China is currently working on revising its first anti-terrorism law to deal with the increasingly complicated terrorism situations. This would be a major act that reflects rule of law in the fields of antiterrorism and securing the Internet. Even so, the clauses relevant to information security in the antiterrorism law have been confronted by opposition and concern from some countries, the U.S. in particular, which claimed that these new network security regulations directly harmed the benefits of some American enterprises.
U.S. president Barack Obama openly declared: “if China wants to do business with the U.S., it must change its relevant policies and regulations.” Marie Harf, the U.S. State Department spokeswoman, even held that “China should consult U.S. government and business circles first before drafting its antiterrorism law.” Such great concerns and opposing attitude held by America reflect not only the “double standard” it often adopts in matters of network security, but also its lack of understanding of the China’s real needs for network security.
The reason for the U.S.’ undue criticism of China’s antiterrorism law resides in its lack of understanding of the current terrorism situation in China, and particularly China’s defensiveness embodied in the related policies. Quite to the contrary, America cares only about what the antiterrorism law means to its enterprises in China, while overlooking the universal and fair applicability of the law.
China has been motivated by multiple factors to strengthen its cyber security, among which are its increasingly strained anti-terrorism efforts. Terrorists have been found utilizing the Internet as a platform to spread extremist information or to call for terrorist attacks, which have caused hundreds of deaths in Xinjiang Autonomous Region and many other provinces in China. In the case of Bachu terrorist attack, 14 terrorists of the reported 25 violent criminals used the Internet as a tool to receive and disseminate terrorism information. With the largest number of Internet users in the world, China has become a victim which suffers most from foreign hacker attacks, personal information leakage, and financial assets risks on both personal and institutional levels. The PRISM incident makes the Chinese government more aware of the potential cyber security risks that China is facing, particularly when it comes to the fact that core technologies and key areas of IT industry are under the control of western countries and all 13 DNS root servers are located in America, Europe, Japan and other developed countries.
On January 21, 2014, Internet users in China could not gain access to websites for several hours, and it was proved by Chinese security agents later that the incident was caused by a foreign hackers’ attack. Furthermore, both software and hardware in Chinese governments, banks, and research institutes are almost entirely dominated by foreign IT companies. Therefore, China’s law making on cyber security is of a defensive nature. China’ economy is becoming more sensitive to cyber risks with the emergence of e-commerce and e-finance, and it has become a consensus among the Chinese people that risks in the financial system can lead to a collapse of China’s economy.
It then follows that China’s real purpose for revising its anti-terrorism law is to safeguard its national security as well as the financial security of its people. The volume of online business transactions in China amounted to 13 trillion RMB last year, comprising of approximately 20% of its total GDP. With the development of Internet finance, China relies more and more on the Internet to conduct investment and financing transactions of capital. The monopoly of foreign technologies and products in China’s communication technologies market has further increased the risks and uncertainties China’s economy may encounter. When Microsoft stopped providing security support for Windows XP, governments at various levels, enterprises, and research institutions in China were forced to choose between installing a new Windows version or face security risks posed by loopholes of the old system. Microsoft’s act actually constituted a security threat to nearly 200 million XP users in China. For this reason, understanding the real demand and concern of China in network security is the prerequisite for America and China to further cooperate in cyber security.
In fact, strict regulations in the form of laws could ensure that all investors are treated equally without any discrimination. For instance, Huawei and ZTE Corporation suffered a lot from barriers in the name of security concerns from the U.S. government when investing in America and were demanded to disclose their source codes and encryption keys by the American government.
The excessive examination of investments from China by CFIUS has led to unfairness and discrimination against Chinese companies. The purpose, scope, and related regulations of a security review – clarified in the form of legislation – will help to carry out the principle of fair access for investors. Furthermore, China’s requirements of disclosing the sites of data storage, encryption keys, and source codes involve only those enterprises and companies engaged in telecommunications and Internet services, while other American hi-tech companies are not affected at all. Regarding the possible information and technology leakage of the high-tech companies, Hua Chunying, the spokeswoman of Chinese Foreign Ministry, pointed out in a news conference that only public security agencies or national security agencies are entitled to examine the related data in view of anti-terrorism needs by following very strict enforcement procedures.
Presently, the Chinese government and enterprises are fully aware of the worsening situation of foreign capital inflow caused by the lack of IPR protection. They are also aware that IPR protection is vital to China’s long-term competitiveness and sustainable economic growth. Thus the Chinese government is determined to strengthen legislation and reform in IPR. In this context, concerned American enterprises do not agree with the Chinese government’s drive for new round of economic reform and market opening. It also indicates a lack of understanding of the implications behind Chinese government action on the part of U.S. government.
In fact, not only China, but many other countries in the world have made laws or imposed strict political control in the field of network security. Governments of Western countries, including the U.S. and Britain have required high-tech companies to reveal their source codes and encryption keys. The Obama administration has been aggressively launching series of cyber security bills since he took office, such as “network security policy review,” “cyber space international security strategy,” and “network space action strategy.” This year, president Obama is playing an even more active role in promoting cyber security legislation, and has signed an executive order calling for enterprises to share information with the government cyber security agency. British Prime Minister David Cameron has made it clear that he will strive for legislation requiring IT companies to release their source codes and encryption keys once he wins the re-election this May. In addition, affected by the incident of PRISM project, the German government is also considering a formal legislation to force IT companies to release software source codes. The Russian government is very cautious about its own security and is trying to force Apple Corp and SAP to open source code so as to ensure relevant products will not be used as tools in monitoring Russian national institutions. Furthermore, countries like Australia, Canada and many other European countries regard the ICT sector as Critical Infrastructure and implemented very strict review processes. As an information technology giant, India has laid out a very comprehensive strategy regarding cyber security as well. Early in 2012, two Chinese companies, Huawei and ZTE were forced by Indian Foreign Investment Promotion Board (FIPB) to reveal their source codes and encryption keys.
The U.S. government’s concern about its enterprise’s interests does not matter its so-called national interests. Actually, the national interests of America do not lie in those companies which claim that their interests are affected, but depend upon related enterprise’s discrepant attitudes towards the maintenance of immediate monopoly interests or the development of long-term competitiveness. There are news reports that Apple’s decision to open its source code to the Chinese government is actually counteracting what Obama administration strives for. However, the media seems to neglect that Apple Inc. has long-period values and pursues maintaining product competitiveness by continuous sustainable innovation.
The Chinese government has fully recognized the costs caused by excessive protection of enterprises in the process of economic transition. Actually, the U.S. is no exception, either, though it boasts itself as a so-called market economy. It should leave corporate behaviors to the market, and allow investment of enterprises to be jointly decided by market mechanism and corporate strategy. Regarding cyber security disputes, the U.S. should take into account China’s actual situation and its defensive psychology as a disadvantaged party in cyber security issues. Let alone overlooking the policy tendencies of other countries in the world. Understanding this will be conducive to ensuring a substantial progress in Sino-US cooperation in network security.