10 September 2018

The Chinese Cyber Sovereignty Concept (Part 1)

by Niels Nagelhus Schia and Lars Gjesvik.

Cyber sovereignty is a distinct concept from the more familiar term cybersecurity, which concerns protecting the infrastructure and processes connected to the Internet. Cyber sovereignty, on the other hand, is concerned with the information and content the Internet provides. China’s cyber sovereignty concept is based on two key principles: The first is that unwanted influence in a country’s “information space” should be banned. In effect, this would allow countries to prevent their citizens from being exposed to ideas and opinionsdeemed harmful by the regime. The other key principle is to move the governance of the Internet from the current bodies, which includes in them academics and companies, to an international forum such as the UN. This move would also entail a transfer of power from companies and individuals to states alone.


Cyber sovereignty is thus the subordination of cyberspace to the interests and values of the state. The concept refers to states’ ability to govern and control its cyberspace i.e. within its territory, ensuring that a country’s cyberspace follows the same rules, norms, and cultural considerations as the rest of society. In their International Strategy of Cooperation on Cyberspace, Chinese officials described the concept accordingly: “Countries should respect each other’s right to choose their own path of cyber development, model of cyber-regulation and Internet public policies, and participate in international cyberspace governance on an equal footing. No country should pursue cyber hegemony, interfere in other countries’ internal affairs, or engage in, condone or support cyber activities that undermine other countries’ national security.”

To understand the concept of cyber sovereignty it is useful to contrast it to the current method of governing the internet, and how it has evolved through history. While the Chinese position is that a states government and military should govern the Internet, the current regime, led primarily by the US, gives a lot of room for influence from individuals and companies. This stems from the creation of the Internet in the nineteen sixties and seventies, when the Internet emerged without any clear coordination or government control, instead of depending on a loose group of individuals influenced by liberal ideas, techno-utopianism, and freedom from censorship. As the Internet continued to reach new communities across the world it was commercialized in the nineteen nineties. In this phase, the introduction of copyright and firewalls, and other private appropriations of the Internet as a public space began to take place. Already towards the end of the nineteen-nineties, scholars such as Saskia Sassen (1998) and Henry H. Perritt (1998) pointed out how the commercialization of internet could threaten its democratic potential because it resulted in private digital networks and firewalled sites. China’s model of Internet governance can be seen as a continuation of this firewalling albeit on the state level.

This part of the cyber sovereignty concept is fairly comprehensible, but there is a great deal of confusion both inside and outside of China on how it will be applied in practice. While the actual enforcements have sometimes been more hapless than repressive, the underlying theme and considerations have been constant. The most famous aspect of the Chinese policy is the Golden Shield project, dubbed “The Great Firewall of China” by western media. The system uses filtering and monitoring of all data at the country’s six data entry-points to prevent information that is deemed harmful from spreading online. There have been voiced concerns that the development could end with the development of a parallel Internet controlled by China. This Internet would be an extension of the heavily controlled Chinese cyber-sphere to the rest of the world. The implications, if this were to occur, would be profound and hard to predict.

China’s new cybersecurity law can be understood as a function or an effect of the Chinese cyber sovereignty concept. Drafts of the new cybersecurity law (in effect since June 2017) had been circulated since July 2015, providing indicators of the direction China is taking. One important part of this law is the requirement that companies that contribute to critical information infrastructure store their data within Chinese borders. As long as “critical information infrastructure” remains ill-defined the potential impact of this law could be very broad. Other important elements in the draft include the storing of basic information about users of the Internet, which would remove the feature of anonymity from the internet. The law also demands compliance of companies in aiding Chinese investigations. Finally, the concept also entails continuing the current censorship of sites deemed harmful to China. Another recent development is the government’s decision to crack down on providers of Virtual Private Networks (VPN). These networks have so far been able to avoid censorship, allowing internet users to access blocked foreign websites. If the crackdown is successful it will entail a much stricter supervision and enforcement of the rules, and a tightening of the control over internet activities.

China’s role in defining, developing, and promoting cyber sovereignty.

The emergence of a clear Chinese stand on cyber sovereignty is in line with the broader trends of Chinese foreign policy. After years of following a low-key foreign policy, China’s emergence as a more assertive power over the last decade has been evident in several areas, not least on cyber. What was once a domain where US companies could operate freely while Chinese ones played catch-up has been replaced by increasingly vocal disagreements on how it should be managed.

For China, cyber sovereignty is a part of a larger term of information security which in turn is critical for China to maintain its core values. China’s concept of cyber sovereignty is in this way pertaining to its need to control the narrative about the country, nation, and the party. This is a holistic approach that does not separate the challenges to maintaining the actual infrastructure of the Internet from the content and information that flows through it. Consequently, China has a predisposal to seeking control and management over the Internet and the content in it. It is not a fully separate concept from cybersecurity, but an authoritarian interpretation of this concept.

China has seen an explosive rise in net connectivity over the last 10 years: whereas only 10% had access to the internet 10 years ago, the number now exceeds 50%, more than 700 million netizens. As information about the state of affairs to an increasing degree comes from the Internet and smartphones the urge to control this information grows with the Chinese leadership. Their dependence on western-made technologies are therefore seen as a gigantic weakness that foreign actors probably are, and at the very least can exploit. Managing this, and achieving a sufficient degree of technological independence, is therefore seen as crucial for the country to remain fully independent.

Contrary to the popular belief of China as an offensive cyber power intent on raiding industry secrets from the west, the main concern of the Chinese government is stability within. The diversity and size of China makes controlling information and managing unrest the most pressing issue, and cybersecurity is no exception. In fact, the issue might be even more pressing, as information dissemination moves from stationary sources, such as network stations and newspapers, to more fluid sources such as blogs and social media. At the very end of 2016 the CAC (Cyberspace Administration of China) presented a new strategy for the cybersecurity including the warning that internet usage for “treason, secession, revolt, subversion or stealing or leaking of state secrets would be punished”, also warning about anyone working with outside forces trying to subvert China’s autonomy.

Over the last few years, the Chinese regime’s approach towards dissenters has become markedly stricter. As the regimes hold over the population tightens the policies towards cyberspace follow suit. The policies on cyberspace, which for a long time were piecemeal and incoherent, have become more uniform and controlled from the very top. In that regard 2014 may in some ways be regarded as a watershed year: It was the year the leading small groups of Central Internet Security and the Information Leading Group, both chaired by president Xi Jinping, were formed. That a sitting president chairs a leading small group sends a strong signal on China’s strong commitment to the issue. During that year the first annual World Internet Conference was also held, the main arena where China promotes its foreign policy and stance on cybersecurity.

Cyber sovereignty was in 2015 described by Lu Wei, then head of Cyberspace Administration of China (CAC), as the difference between a “multi-stakeholder” and a “multilateral” approach. Put simply the difference boils down to what extent the primacy of the state is valid in the cyber domain. The concept is a key part of Chinas broader cyber policy and has been promoted from the highest levels. In a speech held in 2015 Xi Jinping warned the world about the destabilizing prospects of not allowing countries to govern their own cyberspace according to their own rules. However, in late 2016 the Chinese stance seemed to soften slightly when Chinese officials introduced and recognized the term “multi-party governance” as their alternative to the “multi-stakeholder” concept. This “softer” idea of cyber sovereignty was re-stressed in the 2017 “International Strategy of Cooperation on Cyberspace” which emphasized both the need for multilateral governance of the Internet, and of multi-party participation in this governance, including companies, organizations, and technological communities.

This uncertainty indicates a fundamental dilemma facing Chinese policymakers. The Internet is at the same time perceived as a huge threat to Chinese stability and as necessary for Chinese development goals. Striking the right balance between openness and repression is, therefore, a delicate issue. One of the main ways China has tried to balance these two concerns has been by promoting domestic companies and giving them a stake in the regime. Notable businessmen, such as Alibaba-founder Jack Ma, has been given a role in forming and promoting Chinese policies.

This piece continues in part 2.

Dr Niels Nagelhus Schiais Senior Research Fellow, Norwegian Institute of International Affairs [NUPI] and Programme Manager, Cyber Security Centre/Editor, Internasjonal Politikk. Lars Gjesvik is a research assistant in the Research group for Security and Defence, working mainly on cybersecurity. Image Credit: CC by Anssi Koskinen/Flickr.

No comments: