China has long exerted control over Internet content and access by its citizens. The censorship regime known as the Great Firewall of China has been used to eliminate unwanted content such as criticism of Communist Party leadership. Since Xi Jinping became president in 2013, that regime has been tightening up in many ways.
China’s right to control its own portion of the Internet has been defended by the government through its promotion of the concept of “cyber sovereignty.” They express this as the right of each nation to establish its own norms and controls over Internet operations in their country, extending the notion of national sovereignty into the cyber realm. This has been used to justify China’s restrictions over Internet use that other countries do not impose.
The way China is acting under the banner of cyber sovereignty, however, not only constrains its citizens but has recently been extending constraints out into other countries. Foreign websites seen as threatening to Chinese control have been subjected to cyber-attack. Foreign companies operating in China are being told to censor content in outside media as a condition for their continued operations. Stronger cybersecurity laws have put new controls on foreign businesses’ data collection and processing inside China and threatened police intrusion into their cybersecurity operations.
In addition, to position itself as a dominant cyber power, the Chinese government is investing heavily in technology development that has impact on their competitiveness, especially in the areas of semiconductor production, quantum technology, and artificial intelligence. They are also extending their control over international telecommunications networks by building telecoms infrastructure in dozens of countries as part of their Belt and Road Initiative.
Finally, China is directly challenging the international system of Internet governance that they see as dominated by the United States. This effort has included gaining a greater voice in ICANN and using the United Nations as a forum to argue for a multilateral, nation-state based system, giving them a more equal footing with the US.
Having started out a few years behind developed countries in Internet use, with only 100,000 users in early 1997, China has grown to be the largest national chunk of the Internet with 770+ million citizens online. For the past 20 years, China has always faced a major dilemma in how it relates to the Internet and, through it, to the outside world. China needs a free, world-connected Internet as an engine of commerce and development. However, China’s leaders also see themselves as needing to control citizens’ Internet use to prevent challenges to the regime.
The arrival of Xi Jinping has clarified the answer to that question and given rise to frequent use of a new term, cyber sovereignty, that embodies his approach. This report will examine how the Chinese talk about the concept of cyber sovereignty, what it means for internal Internet censorship, and how China is trying to extend the concept—and their reach—out into the world.
CYBER SOVEREIGNTY AS A CONCEPT
Under Xi Jinping, the government’s expressed priorities make clear that their solution to the Internet dilemma lies in strengthening government control in a number of ways. China wants a “harmonious” Internet, free of turbulence, controversy, or dissent; one that fosters economic growth but also guides public opinion, supports good governance, and is tightly controlled. In addition, China wants to develop itself into the primary source for its own digital and communications equipment, cutting its dependence on foreign manufacturers. Increasingly wary of the risk of cyber-attacks, China is mobilizing the People’s Liberation Army to further develop its cyber-forces and strengthen China’s network defenses. Finally, China has promoted cyber sovereignty as an organizing principle of Internet governance, which also means opposing US support for a global, open Internet. China argues instead for a world of national Internets, with the sovereign rights of states extended into the cyber sphere. No government agency in China has yet promulgated anything like an official definition of the term cyber sovereignty (网络主权), but this term is frequently used from the highest levels. The way it is most frequently used indicates that it means the subordination of cyberspace to the interests and values of the state. In 2017 China issued a “White Paper” on cyber security that contained this claim: “Countries should respect each other’s right to choose their own path of cyber development, model of cyber-regulation and Internet public policies, and participate in international cyberspace governance on an equal footing. No country should pursue cyber hegemony, interfere in other countries’ internal affairs, or engage in, condone or support cyber activities that undermine other countries’ national security.”
As a medium for disseminating the Chinese view of Internet governance to the rest of the world, China organized its first World Internet Conference in 2014, now held annually in Wuzhen just outside Shanghai. The principle of cyber sovereignty was extolled by Xi himself from the podium at the World Internet Conference in 2015: “Respect for cyber sovereignty must be upheld. We should respect the right of individual countries to independently choose their own path of cyber development, model of cyber regulation and Internet public policies, and participate in international cyberspace governance on an equal footing.” This stance was reiterated at this year’s World Internet Conference. Xi did not attend but instead sent Huang Kunming, the Chief of the Propaganda Department of the Chinese Communist Party, who read a letter from Xi Jinping to the conference attendees, saying: “We should adhere to the principle of respecting cyber sovereignty, respecting every individual country’s right to choose its own development path for cyberspace, model of cyber governance, and internet public policy.”
Xi Jinping has also been pushing another term: “cyber superpower.” An article published by the Cyberspace Administration of China’s Theoretical Studies Center Group described what it said was Xi’s thinking on this topic. They said in part that “General Secretary Xi Jinping’s concept of building China into a cyber superpower (网络强国) is a product of the combination of the basic principles of Marxism and the practice of Internet development in China under the new historical conditions. It constitutes a scientific summary and theoretical refinement of the path to socialist governing of the Internet with Chinese characteristics.”
CYBER SOVEREIGNTY IN PRACTICE
The Chinese concept of cyber sovereignty has meaning internally for the Chinese citizen but also for how China interacts with the rest of the world. Internally, the promotion of this concept has meant ever-tighter Internet censorship and control. Internet control has been a feature of China since the Internet was introduced. Prior to Xi Jinping, the control system, informally called the “Great Firewall of China,” was often porous, allowing many citizens to access foreign websites that the government tried to block. This changed over time as the government’s technical means to control became more sophisticated, but generally speaking Chinese citizens have historically been smart enough to circumvent controls in a number of ways. Under Xi Jinping, that situation has been changing. As the most recent Freedom House report on Internet control stated: “China was once again the worst abuser of Internet freedom in 2018.” The report went on to say: “Internet controls within China reached new extremes in 2018 with the implementation of the sweeping Cybersecurity Law and upgrades to surveillance technology.” This has involved a network of tighter measures across the board, leading to a situation where citizens cannot express themselves anonymously online as they had been able to in the past. Technical advancements have given the Chinese government new tools for monitoring its citizens, whether online or just walking through their cities. The Freedom House report also stated:
“One of the most alarming developments this year has been the uptick in state surveillance. Facial recognition technology and other advanced tools are being used to thwart any actions deemed to harm ‘public order’ or ‘national security.’” The Chinese government retains technical control over foreign content through packet filtering at the handful of international gateways that connect China to the rest of the world. Prohibited search terms and foreign domain names are used to check packet content, and if searches or addresses are on the prohibited list, the query returns no results.
The Chinese government regularly issues lists of “sensitive words” to Internet content providers and instructs them to search their own pages and cull out content with those terms. These terms change based on current events and whatever the government considers sensitive at the moment.
Explicit instructions are also issued to print and online media about what not to report. This can include any stories that embarrass the government, international events that could put China in a bad light, or even disasters that somehow could reflect badly on the government. One of the key provisions of the new Cybersecurity Law is that it requires Internet users to register with their real names before posting any content online. The government has been pushing this approach for years to quash anonymous criticism, but this appears to be the first time they are making such controls stick. The Cybersecurity Law and the Cybersecurity Administration of China, charged with enforcing such laws, have been used to fine or shut down content providers who fail to comply. Several such enforcement actions were reported in 2017 and 2018. In terms of technical controls, the most serious recent attack on ways to circumvent the Great Firewall has been the 2017 Ministry of Industry and Information Technology regulations banning the use of circumvention tools, especially virtual private networks (VPNs). For the previous few years, VPNs have been the tools of choice for Chinese citizens seeking to connect with foreign content. In 2017, however, serious limits were put on VPN use. Even Apple removed all VPNs from its App Store in China, citing the need for compliance with Chinese government regulations.
In addition to constraining the kinds of topics that can be discussed by Chinese Internet users, the government has mounted a serious effort to shape conversations and opinions online. One foreign study in 2013 estimated that as many as two million people were employed by the Chinese government as “internet public opinion analysts,” whose duties were to post comments that were favorable to the government or argued the government position. A Harvard study in 2016 of Chinese online activity estimated that the Chinese government was fabricating and posting more than 400 million comments on social media annually.
China’s censorship regime is not just a problem for Chinese citizens, but is being extended out into the world in a number of ways. China has a history of both blocking specific foreign content and blocking any access to certain foreign websites. Those blocked in any given year have varied, but as of mid-2018 the following were just the top tier of a very large set of foreign domains that were blocked from China:
BBC NY Times
In addition to blocking what content can be accessed from inside China, China has recently attempted to exert censorship control over foreign entities in several cases. The following are a few examples:
- In 2015, the Chinese government conducted a distributed denial of service (DDOS) attack against GitHub, a major US-based software archive site. This attack was an attempt to force GitHub to remove pages linked to the Chinese-language edition of the New York Times and to GreatFire.org, a popular VPN service.
- In 2016, the US firm LinkedIn was ordered to censor posts about China that the government considered offensive from its worldwide network. The government made this action a condition of LinkedIn’s continuing operations in China.
- In 2017, Cambridge University Press admitted it had blocked access in China to more than 300 articles published in its journal China Quarterly, following orders from the Chinese government. It later reversed its decision and discontinued the blocking.
- The Marriott International hotel website and cell services in China were shut down by the Cybersecurity Administration of China for more than a week in January 2018. The Chinese objected to the fact that a Marriott customer questionnaire had listed Hong Kong and Taiwan as countries separate from China. Service was only restored after Marriott apologized and pledged to amend the questionnaire.
- WeChat, a popular Chinese-developed texting system, is used by Chinese worldwide. It was recently discovered that WeChat was being censored even when used by people outside China.
One event that had a big impact on both Chinese citizens and foreign corporations operating in China was the new Cybersecurity Law that went into effect in June 2017. This law placed an elaborate system of government controls over data security, data use, and digital data itself. Under this law, network operators must obtain users’ consent for data collection and processing. “Critical infrastructure operators” who collect personal data of Chinese citizens must also keep that data within China. Businesses are now obliged to employ network security safeguards, report network security incidents, and assist Chinese authorities in investigating cyber-crimes. In addition, cybersecurity-related products used by anyone in China have to be certified in advance by the Chinese government.
These original provisions created a great deal of anxiety among foreign businesses in China, but so far prosecution or serious intrusion into foreign business operations has not been reported. However, there has been a flood of additional regulation promulgated through late 2017 and all of 2018 that threatens to further tighten government control. The reach of the basic regulations of 2017 has been extended to cover more than data networks and critical infrastructure controls; it now includes cloud computing, big data, artificial intelligence, and the Internet of Things under its purview. Companies must now provide the government all information on any received cyber-attacks and any “cyber threat intelligence” in their possession. Network operators are now charged with conducting self-reviews of their cybersecurity systems once a year and reporting the risks discovered to the Ministry of Public Security. Data that poses risks to such things as China’s national politics, territory, military, economy, culture, society, or technology cannot be transferred out of the country. Foreign businesses’ communications methods are further constrained in that they can now only use VPNs that have been approved by the government in advance.
One measure of the extent to which Chinese controls have an impact on foreign firms can be seen in the nature of Google’s Project Dragonfly. This is a reported Google plan to create a search engine that conforms to Chinese censorship. The details of such a system have not been made public, but in October 2018 Google CEO Sundar Pichai acknowledged and defended the effort, saying that Dragonfly would “be able to serve well over 99 percent of [Chinese] queries.” A Google internal memo reportedly said that this search system would require users to log in to perform searches, and that the system would track user location and share search history with a “Chinese partner.” Google employee protests have called for an end to Dragonfly development.
RESEARCH AND DEVELOPMENT
China has been putting serious money down to achieve its goals of cyber dominance. China’s overall spending on research and development has recently exceeded $230 billion per year, or 20 percent of the world total in R&D spending. The focus on technology development is evident from several other data points. For example, more students graduate with science and engineering degrees in China than anywhere else in the world. In 2018, China overtook the US in the number of scientific publications produced. Xi Jinping has initiated a major development program called “Made in China 2025” which aims to achieve Chinese dominance across a set of ten technologies. Of these, the technologies that probably matter most for cyber sovereignty are semiconductor production, quantum computing, and artificial intelligence. One means the Chinese have tried to advance in semiconductor production has been simple: buy semiconductor manufacturers, including those in the United States. In 2013-2016, Chinese companies made 27 attempts to buy US semiconductor companies, worth a total of $37 billion. Most of these attempts have been turned back, and as of 2016, China still imported 90 percent of its integrated circuits. Some Chinese companies, such as telecoms manufacturer ZTE, are vitally dependent on chips made in the US, and the 2018 US sanction of ZTE highlighted to the Chinese their vulnerability from foreign manufacturers. So, through “Made in China 2025” China has committed $150 billion to improve its ability to design and manufacture its own advanced microprocessors.
Another focus of development that is showing some success has been in quantum computing development. The total expenditure in this area is unknown, but China is spending $1 billion on one quantum computing laboratory alone. At this point, no one in the world has developed an actual quantum computer, but China has recently made some breakthroughs in quantum technologies. In 2018, a Chinese team used quantum mechanics to generate strings of “real” random numbers at up to 180 quantum-certified bits per second. This was achieved by generating numbers from the physical properties of quantum particles such as individual photons. Because the state of such a quantum particle is not settled until it is observed, it is not predictable by the usual algorithms of classical physics. Access to real random numbers through such a process makes encryption technologies theoretically much harder to break.
China also launched the first quantum generation satellite in 2016, capable of generating pairs of “entangled” quantum particles. This phenomenon of quantum physics means that the pair of entangled quantum particles can be separated by long distances but their states are still tied to one another. China demonstrated this in 2018 by generating pairs on their satellite and then separating them and sending the particles to different locations on Earth. They were then incorporated into a communications circuit and operated between China and Austria. The nature of quantum particles means that if this were tampered with it would change the states of the particles and be discovered, an aspect that has caused some proponents to describe this as an “unbreakable” encryption mechanism.
The 2025 program is also spending a lot of money on artificial intelligence (AI) development. Xi Jinping is currently spending $150 billion on AI with the goal of taking the world lead in this field. Apparently, they have a good chance of doing just that, as Eric Schmidt, former Google CEO, has said of the Chinese: “By 2020, they will have caught up. By 2025, they will be better than us. And by 2030, they will dominate the industries of AI.”
The Chinese are currently applying AI to technologies that will probably underpin their goals for better monitoring and control of their population. The relevant technologies include facial recognition, which is being driven by AI breakthroughs. Facial recognition development has been used in a number of commercial applications: identity at an ATM, identifying frequent shoppers in a store, or using the face instead of physical tickets to an event. Some of these technologies were demonstrated at the World Internet Conference held in Wuzhen, China, in November 2018. One demo was a vending machine that charged one’s account based on a scan of their face. Another use was applied to the conference as a whole. When participants first entered the grounds for the conference, their face was scanned and matched to their identity and payment data. Thereafter, participants could enter any venue at the conference by a quick face scan.
These technologies also have obvious police applications: With a large enough data base of faces and identities, facial recognition could be used to identify criminals at the scene of a crime from surveillance camera images or monitor people on the street or in public venues, searching for suspects or fugitives. Chinese police have reported that one wanted man was plucked out of a crowd of 60,000 people at a pop concert in Nanchang in April 2018, having been scanned and identified at the ticket entrance to the venue. Facial recognition is reportedly being applied now against the Uighur Muslim minority in Xinjiang Province. As part of a crackdown on Uighurs, which reportedly also includes detention and “reeducation” camps holding up to a million Uighurs, China has been trying to build a facial data base for the entire province. The Freedom House report stated: “In the western region of Xinjiang, home to the country’s Uighur Muslim minority, facial recognition technology and other advanced tools are being used to monitor the local population and thwart any actions deemed to harm ‘public order’ or ‘national security.’”
There is another aspect of China’s approach to cyber sovereignty that has potential impact on other countries: Chinese construction of communications infrastructure in those countries. In fact, extending control over international telecommunications infrastructure is embedded in China’s Belt and Road Initiative.
The essence of the Belt and Road Initiative as China’s plan to promote international trade is that China is building the international infrastructure on which that trade will travel. This currently includes major China-funded and executed road, rail, and port construction projects, not only in neighboring countries but also extending out into South Asia, Africa, the Middle East, and even to Western Europe. Belt and Road is one of the largest infrastructure and investment projects in history, covering more than 68 countries that represent 40% of global GDP. Western analysis indicated China has $900 billion in projects underway or planned. Other estimates put eventual total cost at $4 trillion.
The cyber aspect of this is the fact that Belt and Road includes telecommunications infrastructure built by the Chinese. They even refer to this as the “Digital Silk Road.” China has more money to spend, more modern hardware, and more technical expertise than their neighbors, so their taking the lead and spending the money is attractive to many. Part of this effort involves organizing the participating countries and getting their buy-in on the technologies and standards. For example, the concluding communiqué from a 2017 Belt and Road Forum involving 33 countries pledged, in part, to cooperate on “telecommunications and information and communication technology,” committed to “put into place an international infrastructure network over time,” and called for “harmonizing rules and technological standards when necessary” to “maximize synergies in infrastructure planning and development.” Other major countries, including Russia, were part of this forum, but China is taking the lead and funding much of the infrastructure.
Chinese corporations are key players in this effort. For example, China Telecom and others are building fiber-optic links to Myanmar, Kyrgyzstan, and Nepal. Huawei is building mobile networks in Bangladesh and Cambodia. Alibaba has acquired Pakistani e-commerce company Daraz and established a digital free-trade zone with Malaysia and Thailand. ZTE is laying fiber-optic cables, setting up mobile networks, providing surveillance, mapping, cloud storage, and data analysis services in 50 countries. These corporations are not elements of the Chinese government, but they likely take guidance on some technology choices from the government and would be subject to coercion after the fact if the government wanted to use their infrastructure for information collection. In addition to infrastructure construction, China has been marketing its own surveillance technologies to some of these countries. One Chinese AI firm is working with Zimbabwean security forces to develop their surveillance system using facial recognition technology. Huawei is promoting its “smart city” systems, surveillance-heavy networks to assist police in crime prevention. Huawei currently has one such high-profile smart-city project underway in Kenya. In its 2018 report, Freedom House identified 18 countries where Chinese companies Yitu, Hikvision, and CloudWalk are installing facial recognition systems for security.
Exporting of cyber control techniques also extends to training by China. In 2018, China’s government hosted media officials from dozens of countries for seminars on its system of censorship and surveillance. One example was a two-week “Seminar on Cyberspace Management for Countries along the Belt and Road Initiative.” These involved tours of Chinese companies involved in “big data public-opinion management systems,” “positive energy public-opinion guidance” and “tools for real-time monitoring of negative public opinion.”
Specific media control techniques were part of some of this training. Journalists from the Philippines visited China for two weeks in May 2018 to learn about “new media development” and “socialist journalism with Chinese characteristics.” A “Seminar for Senior Media Staff in Arab Countries” brought in representatives from Egypt, Jordan, Lebanon, Libya, Morocco, Saudi Arabia, and the United Arab Emirates. The impact of such work may be seen in the fact that involvement in such Chinese courses preceded passage of new, restrictive media laws in Uganda and Tanzania.
DIPLOMATIC TARGET: U.S. INTERNET GOVERNANCE
Another Chinese effort at pushing for its version of cyber sovereignty involves a direct attack on the current scheme of Internet governance. The Internet grew up in the 1970’s and 1980’s from ARPANET without a central driver or centralized control. The current “governance” system is intentionally loose and a bit chaotic, based on multiple stakeholders of various types rather than nation-states. While no one country runs the Internet, much of its development and its hardware have been American.
China’s current message on governance is that the US actually runs the Internet, not the international community. As evidence, China can point to the fact that ICANN, which manages the Internet’s domain name system, was under the US Department of Commerce until 2016. The effort to privatize ICANN, which was successful in 2016, has been seen in part as a victory for Chinese diplomacy.
China has been working at having a greater voice with ICANN for several years. China’s ICANN Engagement Center opened in Beijing in 2013. China is the only country to have such an entity. In 2015, China successfully organized a “high-level advisory committee” co-chaired by ICANN CEO Chehade and Alibaba CEO Jack Ma. The founders of this committee “invited 31 leading Internet figures from governments, enterprises, academic institutions, and technological communities to be members.” Again, as co-chair, China can work to shape the nature of the “advisory” mission.
China has also used other forums for building coalitions against the US and its supposed control of the Internet. China has framed Internet governance as a threat of potential US interference in other nations, making the case at recent summits of the BRICS (Brazil, Russia, India, China, and South Africa) organization and the Shanghai Cooperation Organization (China, Russia, India, Pakistan, Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan).
As another example, the speaker for China at the Russia-China Internet Forum in 2016 was Fang Binxing, a Chinese security specialist known as the “Father of the Great Firewall of China,” the collection of monitoring and control systems that blocks Chinese from unfettered Internet access. At the conference, Fang’s theme was that since most Internet infrastructure was located in America, Internet governance today was under American control. The Chinese are arguing for a governance system based on nation-states. Fang stated that state power already exists over the Internet, that the United States is that state, and the US is a hegemon dominating all other countries using the Internet. Fang’s conclusion was that cyber sovereignty should mean the US sharing control with other nation-states.
China has also pushed its nation-state multilateral theme at the United Nations. The approach they have been espousing here is "the need to internationalize Internet governance and to enhance in this regard the role of the ITU." The International Telecommunications Union is an entity under the United Nations in which, if some components of Internet governance were transferred to the ITU, China could act as a peer competitor to the US in promoting a form of governance to their liking.
The fact is that the Internet has changed to the point that China has a logical claim to a louder voice in Internet governance. In 2000, when the West was deeply into Internet use, China had just one million users. In 2018, it is by far the country with the most Internet users with more than 700 million. What does the push for its own cyber sovereignty likely mean for the future of the Internet? When this question was posed to Eric Schmidt in September 2018, he answered in this way: “I think the most likely scenario now is a bifurcation into a Chinese-led Internet and a non-Chinese Internet led by America … Globalization means that they get to play too. I think you’re going to see fantastic leadership in products and services from China. There’s a real danger that along with those products and services comes a different leadership regime from government, with censorship, controls, etc.”
However this develops in the near future, what seems clear is that China is actively espousing cyber sovereignty as a guiding principle for Chinese use of the Internet, and that China will establish stricter controls over how it is used by Chinese citizens. If that were a problem for China alone, it might be ignored by other countries. However, current actions indicate that control of the Chinese Internet includes attempts at censorship that have impact on the rest of the world. Censorship demands are being directed, successfully in many cases, at outside entities. Furthermore, China is building out its digital infrastructure into the rest of the world through their Belt and Road Initiative, which may give China control over standards, hurt the competitiveness of other countries in the telecommunications market, and make outside networks more vulnerable to Chinese intelligence collection. It is important at this time to recognize that the Chinese diplomatic push for new forms of Internet governance has other elements: cross-border censorship, equipment and training for stronger government control in other nations, international communications infrastructure, and more domination by Chinese hardware. All this is embedded in China’s concept of its cyber sovereignty.
Contact the Wapack Labs for more information: 603-606-1246, or firstname.lastname@example.org