Cyber Security in China: Internet Security, Protectionism and Competitiveness: New Challenges to Western Businesses

Cyber sovereignty, intensified internet censorship, shadow IT economy.

by Hauke Johannes Gierow

MAIN FINDINGS AND CONCLUSIONS

 Censorship and restrictions on internet connections place constraints on

 China is resolutely moving forward with development of its own IT industry.
China as a business location. Concerns about IT espionage and theft of
It is also isolating itself from international IT technology. By exercising
company secrets driving international businesses to transfer personnel or
control over major state-run businesses, the PRC is also maintaining its
entire departments to other Asian countries.
sovereign position in the IT sector.

 Chinese internet users are threatened by a shadow IT economy. Illegal

 The government supports the international expansion and sales endeavours
programs are often installed on computers and are not provided with security
of Chinese IT companies – the ‘national champions’. This blend of political
updates. Hackers can gain access to these unprotected computers and use
and economic factors frequently gives rise to security questions among
them as a base for worldwide attacks.
customers from Western countries.
 Instead of insistently calling for fundamental changes in Chinese internet
 China is developing parallel standards in the software and hardware sectors.
policy, the Federal Government of Germany ought to negotiate specific
In addition, alternative encryption standards, operating systems and
improvements for German businesses, for example in terms of market
competing app stores are earmarked for enhancing China’s independence
access or protection of intellectual property rights.
in the IT sector. However, inadequate quality regulations are posing a threat
to IT security.
1 No internet security without independent At the same time, sealing the domestic market off Chinese IT companies such as ZTE, Lenovo and
technology from external influence is intended to foster the Datang Mobile.
development of industrial and innovation policies in Chinese companies are becoming increasingly
At the beginning of 2014, an alliance of fifteen China: the government in Beijing wants to successful in the field of IT infrastructure, a fact that
private Chinese IT manufacturers was founded in strengthen the competitiveness of domestic IT is partly due to state support. In addition to Huawei
the Beijing district of Zhongguancun ( 中 关 companies 3 (see issue 20 of MERICS China and ZTE, both network equipment suppliers of
村), the Chinese equivalent of Silicon Valley. They Monitor). international repute, new companies are also
stepped up endeavours to develop a Chinese gaining a foothold in the market now: businesses
operating system based on Linux that would run on 2 Cyber security: opportunities and costs for such as Inspur and Dawning Industries ( 曙光) are
government computers and the computers of the Chinese IT economy using Chinese technology to develop servers and
security relevant businesses such as banks. By supercomputers for complex computing tasks, up
taking this step, Beijing hopes to gain 2.1 Targeted promotion by the state to now mostly for the domestic market (see Figure
protection from espionage from the USA and 1). This technology is particularly relevant to
demonstrate the innovative power of the The Chinese government has succeeded in secure networks since even small mistakes in
Chinese IT economy.1 promoting a dynamic IT industry with robust the programming code can destroy the basis
In spite of the rampant growth of its IT industry, private companies while retaining control over for secure IT products.
China is still dependent upon foreign technology at the sector. State-run telecommunications China will become more independent of foreign IT
the moment. According to Xinhua, the state news companies (China Telecom, China Unicom and products in the years to come. However, there is no
agency, ninety per cent of its microchips and sixty- China Mobile) dominate the market with their consensus among experts on whether this
five per cent of its firewall products originated in investments. Decisions they make, usually independence will enhance network security on the
other countries in 2012, primarily the US. 2 The approved by the government, determine what kind whole. Meeting quality standards, for instance by
government views foreign technology as a potential of technologies will be developed, thus defining the monitoring the supply chain or having an
threat to national security. Covertly installed back framework conditions for the industry and its independent examination of the source code, is a
doors enable surveillance of computers and regulation.4 In addition, the government promotes crucial criterion for software security. Many IT
networks, for example. Therefore, stringent its own technological standards through state-run companies in China ignore these standards,
constraints on the use of foreign IT products are programs, generally in close collaboration with though.
already in place in areas critical to security.

©
Encryption technologies are a different problem: Figure 1: Chinese IT suppliers and their Western competitors (by the author, Hauke Gierow)
This part of the IT infrastructure not only protects
hard drives and documents, but it also shields
internet connections from unauthorised access.
However, the strict import regulations imposed on
Chinese companies only allow them to adopt
international encryption standards such as RSA,
which is used by many governments and
corporations, in exceptional cases. Instead, they
must rely on Chinese encryption methods, which
only provide partial protection. Chinese suppliers
have to deposit a type of ‘skeleton key’ with the
National Encryption Leading Group (国家密码管理局
) (referred to as the Key Escrow procedure).5 This
procedure protects data from hackers and foreign
governments, but the government in Beijing can
gain access to it at any time via the skeleton key.

2.2 Going out – both an opportunity and

challenge for Chinese companies

With their products, Chinese IT firms are

stepping up competition with Western
companies in developing and emerging pursued the ‘Going Out’ strategy ( 走 出 去 ) ever sector as well. Low-interest loans and the active
countries. since 1999. This is used to support successful support of Chinese embassies are the tools with
The Chinese Ministry for Industry and Chinese companies and make them internationally which the government intends to enhance the
competitive. It has been expanded to include the IT competitiveness of these national champions on
Informatisation (中华人民共和国工业和信息化部) has

©
international markets. 6 Huawei, for example, was company is setting up ‘local clouds’ in key markets 2.3 Alternative ecosystems: their own app
granted a low-interest loan of ten billion USD by the such as India. Local users can deposit their stores and operating systems, but with security
China Development Bank to finance its contacts, calendar entries and other data there gaps
international expansion.7 instead of in China. This measure is probably
But this systematic promotion of the IT sector also intended to build up user confidence in the brand Users in China are situated in a unique digital
presents problems for Chinese companies: more than anything else, however. ecosystem. Chinese alternatives have been
technology from the PRC is perceived as a threat In spite of initial misgivings, Chinese companies developed for many applications from the West.
to security by other countries, even though there are already enjoying great success in some foreign In Germany, users of Android devices download
has been no concrete evidence that the markets. Huawei and Lenovo now rank among the apps or digital content such as films and books
government has placed any back doors in routers, leading manufacturers of IT products for the primarily through Google’s own app store, Google
mobile phones or other devices to date. Huawei European and American consumer market, for Play. However, Google Play is blocked in China,
offered to equip the London Underground with example. Lenovo actually overtook Hewlett- and companies such as Baidu, Tencent or Qihoo
mobile wireless technology for the 2012 Olympic Packard, the previous market leader in the PC 360 offer alternative app stores. Compared to
Games free of charge, an offer worth more than sector, in 2014 by securing a market share of Google Play, however, they have severe security
500 million CNY (approx. 65 million EUR), but the almost seventeen per cent.10 drawbacks. A review of 7,000 apps infested with
reasons. 8
British side rejected the offer for security Chinese IT companies even keep pace with global viruses revealed that 95 per cent of them were
Both businesses and the Chinese government are leaders in the area of mobile-communications offered in Chinese app stores. 11 A mobile-phone
now trying to stem the loss of confidence in their infrastructure. While the Chinese alternative to virus developed by a student infected over 100,000
products. Huawei, for example, has launched a UMTS, TD-SCMA, is only used in Nicaragua and Android devices in China within only a few hours.
transparency drive to deal with concerns in Europe. Zimbabwe outside China, networks with the new The virus spread via the user’s address book and
The company has established a research centre in Chinese FDD-LTE are part of network enabled control over almost all of the device’s
the UK to enable independent security audits of infrastructure in Germany and other European telephone functions.12
their program code by the British government.9 countries. The Chinese government also plans to distribute
The world’s third-largest mobile phone alternative systems on the PC market. For more
manufacturer, Xiaomi ( 小 米 ), is employing a than five years, it has therefore been pushing the
different tactic: to eliminate concerns about back development of its own operating systems hard.
doors in their own cloud services in China, the From 2015 onwards, fifteen per cent of all

©
computers in every official office are to be huge undertaking with considerable financial suspect that the Chinese government was behind
converted from Windows to Chinese operating repercussions. By comparison, the sector’s leader, the attack or at least knew about it.16 However, just
systems. The best-known systems are NeoKylin Facebook, employs a total of only 8,500 staff a few days later, Apple’s chief executive, Tim Cook,
OS and Red Flag Linux. Chinese technologies worldwide.14 went to Beijing and held discussions with key
have not reached full maturity yet, however: users Internet censorship also impairs the development decision-makers at party headquarters,
complain about compatibility problems, lack of of software and apps. Google and other ISPs grant Zhongnanhai (中南海). This shows that Beijing has
software alternatives and inadequate user- developers global access to program libraries and to deal with security reservations on the part of
friendliness – a deficit expected to be eliminated by web fonts free of charge. This service helps large Western companies in spite of its market
domestic IT companies forming an alliance, as programmers save time and money. Since data in power.17
mentioned earlier. China is blocked by internet censorship, Other companies also feel the impact of cyber
programmers there have to redevelop the data attacks and censorship. International collaboration
2.4 The high cost of internet censorship themselves.15 with services such as Gmail, Google Docs or
Dropbox is becoming increasingly dysfunctional.
Isolationism and protectionism lead to another 3 Cyber security – a key location factor for
The same applies for virtual private networks
problem for Chinese IT companies: the foreign companies
(VPNs), with which users seek protection for
obligation to censor the internet. Not only does information and business secrets. 18 Routine
3.1 Censorship and cyber attacks hurt business
censorship affect freedom of speech, but it also workflows of global corporations only function to a
impacts the entire economy. Foreign companies in China must comply with limited extent in the People’s Republic of China. In
Operating a social network in China is expensive. ever more stringent regulations in the IT sector, international companies, for instance, many
The State Council Internet Information Office (国家 impeding their ability to protect business business applications such as statistics and
互 联 网 信 息 办 公 室 ) places tight restrictions on secrets and hindering international co- database programs are not run on local computers,
information from the internet. To comply with these operation. but rather on servers based at corporate
controls, ISPs are required to employ two to three China represents the largest market in the world for headquarters. If connections are slow or VPNs
censors per 50,000 users.13 For Sina Weibo, with Apple; the iPhone is very popular there. In October unstable, these applications cannot always be
around 300 million users, this means employing 2014 it became known that hackers had targeted
15,000 people for the sole purpose of monitoring data transmission to the company's iCloud service.
the content of the web pages the users invoke – a Due to the complexity of the hack, IT experts

©
accessed from China. Even simply transferring files Figure 2: Internet censorship and competitiveness (by the author, Hauke Gierow)
to colleagues in other countries can be a trying
experience.
More than half the American companies
questioned in a recent survey by the American
Chamber of Commerce in China indicated that
internet censorship is detrimental to their business
(see Figure 2).19 Recently stepped-up blockades of
websites and online tools have accelerated this
tendency even further. Over eighty per cent of the
European companies in China report of negative
impact on their business prospects. Thirteen per
cent have even postponed investments in R&D due
to current events.20
The media report that international corporations
such as General Motors are already in the process
of moving their Asian headquarters to Singapore,
Japan or Vietnam. Their reasons for doing so
Question asked: How does censorship of content on the internet impact the ability of your company to
include not only censorship, but also factors such conduct routine business in China? Source: AmCham China (2014): 15f.
as poor air quality and inadequate protection of
intellectual property.21
Many companies, including those in the digital American cyber-security companies and the FBI 3.2 Parallel technical standards are a challenge
sector, have been complaining about industrial blame the Chinese government for supporting and to Western companies
espionage for years. Company secrets and even engaging hackers. Hard evidence of this is
construction plans are favourite targets of Chinese scarce, however, as professional hackers are Western suppliers on the Chinese market have
hackers. capable of covering their tracks or leaving false to conform to parallel Chinese IT standards.
trails. The Chinese wireless LAN technology called WAPI

©
(‘WLAN Authentication and Privacy Infrastructure’) 4 Illegal IT shadow economy worldwide: 26 if security gaps are not closed up,
is one example. Even though WPA2 encryption has criminals can gain access to users’ devices and
become the international standard, China has 4.1 Piracy poses a security problem employ these as ‘zombie computers’ in botnets.
deliberately gone separate ways since 2003. For This enables them to steal additional access data
foreign suppliers of routers and WLAN-compatible Disputes between Chinese and Western IT from users or attack websites or network
devices, this means they have to share their source companies over their market share and market infrastructure. Illegally sold operating systems also
code with one of eleven licensed Chinese IT access are rather secondary to the security of frequently contain deliberately embedded viruses.
companies and contribute to the development of users in China. For them, it is imperative that
the WAPI standard. Due to insufficient WAPI they are able to shop securely online and that 4.2 Hacker networks in China
support, Apple was not allowed to sell the first their computers cannot be hacked.
version of its iPhone in China in 2010 until Criminal hackers are a menace to the well-being
adjustments were made.22 There are major electronics markets in cities such and privacy of Chinese internet users. Illegal
Now, Apple will be the first Western IT company to as Shenzhen and Hong Kong. Visitors have a wide services are unabashedly offered in public
have its products tested in China for compatibility selection of software and hardware products to forums, so there is obviously little fear of
with Chinese security standards. Lu Wei, head of choose from, many of which are manufactured and prosecution.
the State Council Internet Information Office, made distributed illegally, however. The ways and means with which illegal services are
an announcement to this effect in January 2015. Software piracy is clearly harmful to Western offered and advertised in China differ
Thus, the company is presumably sharing manufacturers: according to their own figures, they fundamentally from those in Western countries.
confidential information with the government.23 IT lose billions in licence fees. Former Microsoft head While trade in stolen passwords or credit-card data
companies such as CISCO, Qualcomm and Steve Ballmer, for instance, once indicated that generally runs via encrypted networks, Chinese
Microsoft will also have to make concessions if they ninety per cent of the company’s products in China hackers co-ordinate their illegal activities in open
want to enjoy continued access to the Chinese were being used illegally. 25 What’s more, pirated chat groups in QQ or forums run by Baidu. One
market in the future.24 copies generally do not include any security reason for this is that Tor27, an internet anonymizer
updates, a fact that is especially problematical in service, is blocked in China.
key components such as operating systems. A wide variety of often reasonably priced services
Susceptible devices are not only a security hazard is offered. Criminals can purchase access to
for their users, they also threaten network security servers with which they can infect users with

©
malware or send spam messages. Custom-made internet governance, which has been dominated by property or secure market access for German
Trojan horses or creation of counterfeit sign-in the West up to now. companies.
pages for banks and social networks are also
available – thus, PCs and smartphones can also be As far as IT services and products for high-tech
spied on (see Figure 3). sectors are concerned – for instance in the area of Your contact for this issue of China Monitor:
Hauke Gierow
Industry 4.0 and specialised business software –
[email protected]
5 German policy against Chinese protectionism German companies can rely on their Editor: Silke Ballweg
competitiveness in the face of Chinese rivals. The
China’s steady expansion of its own IT industry and question is, for how much longer? It would Publisher’s details:
growing isolation from foreign products have been therefore be wise for Germany to pursue a policy Mercator Institute for China Studies
Klosterstr. 64
felt keenly by international manufacturers. that has already proved to be effective in other
D-10179 Berlin
Germany’s cyber policy towards China must be fields. 28 Instead of working towards fundamental phone: +49 30 3440 999-0
prepared for conflict. In the long run, China will not change in Chinese cyber security, the Federal e-mail: [email protected]
agree to become integrated into a cyber-security Government of Germany should focus on www.merics.org
system defined by Western concepts. In fact, pragmatic goals that are attainable in practice. After
Beijing is already working with other newly all, there are enough urgent topics to be dealt with
industrialised countries on parallel standards for as it is, such as better protection of intellectual

Figure 3: Sample of ‘services’ offered by criminal hacker networks (by the author, Hauke Gierow)

Source: Trend Micro (2013).

©
1 Zhang, Yu (2014). ‘Homegrown developers look to unseat to-probe-huaweis-cybersecurity-evaluation-center.html. 19
American Chamber of Commerce in China (2013). ‘Business
Microsoft's dominant OS’, Accessed on 22 October 2014. Climate Survey 2013’,
http://www.globaltimes.cn/content/887716.shtml. Accessed on 10
Gartner (2014). ‘Gartner Says Worldwide PC Shipments http://web.resource.amchamchina.org/cmsfile/2013/03/29/0640
24 October 2014. Declined 6.9 Percent in Fourth Quarter of 2013’, e5a7e0c8f86ff4a380150357bbef.pdf. Accessed on 24
2
Zhangwei 张卫 (2012). ‘信息安全的机遇与挑战’ (Opportunities http://www.gartner.com/newsroom/id/2647517. Accessed on September 2014.
and Challenges of Information Security). 22 September 2014. 20
The European Chamber of Commerce in China (2015).
http://news.sohu.com/20120416/n340660958.shtml. Accessed 11
Eddy, Max (2013). ‘Nearly 7,000 Malicious Android Apps ‘Internet Restrictions Increasingly Harmful to Business, say
on 15 September 2014. Infest China's Appstores’, European Companies in China’,
3
Zhonghua renmin gongheguo guowuyuan 中华人民共和国国 http://securitywatch.pcmag.com/mobile-security/315218- http://www.europeanchamber.com.cn/en/press-
务院 (2012). ‘国务院出台意见推进信息化发展切实保障信息安 nearly-7-000-malicious-android-apps-infest-china-s-appstores. releases/2235/internet_restrctions_increasingly_harmful_to_bu
全’ (The State Council publishes a document on promoting the Accessed on 22 September 2014. siness_says_european_companies_in_china. Accessed on 17
12 February 2015.
development of informatisation and for the protection of cyber Muncaster, Phil (2014). ‘Chinese Heart App Virus Slams
21
security). http://politics.gmw.cn/2012- 100,000 Android Phones’, http://www.infosecurity- Bradsher, Keith (2014). ‘Looking Beyond China, Some
07/17/content_4571519.htm. Accessed on 14 August 2014. magazine.com/news/chinese-virus-100000-android-phones/. Companies Shift Personnel’,
4 http://www.nytimes.com/2014/09/10/business/international/look
Ernst, Dieter and Naughton, Barry (2008). ‘China’s emerging Accessed on 22 September 2014.
industrial economy: insight from the IT industry’, in: McNally, 13
King, Gary, Pan, Jennifer and Roberts, Margaret E. (2014). ing-beyond-china-some-companies-shift-personnel.html?_r=0.
Christopher A. (ed.) (2008). China’s Emergent Political Accessed on 30 November 2014.
‘Reverse-engineering censorship in China: Randomized 22
Economy – Capitalism in the dragon’s lair, 39–59. London and experimentation and participant observation’, Science 345 Ricker, Thomas (2010). ‘Chinese iPhone approved with
New York: Routledge. (6199): 1–10. WAPI WiFi’, http://www.engadget.com/2010/05/04/chinese-
5 iphone-approved-with-wapi-wifi/. Accessed on 30 November
Cloutier, Christopher T. and Cohen, Jane Y. (2011). ‘Casting 14
Facebook Newsroom (2014). Company Info.
a wide net: China’s encryption restrictions’, 2014.
http://newsroom.fb.com/company-info/. Accessed on 30 23
http://www.kslaw.com/imageserver/KSPublic/library/publication November 2014. Shouji zhongguo wang 手机中国网 (2015). ‘苹果成全球首个
/2011articles/11-11WorldECRCloutierCohen.pdf. Accessed on 15
Bradsher, Keith and Mozur, Paul (2014). ‘China Clamps 接受中方网络安全审查的公司’ (Apple will be the world’s first
15 August 2014. company to have network security tested by the Chinese),
6 Down on Web, Pinching Companies Like Google’,
Wang, Yukai 汪玉凯 (2014). ‘中央网络安全与信息化领导小组 http://www.nytimes.com/2014/09/22/business/international/chin http://t.m.china.com.cn/convert/c_uPId9W.html. Accessed on
的由来及其影响’ (The origins and impact of the Central Cyber a-clamps-down-on-web-pinching-companies-like- 22 January 2015.
24
Security and Informatisation Leading Group). google.html?_r=0. Accessed on 25 September 2014. Mozur, Paul (2015). ‘New Rules in China Upset Western
http://theory.people.com.cn/2014/0303/c40531-24510897.html. 16
Franceschi-Bicchierai, Lorenzo (2014). ‘Apple Addresses Tech Companies’,
Accessed on 22 October 2014. iCloud Attacks While China Denies Hacking Allegations’, http://www.nytimes.com/2015/01/29/technology/in-china-new-
7 cybersecurity-rules-perturb-western-tech-
Nolan, Peter (2014). Chinese Firms, Global Firms: Industrial http://mashable.com/2014/10/21/apple-icloud-attacks-china/.
Policy in the Era of Globalisation. New York: Routledge. Accessed on 22 October 2014. companies.html?ref=business&_r=0. Accessed on 2 February
8 17 2015.
Fauna (2011). ‘Huawei’s London Underground Bid Blocked, Lovejoy, Ben (2014). ‘Tim Cook meets with Chinese vice 25
Chinese Reactions’, premier in Beijing following iCloud phishing attack’, Brodkin, Jon (2011). ‘Ballmer to Hu: 90% of Microsoft
http://www.chinasmack.com/2011/stories/huaweis-london- http://www.techgreatest.com/apple-news/tim-cook-meets-with- customers in China using pirated software’,
underground-bid-blocked-chinese-reactions.html. Accessed on chinese-vice-premier-in-beijing-following-icloud-phishing- http://www.networkworld.com/article/2199038/software/ballmer
30 November 2014. attack/. Accessed on 3 December 2014. -to-hu--90--of-microsoft-customers-in-china-using-pirated-
9 18 software.html. Accessed on 30 November 2014.
Kan, Michael (2013). ‘UK to probe Huawei's cybersecurity Arthur, Charles (2011). ‘China cracks down on VPN use’, 26
evaluation center’, http://www.pcworld.com/article/2044722/uk- http://www.theguardian.com/technology/2011/may/13/china- Gantz, John F. et al. (2013). ‘The Dangerous World of
cracks-down-on-vpn-use. Accessed on 3 December 2014. Counterfeit and Pirated Software’, white paper no. 239751.

©
 28
Heilmann, Sebastian (2014). ‘Lob der Nischenpolitik – part of the initiator in China’s current policy’), Internationale
Deutschland spielt in Europas China-Politik heute die Rolle des Politik, September/October, 34–43.
http://news.microsoft.com/download/presskits/antipiracy/docs/I
DC030513.pdf. Accessed on 22 October 2014. Impulsgebers’ (In praise of niche politics: Germany plays the
27
The Onion Routing (Tor). One way to circumvent Internet
censorship.