Chinese Prime Minister Wen Jiabao.

Finally, the Chinese government jails perceived dissidents, including journalists and bloggers. According to the Committee to Protect Journalists, as of the end of 2015, China had jailed 49 journalists. Beyond jailing journalists, the Chinese government uses libel lawsuits, fines, forced television confessions, or simply fires journalists to push the media to censor itself.

TCB: How do you see China’s new cybersecurity law furthering the state’s control over information?

AM: The new cybersecurity law, and laws like it, signal the Chinese government is expanding its focus from censoring online access to identifying users and gaining access to private systems, by removing anonymity, accessing source code, and weakening encryption. These laws are designed to both increase the state’s surveillance capabilities and to push foreign competitors out of the Chinese market.

The recent cybersecurity law has several concerning components from a trade, privacy, and innovation perspective. First, it requires that the companies provide government access to their equipment and software to evaluate security capabilities—to see if it is “secure and controllable”—which could include turning over source code for appraisal or weakening encryption. Second, it requires that companies provide yet-to-be-defined “technical support” to government agencies for law enforcement and national security investigations. Third, it requires that “personal information and other important business data” must reside on local Chinese servers and may not leave China’s borders without permission. Fourth, the law enacts criminal penalties for certain types of speech on the Internet, including spreading false information, damaging national unity, and overthrowing socialism. Fifth, these restrictive measures apply to a potentially broad range of sectors considered “critical information infrastructure.” Finally, it strips away the anonymity for users of services such as instant messaging by requiring real names and personal information to sign up. Just how restrictive and intrusive this law is will depend on how implementing agencies define key terms—such as “personal and business information,” “technical support,” “secure and controllable,” and “critical information infrastructure.”

The new cybersecurity law also is the latest Chinese policy to restrict, if not outright exclude, foreign technology companies from China, especially given the risks that come from disclosing valuable source code and intellectual property to the government, who may then pass it to a local competitor. This law’s protectionist intent was made clear during the Chinese government process to seek feedback on how it should define and operationalize the provision for “secure and controllable,” when a government official admitted this was a guise to justify discrimination against foreign technology products and help “domestic production.” Similarly, the data localization measures in the law would increase costs for foreign firms who do not already have Chinese data centers, without increasing privacy or security.

TCB: Do you believe this law will ultimately be effective at censoring material, or even a sustainable practice in the future?

AM: These efforts will work as intended, censoring material and pushing out foreign competition. While there are ways around these restrictions, they require a level of sophistication and dedication beyond the reach of most Chinese residents. However, over time, the costs that result from weaker encryption and barriers to data flows may take their toll. These protectionist policies unwittingly limit the ability of a country’s own firms and industries to innovate by shielding them from international competition. Countries that artificially prop up domestic businesses with protectionist policies set up those businesses to fail because they will be less competitive in the global market than those operating without crutches. Chinese products and services, especially those that benefit from network effects, have certain advantages against foreign providers simply because they have access to a very large, restricted market. Only time will tell if these practices are sustainable, or if they lead to uncompetitive Chinese goods and services.

TCB: China, like many other countries, has legitimate security and cybercrime concerns. How can these be better addressed without facilitating censorship or surveillance?

AM: All countries face these challenges, and they should work together to find common solutions. For example, rather than have its own security standards and certification, China should work with other countries to develop and adhere to global standards. By working together, countries can better tackle issues surrounding how the private sector protects information systems and improve cybersecurity without unnecessarily raising costs on businesses and consumers.

Furthermore, no country should restrict or weaken encryption, because any attempts to do so reduces the overall integrity of the Internet and limits innovation in information security. By forcing a backdoor access requirement on companies operating in China, the Chinese government is effectively hamstringing the ability of those services (both foreign and domestic) to continuously improve the security of their Chinese users.

TCB: Are there similar laws being implemented in other countries?

AM: Yes, there are several laws created by other countries to increase surveillance, restrict data flows, or weaken encryption. One of most extreme surveillance laws in terms of what it requires, called the Investigatory Powers Act, commonly referred to as the “Snooper’s Charter,” was passed this year in the United Kingdom. This law gives UK law enforcement unprecedented authority to collect data on its citizens, and forces technology companies to have the “technical capabilities” to bypass encryption (a phrase that is similar to China’s “secure and controllable” language). Similarly, Russia has recently enacted an anti-terrorism law that expands surveillance, weakens encryption, and establishes localization requirements. Finally, laws to restrict data flows have been enacted in Canada, Australia, India, South Korea, and many others.

Unfortunately, these laws weaken overall security and ignore the harmful effects that barriers to the free flow of data have on the global economy. Only by coming together and recognizing the importance of information security and the free flow of data will the international community be able to establish multilateral agreements that tackle the stickier issues, such as surveillance, trade, and access to and storage of information.

The Author is Alan McQuinn

Alan McQuinn is a research analyst at the Information Technology and Innovation Foundation. His research areas include a variety of issues related to information technology and Internet policy, such as cybersecurity, privacy, virtual currencies, e-government, Internet governance, and commercial drones.

Learn more about The Cipher's Network here