A 21st Century Clipper Chip Debate

Decentralized Technology in a Centralized State: China & Encryption

Brian Larson

--

This article highlights how the encryption debate in China has evolved since it was broached in the mid to late 1990s. It seeks to add context to the current encryption policy of the Chinese Communist Party, including potential ramifications of Beijing’s 2019 Cryptography Law on both domestic security and economic well-being of the country.

Beginning in the mid to late 1990s, the Chinese Communist Party (CCP) began to leverage encryption technology to increase the competitiveness of domestic information technology firms. In 1999, with the release of State Council Directive №273, the Chinese government “banned foreign encryption products, deemed all commercial encryption standards a state secret, and required that commercial encryption products only be produced and sold by units designated by the Office of State Commercial Cryptography Administration.”[1] Under pressure from international technology firms like Microsoft and Cisco, Beijing quickly reeled in the regulation.[2] In a clarifying document issued in March 2000, the Party disclosed that only hardware and software using encryption as “core functions” would be regulated under the law.[3] From its adoption of encryption technology in the late 1990s, it’s clear that Beijing was struggling to reconcile its own national security interests with fostering foreign investment within its borders.

With the 2013 Snowden-led WikiLeaks, Chinese concern over the vulnerabilities of foreign-supplied encryption technology skyrocketed.[4] Beijing realized that it could not rely on foreign suppliers of encryption technology to guard top-secret Party data or, in more extreme cases, prevent foreign spying. In 2014, President Xi Jinping formed the Leading Small Group on Cybersecurity and Informatization, a high-level body tasked with “overseeing issues related to the digital economy and cyber defenses.”[5] Under the slogan of “without cybersecurity, there is no national security,” the Chinese Communist Party kicked into high gear efforts to localize important data and establish an internal standard-setting technical authority of encryption practices. On October 26, 2019, the National People’s Congress passed sweeping new regulation in the Cryptography Law.[6] The law aims to bring sweeping changes to existing regulations, with both security and commercial implications.

The 2019 Cryptography Law identifies two categories of encryption related to national security: “core” and “common” encryption.[7] According to the encryption law, “all state secrets relevant to China’s national security must be stored and transmitted using ‘core’ and ‘common’ encryption.” “Core” encryption will be used to protect all state secrets classified as “secret,” “highly secret” and “top secret.” And “common” encryption will be used for all state secrets defined as “secret” and “highly secret.” The semantics behind the separation of the different types of “secret” remain unclear, and it’s possible Beijing is seeking to reserve the right to determine this formally in the future. However, the Chinese Communist Party has signaled to the global community that foreign firms may use commercially developed encryption standards, a comforting sign to firms with concern regarding China’s troubling history with enforcing intellectual property rights. It’s worth noting that under the law, Beijing established a commercial encryption supervision system that allows for the monitoring and ad-hoc checking of commercial encryption systems.[8] This may be an example of Beijing keeping with Mao Zedong’s famous advice, “Despise the enemy strategically, but take him seriously tactically.”

While the 2019 Cryptography Law appears to be a step in the right direction for China, there are still some rather large remaining policy decisions to follow in the coming years. For starters, 5G wireless networks and suppliers will likely use commercial-grade encryption for their intellectual property. While the encryption law does not mention the advent of new technology like 5G directly, the commercial encryption supervision clause certainly leaves a lot of room for the Chinese Communist Party to ask for “an encryption back door to any new commercial encryption technology platform, simply on national security grounds.”[9] In this case, it’s possible that Beijing could effectively ask for a key-escrow to nearly any commercial-grade encryption that it finds threatening. In the case of monitoring and reducing freedom of expression amongst the Chinese populace, it is not a huge leap to imagine Beijing using the law to justify the decryption of popular messaging platforms like WhatsApp, Signal, or Telegram. Whereas its Western counterparts view encryption as a means to enable decentralized information sharing, China appears to simply want to use it to boost national security and encrypt commercial trade secrets from the prying eyes of Western rivals, and further control freedom of expression.

I recognize that the above diagnosis of the 2019 Cryptography Law is rather pessimistic; however, much like the Cypherpunks before me trumpeted, strong cryptography cannot have any “asterisks” or, in the case of the aforementioned law, supervision clauses.[10] In the end, the strongest and best cryptography has no escrow keys or back-doors. If China hopes to maintain not only its own commercial technology intellectual property but also encourage strong foreign investment, it must not try to circumvent a technology that punishes circumvention. This idea that China can rein in the technological might of encryption for certain priorities, but not others, is like being dipped in the River Styx only to find out that you are still vulnerable to attack. While Beijing has considerable policy decisions to make regarding how to harness the power of encryption, it still has plenty of opportunities to leverage encryption technology to further State economic and security interests without back-door addendums, clauses, or asterisks.

[1] http://www.asianlii.org/cn/legis/cen/laws/rocec383/

[2] https://carnegieendowment.org/2019/05/30/encryption-debate-in-china-pub-79216

[3] Notice Regarding Questions Related to the Administration of Commercial Encryption (the “Encryption Notice”), issued by the State Encryption Administrative Committee Office, March 2000

[4] Listening: Cybersecurity in an Insecure Age, Susan Landau, 2017

[5] https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-xi-jinpings-april-20-speech-national-cybersecurity-and-informatization-work-conference/

[6] https://www.cov.com/-/media/files/corporate/publications/2019/10/china_enacts_encryption_law.pdf

[7] https://www.cpomagazine.com/data-protection/chinas-new-encryption-law-highlights-cryptography-as-a-strategic-priority/

[8] https://carnegieendowment.org/2019/05/30/encryption-debate-in-china-pub-79216

[9] https://www.cpomagazine.com/data-protection/chinas-new-encryption-law-highlights-cryptography-as-a-strategic-priority/

[10] https://www.activism.net/cypherpunk/manifesto.html

Endnote: Special thank you to Professor Josephine Wolff at the Fletcher School at Tufts University for providing tremendous feedback and encouraging healthy debate on the topics of encryption and data privacy.

--

Brian Larson

Brian is a graduate of The Fletcher School at Tufts University & lives and works in New York City.