Four years ago this week I posted a piece on the remarkably hyperbolic hypocrisy of Western governments' condemnation of Chinese
export financing, titled “Export Financing: Pots and Kettles” (
linked). A
New York Times article two days ago (
linked),
which reported on a letter from a group of U.S. industry groups to
the Chinese Government decrying new “discriminatory” Chinese cyber regulations,
prompted me to return to the pots and kettles analogy, albeit in a different
context.
The joint-associations’ letter calls for “urgent discussion and dialogue regarding the
growing trend of Chinese government policies requiring use of ‘secure and
controllable’ or Chinese-developed and/or controlled Internet and information
communications technology (ICT) products, solutions, and services based on ‘cybersecurity’
justifications. Internet and ICT.”
The letter, specifically referring to a 22-page regulation
approved by the Chinese Government late last year, outlines a number of the
offending Chinese “secure and controllable” initiatives: “ICT products and services must undergo intrusive security testing,
contain indigenous Chinese intellectual property (IP) (e.g., local encryption
algorithms), comply with Chinese national standards, and restrict the flow of
cross-border commercial data. The same policies also mandate that vendors file
sensitive IP, such as source code, with the Chinese government.”
With repeated reference to the inherently global nature of
the ICT industry, the letter makes very solid points, such as: “It is in the interest of the global ICT
industry to work with all countries to ensure that the ICT supply chain produces
secure and trustworthy products for all our customers around the world.”
Further, the letter informs: “Sovereign interest in a secure and development-friendly cyber economy
is best served, in any country, by policies that encourage competition and
customer choice, both of which necessitate openness to nonindigenous technologies,
as well as close collaboration between industry and government in formal and informal
public-private partnerships and other mechanisms.”
Spot. On.
Finally, the letter concludes, reiterating the call for a
dialogue “to discuss constructive,
alternative approaches toward the goal of enhanced security,” and then hammering
home: “…it is of critical importance that
policies be developed in a transparent and open manner with adequate public
consultation; not interfere with the procurement activity of commercial
entities; not discriminate or provide questionable subsidies to domestic products;
and not create technical barriers to trade that are more trade restrictive than
necessary.”
Damned straight.
Notably, these are not new anti-discriminatory positions for
these U.S. trade groups, nor are they limited to China, indeed, they’ve been staked
out quite forcefully and on multiple occasions in terms of U.S. development of similarly discriminatory policies masquerading as “cyber-security” initiatives.
In April, 2013, many of the same signatories to the recent
joint association letter to the Chinese Government signed on to a letter to the
leadership of the U.S. Senate and House of Representatives objecting to a
provision included in Appropriations legislation which was later signed into
law by the President. That provision bars select Federal Agencies
from acquiring information technology (IT) systems unless ‘the head of the
entity, in consultation with the Federal Bureau of Investigation or other
appropriate Federal entity’ has made a risk assessment of potential
“cyber-espionage or sabotage...associated with such system being produced,
manufactured or assembled by one or more entities that are owned, directed or
subsidized by the People’s Republic of China.”
The aligned industry groups warned that the
provision set a troubling and counterproductive precedent that could
have significant international repercussions and put U.S.-based global IT
companies at a competitive disadvantage in global markets.
Further, and very, very straight to the essential point,
the associations wrote: Fundamentally, product security is a function
of how a product is made, used, and maintained, not by whom or where it is
made. Geographic-based restrictions run the risk of creating a false sense of
security when it comes to advancing our national cybersecurity interests. At a
time when greater global cooperation and collaboration is essential to improve
cybersecurity, geographic-based restrictions in any form risk undermining the
advancement of global best practices and standards on cybersecurity.
Yet further, the April, 2013 letter to Congressional
leadership warned – presciently – that the provision could fuel potential
retaliation, stating, specifically: “The Chinese government may choose to
retaliate against U.S.-based IT vendors by enacting a similar policy for
screening IT system purchases in China.” More generally, the letter
worried further about copycat legislation: “Governments in other countries
may seek to emulate this policy, harming U.S. IT vendors who wish to sell in
those markets. Similar policies are already being pursued by some foreign
governments. We are concerned this provision would severely undermine the U.S.
government’s efforts to contain these policies.”
Finally, the letter concluded reminding the recipients that
“the global IT sector is committed to working with Congress and the
Administration to consider constructive approaches that avoid geographic-based
restrictions and focus instead on the appropriate and effective methods to meet
our cybersecurity challenges. In the near term, we strongly encourage a
meaningful bilateral dialogue between the United States and China to address
cybersecurity concerns in a manner consistent with best security and trade
practices.”
Great stuff (which you hear echoed in the more recent letter
to Chinese authorities, excepting the bits about retaliation and copycatting,
for, well, the obvious reasons…).
Then in July, 2013, TechAmerica, a signatory of both the
April, 2013 letter and the more recent letter to Chinese authorities, wrote to the
leadership of the U.S. House of Representatives Appropriations Committee
reiterating opposition to the renewal of the offending Appropriations
legislation provision
TechAmerica labeled the proposed legislation “problematic at best” and, indeed, “counterproductive,” in that it would hinder
“the ability of these departments and agencies to obtain world-class,
state-of-the-art technology innovation and services in a timely fashion while
essentially undermining the ability of U.S. based ICT firms to conduct
international trade and commerce on a level playing field by facing similar
retaliatory localization measures by other foreign governments in markets
critical to the U.S. commercial sector.”
Then, in September, 2014, the Information Technology
Industry Council (ITI), a signatory to both the April, 2013 letter and the more
recent joint industry missive to China, wrote to the Senate and House Armed
Services Committees objecting to a Defense Authorization provision
that require U.S. intelligence agencies to advise the Congress of every
instance in which an ICT component from a company “suspected of being
influenced by a foreign country, or a suspected affiliate of such a company” is
competing for or has been awarded a contract related to a DoD or Intelligence
network or “networks of network operators supporting systems in
proximity…”
Per the ITI letter, “in short, we fear the language in
Section 1083 will not help the government achieve its security objectives and
could have several unintended economic and security consequences.”
ITI went into great detail defining faults in the provision, under the following headings: “The
language is ambiguous and many terms are not defined.” “Standing
alone, a company’s activity in, or relationship with, a foreign country may not
be dispositive as to whether its products or services are secure.” “There
is strong potential for global backlash on U.S. ICT companies.”
In November, 2014, the Silicon Valley Leadership Group (not
a signatory to any of the previous letters, but with some overlapping
membership) also wrote to the leadership of the Senate and House Armed Services
Committees, worried about the same provision that ITI targeted, sagely borrowing and extending language from the April 2013 letter detailed above: “Product
security is a function of how a product is made, used, and maintained, not by
whom or where it is made, or by the relationship a vendor has with any
particular government. Geographic restrictions are not helpful to improving
cybersecurity and at worst could in fact preclude an organization from procuring
the best or most appropriate technologies for their mission.”
Like in previous letters from other signatories, SVLG also
expressed concern for copycat initiatives: “…this approach invites
retaliation against U.S. companies in global markets. Governments around the
world closely watch U.S. policies, and a U.S. law (or even proposal) that would
discriminate against a vendor based on its relationship with a foreign country
(or government) could embolden other governments to enact similar restrictions
as a condition of sale into their own markets.”
Are the new Chinese regulations copycat? Yes.
Well, in many or most ways, with a couple of exceptions...
First off, the Chinese regulations are also (one might imagine, at least) a
partial response to the abysmal treatment that major China-based ICTs have
experienced in the U.S., such treatment defined by vague, opaque, “unwritten”
policies that have served as quite effective market access barriers.
Secondly, the Chinese provisions are reportedly quite
far-reaching, in terms of, such as, according to the joint industry association letter, demands for access to source code and
mandatory back-doors.
But otherwise, yeah, pretty much tit-for-tat regulations.
But, there are differences in terms of implementation and
enforcement, which are both infrastructural and cultural.
On the U.S. side, notwithstanding the unwritten policy
referenced above, the process has been less about promulgating regulation and
more about publicly debating legislation that may or may not ever become laws
or rules, often as not with the Administration in cahoots with the Congress. The end result, in American
culture, is practically the same. With
or without enacting a law or rule, American purchasers are “chilled,” dissuaded
from buying from vendors of certain geographical heritage even if only because spooked
by just the specter of legislation.
The Chinese side doesn’t have the same institutional
flexibility, and the culture is almost opposite.
There is no legislature to use as a sounding
board and/or to broadcast the informal chill.
There’s no public debate. There’s
just the government, and then whatever rules emerge. However, unlike in the U.S. the rules are
only sometimes enforced, and, generally speaking, ignored – not even a chill - until
enforced, and consistently so.
A relevant case in point would be China’s so-called “Multi-level
Protection Scheme,” introduced in 2007, which supposedly mandated that core ICT
products used by Government and infrastructure companies, such as banks and
transportation, must be provided by Chinese companies. But the MLPS wasn’t enforced in pretty much
any way until after 2010, and then only sporadically (otherwise we wouldn’t be
talking about the new regulations promulgated at the end of 2014).
So, summing up, what we have is an escalating mess. ICT leaders, whether based in the U.S., China
or elsewhere, are all suffering, and will likely suffer further if the
techno-nationalist trends in both and more countries persist.
How do we take this in a new direction?
Given the nature of the regime in China, it would seem
unlikely that any China-based company would engage or have any success should
they choose to do so in swaying the Chinese government. And a China-based company having any success
talking reason into U.S. law- and policy-makers is, in my personal experience, a
not-insignificant long-shot.
But, the U.S. regime does lend itself
to that sort of influence, and U.S. companies are historically not shy about
voicing their opinions to government (see all of the above). Maybe if the American-based companies want
a change in the new Chinese regulations, they might, in a show of good faith to the Chinese authorities, unite their disparate initiatives into
one and begin simultaneously championing similarly fair environments in both
countries, perhaps even in the context of alignment with their China-based non-members.
Indeed, this would seem a natural threshold to a broader,
more rational (commercially and technologically) global conversation about the
utterly borderless nature of the ICT industry - and the critical global supply
chains that fuel ICT companies - and the irrationality and ineffectiveness of
national policies based on old world geographical borders that are largely
irrelevant in the digitalized, globalized ICT market.
