Pots and Kettles, Take 2: As Ye Cyber-Sow…

Four years ago this week I posted a piece on the remarkably hyperbolic hypocrisy of Western governments' condemnation of Chinese export financing, titled “Export Financing: Pots and Kettles” (linked).  A New York Times article two days ago (linked), which reported on a letter from a group of U.S. industry groups to the Chinese Government decrying new “discriminatory” Chinese cyber regulations, prompted me to return to the pots and kettles analogy, albeit in a different context.

The joint-associations’ letter calls for “urgent discussion and dialogue regarding the growing trend of Chinese government policies requiring use of ‘secure and controllable’ or Chinese-developed and/or controlled Internet and information communications technology (ICT) products, solutions, and services based on ‘cybersecurity’ justifications. Internet and ICT.”

The letter, specifically referring to a 22-page regulation approved by the Chinese Government late last year, outlines a number of the offending Chinese “secure and controllable” initiatives: “ICT products and services must undergo intrusive security testing, contain indigenous Chinese intellectual property (IP) (e.g., local encryption algorithms), comply with Chinese national standards, and restrict the flow of cross-border commercial data. The same policies also mandate that vendors file sensitive IP, such as source code, with the Chinese government.”

With repeated reference to the inherently global nature of the ICT industry, the letter makes very solid points, such as: “It is in the interest of the global ICT industry to work with all countries to ensure that the ICT supply chain produces secure and trustworthy products for all our customers around the world.” 

Further, the letter informs: “Sovereign interest in a secure and development-friendly cyber economy is best served, in any country, by policies that encourage competition and customer choice, both of which necessitate openness to nonindigenous technologies, as well as close collaboration between industry and government in formal and informal public-private partnerships and other mechanisms.”

Spot. On.

Finally, the letter concludes, reiterating the call for a dialogue “to discuss constructive, alternative approaches toward the goal of enhanced security,” and then hammering home: “…it is of critical importance that policies be developed in a transparent and open manner with adequate public consultation; not interfere with the procurement activity of commercial entities; not discriminate or provide questionable subsidies to domestic products; and not create technical barriers to trade that are more trade restrictive than necessary.”

Damned straight.

Notably, these are not new anti-discriminatory positions for these U.S. trade groups, nor are they limited to China, indeed, they’ve been staked out quite forcefully and on multiple occasions in terms of U.S. development of similarly discriminatory policies masquerading as “cyber-security” initiatives.

In April, 2013, many of the same signatories to the recent joint association letter to the Chinese Government signed on to a letter to the leadership of the U.S. Senate and House of Representatives objecting to a provision included in Appropriations legislation which was later signed into law by the President.  That provision bars select Federal Agencies from acquiring information technology (IT) systems unless ‘the head of the entity, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity’ has made a risk assessment of potential “cyber-espionage or sabotage...associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.”   

The aligned industry groups warned that the provision set a troubling and counterproductive precedent that could have significant international repercussions and put U.S.-based global IT companies at a competitive disadvantage in global markets.

Further, and very, very straight to the essential point, the associations wrote: Fundamentally, product security is a function of how a product is made, used, and maintained, not by whom or where it is made. Geographic-based restrictions run the risk of creating a false sense of security when it comes to advancing our national cybersecurity interests. At a time when greater global cooperation and collaboration is essential to improve cybersecurity, geographic-based restrictions in any form risk undermining the advancement of global best practices and standards on cybersecurity.

Yet further, the April, 2013 letter to Congressional leadership warned – presciently – that the provision could fuel potential retaliation, stating, specifically: “The Chinese government may choose to retaliate against U.S.-based IT vendors by enacting a similar policy for screening IT system purchases in China.”  More generally, the letter worried further about copycat legislation: “Governments in other countries may seek to emulate this policy, harming U.S. IT vendors who wish to sell in those markets. Similar policies are already being pursued by some foreign governments. We are concerned this provision would severely undermine the U.S. government’s efforts to contain these policies.”

Finally, the letter concluded reminding the recipients that “the global IT sector is committed to working with Congress and the Administration to consider constructive approaches that avoid geographic-based restrictions and focus instead on the appropriate and effective methods to meet our cybersecurity challenges. In the near term, we strongly encourage a meaningful bilateral dialogue between the United States and China to address cybersecurity concerns in a manner consistent with best security and trade practices.”

Great stuff (which you hear echoed in the more recent letter to Chinese authorities, excepting the bits about retaliation and copycatting, for, well, the obvious reasons…).

Then in July, 2013, TechAmerica, a signatory of both the April, 2013 letter and the more recent letter to Chinese authorities, wrote to the leadership of the U.S. House of Representatives Appropriations Committee reiterating opposition to the renewal of the offending Appropriations legislation provision

TechAmerica labeled the proposed legislation “problematic at best” and, indeed, “counterproductive,” in that it would hinder “the ability of these departments and agencies to obtain world-class, state-of-the-art technology innovation and services in a timely fashion while essentially undermining the ability of U.S. based ICT firms to conduct international trade and commerce on a level playing field by facing similar retaliatory localization measures by other foreign governments in markets critical to the U.S. commercial sector.”

Then, in September, 2014, the Information Technology Industry Council (ITI), a signatory to both the April, 2013 letter and the more recent joint industry missive to China, wrote to the Senate and House Armed Services Committees objecting to a Defense Authorization provision that require U.S. intelligence agencies to advise the Congress of every instance in which an ICT component from a company “suspected of being influenced by a foreign country, or a suspected affiliate of such a company” is competing for or has been awarded a contract related to a DoD or Intelligence network or “networks of network operators supporting systems in proximity…” 

Per the ITI letter, “in short, we fear the language in Section 1083 will not help the government achieve its security objectives and could have several unintended economic and security consequences.”  ITI went into great detail defining faults in the provision, under the following headings:  “The language is ambiguous and many terms are not defined.”  “Standing alone, a company’s activity in, or relationship with, a foreign country may not be dispositive as to whether its products or services are secure.”  “There is strong potential for global backlash on U.S. ICT companies.”

In November, 2014, the Silicon Valley Leadership Group (not a signatory to any of the previous letters, but with some overlapping membership) also wrote to the leadership of the Senate and House Armed Services Committees, worried about the same provision that ITI targeted, sagely borrowing and extending language from the April 2013 letter detailed above: “Product security is a function of how a product is made, used, and maintained, not by whom or where it is made, or by the relationship a vendor has with any particular government. Geographic restrictions are not helpful to improving cybersecurity and at worst could in fact preclude an organization from procuring the best or most appropriate technologies for their mission.” 

Like in previous letters from other signatories, SVLG also expressed concern for copycat initiatives: “…this approach invites retaliation against U.S. companies in global markets. Governments around the world closely watch U.S. policies, and a U.S. law (or even proposal) that would discriminate against a vendor based on its relationship with a foreign country (or government) could embolden other governments to enact similar restrictions as  a condition of sale into their own markets.”

Are the new Chinese regulations copycat?  Yes.  Well, in many or most ways, with a couple of exceptions... 

First off, the Chinese regulations are also (one might imagine, at least) a partial response to the abysmal treatment that major China-based ICTs have experienced in the U.S., such treatment defined by vague, opaque, “unwritten” policies that have served as quite effective market access barriers.  

Secondly, the Chinese provisions are reportedly quite far-reaching, in terms of, such as, according to the joint industry association letter, demands for access to source code and mandatory back-doors.

But otherwise, yeah, pretty much tit-for-tat regulations.

But, there are differences in terms of implementation and enforcement, which are both infrastructural and cultural.

On the U.S. side, notwithstanding the unwritten policy referenced above, the process has been less about promulgating regulation and more about publicly debating legislation that may or may not ever become laws or rules, often as not with the Administration in cahoots with the Congress.  The end result, in American culture, is practically the same.  With or without enacting a law or rule, American purchasers are “chilled,” dissuaded from buying from vendors of certain geographical heritage even if only because spooked by just the specter of legislation.

The Chinese side doesn’t have the same institutional flexibility, and the culture is almost opposite.  

There is no legislature to use as a sounding board and/or to broadcast the informal chill.  There’s no public debate.  There’s just the government, and then whatever rules emerge.  However, unlike in the U.S. the rules are only sometimes enforced, and, generally speaking, ignored – not even a chill - until enforced, and consistently so.

A relevant case in point would be China’s so-called “Multi-level Protection Scheme,” introduced in 2007, which supposedly mandated that core ICT products used by Government and infrastructure companies, such as banks and transportation, must be provided by Chinese companies.  But the MLPS wasn’t enforced in pretty much any way until after 2010, and then only sporadically (otherwise we wouldn’t be talking about the new regulations promulgated at the end of 2014).

So, summing up, what we have is an escalating mess.  ICT leaders, whether based in the U.S., China or elsewhere, are all suffering, and will likely suffer further if the techno-nationalist trends in both and more countries persist. 

How do we take this in a new direction? 

Given the nature of the regime in China, it would seem unlikely that any China-based company would engage or have any success should they choose to do so in swaying the Chinese government. And a China-based company having any success talking reason into U.S. law- and policy-makers is, in my personal experience, a not-insignificant long-shot.

But, the U.S. regime does lend itself to that sort of influence, and U.S. companies are historically not shy about voicing their opinions to government (see all of the above).  Maybe if the American-based companies want a change in the new Chinese regulations, they might, in a show of good faith to the Chinese authorities, unite their disparate initiatives into one and begin simultaneously championing similarly fair environments in both countries, perhaps even in the context of alignment with their China-based non-members.

Indeed, this would seem a natural threshold to a broader, more rational (commercially and technologically) global conversation about the utterly borderless nature of the ICT industry - and the critical global supply chains that fuel ICT companies - and the irrationality and ineffectiveness of national policies based on old world geographical borders that are largely irrelevant in the digitalized, globalized ICT market.