It’s never been a worse time to be a Chinese telecom company in America. This evening, the Senate is set to vote on whether to restore a ban on U.S. company sales to prominent Chinese telecom player ZTE, a penalty for its illegal shipments to Iran and North Korea. The bill also includes a measure that would ban U.S. government agencies from buying equipment and services made by ZTE and Huawei, one of its competitors, to tackle cyber threats to U.S. supply chains. Meanwhile, a revelation that Huawei was among the companies with whom Facebook had data-sharing agreements, which allowed device makers to access user data and that of their friends, sparked fears that the Chinese government now possesses a treasure trove of sensitive data on U.S. citizens.
ZTE and Huawei have become flashpoints in the Trump administration’s confrontation with Beijing over cybersecurity, investment, trade, and technological leadership. All this comes as the administration slapped tariffs on $50 billion in Chinese goods last Friday. But amid the hysteria surrounding these two companies, we may be missing a less obvious but potentially more impactful challenge: China’s ambitions to radically overhaul the internet.
In late April, just days after the Commerce Department announced the denial order against ZTE, Xi Jinping, the president of China, gave a major speech laying out his vision to turn his country into a “cyber superpower.” His speech, along with other statements and policies he has made since assuming power, outlines his government’s ambition not just for independence from foreign technology, but its mission to write the rules for global cyber governance—rules that look very different from those of market economies of the West. This alternative would include technical standards requiring foreign companies to build versions of their products compliant with Chinese standards, and pressure to comply with government surveillance policies. It would require data to be stored on servers in-country and restrict transfer of data outside China without government permission. It would also permit government agencies and critical infrastructure systems to source only from local suppliers.
China, in other words, appears to be floating the first competitive alternative to the open internet—a model that it is steadily proliferating around the world. As that model spreads, whether through Beijing’s own efforts or through the model’s inherent appeal for certain developing countries with more similarities to China than the West, we cannot take for granted that the internet will remain a place of free expression where open markets can flourish.
China has been open about its intentions to change how the world addresses development. As part of that vision, for over a decade, it has advocated for something its leaders call “cyberspace sovereignty” as a rebuke to established actors in internet governance like the United States, Europe, and Japan. To advance this model, Xi created a powerful government body to centralize cyber policy. In addition to passing a major cybersecurity law, China has pushed through dozens of regulations and technical standards that, in conjunction, bolster the government’s control of and visibility into the entire internet ecosystem, from the infrastructure that undergirds the internet, to the flow of data, to the dissemination of information online, to the make-up of the software and hardware that form the basis of everything from e-commerce to industrial control systems. In a 2016 speech, Xi called for core internet technologies deemed critical to national and economic security to be “secure and controllable”—meaning that the government would have broad discretion, even without specific written regulations, to decide how it protects information networks, devices, and data.
China’s cyber governance plan appears to have three objectives. One is a legitimate desire to address substantial cybersecurity challenges, like defending against cyber attacks and keeping stolen personal data off the black market. A second is the impulse to support domestic industry, in order to wean the government off its dependence on foreign technology components for certain IT products deemed essential to economic and national security. (In effect, these requirements exclude foreign participation, or make foreign participation only possible on Beijing’s terms.) The third goal is to expand Beijing’s power to surveil and control the dissemination of economic, social, and political information online.
To achieve these objectives, Beijing has instituted standards that force foreign companies to build China-only versions of their products, and to comply with government surveillance policies. Government security audits allow Beijing to open up these companies’ products and review their source code, putting their intellectual property at risk, which was documented comprehensively for the first time last March in a report by the Office of the United States Trade Representative. Article 37 of the cybersecurity law also increases government control over the sort of data that can be transferred out of the country, while unwritten rules reward companies that store data on local servers.
Many of these elements serve a dual purpose: supporting domestic industry while further closing off the internet. Freedom House ranks China as “the worst abuser of internet freedom,” noting that its government affiliates “employ hundreds of thousands or even millions of people to monitor, censor, and manipulate online content.” Such policies also effectively exclude foreign content, leaving Chinese providers with uncontested market openings.
But Beijing wants not only to prevent the United States from interfering with its domestic cyber policies: It also wants to set the tone for how the rest of the world governs the internet. To exert influence on its partners, it uses direct outreach to foreign governments, as well as massive investments in internet technologies through the Belt and Road Initiative, extensive military-to-military cooperation, and growing participation in international institutions.
In 2015, for instance, China selected Tanzania (China is Tanzania’s largest trade partner) as a pilot country for China–Africa capacity-building, giving Beijing substantial influence over Tanzania’s government. China used that influence to foster collaboration around cyberspace governance. Since 2015, Tanzania has passed a cyber-crime law and subsequent restrictions on internet content and blogging activity that parallel China’s content controls. Both have been informed by technical assistance from the Chinese government. At a roundtable in Dar es Salaam sponsored by Beijing, Edwin Ngonyani, Tanzania’s deputy minister for transport and communications, explained, “Our Chinese friends have managed to block such media in their country and replaced them with their homegrown sites that are safe, constructive, and popular.” Among other countries where China invests heavily, Nigeria has adopted measures requiring that consumer data be hosted in Nigeria, while Egypt has pending legislation that would mandate ride-sharing companies to store data in-country while also making it more accessible to authorities. Chinese partners like Ethiopia, Sudan, and Egypt engage in aggressive online content control.
Other countries, meanwhile, have adopted only parts of China’s law. Independent of Beijing, Russia has forged a model akin to China’s, embracing an intrusive government role in cyberspace including the most expansive data localization and surveillance regime in the world. Last week Vietnam adopted a cybersecurity law that mirrors China’s. India has imposed some indigenous technical standards, and is considering legislation to enact domestic-sourcing requirements for cybersecurity technologies.
China’s model appeals to these countries because it provides them with tools to take control of an open internet. Online platforms used for terrorism and political dissent threaten national stability. The Edward Snowden revelations and crippling cyber attacks like WannaCry and Mirai create a sense of vulnerability that China’s model promises to fix.
The most alluring feature of the China model appears to be content control, as a broad range of China’s neighbors and partners engage in blocking, filtering, and manipulating internet content. Also alluring: its rules for storing data on servers in-country, which can help law enforcement and intelligence officials get access to user information.
The problem with China’s model is that it crashes headlong into the foundational principles of the internet in market-based democracies: online freedom, privacy, free international markets, and broad international cooperation. China’s model may also not even be effective in delivering on its promises. For example, government-imposed content-control measures have proven to be poor tools in fighting online extremism. Filtering or removing online content has been compared to a game of “whack-a-mole,” making it ineffective and cost-prohibitive. Such controls also suppress countervailing discourse from key anti-extremism influencers, which have proven to be effective in offering compelling alternative narratives and discrediting extremist ideas.
The implications for the strength and resilience of the global internet ecosystem are troubling. China’s control-driven model defies international openness, interoperability, and collaboration, the foundations of global internet governance and, ultimately, of the internet itself. The 21st Century will see a battle of whether it is the China model or the more inclusive, transparent, collaborative principles that underpinned the internet’s rise that come to dominate global cybersecurity governance.