It Is Time to Counter China’s Data Strategy

The Cyberspace Administration of China (CAC) closed public feedback last month on a draft regulation to secure and manage data according to its importance to national security. While ostensibly a technical measure to enhance privacy protections, the regulation is part of China’s strategy to strengthen its power in cyberspace through large-scale data collection.

The draft regulation proposes that Beijing’s data handlers identify and track personal information and other data that could endanger national security if leaked or stolen. The draft regulation builds on Beijing’s efforts over the past five years to use legislative mechanisms to authorize the state to amass data. For example, the regulation would require Chinese companies to store data locally and to provide the government with access to it.

According to the new regulation, Chinese companies must also assess the data security, management practices, and trustworthiness of all foreign parties that receive Chinese data. To conduct these assessments, Chinese companies will need their foreign partners, potentially including U.S. companies, to provide China with CAC-approved assessments of their own security. With this information about foreign companies, the Chinese Communist Party (CCP) will be able to identify security vulnerabilities of organizations that process or store data originating from China. The CCP’s hackers could use this information to identify potential avenues for future exploitation and illegal data exfiltration from the foreign data recipients.

Buried within the regulation is another important provision: Article 41 requires routing controls that would ensure that network data originating in China stays within its borders. This is noteworthy because China is attempting to protect its data from the kind of vulnerabilities its own hackers exploit. The CCP leverages technologies at the core of global internet infrastructure to hijack foreign data to ensure it travels through Chinese-controlled servers.

The movement of data across the internet is controlled by the Border Gateway Protocol (BGP). BGP functions like an international post office, digitally linking the internet together so that data can traverse the globe. However, BGP operates like a tourist asking a stranger for directions rather than consulting a map. Thus, while BGP ostensibly picks the most efficient route to send information from one point to another, the system remains susceptible to abuse by malign actors.

China has exploited BGP’s vulnerability by acting as a stranger giving bogus directions to reroute digital traffic through its networks for collection. As a result, traffic originating in the United States and destined for another American location can traverse a route through China without the sender’s knowledge or ability to ensure the route’s efficiency and security.

In Section 1527 of the National Defense Authorization Act for Fiscal Year 2022, Congress took the first step to address this problem by requiring the development of a policy and processes that secure the routing infrastructure within the Department of Defense. However, Congress failed to apply this provision to the entire federal government, as proposed in an amendment by Senator Angus King (I-ME).

Yet American private industry holds valuable trade secrets, intellectual property, and national security-sensitive information. Therefore, Washington should provide guidance to U.S. entities about the security risks they may incur if they disclose their vulnerabilities to their Chinese partners.

More broadly, the U.S. government should consult private-sector stakeholders while developing Washington’s larger strategy to counter China’s data collection efforts. Finally, Washington should work with partner nations and private industry to secure core global internet infrastructure in order to prevent Beijing from undermining the principles of a free and open internet.

Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. The authors also contribute to FDD’s China Program. For more analysis from the authors, CCTI, and the China Program, please subscribe, HERE. Follow Trevor on Twitter @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.