PRC Response To U.S. Clean Networks

The PRC responds to the U.S.’ Clean Networks with a call for international, multilateral standards

In a speech given by the People’s Republic of China’s (PRC) Foreign Minister Wang Yi, the PRC proposed international, multilateral cooperation in addressing data security around the globe. In doing so, Wang took some obvious shots at recent policies announced by the United States (U.S.) and longer-term actions such as surveillance by the National Security Agency (NSA). The PRC floated a “Global Initiative on Data Security” that would, on its face, seem to argue against actions being undertaken by Beijing against the U.S. and some of its allies. For example, this initiative would bar the stealing of “important data,” yet the PRC stands accused of hacking Australia’s Parliament. Nonetheless, the PRC is likely seeking to position itself as more internationalist than the U.S., which under President Donald Trump has become more isolationist and unilateralist in its policies. The PRC is also calling for the rule of law, especially around “security issues,” most likely a reference to the ongoing trade/national security dispute between the two nations playing out largely in their technology sectors.

Wang’s speech came roughly a month after the U.S. Department of State unveiled its Clean Networks program, an initiative aimed at countering the national security risks posed by PRC technology companies, hardware, software, and apps (see here for more analysis.) He even went so far as to condemn unilateral actions by one nation in particular looking to institute a “clean” networks program. Wang framed this program as aiming to blunt the PRC’s competitive advantage by playing on national security fears. The Trump Administration has sought to persuade, cajole, and lean on other nations to forgo use of Huawei equipment and services in building their next generation 5G networks with some success.

And yet, since the Clean Networks program lacks much in the way of apparent enforcement mechanisms, the Department of State’s announcement may have had more to do with optics, as the Trump Administration and many of its Republican allies in Congress have pinned the blame for COVID-19 on the PRC and cast the country as the primary threat to the U.S. This has played out as the Trump Administration has choked off access to advanced semiconductors and chips for PRC firms, banned TikTok and WeChat, and ordered ByteDance to sell musical.ly, the app and platform that served as the fulcrum by which TikTok was launched in the U.S.

Wang asserted the PRC “believes that to effectively address the risks and challenges to data security, the following principles must be observed:

  • First, uphold multilateralism. Pursuing extensive consultation and joint contribution for shared benefits is the right way forward for addressing the deficit in global digital governance. It is important to develop a set of international rules on data security that reflect the will and respect the interests of all countries through broad-based participation. Bent on unilateral acts, a certain country keeps making groundless accusations against others in the name of “clean” network and used security as a pretext to prey on enterprises of other countries who have a competitive edge. Such blatant acts of bullying must be opposed and rejected.
  • Second, balance security and development. Protecting data security is essential for the sound growth of digital economy. Countries have the right to protect data security according to law. That said, they are also duty-bound to provide an open, fair and non-discriminatory environment for all businesses. Protectionism in the digital domain runs counter to the laws of economic development and the trend of globalization. Protectionist practices undermine the right of global consumers to equally access digital services and will eventually hold back the country’s own development.
  • Third, ensure fairness and justice. Protection of digital security should be based on facts and the law. Politicization of security issues, double standards and slandering others violate the basic norms governing international relations, and seriously disrupt and hamper global digital cooperation and development.

Wang continued, “[i]n view of the new issues and challenges emerging in this field, China would like to propose a Global Initiative on Data Security, and looks forward to the active participation of all parties…[and] [l]et me briefly share with you the key points of our Initiative:

  • First, approach data security with an objective and rational attitude, and maintain an open, secure and stable global supply chain.
  • Second, oppose using ICT activities to impair other States’ critical infrastructure or steal important data.
  • Third, take actions to prevent and put an end to activities that infringe upon personal information, oppose abusing ICT to conduct mass surveillance against other States or engage in unauthorized collection of personal information of other States.
  • Fourth, ask companies to respect the laws of host countries, desist from coercing domestic companies into storing data generated and obtained overseas in one’s own territory.
  • Fifth, respect the sovereignty, jurisdiction and governance of data of other States, avoid asking companies or individuals to provide data located in other States without the latter’s permission.
  • Sixth, meet law enforcement needs for overseas data through judicial assistance or other appropriate channels.
  • Seventh, ICT products and services providers should not install backdoors in their products and services to illegally obtain user data.
  • Eighth, ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products.

As mentioned in the opening paragraph of this article, the U.S. and many of its allies and partners would argue the PRC has transgressed a number of these proposed rules. However, the Foreign Ministry was very clever in how it drafted and translated these principles, for in the second key principle, the PRC is proposing that no country should use “ICT activities to impair other States’ critical infrastructure.” And yet, two international media outlets reported that the African Union’s (AU) computers were transmitting reams of sensitive data to Shanghai daily between 2012 and 2017. If this claim is true, and the PRC’s government was behind the exfiltration, is it fair to say the AU’s critical infrastructure was impaired? One could argue the infrastructure was not, even though there was apparently massive data exfiltration. Likewise, in the third key principle, the PRC appears to be condemning mass surveillance of other states, but just this week a PRC company was accused of compiling the personal information of more than 2.4 million people worldwide, many of them in influential positions like the Prime Ministers of the United Kingdom and Australia. And yet, if this is the extent of the surveillance, it is not of the same magnitude as U.S. surveillance over the better part of the last two decades. Moreover, the PRC is not opposing a country using mass surveillance of its own people as the PRC is regularly accused of doing, especially against its Uighur minority.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


State Department Touts Its Clean Network Program

A U.S. government agency publicizes a plan light on specifics but heavy on rhetoric to eliminate PRC equipment, services, and apps from U.S. systems.   

The United States (U.S.) Department of State unveiled “[t]he Clean Network program…the Trump Administration’s comprehensive approach to safeguarding the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party.” This new program is an expansion or even a repurposing of a Congressional mandate to remove suspect and unsafe equipment and systems from federal agency networks. Nonetheless, there was scant detail provided on how the Department of State will accomplish its goals to remove technology from the People’s Republic of China (PRC) from U.S. networks and systems. The Department of State’s announcement comes at about the same time the Trump Administration announced executive orders designed to ban TikTok and WeChat, two PRC apps, suggesting the announcement was timed to coincide with the White House’s news.

Clean Networks is an expansion of the Clean Path, a program to address the risks created by having PRC 5G equipment and services on the agency’s networks. In April 2020, Secretary of State Mike Pompeo “announced that the U.S. Department of State will begin requiring a Clean Path for all 5G network traffic entering and exiting U.S. diplomatic facilities.” The Department of State noted:

  • The 5G Clean Path is an end-to-end communication path that does not use any transmission, control, computing, or storage equipment from untrusted IT vendors, such as Huawei and ZTE, which are required to comply with directives of the Chinese Communist Party.
  • The 5G Clean Path embodies the highest standards of security against untrusted, high-risk vendors’ ability to disrupt, manipulate or deny services to private citizens, financial institutions, or critical infrastructure.

In launching the Clean Path for 5G, the Department of State was responding to language in a recent National Defense Authorization Act aimed at removing equipment and systems from the PRC and other nations of concern. However, this language did not require the agency to take these additional steps, and the agency is likely acting under a more general grant of authority from Congress to regulate its acquisition and use of technology. Moreover, this program sweeps wider than the Department of State and would normally be coordinated in the White House by an entity like the Office of Management and Budget (OMB). In fact, the Department of State is claiming to be spearheading this effort for the Trump Administration. The Department of State asserted:

The Clean Network program is the Trump Administration’s comprehensive approach to safeguarding the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party (CCP).

In a fact sheet, the Department of State explained the “Clean Network Lines of Effort:”

The Clean Network initiative is a comprehensive effort to address the long-term threat to data privacy, security, and human rights posed to the free world from authoritarian malign actors, such as the CCP. The Clean Network is rooted in internationally accepted digital trust standards and is a reflection of our commitment to an open, interoperable, and secure global internet based on shared democratic values and respect for human rights. This effort represents the execution of a multi-year, all-of-government enduring strategy, built on a coalition of trusted partners.

  • 5G Clean Path: To protect the voice and data traversing 5G standalone networks entering and exiting U.S. diplomatic facilities at home and abroad. Announced by Secretary Pompeo on April 29, 2020, the 5G Clean Path is an end-to-end communication path that does not use any transmission, control, computing, or storage equipment from untrusted IT vendors, such as Huawei and ZTE, which are required by Chinese law to comply with directives of the CCP. The 5G Clean Path embodies the highest standards of security against untrusted, high-risk vendors’ ability to disrupt, manipulate or deny services to private citizens, financial institutions, or critical infrastructure. All mobile data traffic entering American diplomatic systems will be subject to new, stringent requirements.
  • Clean Carrier: To ensure untrusted People’s Republic of China (PRC) carriers are not connected with U.S. telecommunications networks. Such companies pose a danger to U.S. national security and should not provide international telecommunications services to and from the United States.
  • Clean Store: To remove untrusted applications from U.S. mobile app stores. PRC apps threaten our privacy, proliferate viruses, censor content, and spread propaganda and disinformation. On August 6, 2020, President Trump signed two Executive Orders to address the threats posed by TikTok and WeChat. TikTok and WeChat capture vast swathes of data from their unsuspecting users and are compelled by Chinese law to turn over this private information to the CCP upon request. The American people’s most sensitive personal and business information must be protected on their mobile phones from exploitation and theft for the CCP’s benefit.
  • Clean Apps: To prevent untrusted PRC smartphone manufacturers from pre-installing—or otherwise making available for download—trusted apps on their apps store. Huawei, an arm of the PRC surveillance state is trading on the innovations and reputations of leading U.S. and foreign companies. These companies should remove their apps from Huawei’s app store to ensure they are not partnering with a human rights abuser.
  • Clean Cloud: To prevent U.S. citizens’ most sensitive personal information and our businesses’ most valuable intellectual property, including COVID-19 vaccine research, from being stored and processed on cloud-based systems built or operated by untrusted vendors, such as Alibaba, Baidu, China Mobile, China Telecom, and Tencent.
  • Clean Cable: To ensure the undersea cables connecting our country to the global internet are not subverted for intelligence gathering by the PRC at hyper scale. We will also work with foreign partners to ensure that undersea cables around the world aren’t built or operated by untrusted vendors.

As noted, the Clean Path program had its genesis in a provision in a recently enacted bill. Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) was drafted to address the threats posed by the presence of Huawei and ZTE equipment and services throughout the systems and supply chains of the federal government and its contractors. The ultimate goal is the complete phaseout, if possible, of these and any other suspect systems that could possibly be compromised or exploited in the future. Consequently, Russian equipment and systems are also targeted. All federal agencies must inventory and then work to remove this equipment and products within the next few years.

As a result, a rulemaking changed the Federal Acquisition Regulations (FAR) to put into effect the ban on Huawei and ZTE products required by Section 889. Specifically, the August 2019 interim rule bars federal agencies from buying Huawei, ZTE, and related Chinese “equipment, system[s], or service[s] that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” unless an exception allows the agency to disregard this general ban. This rule has already taken effect, and it is likely the DOD and other agencies will issue a final rule, which may change the interim rule on the margins but will likely maintain the substance of the prohibition. It bears note that this interim rule is applicable to all contracts going forward and some solicitations offered and contracts signed before August 13, 2019.

In July 2020, federal agencies released an interim rule to implement the second half of the Section 889 government-wide ban on buying or using Huawei, ZTE, and other equipment and systems considered risky or suspect by the U.S. government. This part of the ban extends the prohibition to entities that would contract with U.S. agencies. Therefore, as a general matter, such contractors would need to certify their services, systems, and equipment are free and clear of “covered telecommunication equipment,” which is largely technology developed and manufactured in the People’s Republic of China (PRC) or the Russian Federation. This rule will take effect on 13 August but may possibly affect contracts entered into before that date. And yet, comments are being accepted on this rule until 14 September, which will likely affect the rule on the margins when a final version is issued but not its substance.
