China policy in Trump’s new National Security Strategy: Excerpts and commentary

After a quick read of the Trump administration’s new National Security Strategy, here are several passages bearing on U.S.–China relations, along with a few comments on them. Not included are several mentions of China’s involvement in other regions of the world.

  • “Every year, competitors such as China steal U.S. intellectual property valued at hundreds of billions of dollars. Stealing proprietary technology and early-stage ideas allows competitors to unfairly tap into the innovation of free societies. Over the years, rivals have used sophisticated means to weaken our businesses and our economy as facets of cyber-enabled economic warfare and other malicious activities. In addition to these illegal means, some actors use largely legitimate, legal transfers and relationships to gain access to fields, experts, and trusted foundries that fill their capability gaps and erode America’s longer-term competitive advantages. We must defend our National Security Innovation Base (NSIB) against competitors. The NSIB is the American network of knowledge, capabilities, and people—including academia, National Laboratories, and the private sector—that turns ideas into innovations, transforms discoveries into successful commercial products and companies, and protects and enhances the American way of life.  The genius of creative Americans, and the free system that enables them, is critical to American security and prosperity” (21).
    • COMMENT: This is not just about intellectual property theft, but also about preventing “legitimate” transfers of IP to strategic rivals.
  • “While maintaining an investor-friendly climate, this Administration will work with the Congress to strengthen the Committee on Foreign Investment in the United States (CFIUS) to ensure it addresses current and future national security risks.  The United States will prioritize counterintelligence and law enforcement activities to curtail intellectual property theft by all sources and will explore new legal and regulatory mechanisms to prevent and prosecute violations” (22).
    • COMMENT: CFIUS reform has strong bipartisan support in Congress, and it is in no small part aimed at erecting or legitimizing barriers to Chinese investments that would result in IP transfer.
  • Leading language under Pillar III, “Preserve Peace Through Strength”: “A central continuity in history is the contest for power. The present time period is no different. Three main sets of challengers—the revisionist powers of China and Russia, the rogue states of Iran and North Korea, and transnational threat organizations, particularly jihadist terrorist groups—are actively competing against the United States and our allies and partners. Although differing in nature and magnitude, these rivals compete across political, economic, and military arenas, and use technology and information to accelerate these contests in order to shift regional balances of power in their favor. These are fundamentally political contests between those who favor repressive systems and those who favor free societies. China and Russia want to shape a world antithetical to U.S. values and interests. China seeks to displace the United States in the Indo-Pacific region, expand the reaches of its state-driven economic model, and reorder the region in its favor. Russia seeks to restore its great power status and establish spheres of influence near its borders. The intentions of both nations are not necessarily fixed. The United States stands ready to cooperate across areas of mutual interest with both countries. For decades, U.S. policy was rooted in the belief that support for China’s rise and for its integration into the post-war international order would liberalize China. Contrary to our hopes, China expanded its power at the expense of the sovereignty of others. China gathers and exploits data on an unrivaled scale and spreads features of its authoritarian system, including corruption and the use of surveillance. It is building the most capable and well-funded military in the world, after our own. Its nuclear arsenal is growing and diversifying. Part of China’s military modernization and economic expansion is due to its access to the U.S. innovation economy, including America’s world-class universities” (25).
    • COMMENT: This is the broadest top-level statement of Trump administration views on China. It places China alongside Russia as actors intentionally seeking to move the world away from U.S. interests. It categorizes both as challengers alongside Iran, North Korea, and terrorism. China is unmistakably situated as the most capable “challenger,” set apart from the others in this framing by technological prowess that is both impressive and illegitimately obtained.
  • “In addition, after being dismissed as a phenomenon of an earlier century, great power competition returned. China and Russia began to reassert their influence regionally and globally. Today, they are fielding military capabilities designed to deny America access in times of crisis and to contest our ability to operate freely in critical commercial zones during peacetime. In short, they are contesting our geopolitical advantages and trying to change the international order in their favor” (27).
    • COMMENT: Chinese diplomats might call this “Cold War thinking,” but it’s long been the case that U.S. strategists perceived a strategic competition between the United States and China. The irony of the Chinese accusations of a Cold War mentality has always been that Chinese strategists think that way too. This new U.S. strategy is strong on recognizing some realities of competition, but weak on assessing how today’s global economic and security environment are drastically different from earlier eras of “great power competition.” There really is a downside in depending too much on analytical tools from another era.
  • “[A]dversaries and competitors became adept at operating below the threshold of open military conflict and at the edges of international law” (27). “China, Russia, and other state and non-state actors recognize that the United States often views the world in binary terms, with states being either ‘at peace’ or ‘at war,’ when it is actually an arena of continuous competition” (28).
    • COMMENT: Lyle Morris points to the former quote as the “First instance of an NSS identifying the gray zone challenge to the U.S. Certainly not the last.”
  • “Maintaining America’s central role in international financial forums enhances our security and prosperity by expanding a community of free market economies, defending against threats from state-led economies, and protecting the U.S. and international economy from abuse by illicit actors” (34).
  • Information Statecraft: “America’s competitors weaponize information to attack the values and institutions that underpin free societies, while shielding themselves from outside information. They exploit marketing techniques to target individuals based upon their activities, interests, opinions, and values. They disseminate misinformation and propaganda. Risks to U.S. national security will grow as competitors integrate information derived from personal and commercial sources with intelligence collection and data analytic capabilities based on Artificial Intelligence (AI) and machine learning. Breaches of U.S. commercial and government organizations also provide adversaries with data and insights into their target audiences. China, for example, combines data and the use of AI to rate the loyalty of its citizens to the state and uses these ratings to determine jobs and more” (34–5).
    • COMMENT: As U.S. scrutiny of official Chinese influence operations abroad rises, here it is melded rhetorically with oblique references to both authoritarian Internet censorship and (perhaps even) Russian election interference. For obvious reasons, a deeper meditation on the Russian operations is set aside. What’s left is an allusion to the OPM hack, one to the hype-and-reality of AI/ML factors in national security, and a reference to China’s “social credit system” that conflates the government’s plans and some capabilities already installed in privately-run systems. 
  • “Today, the United States must compete for positive relationships around the world. China and Russia target their investments in the developing world to expand influence and gain competitive advantages against the United States. China is investing billions of dollars in infrastructure across the globe. Russia, too, projects its influence economically, through the control of key energy and other infrastructure throughout parts of Europe and Central Asia.  The United States provides an alternative to state-directed investments, which often leave developing countries worse off. The United States pursues economic ties not only for market access but also to create enduring relationships to advance common political and security interests” (38).
    • COMMENT: I suppose then the U.S. plan to compete with Chinese and Russian influence through investment is to just let the private sector do what it will and bet on a positive result, eh?
  • Ensure Common Domains Remain Free: “The United States will provide leadership and technology to shape and govern common domains—space, cyberspace, air, and maritime—within the framework of international law. The United States supports the peaceful resolution of disputes under international law but will use all of its instruments of power to defend U.S. interests and to ensure common domains remain free.” Protect a Free and Open Internet: “The United States will advocate for open, interoperable communications, with minimal barriers to the global exchange of information and services. The United States will promote the free flow of data and protect its interests through active engagement in key organizations, such as the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Governance Forum (IGF), the UN, and the International Telecommunication Union (ITU)” (41).
    • COMMENT: The strategy does not advocate for the ratification of the UN Convention on the Law of the Sea (UNCLOS), so I’m not sure what to make of claims that “international law” should be the framework for maritime governance. “International law” isn’t really the animating framework behind all the cyberspace institutions listed, either. 
  • Under the Indo-Pacific regional section: “A geopolitical competition between free and repressive visions of world order is taking place in the Indo-Pacific region. … Although the United States seeks to continue to cooperate with China, China is using economic inducements and penalties, influence operations, and implied military threats to persuade other states to heed its political and security agenda. China’s infrastructure investments and trade strategies reinforce its geopolitical aspirations. Its efforts to build and militarize outposts in the South China Sea endanger the free flow of trade, threaten the sovereignty of other nations, and undermine regional stability. China has mounted a rapid military modernization campaign designed to limit U.S. access to the region and provide China a freer hand there. China presents its ambitions as mutually beneficial, but Chinese dominance risks diminishing the sovereignty of many states in the Indo-Pacific. States throughout the region are calling for sustained U.S. leadership in a collective response that upholds a regional order respectful of sovereignty and independence” (45–6).
  • Action items under the Indo-Pacific regional section: “Political: Our vision for the Indo-Pacific excludes no nation. We will redouble our commitment to established alliances and partnerships, while expanding and deepening relationships with new partners that share respect for sovereign, fair and reciprocal trade, and the rule of law. We will reinforce our commitment to freedom of the seas and the peaceful resolution of territorial and maritime disputes in accordance with international law. We will work with allies and partners to achieve complete, verifiable, and irreversible denuclearization on the Korean Peninsula and preserve the non-proliferation regime in Northeast Asia. Economic: The United States will encourage regional cooperation to maintain free and open seaways, transparent infrastructure financing practices, unimpeded commerce, and the peaceful resolution of disputes. We will pursue bilateral trade agreements on a fair and reciprocal basis. We will seek equal and reliable access for American exports. We will work with partners to build a network of states dedicated to free markets and protected from forces that would subvert their sovereignty” (46).
    • COMMENT: The political vision “excludes no nation” but promises to work with “new partners that share respect for sovereign, fair and reciprocal trade, and the rule of law.” So does that include China? The economic vision promises bilateral trade agreements and a “network of states dedicated to free markets.” Given those goals, wouldn’t it make more sense to get that network together for a broader, more interoperable trade regime—say based on a modified Trans-Pacific Partnership? 
  • “We will maintain our strong ties with Taiwan in accordance with our ‘One China’ policy, including our commitments under the Taiwan Relations Act to provide for Taiwan’s legitimate defense needs and deter coercion” (46).
    • COMMENT: Taiwan was not mentioned in the Obama administration’s February 2015 National Security Strategy. For comparison, here’s the full paragraph on China from that document: “The United States welcomes the rise of a stable, peaceful, and prosperous China. We seek to develop a constructive relationship with China that delivers benefits for our two peoples and promotes security and prosperity in Asia and around the world. We seek cooperation on shared regional and global challenges such as climate change, public health, economic growth, and the denuclearization of the Korean Peninsula. While there will be competition, we reject the inevitability of confrontation. At the same time, we will manage competition from a position of strength while insisting that China uphold international rules and norms on issues ranging from maritime security to trade and human rights. We will closely monitor China’s military modernization and expanding presence in Asia, while seeking ways to reduce the risk of misunderstanding or miscalculation. On cybersecurity, we will take necessary actions to protect our businesses and defend our networks against cyber-theft of trade secrets for commercial gain whether by private actors or the Chinese government.” Other mentions in that version flagged “China’s rise” as a condition that needs to be handled and celebrated U.S.-China cooperation on climate change. The Trump document does not see the climate as a challenge, but does flag climate regulation as a barrier to energy sector success.

Chinese IT security examiner describes review process, clarifies status of Chinese government Windows edition

A public controversy among computer security experts in China has erupted over the degree of national security assessment required in general and what specifically is required by the new Cybersecurity Law and related regulations. Ni Guangnan, an academician with the Chinese Academy of Engineering and a longstanding proponent of indigenous technology in China, recently argued (in a piece translated here) that the new Windows 10 China Government Edition should not be approved for government procurement because it has not yet formally passed the new law’s national security review process. Here, Wang Jun, lead engineer of the China Information Technology Security Evaluation Center (CNITSEC) which is a third-party review organization for the Chinese government, argues that the Microsoft-CETC joint venture behind the new custom Windows edition was developed in consideration of Chinese government security priorities and therefore should be given due consideration as “secure and controllable.” Wang also provides important insights into the degree to which the nascent national security review system has already started to operate and describes in detail his view of how the process is expected to work.

The following was translated from the Chinese original by Rogier Creemers, Paul Triolo, and Graham Webster. 

Core Security Examination Expert on Calls to Suspend Use of Windows 10 China Government Edition: At This Stage, Forcing a Switchover Is Not the Best Option

Southern Metropolis Daily Original

2017-06-12 13:20

China Information Security Monitoring Centre General Engineer Wang Jun

Academician Ni Guangnan of the Chinese Academy of Engineering stated recently in a media article that the Windows 10 version for the Chinese government has not passed cybersecurity review, and should remain outside of the government procurement catalogue. What is cybersecurity review? How does this matter implement the regulatory system just established on 1 June, and what network products is it aimed at?

A Southern Metropolis Daily (SMD) journalist interviewed Wang Jun, General Engineer at the China Information Technology Security Evaluation Center (CNITSEC). Wang Jun answered these questions from an expert perspective. He indicated that cybersecurity review has its own set of triggering conditions and review procedures, and that these are identical for domestic and foreign products; there is no difference.

Wang Jun indicated that cybersecurity should be discussed in an open environment. The Chinese government version of Windows 10 may be considered as a positive trial in order to resolve the objective requirements concerning operating systems inside China at present, and raising our own technological levels and capabilities.

The general security review for Windows 10 has begun; the security review situation for the governmental version is hitherto not understood.

SMD: Has the Chinese Government version of Windows 10 undergone security review?

Wang Jun: The forerunner of the Chinese Government version of Windows 10 is the common version of Windows 10, it is a commercial product of Microsoft, and is the common version distributed worldwide. As I understand it, our country has already started its cybersecurity review (hereafter named security review) of the common version of Windows 10. CNITSEC is designated by the Cyberspace Administration of China, and has undertaken third-party evaluation work of the common version of Windows 10; but at present, I have not seen a decision by the controlling department concerning whether it passed or not.

With regard to whether the governmental version of Windows 10 is on the way towards cybersecurity review, I have not yet heard about the circumstances in this matter.

SMD: And what is the result of the third-party evaluation by CNITSEC of the common version of Windows 10?

Wang Jun: We have major conclusions in two areas: the first is that we have discovered that in comparison with Win8, Win7 and earlier operating systems, the security functions in Windows 10 have been improved substantially. Second, a number of security risk points still exist, in fact, in the common version of Windows 10. According to the work agreement, we are not yet able to reveal details.

SMD: Security review has only been determined by law in the past few years, did we have similar work before this?

Wang Jun: The cybersecurity review system was only finally established in 2016, but before that, similar work actually had been begun.

In 2003, the National Development and Reform Commission authorized CNITSEC to act as a national monitoring body, and represented China in concluding a Government Security Program agreement for source code inspection with Microsoft; this is a multilateral agreement, and Microsoft has concluded GSP agreements with many countries. Considering that a fair few national governments have security concerns with Microsoft operating systems, Microsoft agreed to, through the GSP program, open up source code on a small scale and with secrecy protection, but because this involved intellectual property protection, it only took place on a small scale, and did not turn into open source. Microsoft, from its side, exhibited a positive attitude, and where we were concerned, this added a channel for understanding.

GSP is an agreement in which both sides are equal, and security review means that when there are risks in a product that may influence national security, we represent the country in conducting a review, and the scope of security review may be broadened.

SMD: Some experts say Windows 8 and Windows 10 use trustworthy technology; will this mean manufacturers have a strong controlling power over operating systems?

Wang Jun: I basically agree with this point of view. In the common Windows 10 operating system, the manufacturer has a very strong controlling power over the system. But the strengthening of this sort of controlling power may have a double-edged sword effect. If it is especially strong, it possibly may mean that user controllability over this system is weakened; on the other hand, if user controllability over operating systems is extremely strong, hackers can equally have these kinds of capabilities, and in this kind of situation, it may also bring new security risks. Because of that, we need to find a point of balance.

Where China is concerned, the common version of Windows 10 is not a complete black box.

SMD: So where the Chinese government is concerned, Windows 10 is not a black box after all, right?

Wang Jun: Right. According to the GSP agreement, Microsoft has provided an opportunity to review source code, but as to what the details are that come up in review, these may only be made public with the agreement of both sides.

In the national security review process of the common version of Windows 10, our center has undertaken third-party evaluation work, in Beijing. It has also inspected and verified the source code of the common version. Furthermore, the scope of its review and verification of source code is broader than under the original GSP agreement.

SMD: Can one guarantee security through inspecting source code?

Wang Jun: Between conducting source code inspections and coming to a conclusion whether a product is safe or not, there is a lot of technical work that needs to be done. One cannot simply say that “I give you the source code to look at and so it is absolutely safe,” one should also not simply believe that technological monitoring means going through source code line by line. 

SMD: What technical methods are required to reach a determination of security?

Wang Jun: Source code security examination is in fact one of the methods for the third-party evaluation part of cybersecurity review or information security evaluation, but it is not the only method. Determining the security of network products is a comprehensive process requiring multiple methods. For instance, monitoring program behavior in the real work environment is one evaluation method, as is reverse engineering of executable files.

There are also international common criteria (CC) for security examination of network products (if operating systems are considered a kind of product). CC are also an important reference indicator for our Evaluation Center’s product security evaluation.

Operating system source code can run as long as 100 million lines. How much to look at, what part to look at, and how to judge the code are decided according to objectives of the technology evaluator in the third party evaluation process. Reading every single line is perhaps ideal, but doing so would require an enormous amount of time and resources. On the other hand, from the perspective of a technology evaluator’s methods, looking at every line may not be necessary. But as evaluators we ask for 100 percent of the source code and then, starting from a foundation of analyzing the program’s structure and how it integrates with the user’s machine, we decide which modules specifically require examination and verification.

Cybersecurity reviews must be triggered by someone, and they do not separate domestic from international.

SMD: Are national cybersecurity reviews the same thing as “user testing” and “security testing”?

Wang Jun: Simply put, security reviews and technological evaluation or user evaluation are not the same thing. In the process of security review, however, technology evaluation or user evaluation may be included. Security reviews are about the possibility of network products and services influencing national security.

According to the Security Review Measures for Network Products and Services, the security review process must first be triggered, and the measures clearly enumerate several conditions for triggering. One is if relevant national authorities believe a type of product or service requires cybersecurity review. Two is if national trade associations recommend security review. Three is if the market reflects that it must be done. We believe the market includes the masses, users, etc.

As soon as someone suggests security review, a legally determined work procedure must be undertaken. This work procedure should be defined ahead of time by the competent national department. Security review is serious and important work that cannot be taken lightly and executed at a word; it requires a work procedure and official confirmation before beginning.

SMD: What is the work procedure for national cybersecurity reviews?

Wang Jun: In my understanding of the relevant laws and regulations, once it is initiated, there are several steps. First, a third-party evaluation organization appointed by the competent department undertakes objective evaluation of the network product or service for requirements such as security, controllability, reliability, data validation (材料的真实性), user control of the product, etc.

At the same time, there is another set of work, for instance relevant examinations, background investigations, determination of whether there is any unfair competition or influence on the national economy and market. This comprehensive investigation can take place at the same time.

Once the technology evaluation and comprehensive investigation are complete, the results are submitted to a committee of experts for opinions, independent examination, and judgment. The competent organ finally determines whether review has been passed. It cannot listen only to one side’s opinion, so it asks a high-level experts’ committee to submit judgment and opinions. We are all responsible for our own conclusions and work independently.

Finally, the cybersecurity review office synthesizes the views and reports up to the cybersecurity review committee, which issues the result of the security review.

SMD: Does national cybersecurity review only target foreign network products?

Wang Jun: According to my understanding of the spirit of the Cybersecurity Law, the cybersecurity review does not distinguish between domestic and foreign, cybersecurity review does not have a nationality preference, and it’s not the case that foreign things are all examined while domestic things are not.

I believe that it doesn’t matter if it’s Microsoft’s general use edition of Windows, the joint venture C&M Information Technology Co.’s Windows 10 China Government Edition, or another Chinese-made operating system. If the product needs to undergo relevant security review, according to the law- and regulation-decided procedure, they can all go through cybersecurity review. The legal requirements are the same.

Once technological evaluation or security investigation begins, the procedure, standards, and requirements are the same. Of course, different product circumstances may determine different emphases, but on the whole the requirements are the same.

“Developing Windows 10 China Government Edition was a kind of attempt”

SMD: Many people believe a Chinese operating system should replace [Windows]. As an expert, do you agree with this view?

Wang Jun: My own personal view is that our country has a portion of professions and fields that at this stage objectively need to use the Windows platform. Technologically, Windows is in some ways advanced, and it has formed an ecosystem. Many of our applications have developed a certain extent of dependency on the Windows system, and without saying whether this dependency is rational, it’s an objective fact. I understand that some professional users, including some in critical information infrastructure areas, would have difficulty simply switching to a non-Windows operating system.

Thus under these conditions, forcing switchover to non-Windows systems is not necessarily the best choice.

On the other hand, in the open environment, if we can ensure security and controllability of a piece of advanced foreign technology, we can at least say there’s no need to exclude it or decide not to use it.

SMD: How do you view Windows 10 China Government Edition?

Wang Jun: Windows 10 China Government Edition was jointly developed by China Electronics Technology Group (CETC) and Microsoft, and the C&M Information Technology Co. was set up with CETC holding 51% of shares and Microsoft holding 49%. According to my understanding, in their cooperation, Microsoft is willing to open source code under the condition that intellectual property is protected. I believe developing Windows 10 or another later government-use edition in this method is a positive and meaningful attempt.

We understand the goal of this method is to try to give government and critical information infrastructure users an improved edition that suits Chinese users’ security requirements better than the general edition. This is a way to explore new solutions to problems at this stage. I think it’s something to look forward to.

SMD: Do you think that developing a Windows 10 Chinese government version and developing a domestic operating system is not contradictory?

Wang Jun: The R&D of a domestic operating system, plus the time required to put one into use and package this to form an ecological environment, requires a certain amount of time.

The use of the Windows 10 China Government-specific version, and the R&D and vigorous promotion of the application of a domestic operating system, including the construction of an ecological environment, can be carried out in parallel. In deciding whether or not to implement this parallel situation, it may well be worth considering the issue in terms of improving the degree of control over China’s cybersecurity, and the actual needs of users. We should allow this attempt in a tolerant manner.

Of course, this is for government departments and critical information infrastructure users. Other social users, and business users, must decide according to their own needs what kind of operating system to use.

“A domestic system does not mean that it must be secure”

SMD: For domestic operating system security issues, what are your views? Is a domestic operating system secure?

Wang Jun: From a security point of view, domestic systems have some advantages compared to some foreign systems, but we cannot simply think that a domestic system must be secure. There are several reasons for this. First of all, any product has vulnerabilities, and vulnerabilities are a fundamental problem of cybersecurity; there is no certain security situation.

Second, some of our own domestically produced systems can be more reassuring in some aspects of security than foreign products; for example, we do not have to worry about deliberate or passive implantation of malicious programs by the designer. But we may have gaps in terms of other aspects of security compared with other people, such as our understanding and mastering of security issues and anti-attack capabilities; there may be areas in which we are not sufficient. The question of security is a comprehensive consideration.

Third, some equipment may be OEM'd abroad (the original design is from abroad, and we just obtained the production license), and some domestic systems use open source software; but because of OEM and open source themselves, domestic systems may also carry security issues.

Moreover, because of the special nature of open source systems, there is no manufacturer, so there may be a situation where vulnerabilities exist and no one solves them. Taking these factors together, we cannot simply say that domestic network products must be secure.

SMD: So, do you think the Windows 10 China Government Edition requires a complete network review?

Wang Jun: As I just said, network products and services, whether domestic or foreign, whether it is a domestic firm or a joint venture, are also required, in accordance with relevant national laws and regulations, to carry out the necessary security assessment, or even a security review. The Windows 10 China Government Edition should also be no exception. Of course, starting a security review requires things to be done in accordance with the relevant legal procedures. If the conditions for triggering a security review are met, then in accordance with the legal procedures it is possible to conduct a cybersecurity review.

SMD: Is it not the government procurement of critical information network infrastructure that requires conducting a cybersecurity review? So are the security review and government procurement naturally bound together as one?

Wang Jun: As far as I know, the two are not naturally bound together. Government procurement also has its own procedural requirements. In the Cybersecurity Law, there is a provision for procurement that states that “network products or services that have not passed a security assessment or security review” may not be purchased. We should pay attention to the understanding of “have not,” which should be understood as “should undergo but did not undergo a cybersecurity review.”

Therefore, according to the current law, I think it is clear that if a product did not pass a security review, and clearly announced that it did not pass, it cannot be entered into the procurement directory.

SMD: The current technical testing for security usually tests only a sample, so how can we ensure that each computer operating system is secure?

Wang Jun: Our current testing methods are concerned with two aspects, dynamic and static, but we are limited by current technology and methods, and there is more of a focus on the static state. We are responsible for certain samples and security conclusions at a given point in time, but these are not permanent, and it is difficult to achieve permanent security testing. However, the evaluation agency will try to make up for the relevant deficiencies, such as through continuous monitoring, online monitoring, or testing methods that strengthen the understanding and mastery of the dynamic security situation.

SMD: Some people worry about the security of foreign products, fearing incidents such as described by Snowden. Is this not justified?

Wang Jun: This concern is reasonable—no one dares to say no. This is one of the reasons we have always stressed security and controllability. But we should not ask for absolute security, just as we do not stop driving a car because of the risk of traffic accidents. In fact, we also have a certain degree of anti-risk ability: through our work, we improve the security and controllability of foreign products so that the risk is reduced to an acceptable level. Then we can use foreign advanced products.

Southern Metropolis Daily reporter Wu Bin from Beijing

Ni Guangnan: China should suspend purchases and use of Windows 10 China Government Edition pending security review (translation)

(Chinese original follows)

See also related items: “Core security review expert responds to the proposal to ban Windows 10 Government Edition: forcibly switching systems at this stage is not the best option” (核心安全审查专家回应Windows10政府版被建议禁用:现阶段强行切换系统并非最佳选择) and “Ni Guangnan blasts Win10 Government Edition for not passing review; Microsoft partner responds” (倪光南炮轰Win10政府版没过审查 微软合作方回应)

*  *  *

The Government Should Suspend Purchase and Use of Windows 10 Government Edition

By Ni Guangnan

Southern Metropolis Daily, June 8, 2017, Page: AA15

A few days ago, Microsoft Greater China CEO Alain Crozier said the China Government Edition of Windows 10, produced according to the “secure and controllable” principle, had already undergone user testing at three major enterprises, proving that it is reliably secure and thus ready for wide deployment. Reports followed saying “Windows 10 Government Edition Has Completed Domestic Security Testing.” People should ask: Why are they making a big deal out of Windows 10 passing “user testing” and “security testing”?

As everyone knows, China’s Cybersecurity Law has officially gone into effect. It requires: “Critical information infrastructure operators purchasing network products and services that might impact national security shall undergo a national security review organized by the State cybersecurity and Informatization departments and relevant departments of the State Council.” In contrast to this regulation, it’s not difficult to see that claiming Windows 10 passed “user testing” or “security testing” is probably designed to create the false impression that Windows 10 Government Edition has already passed “national security review,” in order to open the door to government procurement.

According to the Security Review Measures for Network Products and Services issued by the Cyberspace Administration of China, cybersecurity review has strict procedures, for instance requiring third-party evaluation by a nationally recognized cybersecurity review organization.

In 2015, before the establishment of the joint venture between China Electronics Technology Group Corporation (CETC) and Microsoft, Microsoft issued Windows 10 Government Edition. At that point, the Security Review Measures for Network Products and Services were being drafted, and on related aspects Windows 10 Government Edition underwent a round of cybersecurity review and did not pass. Since then, Windows 10 Government Edition has never again undergone this kind of review. No matter what kind of “user testing” or “security testing” it later went through, therefore, it still has not passed cybersecurity review.

Experts specifically point out that Windows 10 has subjectively and objectively not passed cybersecurity review, because:

(1) Although China does not lack operating system experts, because Windows is closed-source, proprietary software, no expert outside Microsoft can be fully familiar with it. It is not realistic, then, to rely on a few experts not fully familiar with Windows to accurately estimate the security and controllability of Windows 10 Government Edition with only a short period in which to examine 100 million lines of source code.

(2) Undertaking security review of software at minimum requires access to the software’s refactorable (可重构的) and complete source code, but Microsoft has never provided China with Windows’ complete source code, let alone allowed it to refactor. If a piece of software has millions of lines of non-open source code, it is like a black box, and there is fundamentally no way to accurately estimate its security and controllability.

Today, no substantive change has resulted from experts making the above points. Even if Windows 10 Government Edition again undergoes cybersecurity review, the degree of difficulty will not decrease. Furthermore, because the structure of Windows 10 incorporates trustworthy computing, reviewing it requires verifying that it complies with the Electronic Signature Law (电子签名法) and the Provisions on the Administration of the Use of Commercial Encryption Products (商用密码管理条例). Additionally, it requires surveying how domestic and international information security firms integrate trustworthy computing and antivirus software with Windows 10 and deal with the issue of unfair competition. Clearly Windows 10 Government Edition must again undergo cybersecurity review in what will be a protracted process.

In 2005 and 2014, because Windows Vista and Windows 8 were not controllable, the government ordered a halt of purchases. In 2015, Microsoft quickly updated editions and released Windows 10. Several authoritative Chinese security evaluation organizations concluded that, “the Windows 8.1 and Windows 10 kernel are basically the same, there were not more substantial changes, and to a great extent the upgrade was for the sake of commercial publicity.” (This evaluation only determined whether the two editions were the same and did not touch upon security and controllability estimation, and so it was relatively easy to complete.)

In conclusion, seeing that Windows 10, Windows 8, and Windows 10 Government Edition have not passed cybersecurity review, relevant issues will hopefully be given attention, and government procurement and use of Windows 10 (including Windows 10 Government edition) should be prohibited according to law.

Ni Guangnan, a member of the first class of academicians of the Chinese Academy of Engineering, is devoted to indigenous and controllable core information technologies and industries, and has received lifetime achievement awards from the Chinese Information Processing Society of China and the China Computer Federation.

Translated by Graham Webster.

The Government Should Be Advised to Stop Purchasing and Using “Win10 Government Edition”

Source: Southern Metropolis Daily, June 8, 2017, Page: AA15, Author: Ni Guangnan

Open Column

A few days ago, Microsoft Greater China CEO Alain Crozier stated that the China Government Edition of Win10, built on the “secure and controllable” principle, is in preparation for market sale, that this edition of Win10 has already passed user testing at three large enterprises, proving that the system has reliable security, and that large-scale deployment will follow. Reports then echoed this, saying “Win10 Government Edition has completed security testing in China.” People should ask: why are they so loudly publicizing that Win10 passed “user testing” and “security testing”?

As everyone knows, China’s Cybersecurity Law has formally gone into effect. It requires that “where operators of China’s critical information infrastructure purchase network products and services that might affect national security, these shall pass a national security review organized by the State cybersecurity and informatization department together with relevant departments of the State Council.” Measured against this regulation, it is not hard to understand that publicizing Win10’s passing of “user testing” and “security testing” may be intended to create the false impression that “Win10 Government Edition” has already passed national security review, thereby opening the door to its entry into government procurement.

According to the Security Review Measures for Network Products and Services issued by the Cyberspace Administration of China, cybersecurity review has strict procedures, and the third-party evaluation work within a cybersecurity review must be undertaken by third-party cybersecurity review institutions uniformly recognized by the state.

In 2015, before the joint venture between CETC and Microsoft was established, Microsoft had already produced “Win10 Government Edition.” At that time, the Security Review Measures for Network Products and Services were being drafted, and the relevant parties conducted a cybersecurity review of “Win10 Government Edition,” which it did not pass. Since then, no such review of “Win10 Government Edition” has been conducted again. Therefore, whatever “user testing” or “security testing” it later underwent, it remains to this day a product that has not passed cybersecurity review.

At that time, experts also specifically pointed out that the subjective and objective conditions for conducting a cybersecurity review of Win10 were not in place, because:

(1) Although China does not lack operating system experts, because Windows is proprietary software whose source code is not open, no expert outside Microsoft can be thoroughly versed in Windows. To now expect some people who are not thoroughly versed in Windows to accurately evaluate, in a short time, the security and controllability of a “Win10 Government Edition” whose source code runs to 100 million lines is clearly unrealistic.

(2) To conduct a security review of a piece of software, one should at minimum obtain the software’s complete, reconstructable source code, but Microsoft has never provided the Chinese side with the complete source code of Windows, let alone made it reconstructable. If a piece of software has millions of lines of source code that are not open, it is like a black box, and there is fundamentally no way to accurately evaluate its security and controllability.

Today, the situation described by the experts has not substantively changed; even if “Win10 Government Edition” were to undergo cybersecurity review again, the difficulty would not be any less. Moreover, because the architecture of Win10 integrates trusted computing, a review would need to verify its legality and compliance with China’s Electronic Signature Law and Regulations on the Administration of Commercial Encryption. In addition, it would be necessary to investigate the complaints of domestic and foreign information security vendors that Win10 bundles trusted computing and antivirus software and engages in unfair competition. Clearly, if “Win10 Government Edition” is to undergo cybersecurity review again, it will be a protracted affair.

In 2005 and 2014, because Vista and Win8 were not controllable, China’s government expressly prohibited their procurement. Later, in 2015, Microsoft rapidly updated the version number and launched Win10. Several authoritative Chinese security evaluation institutions assessed this and concluded that “the kernels of Win8.1 and Win10 are basically the same, there is no large-scale change, and the major jump in version number was more for the needs of commercial publicity.” (Note: the evaluation here only needed to determine whether the two are the same, and did not involve assessing security and controllability, so it was relatively easy to carry out.)

In sum, given that Win10 is equivalent to Win8 and that “Win10 Government Edition” has not passed cybersecurity review, it is hoped that the relevant parties will pay attention and, in accordance with the law, continue to prohibit government procurement and use of Win10 (including “Win10 Government Edition”).

Ni Guangnan (a member of the first class of academicians of the Chinese Academy of Engineering, long devoted to independent and controllable core information technologies and industries, and recipient of lifetime achievement awards from the Chinese Information Processing Society of China and the China Computer Federation)

China’s ‘New world order’? What Xi Jinping actually said about guiding international affairs

Quartz reported yesterday that Chinese President “Xi Jinping has vowed for the first time that China should take the lead in shaping the ‘new world order.’” While Xi’s speech is worthy of attention, this eye-catching framing of his remarks and some of the online discussion among observers may have gone too far.

Xi spoke at a seminar on national security, and Quartz points to a typical Xinhua paraphrased summary of the speech and a commentary on a Central Party School-linked website that includes direct quotes.

Taken as a whole, the documents do not so far indicate a strong statement that China’s government has decided to attempt leadership of a “new world order.”

First, the connotation of a new world order in English has a radical character that is not necessarily present in the Chinese 国际新秩序, which could more soberly be translated as “new international order.” (Tangentially, here’s an aging compilation of People’s Daily forum posts on “China’s rise and a new international order.”)

Second, Xi did not unambiguously say China would lead the new international order, but instead said it must “guide international society to collectively shape a more just and rational new international order.” While the Chinese term  引导 can be translated as “lead,” there are several other words Xi could have used if that meaning were really intended; thus as Quartz also translates it elsewhere in the article, “guide” is probably more appropriate.

Third, Xi’s other reported remarks significantly clarify his intended meaning. In the following quote (with my translation) from the commentary, he explicitly echoes the Chinese government’s standard position that its goal is not to replace the existing order but instead to affect its reform and development:

About the international order, Xi Jinping said: “Reforming and perfecting the existing international system does not mean starting over. It means pushing it to develop in a more just and rational direction. China’s Belt and Road and Asian Infrastructure Investment Bank initiatives are both open, transparent, inclusive, and beneficial to relevant countries’ economic development, employment, and poverty alleviation. And they welcome positive participation by other parties including the United States.”

None of this is to say China’s government will not seek to increase its international status and comparative leadership power. The Quartz article was also right to draw attention to these remarks, including the new “two guides” formulation (see below). Still, Xi Jinping’s remarks and actions so far during this period of deep uncertainty about U.S. policy and the fate of the European Union, while worthy of close attention, do not constitute a declaration of China’s intention to reshape the international system.

Although the polished words of top leaders by no means reveal every level of a government’s intentions, “the two guides” in fact suggest a mixed role for China: participant, defender (especially in international security), and proactive reformer in the existing international system:

On February 17, at a seminar on national security work, Xi Jinping said: “[China] must guide international society to collectively shape a more just and rational new international order” and “guide international society to collectively safeguard international security.”

* * *

My hasty translations of the other direct quotes in the commentary follow:

Xi Jinping said: “China is a participant in, builder of, and contributor to the current international system, of which it is also a beneficiary.”

Xi Jinping said: “Today’s world is a changing world, a world of constantly emerging new opportunities and new challenges, a world of profound adjustments in the international system and international order, a world of profound changes in comparative power among countries, a world changing toward beneficial peace and development.”

Xi Jinping said: “Humanity stands at a moment of great development, great change, and great adjustment, an era of constantly emerging challenges and multiplying risks. Looking back at the past 100-plus years of history, the common wish of humanity has been peace and development. The universe has only one Earth, and humanity has only one home. It is every people’s hope and the charge of statesmen of our time to pass the torch of peace from one generation to the next, to ensure the steady flow of development, and to let the radiant light of civilization shine. China’s project is to construct a human community of common destiny and achieve common gain and common enjoyment.”

U.S.–China Week: Trump staffing, first contacts, early uncertainty, Cybersecurity Law (2016.11.14)

Welcome to issue 77 of U.S.–China Week. A week ago, I argued that “a Donald Trump win would at minimum drastically raise uncertainty in the U.S.–China relationship and could easily throw it into economic and security crisis as a consequence of that uncertainty.” (I also predicted “some level of economic turmoil … immediately upon a Trump win.” Instant accountability: Turmoil has in fact been very minor so far—a fact I will take as an inaugural caution about making predictions in a Trump era.) Then, I promised that I would “return to regular programming” this week. So today I move back toward regular programming in that I will not directly address U.S. domestic conditions in this forum. Instead, I will focus on the uncertainty Trump’s win delivered as promised in U.S.–China relations and some of the small areas of added information we have gained since Wednesday morning, when I compiled an early “Trump-China Reading List, and Unanswered Questions for his Asia Policy” for the Lawfare blog. That list includes material that emerged before the election, and there has been a great deal published since, despite limited new information. Maura Cunningham put together a great initial round-up of commentary.

As always: Please encourage friends and colleagues to subscribe to U.S.–China Week. Here is the web version of this issue, ideal for sharing on social media. You can also find U.S.–China Week on Medium and on Facebook, and you can follow me on Twitter at @gwbstr. And please send your comments, quibbles, and suggestions to [email protected].

FIRST CONTACT
Xi and Trump speak by phone after questions about missing phone call

President Xi Jinping sent a “congratulatory message” to President-elect Trump on Wednesday, saying he looks forward to “push[ing] bilateral relations for greater progress at a new starting point.” In response to questions about Trump proposals for a 45 percent tariff on Chinese imports, a Foreign Ministry spokesperson said, “I believe that any US politician, if he takes the interests of his own people first, will adopt a policy that is conducive to the economic and trade cooperation between China and the US.” Later, after WSJ reported that Trump said he had spoken to “most leaders, though he hadn’t yet spoken with” Xi, Xinhua reported that Trump and Xi discussed U.S.–China relations on Monday. According to Xinhua, Trump “thanked Xi for the congratulations and said that he agreed with Xi on his views about U.S.-China relations. China is a great and important country with eye-catching development prospects, said Trump. The United States and China can achieve win-win results featuring mutual benefits, he added.”

ANALYSIS: These news items give us very little, and it appears the Chinese government is in a wait-and-see mode, but we might as well keep track of whether Chinese officials again use the term “new starting point” and whether Trump makes a habit of hyping potential “win-win” deals.

PERSONNEL
Unusual pool for Asia advisers after establishment denunciations; policy direction unclear or uncharted

A great deal of speculation has surrounded the question of who might take on important positions for Asia policy. The economist Peter Navarro has long been one of the most visible Asia-oriented Trump policy advisers. The day before the election, he co-authored a Foreign Policy article arguing the Obama era’s “pivot” was merely speaking loudly and arguing for carrying a larger stick. “Trump will steadfastly pursue a strategy of peace through strength, an axiom of Ronald Reagan that was abandoned under the Obama administration,” the article said, adding support for dozens more naval ships and calling for South Korea and Japan to share more costs for regional security. Alexander Gray, Navarro’s co-author here, is a former adviser to Rep. Randy Forbes, leader of the House China Caucus and an advocate for naval procurement who lost his primary in Virginia after redistricting and has been discussed as a likely secretary of the Navy. A BuzzFeed article based on a list provided by a “source close to the campaign” also named former Senator Jim Talent, currently a member of the U.S.–China Commission, former State Department official Randy Schriver, and think-tanker Elbridge Colby, whose bio says he has worked on U.S.–China nuclear weapons issues. James Woolsey put himself in the public eye as a Trump adviser with a SCMP op-ed saying he can “see the emergence of a grand bargain in which the US accepts China’s political and social structure and commits not to disrupt it in any way in exchange for China’s commitment not to challenge the status quo in Asia. It may not be a spoken agreement but a tacit understanding that guides the relations in the years to come.” (The same quote appears in a China Daily report before the election based on a conference appearance.) The Hill reports that James Jay Carafano is working on the State Department transition. FT reports that “Dan DiMicco, the former chief executive of steel company Nucor and a longtime advocate of a tougher US line on China, is the point person on trade in Mr Trump’s transition team.” Michael Pillsbury, a veteran defense analyst known to many in the field as a China hawk, has been identified as an adviser to the transition.

“What percentage of the qualified national security establishment has refused to work for Mr. Trump? I would guess it’s at least half,” Pillsbury told Bloomberg. Among the many Republican Asia policy experts who have signed public letters opposing Trump are several we might have expected to see on another Republican president-elect’s radar: Michael Auslin, Daniel Blumenthal, Aaron Friedberg, Paul Haenle, and others. Eight even said they would vote for Clinton: James Clad, Patrick Cronin, Charles Dunne, Michael Green, Frank Lavin, Robert Manning, Anja Manuel, and Peter Watson.

ANALYSIS: We have no real idea who will play what role in shaping U.S. policy toward China and the Asia-Pacific. That includes Trump’s role and his inclinations. In my “reading list” from Wednesday, I recount many of the campaign statements he and his affiliates made, but those statements often conflict both before the election and with further statements afterward. Even the post-election statements we have seen need to be regarded with skepticism, because people are likely angling for positions. At the most basic level, it is too early to tell what the world should expect. (Thus although there have been at least a dozen reasonable speculative articles about a potential Trump China policy, I’m not processing them here, because I want more information before we start evaluating predictions.) As a Chinese oil industry source tells the WSJ, “Nobody knows what he’ll do.”

FINALE
Abe to meet Trump on way to APEC meeting in Lima, where Obama faces regional leaders in final summit

Reuters reports: “U.S. President-elect Donald Trump’s meeting next week with Japanese Prime Minister Shinzo Abe may mark the start of talks to garner Japan’s support for a push back against China’s growing influence in Asia, a security adviser to Trump said. … The Trump adviser said the president-elect would want to allay any ‘unfounded’ concerns Abe may have and affirm his commitment to their countries’ security alliance.” The Trump-Abe meeting is set for Thursday. / Meanwhile, President Barack Obama is preparing for the Asia-Pacific Economic Cooperation summit in Lima this weekend. National Security Adviser Susan Rice wrote in The National Interest a restatement of Obama administration views on the Asia-Pacific: “This APEC summit will be President Obama’s last, but it cannot and will not be the end of American engagement with the region. … Our interests in the region are enduring. Our commitment must be as well.” There, as U.S. commitment to the TPP appears finished for the foreseeable future and likely for good, China is expected to press trade priorities including the Regional Comprehensive Economic Partnership (RCEP) and the long-discussed but nascent APEC-wide Free Trade Area of the Asia-Pacific (FTAAP).

CYBERSPACE
China passes new Cybersecurity Law; U.S. businesses concerned

An item authored by former U.S. Trade Representative Charlene Barshefsky and colleagues at the law firm WilmerHale notes: “Drafts of the Cybersecurity Law had raised significant concerns in the international business community, due to provisions with the potential to restrict market access such as data localization requirements, national security reviews for ICT products and services, and data retention and sharing requirements. The final draft is largely consistent with previous drafts, although the provisions of the Law are cast broadly, and it will be up to the State Council, Cybersecurity Administration of China, and other government bodies to issue implementing rules in the months and years ahead (in addition to related rules that are already in place). The Cybersecurity Law itself will take effect June 1, 2017.” The translated full text of the new law is available with notes on changes since the last draft at China Law Translate. At Lawfare, Christopher Mirasola notes several areas of concern for foreign firms, many of which are rooted in the ambiguities of the law as written (while awaiting more detailed regulations and evidence of how enforcement will be practiced).

#USChinaWeek1966
’19 Experts on Asia Are Named by Rusk As Advisory Panel’

“WASHINGTON, Nov. 10 (AP)—Secretary of State Dean Rusk named today a 19-man advisory panel on East Asian and Pacific Affairs headed by Prof. Edwin O. Reischauer of Harvard, former Ambassador to Japan. The new Group: Edwin O. Reischauer, former Ambassador to Japan and now a professor at Harvard; John M. Allison, former Ambassador to Indonesia, director of the Overseas Career Program, University of Hawaii, Honolulu; Hugh Borton, president of Haverford (Pa.) College; Claude A. Buss, associate of history, Stanford University; Russell G. David, associate director, Center for Studies in Education and Development, Harvard University; Russell H. Fifield, professor of political science, University of Michigan; Caryl Haskins, president of the Carnegie Institution of Washington; Alice Hsieh, China expert, Rand Corporation, Santa Monica, Calif.; Walter H. Judd, former Representative and medical missionary to China; Lucien W. Pye, professor of political science, Center for International Studies, Massachusetts Institute of Technology; A. M. Rosenthal, former foreign correspondent and now metropolitan editor for The New York Times; Dr. Howard A. Rusk, contributing editor of The New York Times; president of the World Rehabilitation Fund and director of refugee and health projects for Korea and Vietnam; Robert A. Scalapino, China expert and chairman of the political science department, University of California; Arch T. Steele, journalist, Portal, Ariz.; George E. Taylor, director of the Far Eastern and Russian Institute, University of Washington; Frank N. Trager, professor of international affairs, New York University; Robert E. Ward, professor of political science, University of Michigan; Clifton Wharton Jr., acting executive director, the Agricultural Development Council, Inc., New York; Kenneth T. Young, former Ambassador to Thailand, now president of the Asia Society, New York.”

(Source: The New York Times. This entry is part of an ongoing feature of U.S.–China Week that follows U.S.–China relations as they developed in another era of change and uncertainty, 50 years ago.)

ABOUT U.S.–CHINA WEEK

U.S.–China Week is a weekly news and analysis brief that covers important developments in U.S.–China relations and features especially insightful or influential new policy analysis.

Graham Webster is a senior research scholar, lecturer, and senior fellow of the Paul Tsai China Center at Yale Law School, where he specializes in U.S.–China diplomatic, security, and economic relations through research and Track II dialogues. His website is gwbstr.com.

Disclaimer: Opinions expressed here are my own (and I reserve the right to change my mind).

Subscription to U.S.–China Week by clicking here or e-mailing me is free and open to all, and an archive of past editions appears at my long-running website on East Asia and the United States, Transpacifica.

Contact: Follow me on Twitter at @gwbstr. Send e-mail to [email protected].