Biden must summon the courage to undo Trump’s excesses (2020.12.18)

Welcome to Transpacifica—the successor to U.S.–China Week.

For the second issue back from hiatus, I offer some thoughts on the type of courage and boldness the Biden administration needs to summon in the coming year. It won’t be easy, but a balance must be struck. And the Trump administration’s China antagonism on the way out the door is not a valid starting point.

Back next year with more traditional issues tracking specific events and analysis. May 2021 be a better year. –Graham

As always: Please encourage friends and colleagues to subscribe to the Transpacifica newsletter; here is the web version of this message, ideal for sharing on social media; and you can follow me on Twitter at @gwbstr. Please send your comments, quibbles, and suggestions to [email protected].

The Biden administration cannot be afraid to reverse Trump’s China excesses



The Biden team certainly has its work cut out for it, and U.S.–China relations are both central and secondary to the most urgent tasks. With the COVID-19 pandemic, the incoming administration faces a catastrophic fire burning out of control and a political opposition crowding around to cheer for the fire and spit on the fire brigade. I am certain, however, the new administration will persevere and move assertively to bring this human-assisted disaster to a close.

I am less certain they will have the drive and political courage to head off the disaster with China that the Trump administration seems determined to set in motion on the way out the door.

For several years it has been a truism that there is a new bipartisan U.S. consensus on China, often summarized as an agreement that competition is the dominant feature of bilateral ties. That consensus is real, as far as it goes. But competition is vague, and there is nothing even resembling a consensus on the nature of that competition, let alone on what to do about it. 

The Biden team’s prescriptions for what to do about real problems in China ties—from the vulnerabilities related to tech interdependence to evolving military competition and human rights atrocities—are very different from the Trump approach, and the Trump team knows it. That’s why Secretary of State Mike Pompeo and others have led a chorus of speeches and almost ritual affirmations to cement their frame of a contest to the death with China and the Communist Party. And that’s why the administration has rushed to implement more and more export controls, visa restrictions, and other measures that can unravel even the healthy parts of bilateral ties. The Trump administration is trying to lock in enduring conflict that doesn’t yet exist, knowing they will soon be out of power.

The Biden administration must counter these excesses, and it will have to muster the courage to reverse large numbers of Trump actions en masse to do so.

The temptation to leave Trump’s astrategic China antagonisms in place will be strong, but it must be resisted. Politically ambitious Republicans have deployed Cold War muscle memory, with China substituted as the rival of our time, and they will try to smear as appeasers those who deviate from their messianic zeal. Biden’s team must realize this name-calling will happen regardless of what they do and resolve to do what’s right.

It will also be tempting to use measures that hurt the United States as much or more than they hurt the Communist Party as bargaining chips in negotiations with China’s government, but Chinese officials would see through this gambit and give little. Instead, the Biden team must isolate the existing policies that they actually support and keep or strengthen them, while rolling back the numerous excesses. Chinese negotiators will then face the resolve of an administration serious about its punitive measures—whether on trade and economic practices, human rights, or security. They will not be able to play on U.S. officials’ ambivalence about their own position, as they have with the divided Trump administration.

Pull back, but don’t fall

Over the last five or six years, U.S. political elites and much of the public have become far more conscious of the risks of the prior status quo. U.S. supply chains for crucial products were over-reliant on China, potentially jeopardizing supplies in case of confrontation and raising concerns about espionage and sabotage as more and more products are Internet-connected. U.S. businesses and officials were ill equipped to navigate human rights implications throughout bilateral ties. The reflex to pull back and regroup is well grounded.

However, there has been precious little deep thinking about the downstream effects of efforts to pull back—or, in the Trump administration’s style, to lash out. As Yan Luo, Samm Sacks, Naomi Wilson, and Abigail Coplin documented for DigiChina in August, in the area of science and technology alone, the aggregate of measures to “decouple” or otherwise unravel from China is larger, and the collateral damage more consequential, than it may seem if examining the policies individually. Since then, and even today, the Trump team has only piled on.
 
At the extreme, of course, the side effects could add up to a slip toward total U.S.–China rivalry resulting in catastrophic war. While we can be hopeful that both countries can avoid an old-fashioned conflagration, there are dire possibilities short of war. If the United States and China sink into an arms race mentality and duplicate, rather than share, production capacity across all industries, the global costs in terms of carbon emissions could quietly doom humanity to a creeping cataclysm. Unknown opportunities could be lost if scientific collaboration is stymied. Avoiding these outcomes calls for pulling back from a troubled entanglement while careful not to fall into destructive mutual isolation.
 
The era of U.S.–China relations that stretched from Nixon and Mao to recent years needed revision, but Trump and Xi cannot be allowed to set the tone for the next half century. Biden’s team must summon the courage and wisdom to reverse irrational policies that hurt U.S. interests and risk a slip toward uncontrolled conflict. They must reinforce U.S. leverage and use it where it’s most needed, and fix their gaze on a horizon where the United States, China, and the world can meet collective challenges far more effectively than we have managed this year.

About Transpacifica

The Transpacifica newsletter is produced by me, Graham Webster, a research scholar at Stanford University’s Freeman Spogli Institute for International Studies and editor of the DigiChina project at the Stanford Cyber Policy Center. I launched Transpacifica as a blog on the U.S.–Japan–China triangle in 2006, and this newsletter is the successor to the U.S.–China Week newsletter that ran for three years from 2015–2018. Beginning in November 2020, it will appear about once or twice a month, delivered by free e-mail subscription. The opinions expressed here are my own, and I reserve the right to change my mind.

Transpacifica is back. What’s next in China policy? (2020.11.13)

Welcome back to Transpacifica—the successor to U.S.–China Week. It has been more than two years since this newsletter went on hiatus, and obviously it’s been an eventful interlude in U.S.–China relations and technology policy.

Now is an ideal time to get back at it. The outcome of the U.S. election raises huge questions about continuities and discontinuities in U.S. policy toward China, and tracking the possible, probable, and problematic is more fun with friends. Meanwhile, my day job—leading the DigiChina project and writing and editing on Chinese technology policy—is in a newly steady state, having moved headquarters to the Cyber Policy Center at Stanford University’s Freeman Spogli Institute, where I am now a research scholar.

Most of the people receiving this message were with me for at least part of the three-year run of U.S.–China Week, which covered the full range of issues in bilateral ties from 2015–18. I remain grateful for everyone’s engagement, whether as readers, commenters, occasional tipsters, or indeed detractors, and I learned a great deal. I expect Transpacifica to come out every 2–4 weeks going forward and to cover U.S.–China relations with particular attention to technology issues, which have only become more prominent in the relationship over the last five years.

I’m looking forward to following along with you. For this first return, a welcome back issue in four parts.

1. Biden transition signals about China policy

There are a few elements of conventional wisdom that are likely to be correct about how President-elect Joe Biden’s team will make policy choices regarding China.

First, and most fundamentally, we can expect a much higher degree of policy coordination within the administration. While differences of opinion and clashes of approach will still occur, Biden’s team will largely handle them internally. This may not sound profound, but in key areas such as trade and economic negotiations, this means the U.S. side will no longer be constantly undermining itself. The president will not be getting into spats with his own staff over the structure of agreements in front of the Chinese delegation and the press. Second, the Biden team will work hard to coordinate its China priorities with allies, and to roll back policies that antagonize erstwhile U.S. friends.

Relevant personnel listed in the Transition’s Agency Review Teams suggest continuity with Biden’s Obama administration teams, with two former Biden deputy national security advisers listed by the transition: Jeff Prescott heads the National Security Council effort, and Eli Ratner is a member of the Defense Department team. Kelly Magsamen, a former principal deputy assistant secretary of defense for Asian and Pacific Security Affairs, is also on the NSC team. Mark Wu, a Harvard Law professor who has written on “The ‘China, Inc.’ Challenge to Global Trade Governance,” is on the team for the Office of the U.S. Trade Representative, where he previously worked. We shall see how their efforts and the related appointments unfold.

Meanwhile: Doug Fuller separately provides a rumor that “Biden administration has decided to appoint someone very close to the American semiconductor industry as the head of the Department of Commerce’s Bureau of Industry and Security (BIS),” and says the pick “portends radical scaling back of the semiconductor controls aimed at Huawei and other companies.”

Other good reading on Biden and China:

2. Reprieve for TikTok

WSJ reports: “The Commerce Department said Thursday it wouldn’t enforce its order that would have effectively forced the Chinese-owned TikTok video-sharing app to shut down.” The news came just as the order was to take effect, and after a federal judge had issued a preliminary injunction preventing the TikTok ban pending the outcome of a case that challenged the Trump effort on free speech grounds. The fate of the shotgun marriage of TikTok, Oracle, and Walmart remains unclear.

I have argued in MIT Technology Review that “the Trump administration’s actions against the two Chinese-owned social-media platforms are driven more by politics and an effort to seem tough on China than by actual privacy, safety, or national security concerns.” The strongest evidence for this, in my view, is that the bans on TikTok and WeChat were announced in an attention-getting way with new and not very carefully-prepared executive orders, and without any attention to smaller or non-Chinese platforms that pose huge privacy or national security challenges in the way they handle user data. “The true scandal,” I argued, “is not that the Chinese government might exploit personal data—a well-documented and unsurprising move from a major intelligence apparatus. It’s that doing so is so easy for them and many others, and will remain so even if TikTok and WeChat are banned.” Short of comprehensive privacy and data security regulation, this will remain the case.

The prospects for TikTok and WeChat bans between now and Inauguration Day, as well as afterward, are still uncertain, but many are reading the administration’s posture as essentially a lack of interest in pursuing the matter further. That may be, but what the Trump administration might do on China issues in its remaining days is far from certain, which leads us to…

3. Trumpworld’s parting shots on China

Donald Trump remains the U.S. president, and while he seems distracted by denial over the election outcomes and a fundamentally anti-democratic need to stoke doubts about the clear Biden win, many of his staff appear to have unfinished work.

Already it seemed Secretary of State Mike Pompeo and others were motivated to change facts on the ground as much as possible before a potential loss of power, moving to entrench broad conflict between the United States and China. (The White House released a PDF “book” of administration speeches that have in part served this effort. For some reason, it omitted one of the most sensible speeches from the administration, by Assistant Secretary of State David R. Stilwell last December, that is worth reading even if I don’t endorse it 100 percent.)

This week it was an expansion of U.S. efforts to deny military-industrial complex–linked Chinese firms access to U.S. financial markets. There are about 12 weeks left. The Biden team cannot be at all certain just yet what they will start with in January.

4. Mapping the sprawling China policy agenda

A few days ago, I started making a list of questions, choices, and challenges the incoming U.S. administration faces when it comes to China. Emily Rauhala of the Washington Post had already started a thread.

Here, with minimal commentary, in no particular order, and with plenty missing, is a selection. Forgive the morass, but I think it’s worth showing that there is a morass:

  • What does a Biden administration’s return to climate action look like in bilateral ties?
  • Is there good work toward a “Phase Two” deal that can be adapted to something in the Biden administration?
    • Will the Biden administration unilaterally rescind any of the tariffs they would never have implemented in the first place?
  • Will the U.S. government take action, after all, against TikTok and/or WeChat?
  • What will be the U.S. posture toward Huawei?
    • Does it remain cut off from key U.S. components?
    • Will its executive Meng Wanzhou remain in extradition proceedings in Canada, and will China continue to hold hostage two Canadians—Michael Kovrig and Michael Spavor?
    • How much pressure will the U.S. government exert on foreign governments to avoid using Huawei hardware?
  • What becomes of the State Department’s “Clean” initiative, in which the only things deemed unclean are Chinese things, tying some legitimate questions about tech security and governance to a maximalist frame and familiar racist trope against Chinese people?
  • Will anything serious come of the discussions about democratic alliances on technology such as the D-10?
  • What becomes of the 2019 executive order on supply chain security, which Samm Sacks and I wrote about for Slate?
  • How will the U.S. government handle industrial policy on things like 5G?
  • What becomes of the semiconductor standoff?
  • What will be the U.S. posture toward the terrible human rights abuses in Xinjiang?
    • Continued or additional sanctions?
    • Increased openness to Uyghur or other targeted peoples seeking asylum in the United States?
    • A 2022 Beijing Olympics boycott?
    • Speak strongly and change little?
  • What will be the U.S. posture toward the Chinese government’s ending of the one country, two systems arrangement in Hong Kong?
    • Open to asylum seekers from Hong Kong?
    • How to treat the Hong Kong territory in immigration and market designations?
  • Is anyone paying any attention to human rights issues in Tibet anymore?
  • Are Chinese students again welcome in the United States?
    • Changes in limits on STEM visas?
    • Changes in time limitations for student visas across all countries?
  • What becomes of the Justice Department’s China Initiative? (Read Maggie Lewis on this.)
  • What will the Biden administration’s posture toward Taiwan look like?
    • More arms sales?
    • What kinds of government-to-government engagement?
  • Will U.S. and Chinese journalists and media workers get back to work in each other’s countries?
  • Is there more financial market disentanglement to come, or are the delisting debates dying?
  • Remember the South China Sea?
  • What on earth is going to happen with North Korea?

OK, friends: What are we missing?

Drop me a line at [email protected], and tell your friends to subscribe today. It’s great to be back.

China policy in Trump’s new National Security Strategy: Excerpts and commentary

After a quick read of the Trump administration’s new National Security Strategy, here are several passages bearing on U.S.–China relations, as well as a few comments on them. Not included are several mentions of China’s involvement in other regions of the world.

  • “Every year, competitors such as China steal U.S. intellectual property valued at hundreds of billions of dollars. Stealing proprietary technology and early-stage ideas allows competitors to unfairly tap into the innovation of free societies. Over the years, rivals have used sophisticated means to weaken our businesses and our economy as facets of cyber-enabled economic warfare and other malicious activities. In addition to these illegal means, some actors use largely legitimate, legal transfers and relationships to gain access to fields, experts, and trusted foundries that fill their capability gaps and erode America’s longer-term competitive advantages. We must defend our National Security Innovation Base (NSIB) against competitors. The NSIB is the American network of knowledge, capabilities, and people—including academia, National Laboratories, and the private sector—that turns ideas into innovations, transforms discoveries into successful commercial products and companies, and protects and enhances the American way of life.  The genius of creative Americans, and the free system that enables them, is critical to American security and prosperity” (21).
    • COMMENT: This is not just about intellectual property theft, but also about preventing “legitimate” transfers of IP to strategic rivals.
  • “While maintaining an investor-friendly climate, this Administration will work with the Congress to strengthen the Committee on Foreign Investment in the United States (CFIUS) to ensure it addresses current and future national security risks.  The United States will prioritize counterintelligence and law enforcement activities to curtail intellectual property theft by all sources and will explore new legal and regulatory mechanisms to prevent and prosecute violations” (22).
    • COMMENT: CFIUS reform has strong bipartisan support in Congress, and it is in no small part aimed at erecting or legitimizing barriers to Chinese investments that would result in IP transfer.
  • Leading language under Pillar III, “Preserve Peace Through Strength”: “A central continuity in history is the contest for power. The present time period is no different. Three main sets of challengers—the revisionist powers of China and Russia, the rogue states of Iran and North Korea, and transnational threat organizations, particularly jihadist terrorist groups—are actively competing against the United States and our allies and partners. Although differing in nature and magnitude, these rivals compete across political, economic, and military arenas, and use technology and information to accelerate these contests in order to shift regional balances of power in their favor. These are fundamentally political contests between those who favor repressive systems and those who favor free societies. China and Russia want to shape a world antithetical to U.S. values and interests. China seeks to displace the United States in the Indo-Pacific region, expand the reaches of its state-driven economic model, and reorder the region in its favor. Russia seeks to restore its great power status and establish spheres of influence near its borders. The intentions of both nations are not necessarily fixed. The United States stands ready to cooperate across areas of mutual interest with both countries. For decades, U.S. policy was rooted in the belief that support for China’s rise and for its integration into the post-war international order would liberalize China. Contrary to our hopes, China expanded its power at the expense of the sovereignty of others. China gathers and exploits data on an unrivaled scale and spreads features of its authoritarian system, including corruption and the use of surveillance. It is building the most capable and well-funded military in the world, after our own. Its nuclear arsenal is growing and diversifying. Part of China’s military modernization and economic expansion is due to its access to the U.S. innovation economy, including America’s world-class universities” (25).
    • COMMENT: This is the broadest top-level statement of Trump administration views on China. It places China alongside Russia as actors intentionally seeking to move the world away from U.S. interests. It categorizes both as challengers alongside Iran, North Korea, and terrorism. China is unmistakably situated as the most capable “challenger,” set apart from the others in this framing by technological prowess that is both impressive and illegitimately obtained.
  • “In addition, after being dismissed as a phenomenon of an earlier century, great power competition returned. China and Russia began to reassert their influence regionally and globally. Today, they are fielding military capabilities designed to deny America access in times of crisis and to contest our ability to operate freely in critical commercial zones during peacetime. In short, they are contesting our geopolitical advantages and trying to change the international order in their favor” (27).
    • COMMENT: Chinese diplomats might call this “Cold War thinking,” but it’s long been the case that U.S. strategists perceived a strategic competition between the United States and China. The irony of the Chinese accusations of a Cold War mentality has always been that Chinese strategists think that way too. This new U.S. strategy is strong on recognizing some realities of competition, but weak on assessing how today’s global economic and security environment are drastically different from earlier eras of “great power competition.” There really is a downside in depending too much on analytical tools from another era.
  • “[A]dversaries and competitors became adept at operating below the threshold of open military conflict and at the edges of international law” (27). “China, Russia, and other state and non-state actors recognize that the United States often views the world in binary terms, with states being either ‘at peace’ or ‘at war,’ when it is actually an arena of continuous competition” (28).
    • COMMENT: Lyle Morris points to the former quote as the “First instance of an NSS identifying the gray zone challenge to the U.S. Certainly not the last.”
  • “Maintaining America’s central role in international financial forums enhances our security and prosperity by expanding a community of free market economies, defending against threats from state-led economies, and protecting the U.S. and international economy from abuse by illicit actors” (34).
  • “Information Statecraft: America’s competitors weaponize information to attack the values and institutions that underpin free societies, while shielding themselves from outside information. They exploit marketing techniques to target individuals based upon their activities, interests, opinions, and values. They disseminate misinformation and propaganda. Risks to U.S. national security will grow as competitors integrate information derived from personal and commercial sources with intelligence collection and data analytic capabilities based on Artificial Intelligence (AI) and machine learning. Breaches of U.S. commercial and government organizations also provide adversaries with data and insights into their target audiences. China, for example, combines data and the use of AI to rate the loyalty of its citizens to the state and uses these ratings to determine jobs and more.” (34–5).
    • COMMENT: As U.S. scrutiny of official Chinese influence operations abroad rises, here it is melded rhetorically with oblique references to both authoritarian Internet censorship and (perhaps even) Russian election interference. For obvious reasons, a deeper meditation on the Russian operations is set aside. What’s left is an allusion to the OPM hack, one to the hype-and-reality of AI/ML factors in national security, and a reference to China’s “social credit system” that conflates the government’s plans and some capabilities already installed in privately-run systems. 
  • “Today, the United States must compete for positive relationships around the world. China and Russia target their investments in the developing world to expand influence and gain competitive advantages against the United States. China is investing billions of dollars in infrastructure across the globe. Russia, too, projects its influence economically, through the control of key energy and other infrastructure throughout parts of Europe and Central Asia.  The United States provides an alternative to state-directed investments, which often leave developing countries worse off. The United States pursues economic ties not only for market access but also to create enduring relationships to advance common political and security interests” (38).
    • COMMENT: I suppose then the U.S. plan to compete with Chinese and Russian influence through investment is to just let the private sector do what it will and bet on a positive result, eh?
  • “Ensure Common Domains Remain Free: The United States will provide leadership and technology to shape and govern common domains—space, cyberspace, air, and maritime—within the framework of international law. The United States supports the peaceful resolution of disputes under international law but will use all of its instruments of power to defend U.S. interests and to ensure common domains remain free. Protect a Free and Open Internet: The United States will advocate for open, interoperable communications, with minimal barriers to the global exchange of information and services. The United States will promote the free flow of data and protect its interests through active engagement in key organizations, such as the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Governance Forum (IGF), the UN, and the International Telecommunication Union (ITU)” (41).
    • COMMENT: The strategy does not advocate for the ratification of the UN Convention on the Law of the Sea (UNCLOS), so I’m not sure what to make of claims that “international law” should be the framework for maritime governance. “International law” isn’t really the animating framework behind all the cyberspace institutions listed, either. 
  • Under the Indo-Pacific regional section: “A geopolitical competition between free and repressive visions of world order is taking place in the Indo-Pacific region. … Although the United States seeks to continue to cooperate with China, China is using economic inducements and penalties, influence operations, and implied military threats to persuade other states to heed its political and security agenda. China’s infrastructure investments and trade strategies reinforce its geopolitical aspirations. Its efforts to build and militarize outposts in the South China Sea endanger the free flow of trade, threaten the sovereignty of other nations, and undermine regional stability. China has mounted a rapid military modernization campaign designed to limit U.S. access to the region and provide China a freer hand there. China presents its ambitions as mutually beneficial, but Chinese dominance risks diminishing the sovereignty of many states in the Indo-Pacific. States throughout the region are calling for sustained U.S. leadership in a collective response that upholds a regional order respectful of sovereignty and independence” (45–6).
  • Action items under the Indo-Pacific regional section: “Political: Our vision for the Indo-Pacific excludes no nation. We will redouble our commitment to established alliances and partnerships, while expanding and deepening relationships with new partners that share respect for sovereign, fair and reciprocal trade, and the rule of law. We will reinforce our commitment to freedom of the seas and the peaceful resolution of territorial and maritime disputes in accordance with international law. We will work with allies and partners to achieve complete, verifiable, and irreversible denuclearization on the Korean Peninsula and preserve the non-proliferation regime in Northeast Asia. Economic: The United States will encourage regional cooperation to maintain free and open seaways, transparent infrastructure financing practices, unimpeded commerce, and the peaceful resolution of disputes. We will pursue bilateral trade agreements on a fair and reciprocal basis. We will seek equal and reliable access for American exports. We will work with partners to build a network of states dedicated to free markets and protected from forces that would subvert their sovereignty” (46).
    • COMMENT: The political vision “excludes no nation” but promises to work with “new partners that share respect for sovereign, fair and reciprocal trade, and the rule of law.” So does that include China? The economic vision promises bilateral trade agreements and a “network of states dedicated to free markets.” Given those goals, wouldn’t it make more sense to get that network together for a broader, more interoperable trade regime—say based on a modified Trans-Pacific Partnership? 
  • “We will maintain our strong ties with Taiwan in accordance with our ‘One China’ policy, including our commitments under the Taiwan Relations Act to provide for Taiwan’s legitimate defense needs and deter coercion” (46).
    • COMMENT: Taiwan was not mentioned in the Obama administration’s February 2015 National Security Strategy. For comparison, here’s the full paragraph on China from that document: “The United States welcomes the rise of a stable, peaceful, and prosperous China. We seek to develop a constructive relationship with China that delivers benefits for our two peoples and promotes security and prosperity in Asia and around the world. We seek cooperation on shared regional and global challenges such as climate change, public health, economic growth, and the denuclearization of the Korean Peninsula. While there will be competition, we reject the inevitability of confrontation. At the same time, we will manage competition from a position of strength while insisting that China uphold international rules and norms on issues ranging from maritime security to trade and human rights. We will closely monitor China’s military modernization and expanding presence in Asia, while seeking ways to reduce the risk of misunderstanding or miscalculation. On cybersecurity, we will take necessary actions to protect our businesses and defend our networks against cyber-theft of trade secrets for commercial gain whether by private actors or the Chinese government.” Other mentions in that version flagged “China’s rise” as a condition that needs to be handled and celebrated U.S.-China cooperation on climate change. The Trump document does not see the climate as a challenge, but does flag climate regulation as a barrier to energy sector success.

Chinese IT security examiner describes review process, clarifies status of Chinese government Windows edition

A public controversy among computer security experts in China has erupted over the degree of national security assessment required in general and what specifically is required by the new Cybersecurity Law and related regulations. Ni Guangnan, an academician with the Chinese Academy of Engineering and a longstanding proponent of indigenous technology in China, recently argued (in a piece translated here) that the new Windows 10 China Government Edition should not be approved for government procurement because it has not yet formally passed the new law’s national security review process. Here, Wang Jun, lead engineer of the China Information Technology Security Evaluation Center (CNITSEC), which is a third-party review organization for the Chinese government, argues that the new custom Windows edition from the Microsoft-CETC joint venture was developed in consideration of Chinese government security priorities and therefore should be given due consideration as “secure and controllable.” Wang also provides important insights into the degree to which the nascent national security review system has already started to operate and describes in detail his view of how the process is expected to work.

The following was translated from the Chinese original by Rogier Creemers, Paul Triolo, and Graham Webster. 

Core Security Examination Expert on Calls to Suspend Use of Windows 10 China Government Edition: At This Stage, Forcing a Switchover Is Not the Best Option

Southern Metropolis Daily Original

2017-06-12 13:20

China Information Security Monitoring Centre General Engineer Wang Jun

Academician Ni Guangnan of the Chinese Academy of Engineering stated recently in a media article that the Windows 10 version for the Chinese government has not passed cybersecurity review, and should remain outside of the government procurement catalogue. What is cybersecurity review? How does this matter implement the regulatory system just established on 1 June, and what network products is it aimed at?

A Southern Metropolis Daily (SMD) journalist interviewed Wang Jun, General Engineer at the China Information Technology Security Evaluation Center (CNITSEC). Wang Jun answered these questions from an expert perspective. He indicated that cybersecurity review has a set of activations and review procedures exclusive to itself, and that these are identical for domestic and foreign products; there is no difference.

Wang Jun indicated that cybersecurity should be discussed in an open environment. The Chinese government version of Windows 10 may be considered as a positive trial in order to resolve the objective requirements concerning operating systems inside China at present, and raising our own technological levels and capabilities.

The general security review for Windows 10 has begun; the security review situation for the governmental version is hitherto not understood.

SMD: Has the Chinese Government version of Windows 10 undergone security review?

Wang Jun: The forerunner of the Chinese Government version of Windows 10 is the common version of Windows 10; it is a commercial product of Microsoft, and is the common version distributed worldwide. As I understand it, our country has already started its cybersecurity review (hereafter named security review) of the common version of Windows 10. CNITSEC is designated by the Cyberspace Administration of China, and has undertaken third-party evaluation work of the common version of Windows 10; but at present, I have not seen a decision by the controlling department concerning whether it passed or not.

With regard to whether the governmental version of Windows 10 is on the way towards cybersecurity review, I have not yet heard about the circumstances in this matter.

SMD: And what is the result of the third-party evaluation by CNITSEC of the common version of Windows 10?

Wang Jun: We have major conclusions in two areas: the first is that we have discovered that in comparison with Win8, Win7 and earlier operating systems, the security functions in Windows 10 have been improved substantially. Second, a number of security risk points still exist, in fact, in the common version of Windows 10. According to the work agreement, we are not yet able to reveal details.

SMD: Security review has only been determined by law in the past few years, did we have similar work before this?

Wang Jun: The cybersecurity review system was only finally established in 2016, but before that, similar work actually had been begun.

In 2003, the National Development and Reform Commission authorized CNITSEC to act as a national monitoring body, and represented China in concluding a Government Security Program agreement for source code inspection with Microsoft; this is a multilateral agreement, and Microsoft has concluded GSP agreements with many countries. Considering that a fair few national governments have security concerns with Microsoft operating systems, Microsoft agreed, through the GSP program, to open up source code on a small scale and with secrecy protection, but because this involved intellectual property protection, it only took place on a small scale, and did not turn into open source. Microsoft, from its side, exhibited a positive attitude, and where we were concerned, this added a channel for understanding.

GSP is an agreement in which both sides are equal, and security review means that when there are risks in a product that may influence national security, we represent the country in conducting a review, and the scope of security review may be broadened.

SMD: Some experts say Windows 8 and Windows 10 use trustworthy technology; will this mean manufacturers have a strong controlling power over operating systems?

Wang Jun: I basically agree with this point of view. In the common Windows 10 operating system, the manufacturer has very strong controlling power over the system. But the strengthening of this sort of controlling power may have a double-edged sword effect. If it is especially strong, it may mean that user controllability over this system is weakened; on the other hand, if user controllability over operating systems is extremely strong, hackers can equally have these kinds of capabilities, and in this kind of situation it may also bring new security risks. Because of that, we need to find a point of balance.

Where China is concerned, the common version of Windows 10 is not a complete black box.

SMD: So where the Chinese government is concerned, Windows 10 is not a black box after all, right?

Wang Jun: Right. According to the GSP agreement, Microsoft has provided an opportunity to review source code, but as to what the details are that come up in review, these may only be made public with the agreement of both sides.

In the national security review process of the common version of Windows 10, our center has undertaken third-party evaluation work, in Beijing. It has also inspected and verified the source code of the common version. Furthermore, the scope of its review and verification of source code is broader than under the original GSP agreement.

SMD: Can one guarantee security through inspecting source code?

Wang Jun: Between conducting source code inspections and coming to a conclusion whether a product is safe or not, there is a lot of technical work that needs to be done. One cannot simply say that “I give you the source code to look at and so it is absolutely safe,” one should also not simply believe that technological monitoring means going through source code line by line. 

SMD: What technical methods are required to reach a determination of security?

Wang Jun: Source code security examination is in fact one of the methods for the third-party evaluation part of cybersecurity review or information security evaluation, but it is not the only method. Determining the security of network products is a comprehensive process requiring multiple methods. For instance, monitoring program behavior in the real work environment is one evaluation method, as is reverse engineering of executable files.

There are also international common criteria (CC) for security examination of network products (if operating systems are considered a kind of product). CC are also an important reference indicator for our Evaluation Center’s product security evaluation.

Operating system source code can run as long as 100 million lines. How much to look at, what part to look at, and how to judge the code are decided according to objectives of the technology evaluator in the third party evaluation process. Reading every single line is perhaps ideal, but doing so would require an enormous amount of time and resources. On the other hand, from the perspective of a technology evaluator’s methods, looking at every line may not be necessary. But as evaluators we ask for 100 percent of the source code and then, starting from a foundation of analyzing the program’s structure and how it integrates with the user’s machine, we decide which modules specifically require examination and verification.

Cybersecurity reviews must be triggered by someone, and they do not separate domestic from international.

SMD: Are national cybersecurity reviews the same thing as “user testing” and “security testing”?

Wang Jun: Simply put, security reviews and technological evaluation or user evaluation are not the same thing. In the process of security review, however, technology evaluation or user evaluation may be included. Security reviews are about the possibility of network products and services influencing national security.

According to the Security Review Measures for Network Products and Services, the security review process must first be triggered, and the measures clearly enumerate several conditions for triggering. One is if relevant national authorities believe a type of product or service requires cybersecurity review. Two is if national trade associations recommend security review. Three is if the market reflects that it must be done. We believe the market includes the masses, users, etc.

As soon as someone suggests security review, a legally determined work procedure must be undertaken. This work procedure should be defined ahead of time by the competent national department. Security review is serious and important work that cannot be taken lightly and executed at a word; it requires a work procedure and official confirmation before beginning.

SMD: What is the work procedure for national cybersecurity reviews?

Wang Jun: In my understanding of the relevant laws and regulations, once it is initiated, there are several steps. First, a third-party evaluation organization appointed by the competent department undertakes objective evaluation of the network product or service for requirements such as security, controllability, reliability, data validation (材料的真实性), user control of the product, etc.

At the same time, there is another set of work, for instance relevant examinations, background investigations, determination of whether there is any unfair competition or influence on the national economy and market. This comprehensive investigation can take place at the same time.

Once the technology evaluation and comprehensive investigation are complete, the results are submitted to a committee of experts for opinions, independent examination, and judgment. The competent organ finally determines whether review has been passed. It cannot listen only to one side’s opinion, so it asks a high-level experts’ committee to submit judgment and opinions. We are all responsible for our own conclusions and work independently.

Finally, the cybersecurity review office synthesizes the views and reports up to the cybersecurity review committee, which issues the result of the security review.

SMD: Does national cybersecurity review only target foreign network products?

Wang Jun: According to my understanding of the spirit of the Cybersecurity Law, the cybersecurity review does not distinguish between domestic and foreign. Cybersecurity review does not have a nationality preference, and it’s not the case that foreign things are all examined while domestic things are not.

I believe that it doesn’t matter whether it’s Microsoft’s general use edition of Windows, the joint venture C&M Information Technology Co.’s Windows 10 China Government Edition, or another Chinese-made operating system. If the product needs to undergo relevant security review, according to the law- and regulation-decided procedure, they can all go through cybersecurity review. The legal requirements are the same.

When it comes to technological evaluation or security investigation, the procedure, standards, and requirements are the same. Of course, different product circumstances may determine different emphases, but on the whole the requirements are the same.

“Developing Windows 10 China Government Edition was a kind of attempt”

SMD: Many people believe a Chinese operating system should replace [Windows]. As an expert, do you agree with this view?

Wang Jun: My own personal view is that our country has a portion of professions and fields that at this stage objectively need to use the Windows platform. Technologically, Windows is in some ways advanced, and it has formed an ecosystem. Many of our applications have developed a certain extent of dependency on the Windows system, and without saying whether this dependency is rational, it’s an objective fact. I understand that some professional users, including some in critical information infrastructure areas, would have difficulty simply switching to a non-Windows operating system.

Thus under these conditions, forcing switchover to non-Windows systems is not necessarily the best choice.

On the other hand, in the open environment, if we can ensure security and controllability of a piece of advanced foreign technology, we can at least say there’s no need to exclude it or decide not to use it.

SMD: How do you view Windows 10 China Government Edition?

Wang Jun: Windows 10 China Government Edition was jointly developed by China Electronics Technology Group (CETC) and Microsoft, and the C&M Information Technology Co. was set up with CETC holding 51% of shares and Microsoft holding 49%. According to my understanding, in their cooperation, Microsoft is willing to open source code under the condition that intellectual property is protected. I believe developing Windows 10 or another later government-use edition in this method is a positive and meaningful attempt.

We understand the goal of this method is to try to give government and critical information infrastructure users an improved edition that suits Chinese users’ security requirements better than the general edition. This is a way to explore new solutions to problems at this stage. I think it’s something to look forward to.

SMD: Do you think that developing a Windows 10 Chinese government version and developing a domestic operating system are not contradictory?

Wang Jun: The R&D of a domestic operating system, plus putting one into use and packaging this to form an ecological environment, requires a certain amount of time.

The use of the Windows 10 China Government-specific version, and the R&D and vigorous promotion of the application of a domestic operating system, including the construction of an ecological environment, can be carried out in parallel. In deciding whether or not to implement this parallel situation, it may well be worth considering the issue in terms of improving the degree of control over China’s cybersecurity, and the actual needs of users. We should allow this attempt in a tolerant manner.

Of course, this is for government departments and critical information infrastructure users. Other social users, and business users, must decide according to their own needs what kind of operating system to use.

“A domestic system does not mean that it must be secure”

SMD: For domestic operating system security issues, what are your views? Is a domestic operating system secure?

Wang Jun: From a security point of view, domestic systems have some advantages compared to some foreign systems, but we cannot simply think that a domestic system must be secure. There are several reasons for this. First of all, any product has vulnerabilities, and vulnerabilities are a fundamental problem of cybersecurity; there is no certain security situation.

Second, some of our own domestically produced systems can be more reassuring in some aspects of security than foreign products; for example, we do not have to worry about deliberate or passive implantation of malicious programs by the designer. But we may have gaps compared with others in other aspects of security, such as our understanding and mastery of security issues and anti-attack capabilities; there may be areas in which we are not sufficient. The question of security is a comprehensive consideration.

Third, some equipment may be OEM from abroad (the original design is abroad, we just got the production license), and there are some domestic systems that use open source software; but with OEM and open source themselves, domestic systems may also carry security issues.

Moreover, because of the special nature of open source systems, there is no manufacturer, so there may be loopholes with no one to resolve them. Taking these factors together, we cannot simply say that the domestic network products must be secure.

SMD: So, do you think the Windows 10 China Government Edition requires a complete network review?

Wang Jun: As I just said, network products and services, whether domestic or foreign, and whether from a domestic firm or a joint venture, are all required in accordance with relevant national laws and regulations to carry out the necessary security assessment, or even a security review. The Windows 10 China Government Edition should also be no exception. Of course, to start a security review requires things to be done in accordance with the relevant legal procedures. If you meet the conditions for triggering the security review, in accordance with the legal procedures, it is possible to conduct a cybersecurity review.

SMD: Is it not the government procurement of critical information network infrastructure that requires conducting a cybersecurity review? So the security review and government procurement are naturally bound into one piece?

Wang Jun: As far as I know, the two are not naturally bound together. Government procurement also has its own procedural requirements. In the Cybersecurity Law, there is a provision for procurement that states that “network products or services that have not passed a security assessment or security review” may not be purchased. We should pay attention to the understanding of “have not,” which should be understood as “should undergo but did not undergo a cybersecurity review.”

Therefore, according to the current law, I think it is clear that if a product did not pass a security review, and clearly announced that it did not pass, it cannot be entered into the procurement directory.

SMD: The current technical testing for security is usually just testing a sampling; how can one ensure that each computer operating system is secure?

Wang Jun: Our current testing methods are concerned with the two aspects of dynamic and static, but we are limited by the current technology and methods, and there is more of a focus on the static state. We are responsible for certain samples and security conclusions at a given point in time, but these are not permanent and it is difficult to achieve permanent security testing. However, the evaluation agency will try to make up for the relevant deficiencies, for example through continuous monitoring, on-line monitoring, or testing methods, to strengthen the understanding and mastery of the dynamic security situation.

SMD: Some people worry about the security of foreign products, fearing incidents such as described by Snowden. Is this not justified?

Wang Jun: This concern is reasonable—no one dares to say no. This is one of the reasons we have always stressed security and controllability. But we should not ask for absolute security, just as we do not stop driving a car because of the risk of traffic accidents. In fact, we also have a certain degree of anti-risk ability, through our work, to improve the security and controllability of foreign products, so that the risk is reduced to an acceptable level. Then we can use foreign advanced products.

Southern Metropolis Daily reporter Wu Bin from Beijing

Ni Guangnan: China should suspend purchases and use of Windows 10 China Government Edition pending security review (translation)

(Chinese original follows / 中文在后)

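See also related items: 核心安全审查专家回应Windows10政府版被建议禁用:现阶段强行切换系统并非最佳选择 (“Core Security Examination Expert on Calls to Suspend Use of Windows 10 China Government Edition: At This Stage, Forcing a Switchover Is Not the Best Option”), 倪光南炮轰Win10政府版没过审查 微软合作方回应 (“Ni Guangnan Blasts Win10 Government Edition for Not Passing Review; Microsoft Partner Responds”)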

*  *  *

The Government Should Suspend Purchase and Use of Windows 10 Government Edition

By Ni Guangnan

Southern Metropolis Daily, June 8, 2017, Page: AA15

A few days ago, Microsoft Greater China CEO Alain Crozier said the China Government Edition of Windows 10, produced according to the “secure and controllable” principle, had already undergone user testing at three major enterprises, proving that it is reliably secure and thus ready for wide deployment. Reports followed saying “Windows 10 Government Edition Has Completed Domestic Security Testing.” People should ask: Why are they making a big deal out of Windows 10 passing “user testing” and “security testing”?

As everyone knows, China’s Cybersecurity Law has officially gone into effect. It requires: “Critical information infrastructure operators purchasing network products and services that might impact national security shall undergo a national security review organized by the State cybersecurity and Informatization departments and relevant departments of the State Council.” In contrast to this regulation, it’s not difficult to see that claiming Windows 10 passed “user testing” or “security testing” is probably designed to create the false impression that Windows 10 Government Edition has already passed “national security review,” in order to open the door to government procurement.

According to the Security Review Measures for Network Products and Services issued by the Cyberspace Administration of China, cybersecurity review has strict procedures, for instance requiring third-party evaluation by a nationally recognized cybersecurity review organization.

In 2015, before the establishment of the joint venture between China Electronics Technology Group Corporation (CETC) and Microsoft, Microsoft issued Windows 10 Government Edition. At that point, the Security Review Measures for Network Products and Services were being drafted, and on related aspects Windows 10 Government Edition underwent a round of cybersecurity review and did not pass. Since then, Windows 10 Government Edition has never again undergone this kind of review. No matter what kind of “user testing” or “security testing” it later went through, therefore, it still has not passed cybersecurity review.

Experts specifically point out that Windows 10 has subjectively and objectively not passed cybersecurity review, because:

(1) Although China does not lack operating system experts, because Windows is closed-source, proprietary software, no expert outside Microsoft can be fully familiar with it. It is not realistic, then, to rely on a few experts not fully familiar with Windows to accurately estimate the security and controllability of Windows 10 Government Edition with only a short period in which to examine 100 million lines of source code.

(2) Undertaking security review of software at minimum requires access to the software’s refactorable (可重构的) and complete source code, but Microsoft has never provided China with Windows’ complete source code, let alone allowed it to refactor. If a piece of software has millions of lines of non-open source code, it is like a black box, and there is fundamentally no way to accurately estimate its security and controllability.

Today, no substantive change has resulted from experts making the above points. Even if Windows 10 Government Edition again undergoes cybersecurity review, the degree of difficulty will not decrease. Furthermore, because the structure of Windows 10 incorporates trustworthy computing, reviewing it requires verifying that it complies with the Electronic Signature Law (电子签名法) and the Provisions on the Administration of the Use of Commercial Encryption Products (商用密码管理条例). Additionally, it requires surveying how domestic and international information security firms integrate trustworthy computing and antivirus software with Windows 10 and deal with the issue of unfair competition. Clearly Windows 10 Government Edition must again undergo cybersecurity review in what will be a protracted process.

In 2005 and 2014, because Windows Vista and Windows 8 were not controllable, the government ordered a halt of purchases. In 2015, Microsoft quickly updated editions and released Windows 10. Several authoritative Chinese security evaluation organizations concluded that, “the Windows 8.1 and Windows 10 kernel are basically the same, there were not more substantial changes, and to a great extent the upgrade was for the sake of commercial publicity.” (This evaluation only determined whether the two editions were the same and did not touch upon security and controllability estimation, and so it was relatively easy to complete.)

In conclusion, seeing that Windows 10, Windows 8, and Windows 10 Government Edition have not passed cybersecurity review, relevant issues will hopefully be given attention, and government procurement and use of Windows 10 (including Windows 10 Government Edition) should be prohibited according to law.

Ni Guangnan, a member of the first class of academicians of the Chinese Academy of Engineering, is devoted to indigenous and controllable core information technologies and industries, and has received lifetime achievement awards from the Chinese Information Processing Society of China and the China Computer Federation. 

Translated by Graham Webster.

建议政府停止采购和使用“Win10政府版”

来源:南方都市报 2017年06月08日 版次:AA15 作者:倪光南

开放专栏

日前,微软大中华区CEO柯睿杰表示:基于“安全可控”原则打造的中国政府版Win10正处于上市销售前的准备当中,该版本Win10已经通过3家大型企业的用户测试,证明该版本系统拥有可靠的安全性,接下来将进行大规模的部署。接着有报道呼应说,“Win10政府版已经在国内完成安全测试”。人们要问:他们为什么要大肆宣传Win10通过“用户测试”、“安全测试”呢?

众所周知,我国《网络安全法》已正式施行,它要求“我国关键信息基础设施的运营者采购网络产品和服务,可能影响国家安全的,应当通过国家网信部门会同国务院有关部门组织的国家安全审查”。对照这个法规,人们不难理解,宣传Win10通过“用户测试”、“安全测试”,可能是想造成“Win10政府版”已通过国家安全审查的假象,从而为它进入政府采购敞开大门。

按照网信办发布的《网络产品和服务安全审查办法》,网络安全审查有严格的程序,并需由国家统一认定网络安全审查第三方机构,承担网络安全审查中的第三方评价工作。

2015年,早在CETC与微软的合资公司成立前,微软就做出了“Win10政府版”。那时,《网络产品和服务安全审查办法》正在制订中,有关方面对“Win10政府版”进行了一次网络安全审查,结果没有通过。此后,对“Win10政府版”并没有再做此类审查。因此,不管后来它做了什么“用户测试”、“安全测试”,它至今仍是一个没有通过网络安全审查的产品。

那时专家们还特别指出,当前不具备对Win10进行网络安全审查的主客观条件,因为:

一、中国虽然不缺少操作系统专家,不过因为Windows是不开放源代码的专有软件,微软以外的专家谁也无法精通Windows。现在想指望一些不精通Windows的人,在短时间里对亿行源代码规模的“Win10政府版”的安全性、可控性作出准确评估,显然是不现实的。

二、要对一个软件进行安全审查至少应获得该软件的可重构的全部源代码,但微软从未对中方提供过Windows的全部源代码,更谈不上可重构了。而如果一个软件有数以百万计的源代码不开放,这就像一个黑盒子,根本无法对其安全性、可控性作出准确评估。

今天,专家陈述的上述情况并没有发生实质变化,即使对“Win10政府版”再作网络安全审查,其难度也没有减少。而且由于Win10的架构集成了可信计算,审查需验证它与我国《电子签名法》和《商用密码管理条例》的合法、合规性。此外,还需调查国内外信息安全厂商对Win10捆绑可信计算和杀毒软件、实施不正当竞争的投诉问题。可见,“Win10政府版”要想再作网络安全审查,也将是旷日持久的事。

在2005年和2014年,我国政府因Vista和Win8不可控,都明令禁止采购。后来到2015年,微软快速更新版本号,推出了Win10。对此,我国几家权威安全测评机构进行测评后认为,“Win8.1与Win10内核基本一致,并不存在较大幅度的变化,而版本号的大幅度升级更多是为了商业宣传的需要”。(按:这里的测评只需判断两者是否一致,不涉及安全性、可控性的评估,因而较易实施。)

综上所述,鉴于Win10等同于Win8以及“Win10政府版”并未通过网络安全审查,希望有关方面予以关注,应依法继续禁止政府采购和使用Win10(包括“Win10政府版”在内)。

倪光南(中国工程院首批院士,一直致力于自主可控的信息核心技术和产业,曾获得中国中文信息学会与中国计算机学会终身成就奖)