For several years now the Chinese government has been attempting to create a set of standards and norms governing cybersecurity. In the wake of increased trade tensions between the US and China, there is a growing fear among security researchers and investors that these standards may be used to deter or sabotage the efforts of foreign tech firms trying to enter the Chinese market. The set of standards is often simply referred to as the “national cybersecurity standards”. These standards are issued by the Chinese National Information Security Standardization Technical Committee (TC260), a government agency that has issued roughly 300 standards since 2015.
Generally, these standards are seen as recommendations made by the government. They are intended to govern the design and operation of various products, such as routers, firewalls, or even software applications. Some of these standards describe methods of providing the Chinese government with access to sensitive data belonging to Chinese citizens. It further specifies how that data is handled by a particular type of service or piece of hardware. Other stipulations provide a list of acceptable encryption algorithms. Others specify how a product's cross-border data transfer and behavior are to be handled and monitored. According to the Chinese government, these standards are all only "recommended" as mere guidelines for product and service designs and bare no official status for the sale of products on the Chinese market. However, the Center for Strategic and International Studies (CSIS), a Washington-based think tank, in practice, many of these "recommended" standards may actually be required to do business in China without explicitly saying so.
In an article published by the CSIS at the start of August 2018, they argued that although these standards are recommended in terms of status they are a major influencing factor on whether foreign firms can do business in China. An example given by the Washington based think tank is in how the standards are applied to how Chinese state-owned enterprises procure services. In this case, some of the cybersecurity standards are listed as procurement requirements for the government or SOEs (State Owned Enterprises). Further, foreign enterprises may be affected as private Chinese companies may also not buy products from vendors who lack a certification associated with certain standards, as this may also render upstream products non-compliant.
Essentially, that would mean that a product that does not adhere to the standards is almost automatically rendered non-compliant. This could potentially mean that other products related to the one deemed non-compliant are likewise non-compliant. Further, many of these standards set out by the government also imply granting the government access to sensitive data, as a condition for meeting the standard itself. One of the major fears then for foreign firms is the reputational damage that can potentially be caused by such a move. This was currently experienced by Google after the tech giant admitted that it was developing a censored version of its search engine for the Chinese market.
Another one of the fears highlighted in the article is that the mere existence of these standards may be used by government officials as a basis for testing and certification. This, in turn, can result in the pressuring of foreign companies into undergoing invasive product reviews where sensitive intellectual property and source code may be exposed, regardless if explicitly required by the standard itself. When all this is viewed in light of a burgeoning trade war between the US and China, the standards meant for protecting China's national cybersecurity against foreign governments, terrorists, and cyber-criminal groups can be used to advance Chinese interests in retaliation to tariffs. For instance, the standards could be used to block access of US companies to China's market, as seen above.
Another sign of the times came when the US Department of Defence released its Annual Report to Congress detailing security developments in response to Chinese actions. In the report, the DoD is of the opinion that the Chinese army has emphasized the importance of cyberspace for national security because of the country's increasing reliance on its digital economy. Further, the Pentagon believes the Chinese military strategists see cyber operations as a low-cost deterrent that can demonstrate their capabilities and challenge an adversary. These worries are related to a Chinese international cyberspace cooperation strategy in March 2017, which called for the expedited development of a military "cyber force" as an important aspect of the country's defense strategy.
While the report does point to an increase in cyber espionage campaigns by the Chinese, the Chinese government is still of the opinion that it is currently lagging behind the US in terms of personnel and technology. To that extent, the report stated China “is working to improve training and bolster domestic innovation to overcome these perceived deficiencies and advance cyberspace operations.” As a result, the Pentagon is concerned that computer systems around the world, particularly those owned by the US government, continued to be targeted by China-based intrusions through 2017. These intrusions appear focused on accessing networks and extracting information, with China using its cyber capabilities to support intelligence collection against US diplomatic, economic, academic, and defense sectors.
For a number of years, the US has accused China of using hackers to steal US industrial secrets. In 2014 it indicted a number of Chinese hackers, accusing them of industrial espionage, and a similar indictment was made in 2017. However, the US has struggled to come up with a model of cyber deterrence able to stop such attacks and probing by foreign nations, most notably China and Russia. While much of the media attention, particularly in the West, portrays the US and its Allies as targets. It would be interesting to see an analysis of the US’s offensive capabilities since Stuxnet.