The Art of Cyberwar
For most of the day on a recent Friday, internet users in the US could get a taste of what life is like for their compatriots living in China. Beginning around breakfast time on Oct. 21, several popular websites – such as Twitter, Netflix, and Spotify – were seemingly unavailable for millions of users across the US east coast. The cause of the disruption was a massive cyberattack, now estimated to be the largest distributed denial-of-service (DDoS) attack on record. Peaking at 1.2 terabits per second, roughly equivalent to streaming 320,000 high-definition movies simultaneously, the attack was more than double the size of the previous record holder. While expatriates living in China might be used to poor or non-existent connectivity to Twitter, the unexpected disruption in the US has attracted growing attention from government and security officials to the transnational nature of cybersecurity.
The perpetrators of the attack are still unknown, but the technical means for the attack can be traced to a variety of internet-connected devices produced in China. Digital video recorders, security cameras, and even baby monitors connected to the internet were hijacked by hackers and weaponized into a network of devices commanded by the attackers and directed at Dyn. Hangzhou XiongMai Technology produced almost all the devices used in the attack, which were targeted because of their weak default security settings and passwords. While XiongMai eventually issued a software patch for the vulnerability and recalled products with more serious flaws, the implications for cybersecurity are of massive concern to policymakers and security researchers alike.
Of similar concern to foreign businesses in China is the new Cybersecurity Law. Despite the massive growth in data generated by devices that are connected to the internet, legal developments have not kept pace with the modern realities regarding data privacy and security. According to the Chinese government, this fact was the impetus for the newly-passed Cybersecurity Law, approved in its third reading on Nov. 7 by the Standing Committee of the National People’s Congress. China’s new Cybersecurity Law goes into effect June 1, 2017, despite the strong objections of more than 40 business groups, including AmCham China. While the government's impetus for passing the law might be improving China's cybersecurity, the harsh data localization and national security measures included in the law have led some experts to speculate that a more protectionist motivation is masquerading as “cyber-sovereignty.”
Things on the Internet
A DDoS attack relies on overwhelming websites with millions of connections at the same time, usually through computers that have been infected with malicious programs. The target of the October attack was an internet infrastructure company named Dyn, based in New Hampshire. Dyn functions as a “phone book” for websites, turning the names of websites into the numbered address of the website’s server. (For example, www.amchamchina.org is the name for the numbered address of 22.214.171.124). Dyn provides this service to dozens of companies for their websites, including The New York Times, Reddit, and WIRED.com. As a result, the attack took down service to companies’ websites for a wide swath of users in the US.
The devices used in the attack are part of the so-called “Internet of Things” (IoT) – everyday devices with internet connectivity. In recent years, these “smart” products have exploded in popularity. Wearable health monitors, air filters, and even utilities meters can now connect to the internet, which offers huge benefits in convenience for consumers. IoT devices are ubiquitous in transportation and logistics, especially in the Chinese market, and have even penetrated industrial settings and production lines.
China is positioned as a leader in IoT-related enterprises, due in large part to extensive government support for the industry. In addition to industry guidance and standardization efforts, in 2011 the Chinese government established a fund for IoT research and development projects worth RMB 500 million, which has supported more than 381 companies. Globally, the total number of machine-to-machine (M2M) connections is expected to triple from 4.9 billion in 2015 to 12.2 billion in 2020, according to a 2016 study by technology giant Cisco.
Cybersecurity or e-Protectionism?
In December 2015, President Xi Jinping delivered a speech at the Second World Internet Conference in Zhejiang province that provides some insight into the spirit of this new law. Addressing the world leaders from four other countries, Xi explained his vision of every country’s “internet sovereignty” and right to choose how they engage with international cyberspace. Some observers have criticized China’s vision of internet sovereignty as tantamount to the creation of a Chinese “intranet,” with tight controls over access to the world-wide version of the web. Beyond the academic discussion of “sovereignty” as enshrined in the United Nations Charter, this vision of internet sovereignty is causing increasing concern among the foreign business community in China.
When the law was opened for public comment, more than 40 trade groups, including AmCham China, signed a letter to Premier Li Keqiang advocating major changes, most of which were ignored. The most obvious effect of tightened internet controls in China is blocking certain products or websites for people within the Mainland. While simultaneously the best excuse for avoiding people on Facebook and the worst excuse for not reading the Wall Street Journal, the Great Firewall of China is not a new phenomenon. This law does, however, establish new and mandatory security reviews for internet technology (IT) products. For technology companies, especially those that produce networks components and other hardware, these reviews could make it impossible to compete domestically. While these requirements affect a relatively narrow (albeit significant) segment of the technology industry, other elements of the legislation will indiscriminately cast a shadow over foreign companies operating in the Mainland.
The Lay of the Law
The broad language of the Cybersecurity Law seems to indicate that the regulations will apply to almost every company operating in China. Article 76 of the law defines a “network” as “any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information.” Additionally, “network operators” are any “network owners, managers, and network service providers.” Taken together, these two definitions could ostensibly mean that any company that has networked devices, even merely an internal network or a website operating in China, will have to comply with the legislation’s requirements.
One of the most worrisome aspects of the new law is Article 28, the requirement for “network operators” cooperate and provide technical support to security authorities for reasons of national security of criminal investigation. While clear guidelines may be forthcoming that narrow the scope of “technical support,” in its current form there is little to prevent security authorities from interpreting the law as providing expansive access to private information, trade secrets, intellectual property, or internal business communications. The Cyberspace Administration recently began security reviews for technology products from major companies, even going so far as to demand confidential source code from Apple; the new law makes this review compulsory for a subset of network operators.
“Critical information infrastructure,” as a term introduced by the law, encompasses “public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security, national welfare and the people's livelihood, or the public interest…” As a more narrowly defined subset of network operators, critical information infrastructure operators (CIIOs) are also covered by more strict regulations.
Especially notable is the new data localization requirement, which would require companies that fall into the CIIO category to store any personal data on Chinese citizens and other important business data on servers physically within Mainland China. For international companies with offices in other countries, this requirement could prove to be especially restrictive, even requiring a massive change in data architecture and business operations.
[For a more in-depth look at the law's requirements, please read the Legal Update column, written by JunHe LLP's Wei Chen.]
The mere uncertainty about the definition of CIIOs and how data localization requirements will affect cross-border data flows is enough to disrupt business-as-normal in China. In October, Airbnb announced the creation of a new entity – Airbnb China – that will process and store reservation data for both traveling and hosting in China. Airbnb’s email to customers cited “Chinese laws and regulations” as the reason for the change, just a few days before the passage of the Cybersecurity Law. Airbnb follows in the footsteps of other data-centric companies that have established separate China services, including Evernote’s launch of yinxiang biji (印象笔记) in 2012. According to Evernote’s blog announcement, the US version of Evernote is managed from servers in California and complies with US data privacy laws, while the Chinese version is managed from Beijing and complies with Chinese data laws.
Rather than isolated events of international companies dividing up their operations, these seem to be data points on the trend of an increasingly political segregation of the internet. AmCham China has been especially vocal in opposing the balkanization of the global internet – in April 2015, as part of the Policy Spotlight series, AmCham China published a report that specifically warned against data localization policies becoming a barrier to trade. When the second draft of the Cybersecurity Law was opened for public comment, AmCham China issued a statement and led extensive lobbying efforts by more than 40 industry groups against the most damaging aspects of the law.
While the intent of the law is to improve the security of China’s cyberspace, experts doubt that the new law will accomplish this. Much of the world’s internet traffic passes through servers and internet architecture in the US, a reality that has caused China to focus on developing domestic companies and products for its own internet architecture. In fact, China has cited intelligence leaks revealing extensive US cyber-espionage programs as one of the major considerations in the push for new protections. The new law is an attempt to improve cybersecurity, but making it harder to innovate new security products and putting up barriers to data movement may not solve these problems.
The physical location of the servers containing sensitive data is not regarded as an important factor in the security of that data. Even networks that are not connected to the internet are vulnerable to attacks. In 2010 it was revealed that an attack using the now-famous Stuxnet virus was able to destroy Iranian centrifuges at a nuclear facility by stealthily infecting the computers that controlled them. The computers at the Iranian facility were not connected to the internet, however, so the virus first targeted engineering companies that were providing technical support to the facility. Eventually, a USB stick was infected that made its way into a computer at the facility, where the virus spread and surreptitiously destroyed the sensitive equipment.
In addition, cloistering sensitive data in “silos” and producing domestic internet infrastructure components can even make threats more salient. Storing the most valuable data in one “honeypot” can attract greater attention from hackers and increases the impact of a breach. Cybersecurity commentators have also argued that data localization policies and domestic provider requirements will actually make information more vulnerable. Choosing a product on the basis of national origin rather than quality can make it more likely that weak or outdated security features are left undiscovered or improved slower than evolving threats. Experts believe that these two aspects will make foreign surveillance or malicious attacks more successful and frequent, producing the opposite of the law’s stated objectives. Cybersecurity solutions can be developed by more cooperation and data access, not less. High-profile IT companies and security experts are working on using big data from a variety of sources to detect threats earlier and respond faster. Having more information about attacks and vulnerabilities allows companies to develop innovative solutions to transnational cybersecurity problems. Research and development needs more speed and more data to be successful.
The desire to improve the security of important networks and data is understandable, especially considering how significant the internet has become in business life. Before the law comes online in 2017, the relevant bodies of China’s government will develop the standards for compliance. In this critical period, the norms of global internet governance offer expert guidelines that might offer some predictable basis for businesses in China.
Addressing the 2016 World Internet Conference attendees by video a week after the new Cybersecurity Law was passed, President Xi Jinping reiterated the importance of cyber sovereignty and explained his vision for the internet. "The development of the internet knows no international boundaries. The sound use, development and governance of the internet thus calls for closer cooperation," Xi said. Perhaps this is an indication that China will be looking to implement the law in a way that can enhance international governance similar to existing norms.
One example for China could be the EU-US Privacy Shield agreement ratified in July of 2016. In October 2015, the European Supreme Court struck down the previously existing “Safe Harbor” agreement, threatening the operations of more than 4,700 businesses relying transatlantic data flows. After months of hurried negotiations, European representatives voted on July 8, 2016, to approve the replacement data agreement and its stricter controls on data.
Notably, the largest political party in the European Commission, the European People’s Party, supported the new law. “Clear and uniform rules are a key element of business development and growth,” wrote Axel Voss, a member of the European Parliament. Voss added: “Free cross-border data flows between the EU and the US are of paramount importance to our economies, trade and investment. Data flows are a key element for the competitiveness of business.”
During the cyberattacks that shut down popular online sites in the US last month, companies such as Amazon and PayPal were cut off from customers, providing a short glimpse of what the internet looks like when hobbled by barriers to data transfer. Adopting measures that make data flows more difficult risks undoing the benefits of globalization and free trade, just as the burgeoning Internet of Things is bringing economic and efficiency gains to companies and customers alike. AmCham China’s Chairman, James Zimmerman, argued that the solution lies in continued cooperation between the private and public sectors, as well as national governments. “Cybersecurity is too complex and dynamic for any government to tackle single-handedly,” he said. “It requires cooperation between the public and private sectors across national boundaries.”
Aaron Kruse is the content editor at AmCham China.