Author Archives: Graham Webster

U.S.–China Week: ‘Consensus’ at D&SD? Trump to China this year, Cornyn’s CFIUS changes, Alibaba to Detroit, Ford and Tesla to China (2017.06.26)

Welcome to Issue 104 of U.S.–China Week. New out this week is an essay by Hong Yanqing of Peking University, translated by Paul Triolo and myself, and published as a working paper by the Paul Tsai China Center at Yale Law School. Hong, who has worked for the Cyberspace Administration of China (CAC) and is a key participant in the TC260 standards-setting process under CAC, provides detailed and uncommonly authoritative insight into how Chinese policymakers view the scope, process, and intention of new regulations on the cross-border flow of data stemming from the Cybersecurity Law and related documents. Foreign businesses, governments, and trade associations—as well as Chinese companies who operate across borders—have concerns ranging from uncertainty over the rules’ meaning, to compliance challenges, to the potential for de facto trade and market access barriers. Hong’s essay will not eliminate all of these concerns, but his account provides important details not generally available in English. Read it here.

As always: Please encourage friends and colleagues to subscribe to U.S.–China Week. Here is the web version of this issue, ideal for sharing on social media, and you can follow me on Twitter at @gwbstr. Please send your comments, quibbles, and suggestions to [email protected].

SUMMIT CIRCUIT
U.S. and Chinese officials hold first ‘D&SD’ in Washington; Trump state visit to China expected in 2017

Secretary of State Rex Tillerson and Secretary of Defense Jim Mattis held the first Diplomatic and Security Dialogue (D&SD) meeting with State Councilor Yang Jiechi and People’s Liberation Army (PLA) Chief of the Joint Staff Gen. Fang Fenghui. President Donald Trump set an uneasy stage for the meeting, writing on Twitter, “While I greatly appreciate the efforts of President Xi & China to help with North Korea, it has not worked out. At least I know China tried!” Pre-meeting U.S. press conferences (State, State/Defense) also indicated an emphasis on North Korea. The People’s Daily‘s “Zhong Sheng” column called for cooperation, managing differences, and avoiding unnecessary trouble in U.S.–China relations.

Following the meeting, the Chinese government (but not the U.S. government) published a “consensus reached” at the meeting (English | Chinese). Concrete elements of the “consensus” were few but include: efforts toward Trump-Xi meetings in July at the G20 meeting in Hamburg and in China; the exchange of visits between defense ministers; and a visit to China by the chairman of the Joint Chiefs of Staff. Tillerson and Mattis spoke to reporters following the meeting, verbalizing much of what appeared in the Chinese side’s “consensus” release. A photograph published by Xinhua showed Yang and Feng, accompanied by Chinese Ambassador Cui Tiankai, meeting with Trump, National Security Adviser H.R. McMaster, and presidential adviser and son-in-law Jared Kushner. (The Chinese government reportedly invited Kushner and Ivanka Trump to China later this year.) Yang also met with Speaker of the House Paul Ryan and Senator Bob Corker.

What’s next? Before the meetings, Acting Assistant Secretary of State Susan Thornton indicated “we’ll have another Diplomatic and Security Dialogue with China, possibly even another one this year.” She also said the expected Law Enforcement and Cybersecurity channel would be chaired on the U.S. side by the secretary of homeland security and attorney general, and noted it “was established in the previous administration,” indicating continuity with what used to be called the “U.S.–China Cybercrime and Related Issues High Level Joint Dialogue.” Tillerson said Trump “looks forward to his state visit to China later this year.”

ANALYSIS: It’s hard to judge outcomes from this first “D&SD” meeting. While it is significant that a top PLA general and the secretary of defense are now in direct contact through episodic meetings, contact alone doesn’t solve the dilemmas of the Korean Peninsula or defuse an assumption of rivalry among some security officials on both sides. Unlike in the trade area, where the governments pushed out “early harvest” announcements of agreements that in some cases were already half-baked last year, this meeting brought no concrete announcements and set up nothing like the 100-day economic timeline following the Trump-Xi meeting in Florida.

INVESTMENT + SECURITY
Cornyn CFIUS reform bill will not name any country in particular, but senator expresses China concerns in speech

In a speech hosted by the Council on Foreign Relations, Senator John Cornyn (R-Tex.) announced he and Senator Gary Peters (D-Mich.) would be putting forward a bill to revise the system by which the U.S. government examines inbound foreign investment transactions for national security implications. The timeline for the proposed changes to the Committee on Foreign Investment in the United States (CFIUS) process was reportedly not given. Cornyn reportedly said “no nation’s name will be mentioned in the bill,” but that China “is using every tool at its disposal to close the technology gap between the U.S. and that country” and “China is the most preeminent and most aggressive country acting technically in a way to avoid the CFIUS process.” As discussed here last week, Cornyn’s concern about foreign investment is largely oriented around China and fast-developing areas of technology such as artificial intelligence (AI). Patrick Tucker at Defense One has a good story putting those concerns in context. / Meanwhile, venture capitalist and former Google China head Kai-Fu Lee writes about a different set of risks faced by the United States and China as they lead in AI development: AI technologies “will reshape what work means and how wealth is created, leading to unprecedented economic inequalities and even altering the global balance of power.”

TRADE
While Alibaba goes to Detroit, Ford and Tesla go to China

Alibaba founder Jack Ma was in Detroit for Gateway ’17, an Alibaba event advising U.S. small businesses on how to reach Chinese consumers through the company’s platforms. Emily Parker writes, “Earlier this year Ma had told President Donald Trump that he intended to create a million U.S. jobs, and the event was a step toward fulfilling that promise. ‘If we can help one million small businesses online and each small business can create one job, we can create more than one million jobs,’ Ma said in Detroit.” Parker writes that while the jobs rhetoric may be showy, some U.S. small businesses have developed significant sales in China through e-commerce platforms, sometimes with the assistance of firms who ease the regulatory and marketing burden of operating across borders.

Ford Motor, on the other hand, announced plans to build its Focus model “in China, rather than in Michigan or Mexico,” NYT reported. “… Ford’s decision could shift work away from American auto parts factories, which are heavily concentrated in Ohio, Indiana and southern Michigan.” Tesla, meanwhile, was reportedly in talks with the Shanghai government about setting up a car plant in the region.

#USChinaWeek1967
‘Secret U.S. Memos on China Disclosed’

“WASHINGTON, June 24[, 1967] (AP)—The State Department made public secret diplomatic dispatches today that were devoted to the United States relations with China in 1944. The dispatches included an evaluation that said relations with China were bad and that the Army was primarily responsible for the situation. The correspondence included a report to President Roosevelt from Donald Nelson, his personal envoy to China, stating that ‘our relations with China were bad—very bad.’ ‘The attitude of our army in China is primarily responsible for this situation,’ it added. Mr. Nelson had made a special mission with Maj. Gen. Patrick J. Hurley to confer with Generalissimo Chiang Kai-shek in October, 1944. One memorandum, concerning friction between Mr. Chiang and Gen. Joseph W. Stilwell, was from Clarence W. Gauss, then the Ambassador to China, to Cordell Hull, who was the Secretary of States. The note disclosed that General Chiang had insisted that General Stilwell ‘must go,’ and that if there was to be an American commander in chief in China, he must be under General Chiang’s command. The dispatches disclose that pressure from the President led to Mr. Chiang’s reluctant agreement to a United States military observer mission with the Communist forces in Yenan.”

(Source: The New York Times. This entry is part of an ongoing feature of U.S.–China Week that follows U.S.–China relations as they developed in another era of change and uncertainty, 50 years ago.)

ABOUT U.S.–CHINA WEEK

U.S.–China Week is a weekly news and analysis brief that covers important developments in U.S.–China relations and features especially insightful or influential new policy analysis.

Graham Webster is a senior research scholar, lecturer, and senior fellow of the Paul Tsai China Center at Yale Law School, where he specializes in U.S.–China diplomatic, security, and economic relations through research and Track II dialogues. He is also a fellow for China and East Asia with the EastWest Institute. His website is gwbstr.com.

Disclaimer: Opinions expressed here are my own (and I reserve the right to change my mind).

Free Subscription to U.S.–China Week by clicking here or e-mailing me is open to all, and an archive of past editions appears at my long-running website on East Asia and the United States, Transpacifica.

Contact: Follow me on Twitter at @gwbstr. Send e-mail to [email protected].

U.S.–China Week: First ‘D&SD’ this Wednesday, DPRK pressures, CFIUS changes, cybersecurity reviews, trade talks (2017.06.19)

Welcome to Issue 103 of U.S.–China Week. This Wednesday brings the first meeting of the new partial replacement for the Strategic and Economic Dialogue (S&ED), the Diplomatic and Security Dialogue (D&SD). It will take place in Washington, with the United States represented by Secretary of State Rex Tillerson and Secretary of Defense Jim Mattis. The Chinese delegation will be chaired by State Councilor Yang Jiechi, with Chief of the PLA Joint Staff Department Gen. Fang Fenghui “also attending,” according to the Foreign Ministry.

Tillerson had said in May that “so far it appears we will get people at the Politburo level and at much higher levels of the government within China to participate in these dialogues.” Compared with the S&ED, the D&SD is minus-one Politburo member (Vice Premier Wang Yang, who led the economic track) but plus-one high-level PLA officer. Still, Fang is outranked on the Central Military Commission by its Vice Chair Gen. Fan Changlong, who is a Politburo member and was framed as counterpart to the U.S. secretary of defense during a 2015 U.S. visit. It will be interesting to see what if any detailed outcome documents emerge this week, and how U.S. and Chinese messaging either harmonize or conflict. Of course, there is also the question of alignment between President Donald Trump and his cabinet secretaries.

INVESTMENT + SECURITY
U.S. national security reviews could tighten for Chinese investments with proposed CFIUS changes

If a proposal to change the way the U.S. government reviews foreign investments for security concerns is implemented, China might be added to a list of countries deemed deserving of increased scrutiny, Bloomberg reported. Senator John Cornyn’s proposal would reshape the Committee on Foreign Investment in the United States (CFIUS), the body that approves, denies, or requires changes in foreign acquisitions for national security reasons. From Bloomberg: “Cornyn’s legislation would require CFIUS to create a list of countries whose companies merit extra scrutiny, such as China, a [Cornyn] spokeswoman said. The bill would also broaden the scope of the committee to include technology joint ventures and real estate transactions near military bases or other national security facilities, she said.” At present, only when a foreign entity gains a controlling stake in a U.S. firm may CFIUS review the transaction. Bloomberg also reported that Treasury Secretary Steven Mnuchin is pushing changes to CFIUS, which he chairs, and wishes to include China on a new list of what the report called “hostile nations.”

Reuters reported that an unreleased Pentagon report “warns that China is skirting oversight and gaining access to sensitive technology through transactions that currently don’t trigger CFIUS review.” Mattis called CFIUS “outdated,” and a Cornyn aide told Reuters the proposed bill would provide a mechanism for the Pentagon to lead efforts to identify specific technologies that require extra focus. Of particular concern, according to Reuters sources, is artificial intelligence and machine learning technology, and the risk that, “When the Chinese make an investment in an early stage company developing advanced technology, there is an opportunity cost to the U.S., since that company is potentially off-limits for purposes of working with the [Department of Defense].” Foreign Ministry spokesperson Lu Kang said, “We believe there should not be undue political dimensions imposed on commercial takeovers, let alone political intervention.” / Meanwhile: The U.S. Department of Energy said it would invest $258 million over three years in a supercomputing race in which China is the main competitor. And a fund reportedly backed by Chinese government money is making a third bid to get CFIUS approval to acquire the microchip company Lattice.

ANALYSIS: Reforms to CFIUS have been a topic of discussion for years, with some concerned that the committee lacks the power to stop or modify investments that could impact national security but don’t fit the current criteria for review, and others concerned that the present regime is unnecessarily opaque and results in an effective barrier to mutually beneficial investment flows with China and other countries. The particular reforms being proposed would call into question the legitimacy of CFIUS reviews as narrowly focused on national security, especially with the proposal to maintain a list of countries that would receive special scrutiny. While no one doubts that China-linked transactions would receive scrutiny, making a list of countries subject to unequal treatment seems unnecessary and problematic in trade diplomacy. There is a good case to be made for updating the CFIUS process, but the current proposal seems to me to be on the wrong track and likely to create more difficulties than it would solve.

KOREAN PENINSULA
Trump aides reportedly question China’s willingness to help with N. Korea; Pressure mounts on Chinese firms

NYT reports that U.S. officials are questioning the prospects of initial Trump administration hopes that China would pressure North Korea. A source said China’s actions on North Korea could even affect whether Trump and Xi meet at the G20 in Hamburg next month. NYT also reported that Chinese officials are “among those most interested in” a Trump meeting with North Korean leader Kim Jong-un, a prospect somewhat less likely following the return of an apparently brutalized U.S. prisoner.

The U.S. government does have specific demands of China, according to reports. Officials told WSJ that the Treasury Department could impose sanctions on Chinese entities that trade with North Korea and have asked the Chinese government to pressure them. “‘We’ve told the Chinese we hope they’ll act against certain companies and people,’ said a senior U.S. official briefed on North Korea policy. ‘But we’ve also said that we’re prepared to act alone and can reach North Korea if we choose.'” U.S. prosecutors also reportedly “accused a Chinese company…of laundering money for North Korea and said they would seek $1.9 million in civil penalties.” According to NYT, the $1.9 million comes from an amount the company allegedly transferred for North Korea, clearing the funds through the United States.

ANALYSIS: Direct legal action against Chinese targets, combined with the threat of sanctions, is a strong echo of what Obama administration officials have said was a winning playbook in bringing Chinese officials to the table over state-linked commercial hacking. The big “win” in that case was a public statement by Xi forswearing support for internet-enabled theft of business secrets for commercial gain. When it comes to commercial hacking, however, the Chinese government already had reason to rein in PLA hackers who might have been freelancing or acting without central approval. In this case, it is hard to imagine threats to name and shame a few Chinese firms and individuals would change China’s fundamental calculus regarding pressure on North Korea.

CYBERSPACE + TECHNOLOGY
Chinese IT security examiner explains details of national security review process, clarifies Windows 10 status

Following the provocative essay translated and featured here last week that called for a moratorium on use of the new Windows 10 China Government Edition unless and until it passes China’s national security review, one of the experts involved in conducting those reviews gave an interview (later translated by Rogier Creemers, Paul Triolo, and me) to the same outlet. Wang Jun, lead engineer of the China Information Technology Security Evaluation Center (CNITSEC), argued that the new Windows edition was developed to be “secure and controllable” in the Chinese government’s view and described important details about how the national security reviews are to function. (Ni Guangnan, author of the initial piece arguing against using the new Windows edition, had another piece on the topic this week, arguing for the importance of “indigenous and controllable” operating systems.)

Among several important insights in the new interview, Wang describes the role of source code examination in determining whether a product meets government requirements: “Operating system source code can run as long as 100 million lines. How much to look at, what part to look at, and how to judge the code are decided according to objectives of the technology evaluator in the third party evaluation process. Reading every single line is perhaps ideal, but doing so would require an enormous amount of time and resources. On the other hand, from the perspective of a technology evaluator’s methods, looking at every line may not be necessary. But as evaluators we ask for 100 percent of the source code and then, starting from a foundation of analyzing the program’s structure and how it integrates with the user’s machine, we decide which modules specifically require examination and verification.”

Meanwhile:

TRADE
Commerce secretary says moving on from ‘easier deliverables’ in China talks; Beef, chicken, dairy deals reported

Calling the news of implementing a long-discussed deal to reopen U.S. beef exports to China one of “the easier deliverables” in the 100-day timeline following the Trump-Xi meeting in Florida, Commerce Secretary Wilbur Ross told a WSJ forum, “We’re now working on another list. We generally have two conference calls a day, one early in the morning our time and one late at night with the Chinese. That’s five, six, seven days a week. … We’re interested in very specific, very tangible achievements. And we’re finding a very, very sensible give-and-take with the Chinese right now.”

Meanwhile:

#USChinaWeek1967
‘Peking Test Blast a Surprise to U.S.: Size of Explosion and Speed of Nuclear Development Were Not Foreseen’

“WASHINGTON, June 17[, 1967]—The Atomic Energy Commission, confirming that Communist China had exploded a hydrogen bomb, said today that the blast had an explosive force equal to several million tons of TNT. United States officials were somewhat surprised by the Chinese test, which was viewed as further evidence of the unexpectedly rapid progress being made by Peking in developing a nuclear arsenal. While China was known to be working on the design of a thermonuclear device, the test came sooner than had been generally predicted by United States intelligence officials. … Senior military analysts in Washington believed that the Chinese announcement of the successful test would intensify political pressure for the deployment of a missile defense system around the United States. But they felt there would not be an actual threat to American cities until the Chinese have built up a force of intercontinental ballistic missiles.”

(Source: The New York Times. This entry is part of an ongoing feature of U.S.–China Week that follows U.S.–China relations as they developed in another era of change and uncertainty, 50 years ago.)


Chinese IT security examiner describes review process, clarifies status of Chinese government Windows edition

A public controversy among computer security experts in China has erupted over the degree of national security assessment required in general and what specifically is required by the new Cybersecurity Law and related regulations. Ni Guangnan, an academician with the Chinese Academy of Engineering and a longstanding proponent of indigenous technology in China, recently argued (in a piece translated here) that the new Windows 10 China Government Edition should not be approved for government procurement because it has not yet formally passed the new law’s national security review process. Here, Wang Jun, lead engineer of the China Information Technology Security Evaluation Center (CNITSEC) which is a third-party review organization for the Chinese government, argues that the Microsoft-CETC joint venture behind the new custom Windows edition was developed in consideration of Chinese government security priorities and therefore should be given due consideration as “secure and controllable.” Wang also provides important insights into the degree to which the nascent national security review system has already started to operate and describes in detail his view of how the process is expected to work.

The following was translated from the Chinese original by Rogier Creemers, Paul Triolo, and Graham Webster.

Core Security Examination Expert on Calls to Suspend Use of Windows 10 China Government Edition: At This Stage, Forcing a Switchover Is Not the Best Option

Southern Metropolis Daily Original

2017-06-12 13:20

China Information Security Monitoring Centre General Engineer Wang Jun

Academician Ni Guangnan of the Chinese Academy of Engineering stated recently in a media article that the Windows 10 version for the Chinese government has not passed cybersecurity review, and should remain outside of the government procurement catalogue. What is cybersecurity review? How does this matter implement the regulatory system just established on 1 June, and what network products is it aimed at?

A Southern Metropolis Daily (SMD) journalist interviewed Wang Jun, General Engineer at the China Information Technology Security Evaluation Center (CNITSEC). Wang Jun answered these questions from an expert perspective; he indicated that cybersecurity review has its own set of triggering conditions and review procedures, and that these are identical for domestic and foreign products, with no difference between them.

Wang Jun indicated that cybersecurity should be discussed in an open environment. The Chinese government version of Windows 10 may be considered as a positive trial in order to resolve the objective requirements concerning operating systems inside China at present, and raising our own technological levels and capabilities.

The general security review for Windows 10 has begun; the security review situation for the governmental version is not yet known.

SMD: Has the Chinese Government version of Windows 10 undergone security review?

Wang Jun: The forerunner of the Chinese Government version of Windows 10 is the common version of Windows 10; it is a commercial product of Microsoft, and is the common version distributed worldwide. As I understand it, our country has already started its cybersecurity review (hereafter named security review) of the common version of Windows 10. CNITSEC is designated by the Cyberspace Administration of China, and has undertaken third-party evaluation work of the common version of Windows 10; but at present, I have not seen a decision by the controlling department concerning whether it passed or not.

With regard to whether the governmental version of Windows 10 is on the way towards cybersecurity review, I have not yet heard about the circumstances in this matter.

SMD: And what is the result of the third-party evaluation by CNITSEC of the common version of Windows 10?

Wang Jun: We have major conclusions in two areas: the first is that we have discovered that in comparison with Win8, Win7 and earlier operating systems, the security functions in Windows 10 have been improved substantially. Second, a number of security risk points still exist, in fact, in the common version of Windows 10. According to the work agreement, we are not yet able to reveal details.

SMD: Security review has only been determined by law in the past few years, did we have similar work before this?

Wang Jun: The cybersecurity review system was only finally established in 2016, but before that, similar work actually had been begun.

In 2003, the National Development and Reform Commission authorized CNITSEC to act as a national monitoring body, and represented China in concluding a Government Security Program agreement for source code inspection with Microsoft; this is a multilateral agreement, and Microsoft has concluded GSP agreements with many countries. Considering that a fair few national governments have security concerns with Microsoft operating systems, Microsoft agreed to, through the GSP program, open up source code on a small scale and with secrecy protection, but because this involved intellectual property protection, it only took place on a small scale, and did not turn into open source. Microsoft, from its side, exhibited a positive attitude, and where we were concerned, this added a channel for understanding.

GSP is an agreement in which both sides are equal, and security review means that when there are risks in a product that may influence national security, we represent the country in conducting a review, and the scope of security review may be broadened.

SMD: Some experts say Windows 8 and Windows 10 use trustworthy technology; will this mean manufacturers have a strong controlling power over operating systems?

Wang Jun: I basically agree with this point of view; in the common Windows 10 operating system, the manufacturer has a very strong controlling power over the system. But the strengthening of this sort of controlling power may have a double-edged sword effect. If it is especially strong, it possibly may mean that user controllability over this system is weakened; on the other hand, if user controllability over operating systems is extremely strong, hackers can equally have these kinds of capabilities, and in this kind of situation, it may also bring new security risks. Because of that, we need to find a point of balance.

Where China is concerned, the common version of Windows 10 is not a complete black box.

SMD: So where the Chinese government is concerned, Windows 10 is not a black box after all, right?

Wang Jun: Right. According to the GSP agreement, Microsoft has provided an opportunity to review source code, but as to what the details are that come up in review, these may only be made public with the agreement of both sides.

In the national security review process of the common version of Windows 10, our center has undertaken third-party evaluation work, in Beijing. It has also inspected and verified the source code of the common version. Furthermore, the scope of its review and verification of source code is broader than under the original GSP agreement.

SMD: Can one guarantee security through inspecting source code?

Wang Jun: Between conducting source code inspections and coming to a conclusion whether a product is safe or not, there is a lot of technical work that needs to be done. One cannot simply say that “I give you the source code to look at and so it is absolutely safe,” and one should also not simply believe that technological monitoring means going through source code line by line.

SMD: What technical methods are required to reach a determination of security?

Wang Jun: Source code security examination is in fact one of the methods for the third-party evaluation part of cybersecurity review or information security evaluation, but it is not the only method. Determining the security of network products is a comprehensive process requiring multiple methods. For instance, monitoring program behavior in the real work environment is one evaluation method, as is reverse engineering of executable files.

There are also international common criteria (CC) for security examination of network products (if operating systems are considered a kind of product). CC are also an important reference indicator for our Evaluation Center’s product security evaluation.

Operating system source code can run as long as 100 million lines. How much to look at, what part to look at, and how to judge the code are decided according to objectives of the technology evaluator in the third party evaluation process. Reading every single line is perhaps ideal, but doing so would require an enormous amount of time and resources. On the other hand, from the perspective of a technology evaluator’s methods, looking at every line may not be necessary. But as evaluators we ask for 100 percent of the source code and then, starting from a foundation of analyzing the program’s structure and how it integrates with the user’s machine, we decide which modules specifically require examination and verification.

Cybersecurity reviews must be triggered by someone, and they do not separate domestic from international.

SMD: Are national cybersecurity reviews the same thing as “user testing” and “security testing”?

Wang Jun: Simply put, security reviews and technological evaluation or user evaluation are not the same thing. In the process of security review, however, technology evaluation or user evaluation may be included. Security reviews are about the possibility of network products and services influencing national security.

According to the Security Review Measures for Network Products and Services, the security review process must first be triggered, and the measures clearly enumerate several conditions for triggering. One is if relevant national authorities believe a type of product or service requires cybersecurity review. Two is if national trade associations recommend security review. Three is if the market reflects that it must be done. We believe the market includes the masses, users, etc.

As soon as someone suggests security review, a legally determined work procedure must be undertaken. This work procedure should be defined ahead of time by the competent national department. Security review is serious and important work that cannot be taken lightly and executed at a word; it requires a work procedure and official confirmation before beginning.

SMD: What is the work procedure for national cybersecurity reviews?

Wang Jun: In my understanding of the relevant laws and regulations, once it is initiated, there are several steps. First, a third-party evaluation organization appointed by the competent department undertakes objective evaluation of the network product or service for requirements such as security, controllability, reliability, data validation (材料的真实性), user control of the product, etc.

At the same time, there is another set of work, for instance relevant examinations, background investigations, determination of whether there is any unfair competition or influence on the national economy and market. This comprehensive investigation can take place at the same time.

Once the technology evaluation and comprehensive investigation are complete, the results are submitted to a committee of experts for opinions, independent examination, and judgment. The competent organ finally determines whether review has been passed. It cannot listen only to one side’s opinion, so it asks a high-level experts’ committee to submit judgment and opinions. We are all responsible for our own conclusions and work independently.

Finally, the cybersecurity review office synthesizes the views and reports up to the cybersecurity review committee, which issues the result of the security review.

SMD: Does national cybersecurity review only target foreign network products?

Wang Jun: According to my understanding of the spirit of the Cybersecurity Law, the cybersecurity review does not distinguish between domestic and foreign, cybersecurity review does not have a nationality preference, and it’s not the case that foreign things are all examined while domestic things are not.

I believe that it doesn’t matter if it’s Microsoft’s general use edition of Windows, the joint venture C&M Information Technology Co.’s Windows 10 China Government Edition, or another Chinese-made operating system. If the product needs to undergo relevant security review, according to the law- and regulation-decided procedure, they can all go through cybersecurity review. The legal requirements are the same.

Once technological evaluation or security investigation is underway, the procedure, standards, and requirements are the same. Of course, different product circumstances may determine different emphases, but on the whole the requirements are the same.

“Developing Windows 10 China Government Edition was a kind of attempt”

SMD: Many people believe a Chinese operating system should replace [Windows]. As an expert, do you agree with this view?

Wang Jun: My own personal view is that our country has a portion of professions and fields that at this stage objectively need to use the Windows platform. Technologically, Windows is in some ways advanced, and it has formed an ecosystem. Many of our applications have developed a certain extent of dependency on the Windows system, and without saying whether this dependency is rational, it’s an objective fact. I understand that some professional users, including some in critical information infrastructure areas, would have difficulty simply switching to a non-Windows operating system.

Thus under these conditions, forcing switchover to non-Windows systems is not necessarily the best choice.

On the other hand, in the open environment, if we can ensure security and controllability of a piece of advanced foreign technology, we can at least say there’s no need to exclude it or decide not to use it.

SMD: How do you view Windows 10 China Government Edition?

Wang Jun: Windows 10 China Government Edition was jointly developed by China Electronics Technology Group (CETC) and Microsoft, and the C&M Information Technology Co. was set up with CETC holding 51% of shares and Microsoft holding 49%. According to my understanding, in their cooperation, Microsoft is willing to open source code under the condition that intellectual property is protected. I believe developing Windows 10 or another later government-use edition in this method is a positive and meaningful attempt.

We understand the goal of this method is to try to give government and critical information infrastructure users an improved edition that suits Chinese users’ security requirements better than the general edition. This is a way to explore new solutions to problems at this stage. I think it’s something to look forward to.

SMD: Do you think that developing a Windows 10 Chinese government version and developing a domestic operating system are not contradictory?

Wang Jun: The R&D of a domestic operating system, plus the time required to put one into use and to package this into an ecological environment, requires a certain amount of time.

The use of the Windows 10 China Government-specific version, and the R&D and vigorous promotion of the application of a domestic operating system, including the construction of an ecological environment, can be carried out in parallel. In deciding whether or not to implement this parallel situation, it may well be worth considering the issue in terms of improving the degree of control over China’s cybersecurity, and the actual needs of users. We should allow this attempt in a tolerant manner.

Of course, this is for government departments and critical information infrastructure users. Other social users, and business users, must decide according to their own needs what kind of operating system to use.

“A domestic system does not mean that it must be secure”

SMD: For domestic operating system security issues, what are your views? Is a domestic operating system secure?

Wang Jun: From a security point of view, domestic systems have some advantages compared to some foreign systems, but we cannot simply think that a domestic system must be secure. There are several reasons for this. First of all, any product has vulnerabilities, and vulnerabilities are a fundamental problem of cybersecurity; there is no such thing as a certain security situation.

Second, some of our own domestically produced systems can be more reassuring in some aspects of security than foreign products; for example, we do not have to worry about deliberate or passive implantation of malicious programs by the designer. But we may have gaps in other aspects of security compared with others, such as our understanding and mastery of security issues and our anti-attack capabilities; there may be areas in which we are not sufficient. The question of security is a comprehensive consideration.

Third, there is some equipment that may be OEM’d abroad (the original design is from abroad, and we just got the production license); there are some domestic systems that use open source software, but because of OEM and open source itself, domestic systems may also carry security issues.

Moreover, because of the special nature of open source systems, there is no single manufacturer, so there may be a situation in which there are loopholes and no one to solve them. Taking these factors together, we cannot simply say that domestic network products must be secure.

SMD: So, do you think the Windows 10 China Government Edition requires a complete network review?

Wang Jun: As I just said, network products and services, whether domestic or foreign, whether it is a domestic firm or a joint venture, are all required in accordance with relevant national laws and regulations to carry out the necessary security assessment, or even a security review. The Windows 10 China Government Edition should also be no exception. Of course, to start a security review requires things to be done in accordance with the relevant legal procedures. If the conditions for triggering the security review are met, in accordance with the legal procedures, it is possible to conduct a cybersecurity review.

SMD: Is it not the government procurement of critical information network infrastructure that requires conducting a cybersecurity review? So the security review and government procurement are naturally bound into one piece?

Wang Jun: As far as I know, the two are not naturally bound together. Government procurement also has its own procedural requirements. In the Cybersecurity Law, there is a provision for procurement that states that “network products or services that have not passed a security assessment or security review” may not be purchased. We should pay attention to the understanding of “have not,” which should be understood as “should undergo but did not undergo a cybersecurity review.”

Therefore, according to the current law, I think it is clear that if a product did not pass a security review, and clearly announced that it did not pass, it cannot be entered into the procurement directory.

SMD: The current technical testing for security usually just tests a sample. How can we ensure that each computer operating system is secure?

Wang Jun: Our current testing methods are concerned with two aspects, dynamic and static, but we are limited by current technology and methods, and there is more of a focus on the static state. We are responsible for certain samples and security conclusions at a given point in time, but these are not permanent, and it is difficult to achieve permanent security testing. However, the evaluation agency will try to make up for the relevant deficiencies, such as with continuous monitoring, online monitoring, or testing methods, to strengthen the understanding and mastery of the dynamic security situation.

SMD: Some people worry about the security of foreign products, fearing incidents such as described by Snowden. Is this not justified?

Wang Jun: This concern is reasonable—no one dares to say no. This is one of the reasons we have always stressed security and controllability. But we should not ask for absolute security, just as we do not stop driving a car because of the risk of traffic accidents. In fact, we also have a certain degree of anti-risk ability, through our work, to improve the security and controllability of foreign products, so that the risk is reduced to an acceptable level. Then we can use foreign advanced products.

Southern Metropolis Daily reporter Wu Bin from Beijing

U.S.–China Week: Top diplo in Beijing resigns & Calif. governor meets Xi over climate; Chinese gov’t Windows edition; beyond FONOPS (2017.06.12)

Welcome to Issue 102 of U.S.–China Week. As always: Please encourage friends and colleagues to subscribe to U.S.–China Week. Here is the web version of this issue, ideal for sharing on social media, and you can follow me on Twitter at @gwbstr. Please send your comments, quibbles, and suggestions to [email protected].

DIPLOMACY
Acting U.S. ambassador in Beijing resigns rather than deliver notification of Paris climate agreement withdrawal

David Rank, a career Foreign Service officer who had been serving as acting ambassador in Beijing (Chargé d’affaires), reportedly resigned rather than formally notifying China’s government of President Donald Trump’s decision to begin the process to withdraw from the Paris climate agreement. Rank, who had served as Deputy Chief of Mission, was the interim leader of the embassy awaiting former Iowa Governor Terry Branstad’s formal transition to the ambassadorship. Rank was replaced by Jonathan Fritz, another veteran Foreign Service officer. John Pomfret reported on Twitter that “Rank called a town hall meeting” to announce his decision to colleagues.

Meanwhile, a State Department spokesperson had no information to provide on dates for the first meeting of the new U.S.–China Diplomatic and Security Dialogue, which the State Department had previously reported would take place this month in Washington.

ANALYSIS: China is one of the only countries to which the Trump administration has nominated and confirmed an ambassador. Nonetheless, Rank was still on duty as Branstad prepared to take the position. Such a public show of dissent from within the Foreign Service is extraordinary, and if Chinese officials needed any more evidence that the U.S. government and political community is divided, this surely helped. If the new U.S.–China bilateral meeting actually takes place this month, with Secretary of State Rex Tillerson and Secretary of Defense James Mattis chairing the U.S. side, this public discord will certainly hurt the Trump administration’s credibility.

STATE RITES
California Gov. Jerry Brown meets Xi in Beijing, brings home agreements on emissions trading, climate, clean tech

President Xi Jinping received California Governor Jerry Brown in the Great Hall of the People in Beijing with some of the optics usually befitting a head of state. “California has important economic and social influence in the United States,” Xi said according to Xinhua. “I hope California can contribute to the advancement of U.S.–China regional relations and advance bilateral cooperation in areas like technology, innovation, and green development.” Asked about Brown’s trip, State Department Spokesperson Heather Nauert said, “Well, Jerry Brown is not a part of the Trump administration,” and “this is the first I’m hearing about it.” Matt Sheehan’s Chinafornia newsletter this week has a great roundup of the trip and its reported outcomes. / Meanwhile, NYT reports on management-worker tensions at a Chinese-owned auto glass factory in Ohio, and Treasury Secretary Steven Mnuchin said the U.S.–China bilateral investment treaty (BIT) negotiations are on the Trump administration’s agenda but will follow more focused market access issues.

CYBERSPACE + TECHNOLOGY
Expert calls for moratorium on Microsoft’s new Chinese government Windows edition pending security review

The prominent computer security expert and Chinese Academy of Engineering Academician Ni Guangnan argues in the Southern Metropolis Daily that the Chinese government should suspend purchases and use of Microsoft’s new Windows 10 China Government Edition. Ni writes that Microsoft claims to have undergone “user testing” and “security testing,” but has not undergone the national security review required under the Cybersecurity Law now in effect. Moreover, Ni writes, performing a thorough security review requires greater access to source code than Microsoft has so far provided. (I’ve translated the opinion piece in full at Transpacifica.net.) In a blog post announcing the custom Windows 10 edition, a Microsoft representative wrote that “over the last two years, we have earnestly cooperated with the Chinese government on the security review of Windows 10.”

ANALYSIS: As a major figure, Ni’s criticism may well carry some weight, but it is best read as an example of the relatively tough end of a spectrum of Chinese views on how to proceed with the national security review system required under the Cybersecurity Law and the National Security Law. (Ni also “has for some time been a tireless promoter of an indigenous operating system to compete with Windows,” Eurasia Group’s Paul Triolo pointed out in an e-mail. Baidu Baike dates his advocacy on this front back to 1995.) Implementing measures aimed at establishing the new review system were released a few weeks ago in “interim” form, suggesting they may be revised, and although they went into effect on June 1 alongside the Cybersecurity Law, they call for setting up a Cybersecurity Review Committee and a third-party assessment system that have not fully emerged. It seems likely to me that Microsoft’s close work with China’s government will ease any eventual further security review of its special Windows 10 edition. It is the details of Ni’s argument that should give foreign firms pause: While not everyone agrees with Ni that full source code access is required for effective security reviews, he is not necessarily an outlier here. Microsoft provides government customers with “transparency centers,” including in Beijing, where experts can examine code in a secure environment. If this is enough to satisfy China’s security reviews, expect other companies to follow suit; if not, we’re in for several more rounds of controversy. (On that note, see a pretty full-throated dismissal of foreign concerns about the Cybersecurity Law from the People’s Daily‘s “Zhong Sheng” column.)

REGIONAL SECURITY
Dutton and Kardon: ‘Forget the FONOPs—Just fly, sail, and operate wherever international law allows’

In a refreshing piece for Lawfare, Peter Dutton and Isaac Kardon of the Naval War College argue, in a partial echo of what I’d speculated last year, that the USS Dewey’s recent activities near Mischief Reef in the South China Sea were “probably—but maybe not” a Freedom of Navigation Operation (FONOP) as defined by the formal FON Program. They argue that “FONOPs should continue in routine, low-key fashion wherever there are specific legal claims to be challenged (as in the Paracel Islands, the other disputed territories in the SCS); they should not be conducted—much less hyped up beyond proportion—in the Spratlys. Instead, the routine exercise of freedom of navigation is the most appropriate way to use the fleet in support of U.S. and allied interests.” / Meanwhile: South Korea reportedly paused deployment of the THAAD missile defense system one-third through pending an environmental assessment.

ANALYSIS: Dutton and Kardon’s most important prescriptive insight is that, whether or not the U.S. government considers the recent Dewey maneuvers a FONOP, “a formal FONOP is the wrong tool for the job.” That’s because FONOPs challenge excessive claims, and no one has made a specific claim in the area to challenge. There is some possibility that U.S. authorities have decided to regard China’s behavior in warning away other countries’ vessels and aircraft, sometimes referring to an ill-defined “military alert zone,” as constituting an excessive claim. We will find out when the next annual FONOP report is released by the Department of Defense: If there is not a new category of claims challenged compared to the past, the Dewey voyage was not counted. In any case, the U.S. government and advocates for U.S. demonstrations against Chinese activities should carefully disentangle the discussion about FONOPs from the discussion about making broader points.

#USChinaWeek1967
‘$8.9-Million Is Given in Ford Fund Grants’

“The Ford Foundation announced yesterday that it had made 29 grants totaling $8,913,000 for educational and related purposes. Five of the grants, totaling $5-million, were made for research to expand Western understanding of China and for the training of specialists to fill teaching and government posts in the field of Chinese study. Harvard University received $1.5-million, the largest award, to be used for China study at its East Asian Research Center. The other grants in that category were $1.2-million to Columbia University for its East Asian Institute; $900,000 to the University of California for its Berkeley Center for Chinese Studies; $900,000 to the University of Michigan for its Center for Chinese Studies and $500,000 to Cornell University for its China-studies program. Harvard also received $800,000 to help support research on contemporary Japan at the university’s East Asian Research Center. The African-American Institute received a $500,000 grant for general support and the Association of Research Libraries $500,000 to help establish a China Materials Development Center in Washington.”

(Source: The New York Times. This entry is part of an ongoing feature of U.S.–China Week that follows U.S.–China relations as they developed in another era of change and uncertainty, 50 years ago.)

ABOUT U.S.–CHINA WEEK

U.S.–China Week is a weekly news and analysis brief that covers important developments in U.S.–China relations and features especially insightful or influential new policy analysis.

Graham Webster is a senior research scholar, lecturer, and senior fellow of the Paul Tsai China Center at Yale Law School, where he specializes in U.S.–China diplomatic, security, and economic relations through research and Track II dialogues. He is also a fellow for China and East Asia with the EastWest Institute. His website is gwbstr.com.

Disclaimer: Opinions expressed here are my own (and I reserve the right to change my mind).

Free Subscription to U.S.–China Week by clicking here or e-mailing me is open to all, and an archive of past editions appears at my long-running website on East Asia and the United States, Transpacifica.

Contact: Follow me on Twitter at @gwbstr. Send e-mail to [email protected].

Ni Guangnan: China should suspend purchases and use of Windows 10 China Government Edition pending security review (translation)

(Chinese original follows / 中文在后)

See also related items: “Core security review expert responds to the suggestion to ban Windows 10 Government Edition: forcibly switching systems at this stage is not the best choice” and “Ni Guangnan blasts Win10 Government Edition for not passing review; Microsoft partner responds”

*  *  *

The Government Should Suspend Purchase and Use of Windows 10 Government Edition

By Ni Guangnan

Southern Metropolis Daily, June 8, 2017, Page: AA15

A few days ago, Microsoft Greater China CEO Alain Crozier said the China Government Edition of Windows 10, produced according to the “secure and controllable” principle, had already undergone user testing at three major enterprises, proving that it is reliably secure and thus ready for wide deployment. Reports followed saying “Windows 10 Government Edition Has Completed Domestic Security Testing.” People should ask: Why are they making a big deal out of Windows 10 passing “user testing” and “security testing”?

As everyone knows, China’s Cybersecurity Law has officially gone into effect. It requires: “Critical information infrastructure operators purchasing network products and services that might impact national security shall undergo a national security review organized by the State cybersecurity and Informatization departments and relevant departments of the State Council.” In contrast to this regulation, it’s not difficult to see that claiming Windows 10 passed “user testing” or “security testing” is probably designed to create the false impression that Windows 10 Government Edition has already passed “national security review,” in order to open the door to government procurement.

According to the Security Review Measures for Network Products and Services issued by the Cyberspace Administration of China, cybersecurity review has strict procedures, for instance requiring third-party evaluation by a nationally recognized cybersecurity review organization.

In 2015, before the establishment of the joint venture between China Electronics Technology Group Corporation (CETC) and Microsoft, Microsoft issued Windows 10 Government Edition. At that point, the Security Review Measures for Network Products and Services were being drafted, and on related aspects Windows 10 Government Edition underwent a round of cybersecurity review and did not pass. Since then, Windows 10 Government Edition has never again undergone this kind of review. No matter what kind of “user testing” or “security testing” it later went through, therefore, it still has not passed cybersecurity review.

Experts specifically point out that Windows 10 has subjectively and objectively not passed cybersecurity review, because:

(1) Although China does not lack operating system experts, because Windows is closed-source, proprietary software, no expert outside Microsoft can be fully familiar with it. It is not realistic, then, to rely on a few experts not fully familiar with Windows to accurately estimate the security and controllability of Windows 10 Government Edition with only a short period in which to examine 100 million lines of source code.

(2) Undertaking security review of software at minimum requires access to the software’s refactorable (可重构的) and complete source code, but Microsoft has never provided China with Windows’ complete source code, let alone allowed it to refactor. If a piece of software has millions of lines of non-open source code, it is like a black box, and there is fundamentally no way to accurately estimate its security and controllability.

Today, no substantive change has resulted from experts making the above points. Even if Windows 10 Government Edition again undergoes cybersecurity review, the degree of difficulty will not decrease. Furthermore, because the structure of Windows 10 incorporates trustworthy computing, reviewing it requires verifying that it complies with the Electronic Signature Law (电子签名法) and the Provisions on the Administration of the Use of Commercial Encryption Products (商用密码管理条例). Additionally, it requires surveying how domestic and international information security firms integrate trustworthy computing and antivirus software with Windows 10 and deal with the issue of unfair competition. Clearly Windows 10 Government Edition must again undergo cybersecurity review in what will be a protracted process.

In 2005 and 2014, because Windows Vista and Windows 8 were not controllable, the government ordered a halt of purchases. In 2015, Microsoft quickly updated editions and released Windows 10. Several authoritative Chinese security evaluation organizations concluded that, “the Windows 8.1 and Windows 10 kernel are basically the same, there were not more substantial changes, and to a great extent the upgrade was for the sake of commercial publicity.” (This evaluation only determined whether the two editions were the same and did not touch upon security and controllability estimation, and so it was relatively easy to complete.)

In conclusion, seeing that Windows 10, Windows 8, and Windows 10 Government Edition have not passed cybersecurity review, relevant issues will hopefully be given attention, and government procurement and use of Windows 10 (including Windows 10 Government edition) should be prohibited according to law.

Ni Guangnan, a member of the first class of academicians of the Chinese Academy of Engineering, is devoted to indigenous and controllable core information technologies and industries, and has received lifetime achievement awards from the Chinese Information Processing Society of China and the China Computer Federation. 

Translated by Graham Webster.

Suggestion That the Government Stop Purchasing and Using “Win10 Government Edition”

Source: Southern Metropolis Daily, June 8, 2017, Page: AA15. Author: Ni Guangnan

Open Column

A few days ago, Microsoft Greater China CEO Alain Crozier said: the China Government Edition of Win10, built on the “secure and controllable” principle, is in preparation for going on sale; this edition of Win10 has already passed user testing at three large enterprises, proving that the system has reliable security, and large-scale deployment will follow. Reports then echoed this, saying “Win10 Government Edition has completed security testing domestically.” People have to ask: why are they making such a fuss about Win10 passing “user testing” and “security testing”?

As everyone knows, our country’s Cybersecurity Law has formally gone into effect. It requires that “operators of our country’s critical information infrastructure purchasing network products and services that may affect national security shall pass a national security review organized by the State cyberspace and informatization department together with relevant departments of the State Council.” Measured against this regulation, it is not hard to understand that publicizing Win10’s passing of “user testing” and “security testing” may be intended to create the false impression that “Win10 Government Edition” has already passed national security review, and so open the door to its entry into government procurement.

According to the Security Review Measures for Network Products and Services issued by the Cyberspace Administration of China, cybersecurity review has strict procedures, and the third-party evaluation work within cybersecurity review must be undertaken by third-party cybersecurity review organizations uniformly recognized by the state.

In 2015, well before the joint venture between CETC and Microsoft was established, Microsoft had already produced “Win10 Government Edition.” At that time, the Security Review Measures for Network Products and Services were being drafted, and the relevant parties conducted a cybersecurity review of “Win10 Government Edition,” which it did not pass. Since then, no such review of “Win10 Government Edition” has been conducted again. Therefore, no matter what “user testing” or “security testing” it later went through, to this day it remains a product that has not passed cybersecurity review.

At that time, the experts also specifically pointed out that the subjective and objective conditions for conducting a cybersecurity review of Win10 were not currently in place, because:

1. Although China does not lack operating system experts, because Windows is proprietary software whose source code is not open, no expert outside Microsoft can be thoroughly familiar with Windows. To now expect some people who are not thoroughly familiar with Windows to make an accurate assessment, in a short period of time, of the security and controllability of a “Win10 Government Edition” with some hundred million lines of source code is obviously unrealistic.

2. To conduct a security review of a piece of software, one should at minimum obtain that software’s complete, reconstructable source code, but Microsoft has never provided the Chinese side with Windows’ complete source code, let alone made it reconstructable. And if a piece of software has millions of lines of source code that are not open, it is like a black box, and there is fundamentally no way to make an accurate assessment of its security and controllability.

Today, the situation the experts described above has not substantively changed; even if a cybersecurity review of “Win10 Government Edition” is conducted again, its difficulty has not decreased. Moreover, because the architecture of Win10 integrates trusted computing, the review needs to verify its legality and compliance with our country’s Electronic Signature Law and Regulations on the Administration of Commercial Encryption. In addition, it is also necessary to investigate the complaints by domestic and foreign information security vendors that Win10 bundles trusted computing and antivirus software and engages in unfair competition. Clearly, if “Win10 Government Edition” is to undergo cybersecurity review again, it will be a protracted matter.

In 2005 and 2014, because Vista and Win8 were not controllable, our government explicitly prohibited their purchase. Later, in 2015, Microsoft rapidly updated the version number and launched Win10. After evaluating this, several authoritative security evaluation organizations in our country concluded that “the kernels of Win8.1 and Win10 are basically the same; no large-scale changes exist, and the large jump in version number was more for the needs of commercial publicity.” (Note: the evaluation here only needed to judge whether the two were the same, and did not involve assessment of security and controllability, so it was relatively easy to carry out.)

In summary, given that Win10 is equivalent to Win8 and that “Win10 Government Edition” has not passed cybersecurity review, it is hoped that the relevant parties will pay attention, and that government procurement and use of Win10 (including “Win10 Government Edition”) should continue to be prohibited in accordance with the law.

Ni Guangnan (a member of the first class of academicians of the Chinese Academy of Engineering, who has long been devoted to indigenous and controllable core information technologies and industries, and has received lifetime achievement awards from the Chinese Information Processing Society of China and the China Computer Federation)