U.S.–China Week: First ‘D&SD’ this Wednesday, DPRK pressures, CFIUS changes, cybersecurity reviews, trade talks (2017.06.19)

Welcome to Issue 103 of U.S.–China Week. This Wednesday brings the first meeting of the new partial replacement for the Strategic and Economic Dialogue (S&ED), the Diplomatic and Security Dialogue (D&SD). It will take place in Washington, with the United States represented by Secretary of State Rex Tillerson and Secretary of Defense Jim Mattis. The Chinese delegation will be chaired by State Councilor Yang Jiechi, with Chief of the PLA Joint Staff Department Gen. Fang Fenghui “also attending,” according to the Foreign Ministry.

Tillerson had said in May that “so far it appears we will get people at the Politburo level and at much higher levels of the government within China to participate in these dialogues.” Compared with the S&ED, the D&SD is minus-one Politburo member (Vice Premier Wang Yang, who led the economic track) but plus-one high-level PLA officer. Still, Fang is outranked on the Central Military Commission by its Vice Chair Gen. Fan Changlong, who is a Politburo member and was framed as counterpart to the U.S. secretary of defense during a 2015 U.S. visit. It will be interesting to see what if any detailed outcome documents emerge this week, and how U.S. and Chinese messaging either harmonize or conflict. Of course, there is also the question of alignment between President Donald Trump and his cabinet secretaries.

As always: Please encourage friends and colleagues to subscribe to U.S.–China Week. Here is the web version of this issue, ideal for sharing on social media, and you can follow me on Twitter at @gwbstr. Please send your comments, quibbles, and suggestions to [email protected].

U.S. national security reviews could tighten for Chinese investments with proposed CFIUS changes

If a proposal to change the way the U.S. government reviews foreign investments for security concerns is implemented, China might be added to a list of countries deemed deserving of increased scrutiny, Bloomberg reported. Senator John Cornyn’s proposal would reshape the Committee on Foreign Investment in the United States (CFIUS), the body that approves, denies, or requires changes in foreign acquisitions for national security reasons. From Bloomberg: “Cornyn’s legislation would require CFIUS to create a list of countries whose companies merit extra scrutiny, such as China, a [Cornyn] spokeswoman said. The bill would also broaden the scope of the committee to include technology joint ventures and real estate transactions near military bases or other national security facilities, she said.” At present, only when a foreign entity gains a controlling stake in a U.S. firm may CFIUS review the transaction. Bloomberg also reported that Treasury Secretary Steven Mnuchin is pushing changes to CFIUS, which he chairs, and wishes to include China on a new list of what the report called “hostile nations.”

Reuters reported that an unreleased Pentagon report “warns that China is skirting oversight and gaining access to sensitive technology through transactions that currently don’t trigger CFIUS review.” Mattis called CFIUS “outdated,” and a Cornyn aide told Reuters the proposed bill would provide a mechanism for the Pentagon to lead efforts to identify specific technologies that require extra focus. Of particular concern, according to Reuters sources, is artificial intelligence and machine learning technology, and the risk that, “When the Chinese make an investment in an early stage company developing advanced technology, there is an opportunity cost to the U.S., since that company is potentially off-limits for purposes of working with the [Department of Defense].” Foreign Ministry spokesperson Lu Kang said, “We believe there should not be undue political dimensions imposed on commercial takeovers, let alone political intervention.” / Meanwhile: The U.S. Department of Energy said it would invest $258 million over three years in a supercomputing race in which China is the main competitor. And a fund reportedly backed by Chinese government money is making a third bid to get CFIUS approval to acquire the microchip company Lattice.

ANALYSIS: Reforms to CFIUS have been a topic of discussion for years, with some concerned that the committee lacks the power to stop or modify investments that could impact national security but don’t fit the current criteria for review, and others concerned that the present regime is unnecessarily opaque and results in an effective barrier to mutually beneficial investment flows with China and other countries. The particular reforms being proposed would call into question the legitimacy of CFIUS reviews as narrowly focused on national security, especially with the proposal to maintain a list of countries that would receive special scrutiny. While no one doubts that China-linked transactions would receive scrutiny, making a list of countries subject to unequal treatment seems unnecessary and problematic in trade diplomacy. There is a good case to be made for updating the CFIUS process, but the current proposal seems to me to be on the wrong track and likely to create more difficulties than it would solve.

Trump aides reportedly question China’s willingness to help with N. Korea; Pressure mounts on Chinese firms

NYT reports that U.S. officials are questioning the prospects of initial Trump administration hopes that China would pressure North Korea. A source said China’s actions on North Korea could even affect whether Trump and Xi meet at the G20 in Hamburg next month. NYT also reported that Chinese officials are “among those most interested in” a Trump meeting with North Korean leader Kim Jong-un, a prospect somewhat less likely following the return of an apparently brutalized U.S. prisoner.

The U.S. government does have specific demands of China, according to reports. Officials told WSJ that the Treasury Department could impose sanctions on Chinese entities that trade with North Korea and have asked the Chinese government to pressure them. “‘We’ve told the Chinese we hope they’ll act against certain companies and people,’ said a senior U.S. official briefed on North Korea policy. ‘But we’ve also said that we’re prepared to act alone and can reach North Korea if we choose.'” U.S. prosecutors also reportedly “accused a Chinese company…of laundering money for North Korea and said they would seek $1.9 million in civil penalties.” According to NYT, the $1.9 million comes from an amount the company allegedly transferred for North Korea, clearing the funds through the United States.

ANALYSIS: Direct legal action against Chinese targets, combined with the threat of sanctions, is a strong echo of what Obama administration officials have said was a winning playbook in bringing Chinese officials to the table over state-linked commercial hacking. The big “win” in that case was a public statement by Xi forswearing support for internet-enabled theft of business secrets for commercial gain. When it comes to commercial hacking, however, the Chinese government already had reason to rein in PLA hackers who might have been freelancing or acting without central approval. In this case, it is hard to imagine threats to name and shame a few Chinese firms and individuals would change China’s fundamental calculus regarding pressure on North Korea.

Chinese IT security examiner explains details of national security review process, clarifies Windows 10 status

Following the provocative essay translated and featured here last week that called for a moratorium on use of the new Windows 10 China Government Edition unless and until it passes China’s national security review, one of the experts involved in conducting those reviews gave an interview (later translated by Rogier Creemers, Paul Triolo, and me) to the same outlet. Wang Jun, lead engineer of the China Information Technology Security Evaluation Center (CNITSEC), argued that the new Windows edition was developed to be “secure and controllable” in the Chinese government’s view and described important details about how the national security reviews are to function. (Ni Guangnan, author of the initial piece arguing against using the new Windows edition, had another piece on the topic this week, arguing for the importance of “indigenous and controllable” operating systems.)

Among several important insights in the new interview, Wang describes the role of source code examination in determining whether a product meets government requirements: “Operating system source code can run as long as 100 million lines. How much to look at, what part to look at, and how to judge the code are decided according to objectives of the technology evaluator in the third party evaluation process. Reading every single line is perhaps ideal, but doing so would require an enormous amount of time and resources. On the other hand, from the perspective of a technology evaluator’s methods, looking at every line may not be necessary. But as evaluators we ask for 100 percent of the source code and then, starting from a foundation of analyzing the program’s structure and how it integrates with the user’s machine, we decide which modules specifically require examination and verification.”


Commerce secretary says moving on from ‘easier deliverables’ in China talks; Beef, chicken, dairy deals reported

Calling the news of implementing a long-discussed deal to reopen U.S. beef exports to China one of “the easier deliverables” in the 100-day timeline following the Trump-Xi meeting in Florida, Commerce Secretary Wilbur Ross told a WSJ forum, “We’re now working on another list. We generally have two conference calls a day, one early in the morning our time and one late at night with the Chinese. That’s five, six, seven days a week. … We’re interested in very specific, very tangible achievements. And we’re finding a very, very sensible give-and-take with the Chinese right now.”


‘Peking Test Blast a Surprise to U.S.: Size of Explosion and Speed of Nuclear Development Were Not Foreseen’

“WASHINGTON, June 17[, 1967]—The Atomic Energy Commission, confirming that Communist China had exploded a hydrogen bomb, said today that the blast had an explosive force equal to several million tons of TNT. United States officials were somewhat surprised by the Chinese test, which was viewed as further evidence of the unexpectedly rapid progress being made by Peking in developing a nuclear arsenal. While China was known to be working on the design of a thermonuclear device, the test came sooner than had been generally predicted by United States intelligence officials. … Senior military analysts in Washington believed that the Chinese announcement of the successful test would intensify political pressure for the deployment of a missile defense system around the United States. But they felt there would not be an actual threat to American cities until the Chinese have built up a force of intercontinental ballistic missiles.”

(Source: The New York Times. This entry is part of an ongoing feature of U.S.–China Week that follows U.S.–China relations as they developed in another era of change and uncertainty, 50 years ago.)


U.S.–China Week is a weekly news and analysis brief that covers important developments in U.S.–China relations and features especially insightful or influential new policy analysis.

Graham Webster is a senior research scholar, lecturer, and senior fellow of the Paul Tsai China Center at Yale Law School, where he specializes in U.S.–China diplomatic, security, and economic relations through research and Track II dialogues. He is also a fellow for China and East Asia with the EastWest Institute. His website is gwbstr.com.

Disclaimer: Opinions expressed here are my own (and I reserve the right to change my mind).

Free Subscription to U.S.–China Week by clicking here or e-mailing me is open to all, and an archive of past editions appears at my long-running website on East Asia and the United States, Transpacifica.

Contact: Follow me on Twitter at @gwbstr. Send e-mail to [email protected].

Chinese IT security examiner describes review process, clarifies status of Chinese government Windows edition

A public controversy among computer security experts in China has erupted over the degree of national security assessment required in general and what specifically is required by the new Cybersecurity Law and related regulations. Ni Guangnan, an academician with the Chinese Academy of Engineering and a longstanding proponent of indigenous technology in China, recently argued (in a piece translated here) that the new Windows 10 China Government Edition should not be approved for government procurement because it has not yet formally passed the new law’s national security review process. Here, Wang Jun, lead engineer of the China Information Technology Security Evaluation Center (CNITSEC), a third-party review organization for the Chinese government, argues that the new custom Windows edition, produced by a Microsoft-CETC joint venture, was developed in consideration of Chinese government security priorities and therefore should be given due consideration as “secure and controllable.” Wang also provides important insights into the degree to which the nascent national security review system has already started to operate and describes in detail his view of how the process is expected to work.

The following was translated from the Chinese original by Rogier Creemers, Paul Triolo, and Graham Webster. 

Core Security Examination Expert on Calls to Suspend Use of Windows 10 China Government Edition: At This Stage, Forcing a Switchover Is Not the Best Option

Southern Metropolis Daily Original

2017-06-12 13:20

China Information Security Monitoring Centre General Engineer Wang Jun

Academician Ni Guangnan of the Chinese Academy of Engineering stated recently in a media article that the Windows 10 version for the Chinese government has not passed cybersecurity review, and should remain outside of the government procurement catalogue. What is cybersecurity review? How does this matter implement the regulatory system just established on 1 June, and what network products is it aimed at?

A Southern Metropolis Daily (SMD) journalist interviewed Wang Jun, General Engineer at the China Information Technology Security Evaluation Center (CNITSEC). Wang Jun answered these questions from an expert perspective. He indicated that cybersecurity review has its own set of triggering conditions and review procedures, and that these are identical for domestic and foreign products; there is no difference.

Wang Jun indicated that cybersecurity should be discussed in an open environment. The Chinese government version of Windows 10 may be considered a positive trial intended to resolve the objective requirements concerning operating systems inside China at present, and to raise our own technological levels and capabilities.

The general security review for Windows 10 has begun; the security review situation for the governmental version is not yet known.

SMD: Has the Chinese Government version of Windows 10 undergone security review?

Wang Jun: The forerunner of the Chinese Government version of Windows 10 is the common version of Windows 10, which is a commercial product of Microsoft and the common version distributed worldwide. As I understand it, our country has already started its cybersecurity review (hereafter named security review) of the common version of Windows 10. CNITSEC is designated by the Cyberspace Administration of China, and has undertaken third-party evaluation work on the common version of Windows 10; but at present, I have not seen a decision by the controlling department concerning whether it passed or not.

With regard to whether the governmental version of Windows 10 is on the way towards cybersecurity review, I have not yet heard about the circumstances in this matter.

SMD: And what is the result of the third-party evaluation by CNITSEC of the common version of Windows 10?

Wang Jun: We have major conclusions in two areas: the first is that we have discovered that in comparison with Win8, Win7 and earlier operating systems, the security functions in Windows 10 have been improved substantially. Second, a number of security risk points still exist, in fact, in the common version of Windows 10. According to the work agreement, we are not yet able to reveal details.

SMD: Security review has only been determined by law in the past few years, did we have similar work before this?

Wang Jun: The cybersecurity review system was only finally established in 2016, but before that, similar work had actually already begun.

In 2003, the National Development and Reform Commission authorized CNITSEC to act as a national monitoring body, and it represented China in concluding a Government Security Program agreement for source code inspection with Microsoft; this is a multilateral agreement, and Microsoft has concluded GSP agreements with many countries. Considering that a fair few national governments have security concerns with Microsoft operating systems, Microsoft agreed, through the GSP program, to open up source code on a small scale and with secrecy protection; but because this involved intellectual property protection, it only took place on a small scale, and did not turn into open source. Microsoft, from its side, exhibited a positive attitude, and where we were concerned, this added a channel for understanding.

GSP is an agreement in which both sides are equal, and security review means that when there are risks in a product that may influence national security, we represent the country in conducting a review, and the scope of security review may be broadened.

SMD: Some experts say Windows 8 and Windows 10 use trustworthy technology; will this mean manufacturers have a strong controlling power over operating systems?

Wang Jun: I basically agree with this point of view. In the common Windows 10 operating system, the manufacturer has a very strong controlling power over the system. But the strengthening of this sort of controlling power may have a double-edged sword effect. If it is especially strong, it possibly may mean that user controllability over the system is weakened; on the other hand, if user controllability over operating systems is extremely strong, hackers can equally have these kinds of capabilities, and in this kind of situation, it may also bring new security risks. Because of that, we need to find a point of balance.

Where China is concerned, the common version of Windows 10 is not a complete black box.

SMD: So where the Chinese government is concerned, Windows 10 is not a black box after all, right?

Wang Jun: Right. According to the GSP agreement, Microsoft has provided an opportunity to review source code, but as to what the details are that come up in review, these may only be made public with the agreement of both sides.

In the national security review process of the common version of Windows 10, our center has undertaken third-party evaluation work, in Beijing. It has also inspected and verified the source code of the common version. Furthermore, the scope of its review and verification of source code is broader than under the original GSP agreement.

SMD: Can one guarantee security through inspecting source code?

Wang Jun: Between conducting source code inspections and coming to a conclusion whether a product is safe or not, there is a lot of technical work that needs to be done. One cannot simply say that “I give you the source code to look at and so it is absolutely safe,” one should also not simply believe that technological monitoring means going through source code line by line. 

SMD: What technical methods are required to reach a determination of security?

Wang Jun: Source code security examination is in fact one of the methods for the third-party evaluation part of cybersecurity review or information security evaluation, but it is not the only method. Determining the security of network products is a comprehensive process requiring multiple methods. For instance, monitoring program behavior in the real work environment is one evaluation method, as is reverse engineering of executable files.

There are also international common criteria (CC) for security examination of network products (if operating systems are considered a kind of product). CC are also an important reference indicator for our Evaluation Center’s product security evaluation.

Operating system source code can run as long as 100 million lines. How much to look at, what part to look at, and how to judge the code are decided according to objectives of the technology evaluator in the third party evaluation process. Reading every single line is perhaps ideal, but doing so would require an enormous amount of time and resources. On the other hand, from the perspective of a technology evaluator’s methods, looking at every line may not be necessary. But as evaluators we ask for 100 percent of the source code and then, starting from a foundation of analyzing the program’s structure and how it integrates with the user’s machine, we decide which modules specifically require examination and verification.

Cybersecurity reviews must be triggered by someone, and they do not separate domestic from international.

SMD: Are national cybersecurity reviews the same thing as “user testing” and “security testing”?

Wang Jun: Simply put, security reviews and technological evaluation or user evaluation are not the same thing. In the process of security review, however, technology evaluation or user evaluation may be included. Security reviews are about the possibility of network products and services influencing national security.

According to the Security Review Measures for Network Products and Services, the security review process must first be triggered, and the measures clearly enumerate several conditions for triggering. One is if relevant national authorities believe a type of product or service requires cybersecurity review. Two is if national trade associations recommend security review. Three is if the market reflects that it must be done. We believe the market includes the masses, users, etc.

As soon as someone suggests security review, a legally determined work procedure must be undertaken. This work procedure should be defined ahead of time by the competent national department. Security review is serious and important work that cannot be taken lightly and executed at a word; it requires a work procedure and official confirmation before beginning.

SMD: What is the work procedure for national cybersecurity reviews?

Wang Jun: In my understanding of the relevant laws and regulations, once it is initiated, there are several steps. First, a third-party evaluation organization appointed by the competent department undertakes objective evaluation of the network product or service for requirements such as security, controllability, reliability, data validation (材料的真实性), user control of the product, etc.

At the same time, there is another set of work, for instance relevant examinations, background investigations, determination of whether there is any unfair competition or influence on the national economy and market. This comprehensive investigation can take place at the same time.

Once the technology evaluation and comprehensive investigation are complete, the results are submitted to a committee of experts for opinions, independent examination, and judgment. The competent organ finally determines whether review has been passed. It cannot listen only to one side’s opinion, so it asks a high-level experts’ committee to submit judgment and opinions. We are all responsible for our own conclusions and work independently.

Finally, the cybersecurity review office synthesizes the views and reports up to the cybersecurity review committee, which issues the result of the security review.

SMD: Does national cybersecurity review only target foreign network products?

Wang Jun: According to my understanding of the spirit of the Cybersecurity Law, the cybersecurity review does not distinguish between domestic and foreign, cybersecurity review does not have a nationality preference, and it’s not the case that foreign things are all examined while domestic things are not.

I believe that, it doesn’t matter if it’s Microsoft’s general use edition of Windows, the joint venture C&M Information Technology Co.’s Windows 10 China Government Edition, or another Chinese-made operating system. If the product needs to undergo relevant security review, according to the law- and regulation-decided procedure, they can all go through cybersecurity review. The legal requirements are the same.

Once technological evaluation or security investigation is under way, the procedure, standards, and requirements are the same. Of course, different product circumstances may determine different emphases, but on the whole the requirements are the same.

“Developing Windows 10 China Government Edition was a kind of attempt”

SMD: Many people believe a Chinese operating system should replace [Windows]. As an expert, do you agree with this view?

Wang Jun: My own personal view is that our country has a portion of professions and fields that at this stage objectively need to use the Windows platform. Technologically, Windows is in some ways advanced, and it has formed an ecosystem. Many of our applications have developed a certain extent of dependency on the Windows system, and without saying whether this dependency is rational, it’s an objective fact. I understand that some professional users, including some in critical information infrastructure areas, would have difficulty simply switching to a non-Windows operating system.

Thus under these conditions, forcing switchover to non-Windows systems is not necessarily the best choice.

On the other hand, in the open environment, if we can ensure security and controllability of a piece of advanced foreign technology, we can at least say there’s no need to exclude it or decide not to use it.

SMD: How do you view Windows 10 China Government Edition?

Wang Jun: Windows 10 China Government Edition was jointly developed by China Electronics Technology Group (CETC) and Microsoft, and the C&M Information Technology Co. was set up with CETC holding 51% of shares and Microsoft holding 49%. According to my understanding, in their cooperation, Microsoft is willing to open source code under the condition that intellectual property is protected. I believe developing Windows 10 or another later government-use edition in this method is a positive and meaningful attempt.

We understand the goal of this method is to try to give government and critical information infrastructure users an improved edition that suits Chinese users’ security requirements better than the general edition. This is a way to explore new solutions to problems at this stage. I think it’s something to look forward to.

SMD: Do you think that developing a Windows 10 Chinese government version and developing a domestic operating system is not contradictory?

Wang Jun: The R&D of a domestic operating system, plus the time required to put one into use and to package it into an ecological environment, requires a certain amount of time.

The use of the Windows 10 China Government-specific version, and the R&D and vigorous promotion of the application of a domestic operating system, including the construction of an ecological environment, can be carried out in parallel. In deciding whether or not to implement this parallel situation, it may well be worth considering the issue in terms of improving the degree of control over China’s cybersecurity, and the actual needs of users. We should allow this attempt in a tolerant manner.

Of course, this is for government departments and critical information infrastructure users. Other social users, and business users, must decide according to their own needs what kind of operating system to use.

“A domestic system does not mean that it must be secure”

SMD: For domestic operating system security issues, what are your views? Is a domestic operating system secure?

Wang Jun: From a security point of view, domestic systems have some advantages compared to some foreign systems, but we cannot simply think that a domestic system must be secure. There are several reasons for this. First of all, any product has vulnerabilities, and vulnerabilities are a fundamental problem of cybersecurity; there is no state of certain security.

Second, some of our own domestically produced systems can be more reassuring in some aspects of security than foreign products; for example, we do not have to worry about deliberate or passive implantation of malicious programs by the designer. But in other aspects of security we may have gaps compared with other people, such as our understanding and mastery of security issues and our anti-attack capabilities; there may be areas where we are not sufficient. The question of security is a comprehensive consideration.

Third, some equipment may be OEM-produced from abroad (the original design is from abroad; we only obtained the production license), and some domestic systems use open source software; but because of OEM production and open source itself, domestic systems may also carry security issues.

Moreover, because of the special nature of open source systems, there is no manufacturer, so there may be a situation where loopholes exist and no one solves them. Taking these factors together, we cannot simply say that domestic network products must be secure.

SMD: So, do you think the Windows 10 China Government Edition requires a complete network review?

Wang Jun: As I just said, network products and services, whether domestic or foreign, whether from a domestic firm or a joint venture, are all required in accordance with relevant national laws and regulations to carry out the necessary security assessment, or even a security review. The Windows 10 China Government Edition should also be no exception. Of course, starting a security review requires things to be done in accordance with the relevant legal procedures. If the conditions for triggering a security review are met, in accordance with the legal procedures, it is possible to conduct a cybersecurity review.

SMD: Is it not the government procurement of critical information network infrastructure that requires conducting a cybersecurity review? So the security review and government procurement are naturally bound into one piece?

Wang Jun: As far as I know, the two are not naturally bound together. Government procurement also has its own procedural requirements. In the Cybersecurity Law, there is a provision for procurement that states that “network products or services that have not passed a security assessment or security review” may not be purchased. We should pay attention to the understanding of “have not,” which should be understood as “should undergo but did not undergo a cybersecurity review.”

Therefore, according to the current law, I think it is clear that if a product did not pass a security review, and clearly announced that it did not pass, it cannot be entered into the procurement directory.

SMD: The current technical testing for security is usually just testing a sample; how can one ensure that each computer operating system is secure?

Wang Jun: Our current testing methods are concerned with two aspects, dynamic and static, but we are limited by the current technology and methods, and there is more of a focus on the static state. We are responsible for certain samples and security conclusions at a given point in time, but these are not permanent, and it is difficult to achieve permanent security testing. However, the evaluation agency will try to make up for the relevant deficiencies, such as through continuous monitoring, on-line monitoring, or testing methods that strengthen the understanding and mastering of the dynamic security situation.

SMD: Some people worry about the security of foreign products, fearing incidents like those described by Snowden. Is this not justified?

Wang Jun: This concern is reasonable—no one dares to say no. This is one of the reasons we have always stressed security and controllability. But we should not demand absolute security, just as we do not stop driving cars because of the risk of traffic accidents. In fact, we also have a certain capacity to resist risk: through our work we improve the security and controllability of foreign products so that the risk is reduced to an acceptable level. Then we can use advanced foreign products.

Southern Metropolis Daily reporter Wu Bin from Beijing

U.S.–China Week: Top diplo in Beijing resigns & Calif. governor meets Xi over climate; Chinese gov’t Windows edition; beyond FONOPS (2017.06.12)

Welcome to Issue 102 of U.S.–China Week.

Acting U.S. ambassador in Beijing resigns rather than deliver notification of Paris climate agreement withdrawal

David Rank, a career Foreign Service officer who had been serving as acting ambassador in Beijing (Chargé d’affaires), reportedly resigned rather than formally notifying China’s government of President Donald Trump’s decision to begin the process to withdraw from the Paris climate agreement. Rank, who had served as Deputy Chief of Mission, was the interim leader of the embassy awaiting former Iowa Governor Terry Branstad’s formal transition to the ambassadorship. Rank was replaced by Jonathan Fritz, another veteran Foreign Service officer. John Pomfret reported on Twitter that “Rank called a town hall meeting” to announce his decision to colleagues.

Meanwhile, a State Department spokesperson had no information to provide on dates for the first meeting of the new U.S.–China Diplomatic and Security Dialogue, which the State Department had previously reported would take place this month in Washington.

ANALYSIS: China is one of the only countries to which the Trump administration has nominated and confirmed an ambassador. Nonetheless, Rank was still on duty as Branstad prepared to take the position. Such a public show of dissent from within the Foreign Service is extraordinary, and if Chinese officials needed any more evidence that the U.S. government and political community is divided, this surely helped. If the new U.S.–China bilateral meeting actually takes place this month, with Secretary of State Rex Tillerson and Secretary of Defense James Mattis chairing the U.S. side, this public discord will certainly hurt the Trump administration’s credibility.

California Gov. Jerry Brown meets Xi in Beijing, brings home agreements on emissions trading, climate, clean tech

President Xi Jinping received California Governor Jerry Brown in the Great Hall of the People in Beijing with some of the optics usually befitting a head of state. “California has important economic and social influence in the United States,” Xi said according to Xinhua. “I hope California can contribute to the advancement of U.S.–China regional relations and advance bilateral cooperation in areas like technology, innovation, and green development.” Asked about Brown’s trip, State Department Spokesperson Heather Nauert said, “Well, Jerry Brown is not a part of the Trump administration,” and “this is the first I’m hearing about it.” Matt Sheehan’s Chinafornia newsletter this week has a great roundup of the trip and its reported outcomes. / Meanwhile, NYT reports on management-worker tensions at a Chinese-owned auto glass factory in Ohio, and Treasury Secretary Steven Mnuchin said the U.S.–China bilateral investment treaty (BIT) negotiations are on the Trump administration’s agenda but will follow more focused market access issues.

Expert calls for moratorium on Microsoft’s new Chinese government Windows edition pending security review

The prominent computer security expert and Chinese Academy of Engineering Academician Ni Guangnan argues in the Southern Metropolis Daily that the Chinese government should suspend purchases and use of Microsoft’s new Windows 10 China Government Edition. Ni writes that Microsoft claims to have undergone “user testing” and “security testing,” but has not undergone the national security review required under the Cybersecurity Law now in effect. Moreover, Ni writes, performing a thorough security review requires greater access to source code than Microsoft has so far provided. (I’ve translated the opinion piece in full at Transpacifica.net.) In a blog post announcing the custom Windows 10 edition, a Microsoft representative wrote that “over the last two years, we have earnestly cooperated with the Chinese government on the security review of Windows 10.”

ANALYSIS: As a major figure, Ni’s criticism may well carry some weight, but it is best read as an example of the relatively tough end of a spectrum of Chinese views on how to proceed with the national security review system required under the Cybersecurity Law and the National Security Law. (Ni also “has for some time been a tireless promoter of an indigenous operating system to compete with Windows,” Eurasia Group’s Paul Triolo pointed out in an e-mail. Baidu Baike dates his advocacy on this front back to 1995.) Implementing measures aimed at establishing the new review system were released a few weeks ago in “interim” form, suggesting they may be revised, and although they went into effect on June 1 alongside the Cybersecurity Law, they call for setting up a Cybersecurity Review Committee and a third-party assessment system that have not fully emerged. It seems likely to me that Microsoft’s close work with China’s government will ease any eventual further security review of its special Windows 10 edition. It is the details of Ni’s argument that should give foreign firms pause: While not everyone agrees with Ni that full source code access is required for effective security reviews, he is not necessarily an outlier here. Microsoft provides government customers with “transparency centers,” including in Beijing, where experts can examine code in a secure environment. If this is enough to satisfy China’s security reviews, expect other companies to follow suit; if not, we’re in for several more rounds of controversy. (On that note, see a pretty full-throated dismissal of foreign concerns about the Cybersecurity Law from the People’s Daily‘s “Zhong Sheng” column.)

Dutton and Kardon: ‘Forget the FONOPs—Just fly, sail, and operate wherever international law allows’

In a refreshing piece for Lawfare, Peter Dutton and Isaac Kardon of the Naval War College argue, in a partial echo of what I’d speculated last year, that the USS Dewey’s recent activities near Mischief Reef in the South China Sea were “probably—but maybe not” a Freedom of Navigation Operation (FONOP) as defined by the formal FON Program. They argue that “FONOPs should continue in routine, low-key fashion wherever there are specific legal claims to be challenged (as in the Paracel Islands, the other disputed territories in the SCS); they should not be conducted—much less hyped up beyond proportion—in the Spratlys. Instead, the routine exercise of freedom of navigation is the most appropriate way to use the fleet in support of U.S. and allied interests.” / Meanwhile: South Korea reportedly paused deployment of the THAAD missile defense system one-third through pending an environmental assessment.

ANALYSIS: Dutton and Kardon’s most important prescriptive insight is that, whether or not the U.S. government considers the recent Dewey maneuvers a FONOP, “a formal FONOP is the wrong tool for the job.” That’s because FONOPs challenge excessive claims, and no one has made a specific claim in the area to challenge. There is some possibility that U.S. authorities have decided to regard China’s behavior in warning away other countries’ vessels and aircraft, sometimes referring to an ill-defined “military alert zone,” as constituting an excessive claim. We will find out when the next annual FONOP report is released by the Department of Defense: If there is not a new category of claims challenged compared to the past, the Dewey voyage was not counted. In any case, the U.S. government and advocates for U.S. demonstrations against Chinese activities should carefully disentangle the discussion about FONOPs from the discussion about making broader points.

‘$8.9-Million Is Given in Ford Fund Grants’

“The Ford Foundation announced yesterday that it had made 29 grants totaling $8,913,000 for educational and related purposes. Five of the grants, totaling $5-million, were made for research to expand Western understanding of China and for the training of specialists to fill teaching and government posts in the field of Chinese study. Harvard University received $1.5-million, the largest award, to be used for China study at its East Asian Research Center. The other grants in that category were $1.2-million to Columbia University for its East Asian Institute; $900,000 to the University of California for its Berkeley Center for Chinese Studies; $900,000 to the University of Michigan for its Center for Chinese Studies and $500,000 to Cornell University for its China-studies program. Harvard also received $800,000 to help support research on contemporary Japan at the university’s East Asian Research Center. The African-American Institute received a $500,000 grant for general support and the Association of Research Libraries $500,000 to help establish a China Materials Development Center in Washington.”

(Source: The New York Times. This entry is part of an ongoing feature of U.S.–China Week that follows U.S.–China relations as they developed in another era of change and uncertainty, 50 years ago.)


U.S.–China Week is a weekly news and analysis brief that covers important developments in U.S.–China relations and features especially insightful or influential new policy analysis.

Graham Webster is a senior research scholar, lecturer, and senior fellow of the Paul Tsai China Center at Yale Law School, where he specializes in U.S.–China diplomatic, security, and economic relations through research and Track II dialogues. He is also a fellow for China and East Asia with the EastWest Institute. His website is gwbstr.com.

Disclaimer: Opinions expressed here are my own (and I reserve the right to change my mind).

Free Subscription to U.S.–China Week by clicking here or e-mailing me is open to all, and an archive of past editions appears at my long-running website on East Asia and the United States, Transpacifica.

Contact: Follow me on Twitter at @gwbstr. Send e-mail to [email protected].

Ni Guangnan: China should suspend purchases and use of Windows 10 China Government Edition pending security review (translation)


See also related items: “Core security review expert responds to the recommendation to ban Windows 10 Government Edition: forcibly switching systems at this stage is not the best choice” (核心安全审查专家回应Windows10政府版被建议禁用:现阶段强行切换系统并非最佳选择) and “Ni Guangnan blasts Win10 Government Edition for not passing review; Microsoft partner responds” (倪光南炮轰Win10政府版没过审查 微软合作方回应)

*  *  *

The Government Should Suspend Purchase and Use of Windows 10 Government Edition

By Ni Guangnan

Southern Metropolis Daily, June 8, 2017, Page: AA15

A few days ago, Microsoft Greater China CEO Alain Crozier said the China Government Edition of Windows 10, produced according to the “secure and controllable” principle, had already undergone user testing at three major enterprises, proving that it is reliably secure and thus ready for wide deployment. Reports followed saying “Windows 10 Government Edition Has Completed Domestic Security Testing.” People should ask: Why are they making a big deal out of Windows 10 passing “user testing” and “security testing”?

As everyone knows, China’s Cybersecurity Law has officially gone into effect. It requires: “Critical information infrastructure operators purchasing network products and services that might impact national security shall undergo a national security review organized by the State cybersecurity and informatization departments and relevant departments of the State Council.” In contrast to this regulation, it’s not difficult to see that claiming Windows 10 passed “user testing” or “security testing” is probably designed to create the false impression that Windows 10 Government Edition has already passed “national security review,” in order to open the door to government procurement.

According to the Security Review Measures for Network Products and Services issued by the Cyberspace Administration of China, cybersecurity review has strict procedures, for instance requiring third-party evaluation by a nationally recognized cybersecurity review organization.

In 2015, before the establishment of the joint venture between China Electronics Technology Group Corporation (CETC) and Microsoft, Microsoft issued Windows 10 Government Edition. At that point, the Security Review Measures for Network Products and Services were being drafted, and on related aspects Windows 10 Government Edition underwent a round of cybersecurity review and did not pass. Since then, Windows 10 Government Edition has never again undergone this kind of review. No matter what kind of “user testing” or “security testing” it later went through, therefore, it still has not passed cybersecurity review.

Experts specifically point out that Windows 10 has subjectively and objectively not passed cybersecurity review, because:

(1) Although China does not lack operating system experts, because Windows is closed-source, proprietary software, no expert outside Microsoft can be fully familiar with it. It is not realistic, then, to rely on a few experts not fully familiar with Windows to accurately estimate the security and controllability of Windows 10 Government Edition with only a short period in which to examine 100 million lines of source code.

(2) Undertaking security review of software at minimum requires access to the software’s refactorable (可重构的) and complete source code, but Microsoft has never provided China with Windows’ complete source code, let alone allowed it to refactor. If a piece of software has millions of lines of non-open source code, it is like a black box, and there is fundamentally no way to accurately estimate its security and controllability.

Today, no substantive change has resulted from experts making the above points. Even if Windows 10 Government Edition again undergoes cybersecurity review, the degree of difficulty will not decrease. Furthermore, because the structure of Windows 10 incorporates trustworthy computing, reviewing it requires verifying that it complies with the Electronic Signature Law (电子签名法) and the Provisions on the Administration of the Use of Commercial Encryption Products (商用密码管理条例). Additionally, it requires surveying how domestic and international information security firms integrate trustworthy computing and antivirus software with Windows 10 and deal with the issue of unfair competition. Clearly Windows 10 Government Edition must again undergo cybersecurity review in what will be a protracted process.

In 2005 and 2014, because Windows Vista and Windows 8 were not controllable, the government ordered a halt of purchases. In 2015, Microsoft quickly updated editions and released Windows 10. Several authoritative Chinese security evaluation organizations concluded that, “the Windows 8.1 and Windows 10 kernel are basically the same, there were not more substantial changes, and to a great extent the upgrade was for the sake of commercial publicity.” (This evaluation only determined whether the two editions were the same and did not touch upon security and controllability estimation, and so it was relatively easy to complete.)

In conclusion, seeing that Windows 10, Windows 8, and Windows 10 Government Edition have not passed cybersecurity review, relevant issues will hopefully be given attention, and government procurement and use of Windows 10 (including Windows 10 Government edition) should be prohibited according to law.

Ni Guangnan, a member of the first class of academicians of the Chinese Academy of Engineering, is devoted to indigenous and controllable core information technologies and industries, and has received lifetime achievement awards from the Chinese Information Processing Society of China and the China Computer Federation. 

Translated by Graham Webster.


U.S.–China Week: A ‘FON’ op. or not? Cybersecurity Law in effect, Mattis at Shangri-La: ‘Bear with us.’ (2017.06.05)

Welcome to Issue 101 of U.S.–China Week. This edition covers three weeks of news, so it is far from thorough, but significant South China Sea and cyberspace policy developments deserve attention. We’re back to a broader agenda next Monday.


U.S. destroyer in possible ‘FON’ op. at Mischief Reef; PLA jet in close intercept of U.S. spy plane; ‘Code of Conduct’ moves

A U.S. Navy guided missile destroyer, USS Dewey, reportedly navigated within 6 nautical miles (nm) of the Chinese outpost constructed atop Mischief Reef in the South China Sea’s Spratly Islands on May 25 local time. USNI News had the most detail, saying the Dewey spent 90 minutes within 12nm of Mischief, where it zig-zagged and conducted a man overboard drill. A Pentagon statement sent to journalists but not published would not confirm details of the operation, but said “We are continuing regular FONOPS [Freedom of Navigation (FON) operations], as we have routinely done in the past and will continue to do in the future. Summaries of these operations will be released publicly in the annual FONOPS report, and not sooner.”

Most reporters and analysts said the Dewey maneuver was a FON operation, but it’s not clear it was officially so. As I argued last year at Lawfare, a U.S. military sail-by at Mischief Reef does not easily fit into existing patterns in the FON program, because China has carefully avoided making formal claims of maritime rights or jurisdiction surrounding its installation there and FON operations are designed to challenge “excessive maritime claims.” Official Chinese responses to the Dewey’s activities continued to avoid assertions about legally significant terms such as “territorial sea,” but a Foreign Ministry spokesperson did note that the U.S. ship did not have permission to be in the area.

Meanwhile: U.S. sources told media a Chinese fighter jet performed an unsafe intercept of a U.S. spy plane over the South China Sea; it wasn’t clear in reports whether this followed or preceded the Dewey voyage. / Chinese officials said they were “strongly dissatisfied” with mention of the East and South China Seas in a G7 statement. / China and ASEAN governments reportedly had a “framework” brewing for South China Sea Code of Conduct negotiations, with a Singaporean official saying a “draft” framework would be submitted to the China-ASEAN foreign ministers’ meeting in August.

ANALYSIS: Though China’s government has not formally claimed a territorial sea surrounding Mischief, the Dewey’s action appeared designed to express the U.S. view that, under the UN Convention on the Law of the Sea (UNCLOS) and according to the tribunal in the Philippines v. China arbitration, there could be no territorial sea surrounding an outpost constructed atop the low-tide elevation at Mischief. In the annual FON reports since 1991, there is no example of the U.S. government using the FON program for this purpose. On the other hand, Vice President Mike Pence told graduating cadets at the Naval Academy “just yesterday one of our mighty ships conducted freedom of navigation operations.” Whether a formal FON operation or not, it is likely that news of the operation, preceding the Shangri-La Dialogue in Singapore, did not emerge entirely by accident.

China’s Cybersecurity Law goes into effect amid uncertainty and with implementation partially delayed

Before the Cybersecurity Law was to go into effect June 1, the Cyberspace Administration of China (CAC) held a meeting with “around 100” participants, including from the international technology industry. At the meeting, CAC presented a revised draft of regulations on transferring “personal information and important data” out of China that has not been formally published but has circulated among analysts and reporters. Most significantly, the revised measures set adherence to the rules to begin December 31, 2018, rather than this month, giving businesses time to prepare and giving regulators room to adjust the rules. Also in the lead-up to June 1, the Chinese standards-setting body Technical Committee 260 (TC260) issued draft guidelines for cross-border data flows that add significant detail to what Chinese regulators are likely to treat as “important data” (重要数据), a crucial term in defining what data are subject to limits on cross-border transfers in the Cybersecurity Law. Detailed definitions of “critical information infrastructure” (关键信息基础设施), however, are still in question. TC260 has also released numerous sector-specific draft standards, some of which might be made binding through reference in further regulations that will implement the law.

ANALYSIS: As I told AFP, the law is part of an evolving regulatory regime for cyberspace and the digital economy that does not switch on like a light with the June 1 implementation date. That regime will continue to develop through a network of related regulations, evidence about implementation, and interaction with the changing regulatory environment in other jurisdictions. At Lawfare, Samm Sacks has the best single explanation of the significance and role of the Cybersecurity Law to date.


  • Microsoft issues Windows 10 edition customized for Chinese government. Microsoft release | WSJ story
  • Google’s AlphaGo AI beats top Chinese human go player, as event streaming blocked in China. FT story
  • U.S. Director of National Intelligence Dan Coats: private sector says “cyber activity from China…significantly lower than before the bilateral Chinese-U.S. cyber commitments of September 2015.”
  • “Big data, Chinese surveillance, and Donald Trump could keep China’s biggest payments company from entering the US” Quartz story on Ant Financial’s effort to buy MoneyGram
  • Kunlun Tech, a Beijing-based game company, buys remainder of dating app Grindr after purchasing controlling stake in January. Caixin story
  • China’s government is increasing funding for AI projects while the United States and Europe stagnate or reduce support, NYT reported.
  • Elsa Kania on “China’s Employment of Unmanned Systems: Across the Spectrum from Peacetime to Wartime” at Lawfare
  • Flashpoint: “Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors”
  • “Chinese state media says U.S. should take some blame for cyber attack” Reuters story
  • “Symantec Says ‘Highly Likely’ North Korean Hacking Group Behind Ransomware Attack” Reuters story
  • Overseas users of Sina Weibo blocked from posting pictures or video on June 4 Tiananmen anniversary. SCMP story

China skips big speech at Shangri-La, cancels Xiangshan; Mattis pushes ‘rules-based order,’ says ‘bear with us’

At the annual Shangri-La Dialogue defense gathering in Singapore, China “sent a lower-ranking delegation … and, in a stark contrast to previous events, none of its members” was to give a keynote speech, SCMP reported. After Shangri-La, SCMP reported China’s government would also cancel its similar meeting, the Xiangshan Forum, at least for this year.

Secretary of Defense James Mattis did give a keynote speech at Shangri-La, one that included a lengthy section on U.S.–China ties amidst an emphasis on the “rules-based order.” Chinese officials reacted negatively to Mattis’ comments on the East and South China Sea. His comments on the topic were fairly direct:

“The 2016 ruling by the Permanent Court of Arbitration on the case brought by the Philippines on the South China Sea is binding. We call on all claimants to use this as a starting point to peacefully manage their disputes in the South China Sea. Artificial island construction and indisputable militarization of facilities on features in international waters undermine regional stability. The scope and effect of China’s construction activities in the South China Sea differ from those in other countries in several key ways. This includes the nature of its militarization, China’s disregard for international law, its contempt for other nations’ interests, and its efforts to dismiss non-adversarial resolution of issues. We oppose countries militarizing artificial islands and enforcing excessive maritime claims unsupported by international law. We cannot and will not accept unilateral coercive changes to the status quo.”

Mattis also spoke of providing arms to Taiwan but emphasized the One China policy in Q&A. Also in Q&A, Mattis left the impression he’s not entirely satisfied with the administration’s efforts to date: “To quote a British observer of us from some years ago, ‘Bear with us. Once we’ve exhausted all possible alternatives, the Americans will do the right thing.'”

‘U.S. Warns China on Vietnam War: Official Asserts Washington Would Meet Intervention With Everything It Has’

“WASHINGTON, May 23[, 1967]—A State Department official declared today that if Communist China were to intervene with massive forces in Vietnam, the United States would have to take action against mainland China with everything it has. Although officials acknowledged that the warning was slightly ambiguous, the State Department said it was intended to refer only to the use of conventional American weapons rather than nuclear weapons. State Department officials added, however, that they considered a major Chinese intervention in Vietnam very unlikely. They said there were no signs in Peking’s recent propaganda or other activity pointing toward a major Chinese intervention. The question came up during a briefing at the State Department for newspaper editors and broadcasters. Under the rules of the briefing, the official who made the statement could not be identified…”

(Source: The New York Times. This entry is part of an ongoing feature of U.S.–China Week that follows U.S.–China relations as they developed in another era of change and uncertainty, 50 years ago.)

