First Monday

China's long game in techno-nationalism by Shazeda Ahmed and Steven Weber

The passage of China’s national cybersecurity law in June 2017 has been interpreted as an unprecedented impediment to the operation of foreign firms in the country, with its new requirements for data localization, network operators’ cooperation with law enforcement officials, and online content restrictions, among others. Although the law’s scope is indeed broader than that of any previous regulation, the process through which it was drafted and eventually approved bears similarities to three previous cases from the past two decades of Chinese information technology policy-making. In comparing these four cases, we argue that economic concerns have consistently overshadowed claims of national security considerations throughout laws directed at foreign enterprises.


Case 1: State Encryption Management Commission (1999)
Case 2: WAPI as a domestic technical standard (2004)
Case 3: Green Dam-Youth Escort (2009)
Case 4: China’s cybersecurity law (2014–present)
Assessment and conclusion




In late 2014, the Chinese government proposed a controversial law with the stated aim to rid China’s banking sector of foreign information technology by the year 2020. The Ministry of Industry and Information Technology (MIIT) and the China Banking Regulatory Commission (CBRC) argued that it was a national security threat for China’s banking sector — defined as critical infrastructure — to use technology imported from the United States, particularly in light of former National Security Agency (NSA) contractor Edward Snowden’s revelations about the NSA’s surveillance operations. In practice, the proposed law would require foreign suppliers to reveal the source code of their software to Chinese law enforcement in order to demonstrate that the technology was not being used to spy on Chinese banks [1].

Predictably, this law prompted a major backlash from large technology firms and U.S. government officials who claimed that it was anti-competitive and a bald attempt to steal intellectual property. In the spring of 2015, the same Chinese agencies that had defended the proposed law announced that it would be ‘suspended’ in order to incorporate comments and suggestions from Chinese banks. The suspension was described broadly in the West as a victory for the global technology suppliers and a step back by the Chinese government.

This series of events, however, is not sui generis. Versions of this story have been repeated, in slightly different forms, at least three times in the last 18 years. This paper ties these four cases together. We argue that they represent a pattern of policy behavior that in turn reveals important insights about long-term strategies for achieving Chinese domestic technology goals. In light of the passage of a national cybersecurity law that overshadowed the banking sector proposal in 2017, these cases can illuminate deep-seated objectives of Chinese policy-makers that have persisted up to the present.

The basic pattern of behavior is similar in each of four cases we investigate, and the stories roughly follow a common narrative. First, the Chinese government proposes the adoption of a sweeping and somewhat vague piece of legislation in the name of national security, which would restrain foreign technology companies’ access to Chinese markets and place intellectual property at risk of theft. This prompts forceful negative responses, first from the companies, then from U.S. and other Western government trade representatives, and finally at times from the most senior government officials as well. This dynamic is Act 1 of the story.

In ‘Act 2’, the Chinese government then suspends or postpones the implementation of the law, but keeps it on the books. Western media labels this (temporary) capitulation a victory for trade and competition, and government pressure subsides.

But in at least three of the four cases, modified versions of the proposed law are later passed and partially implemented, as the issue fades from the spotlight and other conflicting interests come to the fore. That is ‘Act 3’. At the end of the story, techno-nationalist policies have not moved as far forward as was feared in Act 1. But they have moved forward in a way that has cumulated over time to shape the competitive environment — gradually, but with real impact.

We recount in this paper four specific cases that occurred roughly five years apart over the last two decades. Up to now these cases have been treated individually (including legal briefs on the encryption case, analyses of the political economy of technological standardization, and evaluations of the rollout and failure of a nationwide Web content-filtering program). We place them together to draw out their similarities, with one goal being simply to demonstrate a pattern of behavior.

Our second goal is to assess that behavior pattern for strategic coherence. Put simply, we want to know what this observed pattern can tell us about a Chinese techno-nationalist strategy — if one exists. To guide the argument, we offer four candidate hypotheses that could account for the observed pattern, and we assess the evidence in each case against those hypotheses.

The four hypotheses are these:

H1: Each case is in fact sui generis and the commonalities are coincidental. There is no underlying pattern or strategy at work;

H2: The seemingly vague laws represent the jumbled output of bureaucratic politics and a struggle among competing agencies for power, not a coherent ‘state’ strategy per se;

H3: The proposed laws represent the evolution of what is first and foremost a national security strategy, narrowly defined, that is aimed at reducing the vulnerability of Chinese military, government, and commercial information systems to foreign technology intrusions and cybersecurity threats;

H4: The laws represent the evolution of an economic development strategy that is aimed at advancing the competitiveness of the Chinese domestic IT sector.

Foreshadowing our conclusion, we find that the evidence supports Hypothesis 4 most strongly, with increasing support for Hypothesis 3 as a sub-goal in recent years. Put simply, the cases together suggest a techno-nationalist economic competitiveness agenda that also supports national security interests in a secondary role. Contrary to the justifications provided for the most recent iterations of this strategy, the NSA espionage revelations were more of a catalyst for plans China already had under way than they were a groundbreaking prompt to reshape Chinese information technology and cybersecurity laws. When these two rationalizations are combined, which is increasingly the case at present, we anticipate that they will continue to generate overambitious policies that the top leadership is privately willing to suspend, scale back, or loosely enforce.

In the U.S.-China Economic and Security Review’s 2016 report to Congress, the authors warned that “the Chinese government’s sustained commitment to technonationalism is a growing challenge for U.S. and foreign firms seeking to enter China’s market or compete with its state-supported firms abroad” (U.S.-China Economic and Security Review Commission, 2016). The Chinese government is unlikely to abandon the notion that ‘indigenous innovation’ is the preferred approach to competitiveness in the information technology sector and to foreign cybersecurity threats at the same time. Yet these cases demonstrate that the state has been willing to downsize its boldest initiatives, with an eye toward making incremental gains over the longer term. The recent passage of a nationwide cybersecurity law that will further monitor and restrict the behavior of foreign technology firms in China makes it critical to understand the possibilities for compromise with Chinese authorities in the long term.



Case 1: State Encryption Management Commission (1999)

In the 1990s and early 2000s, China heavily relied upon foreign technology firms that supplied its markets with personal computers, including such giants as Microsoft, IBM, and Intel. From those years leading up to the present, an evolving long-term goal of the Chinese Communist Party (CCP) has been for domestic companies to develop the technological capabilities to build a robust information technology sector that will obviate the need for imported devices. One noteworthy early step in this direction that bears remarkable similarity to current debates over revealing source code in banking technology occurred in 1999, when information technology regulations and the institutions that oversaw them were still nascent.

By the end of the twentieth century the CCP was aware of foreign governments’ abilities to build “backdoors”, or hidden channels used to clandestinely access devices and networks, into technology sold to China. Thus they turned their attention to encrypted communications. Encryption is the process through which digital communication can be protected such that only parties on the sending and receiving ends have access to the information being transmitted. Understandably, protecting encryption falls under the purview of national security in general, yet the approach the Chinese government used to propose an encryption law instead gained notoriety for threatening foreign technology companies’ intellectual property rights. At a time when the CCP hastened to create a regulatory environment to address new advances in information technology, the possibilities of overdrawing boundaries and miscalculating what the state could feasibly accomplish were manifold. What makes the encryption case compelling this many years after the fact is how it established a precedent for similar incidents that followed, each of which featured elements of economic protectionism amidst claims of defending national security.

On 7 October 1999, the State Council announced that the then newly-established State Encryption Management Commission (SEMC) intended to pass a law entitled “Regulations on the Management of Commercial Uses of Cryptography” (Office of State Commercial Cryptography Administration, 1999). The law stated that to protect national security, foreign encryption products (and any technology containing them) sold in China for commercial use would have to be registered with and inspected by the SEMC, which required applications for encryption licenses and submission of encryption keys to the SEMC. Registration was required to occur by 31 January 2000 and penalties for violating the law ranged from administrative fines to “the seizure of equipment, confiscation of illegal gains, and even criminal prosecution” (Cloutier and Cohen, 2011; Office of State Commercial Cipher Code Administration, 1999). Inspections would have allowed the SEMC to view the proprietary source code — which enables all functions including encryption — in a host of information technology products.

Major foreign technology companies cited this proposed rule as a violation of international intellectual property law and refused to comply. Their fear was that allowing inspection of source code would enable Chinese government theft of intellectual property on a massive scale, which could have helped China catch up with its foreign competitors at a rapid clip while easing these suppliers out of Chinese markets. Microsoft was incensed enough to appeal to the U.S. Chamber of Commerce and its Japanese equivalent to pressure Chinese regulators to reconsider this move (Gutmann, 2010). The U.S. government, often through Secretaries of Commerce and official trade representatives in this and future cases, then intervened to urge the Chinese government to drop the law, which led the latter to scale down the law’s stipulations within a month of its release.

The attempt to regulate commercial encryption products was then suspended in early 2000. According to a “clarification” Deputy Minister of Foreign Trade and Economic Cooperation Zhang Xiang issued in March 2000, the regulations would not apply to Web browsers, Microsoft Windows software, and mobile phones (Xinhua, 2000; Cloutier and Cohen, 2011). These significant exceptions were not included in the text of the original law, which did, however, exclude embassies and foreign diplomatic offices from having to register encryption products with the government. Zhang issued his statement at a meeting with business representatives from the United States, Japan, France, and South Korea, emphasizing China’s determination to open up its economy and abide by World Trade Organization regulations — a timely declaration given that China was granted WTO membership the following year.

The initial capitulation on the strict terms of the encryption law may have reflected internal disconnect or a lack of consensus over how to regulate encrypted products within the Chinese government. Early intergovernmental competition for Internet control could have factored into the relatively uncoordinated response, with Karen Sutter observing at the time that “absent a national legal framework, various government agencies have been jockeying for regulatory control over the Internet in China and the lucrative opportunities associated with e-commerce” [2]. In a move that further contradicted the national security grounds on which the law was supposedly based, the Ministry of Information and Industry Technology (MIIT), then known as the Ministry of Information Industry, undermined the new law in agreeing to a deal to sell mobile phones that contained U.S. encryption technology (Ostry, et al., 2003). Limited documentation of the processes that led to the law’s proposal make it difficult to ascertain the precise degree to which bureaucratic politics ultimately led to its being scaled back.

The types of revisions made to the law suggest that economic interests were far more influential than security ones from its inception to its withdrawal. The focus on encryption of commercial products is a peculiar choice for an inaugural national security-focused requirement for registration and inspection of these devices; one would presume technology used in government offices, for example, would be prioritized instead. The SEMC itself was thought to be connected to the Ministry of State Security (MSS), which prompts the question of why the MSS itself did not endorse the law or even serve as the institution in charge of it (Ostry, et al., 2003). As early as 1994, the Ministry of State Security was in fact the bureau assigned with the supervision of information security, and could have been expected to direct policy-making on this issue were it truly deemed a matter of national security (PRC Directive 147, 1994).

The law’s timing was moreover poorly chosen in light of the case it made for security: it came shortly before the launch of the Windows 2000 operating system, which then contained what were considered to be “some of the most powerful encryption software programs available” and went on to be widely used in China [3]. Chinese leaders perhaps realized that the state had not reached the stage where it could stand alone in creating domestic technology to supplant equivalents imported from abroad. Some of the proposed law’s stipulations, which required the Chinese government to approve of research, development, and even marketing of encryption products, could have stifled the domestic market competition necessary to spur home-grown technological advancement (Office of State Commercial Cryptography Administration, 1999). Overall, it seems most likely that at such an early point, the most compelling retrospective explanations for the law’s proposal and reworking involved protection of Chinese economic interests combined with an early trial at developing what would become a strategy geared toward eroding the rights of foreign technology companies in Chinese markets.

After the international furor over the encryption law died down, a slightly modified form of the original guidelines passed into law. Some accounts describe it as having been sporadically enforced; in at least one case Hewlett-Packard was penalized for violation (Yu and Murphy, 2011). Little has been written on what the long-term advantages of this law ultimately were, how inspections are actually carried out, or what the dangers may be for loss of intellectual property. Nonetheless, it is important to note that in the end the state was still able to forcefully regulate the import of foreign-produced encryption products, despite the popular media narrative proclaiming the opposite. In particular, from 2005 to 2007 the SEMC passed a series of encryption regulations that gave them the power to audit virtually all foreign products that used some form of encryption before allowing them to be sold in China (Sutter, 2000). In the SEMC’s next major public appearance, motivations were even more transparently profit-driven.



Case 2: WAPI as a domestic technical standard (2004)

After the failed encryption battle, the Chinese government and the SEMC shifted attention to establishing a technical standard for wireless encryption, which would have drastically affected foreign information technology companies’ sale of WiFi-enabled products to China (Kennedy, 2006). In 2001 the Chinese government formed a Broadband Wireless IP Standards Group to create a standard called WAPI (Wireless Local Area Network Privacy Infrastructure) that the group claimed was more secure than the globally used IEEE 802.11, or Wi-Fi, standard.

At its inception WAPI was a standard China insisted it would only use domestically for national security purposes. The Chinese government selected the company IWNCOMM to develop the standard [4]. According to IWNCOMM’s General Manager Cao Jun, WAPI’s goal was to break down international standards monopolies and attain indigenous, self-sufficient innovation, in line with the techno-nationalist hypothesis. Moreover, in a 2005 article reflecting on WAPI’s value to Chinese innovation Cao briefly mentioned security as an afterthought, rather than as the central force behind WAPI. Cao listed government bureaus including the National Development and Reform Commission, MIIT, State Secrets Bureau, Certification and Accreditation Administration, and the Standardization Administration as WAPI supporters, yet does not mention any military or national security organizations (Cao, 2005).

The Chinese government announced in November 2003 that all Internet-accessible devices in China would need to run on the WAPI standard by 1 December 2003 (Lee and Oh, 2008). Acceptance of the standard would have called for foreign and domestic companies to include a completely different chip set in their computers to be able to access the Internet wirelessly in China, a costly process that would have essentially come down to building a separate version of every device. It was unclear what would happen to products sold before the launch date in order to make them backwards compatible with WAPI, which lends credence to the hypothesis that the standard was pursued in a relatively uncoordinated manner across disparate government bureaus.

The Chinese government chose two dozen domestic companies to be given official access to the WAPI algorithms, and stipulated that foreign firms would have been required to collaborate with these designated companies in order to make WAPI-equipped products. The People’s Daily newspaper identified this as an obstacle for companies like Intel that were “reluctant to pay Chinese companies the expensive licensing royalties” (People’s Daily, 2004). One source of conflict in ‘standards wars,’ in which different groups attempt to establish competing technical standards for the same technology, emerges over hefty licensing fees companies have to pay to use the dominant standard. The People’s Daily assessment was correct in identifying one source of Western ire, and in locating where the Chinese government’s interests in rapid implementation of WAPI lay.

The WAPI regulations would have given domestic Chinese companies a leg up over foreign competitors in creating information technology that accorded with the new technical standard, and as Kim, et al. have indicated, “Japan argued that the Chinese authorities had disclosed the technical content of WAPI to domestic manufacturers six months before foreign manufacturers ... the WAPI measure appeared to be in favor of domestic firms” (Kim, et al., 2014). Compared to the one-month notice foreign companies were given, it is likely that this was a strategic move. The new rules around WAPI would have provided the government-approved Chinese companies with ample access to the technology of foreign partner companies, which the U.S. Semiconductor Association argued would make the latter “share an unprecedented amount of intellectual property with their Chinese competitors” (Perez, 2004). Foreign firms stood to lose the most, and thus drew the U.S. government’s attention to the matter.

Intel announced in March 2004 that as a result of the new regulation, it would no longer ship its Centrino Wi-Fi chips to China after May of that year (Griffith, 2004). This would have been a major blow for China had it occurred, as by one estimate half of the notebook computers in the country at the time used Centrino chips (Open Source Center, 2004). Thereafter, U.S. Secretary of State Colin Powell, Trade Representative Robert Zoellick, and Secretary of Commerce Donald Evans directed a letter appealing for a reworking of WAPI to China’s Vice Premiers, Wu Yi and Zeng Peiyan (Bloomberg Businessweek, 2004). At the U.S.-China Joint Commission on Commerce and Trade (JCCT) later in 2004, China said it would “indefinitely suspend” its attempts to make WAPI a domestic standard (Television Technology [电视技术], 2004). Yet later that same year China submitted WAPI for consideration to become an international standard, and the International Organization for Standardization/International Electrotechnical Commission Joint Technical Committee Subcommittee 6 (ISO/IEC JTC1 S6) formally rejected it.

By Chinese accounts, this Western response was seen as an almost conspiratorial slight against China’s technological ambitions. Cao Jun of IWNCOMM makes indirect accusations of nepotism by contending that some of the main figures responsible for the final decisions made on WAPI’s internationalization had direct ties to organizations that would benefit from the standard’s rejection. The bid for WAPI’s international recognition suggests an early, emergent strategy to diminish the power of foreign firms in Chinese IT markets. Cao provides a glimpse into the internal doubts over WAPI in China, noting that some parties felt China was either technologically unprepared for or in some cases not even in need of such a standard. Cao implies that these internal divisions contributed to WAPI’s initial defeat, which supports the argument that at this point in China’s technological development, coordination between the state and private companies was weaker than at present. The doubters would not have been alone, with president of the U.S. Semiconductor Industry Association George Scalise stating that “a unique Chinese national standard will slow the development of China’s information technology industries because it will hamper the ability of Chinese firms to access the innovations emerging from thousands of companies around the world” [5].

Security standards thinly veiled the deep-seated economic factors motivating China’s bold attempt to usher in WAPI. Although Kim, et al. note that the “mandatory implementation process of the WAPI standard was partly attributable to the pressure from former military bureaucracies in the MIIT,” they also indicate that security was a secondary concern at best: “not mandating WAPI would have not been risky, given that the equivalent standard used in the West and beyond, 802.11i (Wi-Fi Protected Access II, WPA2), was being developed to provide solutions to Wired Equivalent Privacy (WEP) security problems in 2004” [6]. As in the SEMC case, the possibility that this standard was an attempt to sever Chinese reliance on Western technology is more convincing than the security arguments made on WAPI’s behalf at the time.

In sum, the Chinese government lost the battle for WAPI in the face of Intel’s refusal to back down at a time when China lacked reliable domestic alternatives. Internal disagreements over whether the standard was even necessary further contributed to its later, partial defeat. Despite the foreign media attention this incident garnered at the time, the domestic adoption of WAPI went largely unnoticed. In 2009–2010 Apple (in partnership with domestic telecommunications provider China Unicom) and Dell began creating phones that supported both WiFi and WAPI (Fletcher, 2010). This move was likely taken to maintain a foothold in Chinese markets and to obtain network access licenses for foreign products — a concern for both the companies and the regulators at a time when black market iPhones from Hong Kong were a popular substitute. More so than the unpublicized passage of the encryption law, these companies’ compliance with the WAPI standard signaled the growing power of Chinese regulators to pressure foreign firms into complying with policies that demanded partnership with local companies, a theme that has re-emerged in recent years. The tech firms’ submission was an instrumental input into some of the ongoing development of a techno-nationalist strategy because it signaled the conditions under which even the biggest firms could be coerced into cooperating. The end of the five-year wait for foreign companies’ recognition of WAPI coincided with another instance in which the Chinese government tested out a new path to Internet control.



Case 3: Green Dam-Youth Escort (2009)

On 19 May 2009 China’s Ministry of Industry and Information Technology (MIIT) published a notice that all personal computers sold in China from 1 July of that year onward would have to come pre-installed with a Web filtering program called Green Dam-Youth Escort. The software’s alleged function was to block pornography and other content deemed a hazard to children. Western information technology companies once again rallied against a sweeping regulation that would have complicated their manufacture of technology for China, the main difference from the previous cases being that this time free speech advocates joined them.

Although the effort to impose such an invasive regulation at a nationwide level surprised Western technology firms, in China it was simply a measure to scale up a program that had until then met with success. Zixue Tai has pointed out that in April 2009 the MIIT, State Council Information Office, and Ministry of Finance successfully launched a similar program directed at computers in Internet cafes and elementary schools in China, and that “MIIT officials later admitted during interviews with Chinese media that the 19 May decision to extend coverage to all computers within China was partly encouraged by their fleet success in the schools and Web cafes” [7]. Thus regulators may not have anticipated the backlash from Chinese Internet users and from state media, whose complaints targeted the high cost of Green Dam as well as its challenges to privacy and civil liberties (Cai, 2009). Foreign and domestic tech companies were riled by the vague and overwhelming demands handed down to them, in part because (much like in the WAPI case) the MIIT directive offered no instructions on what was to be done with computers already being used in the country.

Shortly after the law mandating the installation of Green Dam was announced, on 24 June 2009, the U.S. Chamber of Commerce sent a letter of protest to the Chinese government bureaus responsible for Green Dam, followed by another letter the leaders of 22 international business organizations and companies including Dell and Hewlett-Packard sent to then-Prime Minister Wen Jiabao. Both U.S. Secretary of Commerce Gary Locke and U.S. Trade Representative Ron Kirk then sent a letter to the MIIT and the Chinese Ministry of Commerce urging them to reconsider implementation of Green Dam, which they claimed gave rise to “fundamental questions regarding regulatory transparency” (Chao, 2009). At the time the U.S. government also brought up the possibility of filing a World Trade Organization complaint against China for establishing technical barriers to trade, which may have met with opposition given that the case China made for Green Dam was on moral grounds, and could therefore be protected under WTO regulations.

The moral argument to protect children was evidently thin, as cybersecurity researchers at the University of Michigan found when they ran tests on the Green Dam software proving that it also blocked sensitive political content. Typing in phrases such as “Falun Gong,” or “evil Jiang [Zemin]” would open a pop-up window labeling the content “harmful”, followed by the browser closing and making the page inaccessible. Researchers also found that 3,000 lines of code from Green Dam were identical to that of a similar program, CyberSitter, created by the small Californian software company Solid Oak (Riley, 2012; Chuban Cankao, 2010) [8]. The University of Michigan team published their findings on 11 June 2009 and two days later the Chinese company that created Green Dam issued an updated version of the software that both no longer filtered political content and was missing the pirated code (Li, et al., 2010).

Soon after, international pressure from trade groups and from the revelatory cybersecurity research report on Green Dam, combined with widespread objections from Chinese citizens, led the Chinese government to announce they were suspending the law one day before the July 1 deadline (Tan, 2010). At the time, MIIT Minister Li Yizhong stated that this decision was meant to give computer companies more time to install the software. Ultimately the MIIT’s compromise was to make Green Dam mandatory only for public computers in schools, libraries, and internet cafes, which MIIT Minister Li later professed was its goal all along, calling the backlash against the law a “misunderstanding” due to its poorly written guidelines.

There may have been internal doubts about the Green Dam venture from the start, given that the groups hired to design, install, and provide user services for the software, Beijing Dazheng Human Language Technology Academy (Dazheng) and Zhengzhou Jinhui Computer System Engineering (Jinhui) stopped receiving the Chinese government’s financial support by mid-2010 (BBC, 2010). General Manager Chen Xiaoming of Dazheng noted that government funding had only been issued for the year from 2008–2009 with no mention of renewal. This could have reflected Chinese government insecurity over taking on a project that could incur backlash from foreign companies and incite protests at home, especially in light of prior experiences with the 1999 encryption law and WAPI. The Green Dam incident suggests further development of a prudent strategy in putting forward a law that could easily be scaled back to meet some Chinese government demands, and in providing limited funding to test the success of the measure before fully committing.

Of the three cases detailed thus far, Green Dam was the most overtly concerned with social stability and public opinion, which the Chinese Communist Party views as major components of national security. Green Dam would have had major economic repercussions for foreign firms had it passed in its original form. Were foreign PC makers willing to comply, their purchase of the software could have potentially reaped huge rewards for the Chinese government. Alternately, had the law passed and Western companies refused to adhere to it, China would have had to grow more reliant on (mostly domestic and regional) companies that would pre-install Green Dam. This was yet another instance in which the Chinese government felt it lost face internationally, and was again forced to weaken its demands rather than lose access to much-needed foreign technology. Yet it was also a step towards the development of a techno-nationalist strategy insofar as it enabled regulators to test moral and national security arguments for overbroad technology laws. By the time a similar effort to make drastic changes regarding imported information technology arose, the political and economic landscape had significantly changed, in some ways to China’s benefit.



Case 4: China’s cybersecurity law (2014–present)

Between the Green Dam-Youth Escort case and the present, the once-marginalized concept of cybersecurity skyrocketed to becoming a top concern of Chinese policy-makers following the Snowden leaks and a growing number of high-profile allegations the United States government has made concerning Chinese state-sponsored espionage for military and commercial advantage. Cybersecurity has become a top priority under President Xi Jinping, who heads the new Cyberspace Administration of China and has repeatedly called for China to become a “cyber power” (网络强国 wangluo qiangguo) with offensive and defensive capabilities on par with the United States and Russia. The emerging domestic narrative of China as a rising “cyber power” that is more often the victim rather than the aggressor of cyber attacks and espionage has been used to justify a comprehensive new cybersecurity law. In light of these changes, it would seem as though the invocation of national security concerns to justify new technology laws would carry greater force than it had previously, yet the prevalence of economic concerns outweighing security ones still continues. The case that has most recently captured the public’s attention — and eclipsed previous instances in which the Chinese government has made exorbitant demands on foreign technology companies — began with proposed regulations on the technology used in China’s national banks and extended to the passage of a national cybersecurity law unprecedented in scope.

At the end of 2014 the Chinese government announced that a law would be passed demanding foreign tech firms that supply Chinese banks with software and hardware to share their source code as proof that they were not building back doors into the technology to conduct espionage. The law’s long-term objective is that “75 percent of technology products used by Chinese institutions must be classified as ‘secure and controllable’ by 2019” (Mozur, 2015). This includes banks, military institutions, and state owned enterprises. In January 2015, bank representatives from around China reported that they attended an unpublicized government meeting where they were instructed to reduce the use of foreign technology at their institutions as much as possible. Secret meetings such as this suggest a multifaceted approach in comparison with the three cases described above, and directly support the hypothesis that a techno-nationalist economic strategy has solidified over the course of each of these cases. By one measure, fewer than fifteen percent of Chinese banks meet the state’s criteria for “secure and controllable,” an oft-repeated phrase that two years later has yet to be clearly defined (Dou, 2015). Foreign firms immediately protested the demand to share source code as a violation of their intellectual property rights.

In late January 2015 the affected foreign business groups collectively addressed a letter of protest that labeled these acts as protectionism to the Central Leading Group for Internet Security and Informatization that Xi Jinping heads. Business groups also sent a letter to the Obama administration, calling on the president to directly address these issues during Xi’s first official visit to the United States. In mid-April 2015 the China Banking Regulatory Commission and the MIIT published a letter in which they stated their intent to briefly suspend the law in order to incorporate “amendment suggestions” that banks and other organizations had offered since it was first proposed (Mozur and Perlez, 2015).

The goals of the proposed banking law were swept into a broader cybersecurity law that the Chinese government approved in November 2016, and which went into effect in June 2017. The section of the law pertaining to “critical information infrastructure” (including financial institutions) stipulates that the state will conduct security inspections of imported technology used in these sectors, which also include government, telecommunications, energy, education, and medicine (Dou, 2016). In addition to data localization requirements demanding that foreign companies store data on their Chinese users within the country, security audits in which firms must reveal segments of source code and encryption keys, as well as a host of other specifications on network operations and cooperation with local Chinese law enforcement, this law represents a culmination of the goals the previous three cases took a more piecemeal approach to effecting (National Law Review, 2016).

To compare the cybersecurity law with the previous three cases, it is crucial to identify its marked departure from former approaches to passing and implementing technology policy, which may signal lessons learned from these previous instances. One major difference, as mentioned above, is that the Cyberspace Administration of China (CAC) is now the central leadership’s top-down coordinating body that will guide other government bureaus on enforcing the new law. The three cases that precede the law’s passage were handled by disparate government offices, none of which had as clearly articulated a commitment to cybersecurity as a national security issue.

A second new feature is the longer period of time between when the Chinese government announced it would develop a cybersecurity law and when the law was passed. Over the course of two years, a draft version of the law was presented for public comment, which gave regulators time to gauge domestic and international responses to the law’s provisions. This extended period of review enabled a third element of the revised approach, namely consultations with foreign firms that helped policy-makers ascertain how the cybersecurity law’s stipulations might be received and which could be scaled back, as discussed below.

Perhaps the biggest difference between the cybersecurity law and the previous three cases is the scope of what its provisions have sought to accomplish. Elements of at least two previous cases’ objectives reappear in this law, from stipulations on encryption to limits on the type of online content considered harmful to so-called “social stability.” Although WAPI itself is not directly referenced, support for the local tech sector runs tacitly throughout the new law. This is most visible through foreign firms’ need to partner with domestic data storage providers as part of the new data localization requirements — a direct echo of the former proposal to partner with handpicked Chinese firms on creating WAPI-enabled products. The cybersecurity law, however, does not only affect tech companies: any firm operating in China and generating data on Chinese citizens or that relates to loosely-defined “critical infrastructure” in the country is subject to these regulations. The three previous cases unfolded in business environments that were less reliant on big data, cloud storage, and other technological infrastructure that is now indispensable for any firm operating overseas.

Despite these changes, however, core elements similar to the previous cases remain true of the cybersecurity law’s drafting and implementation process. For one, foreign firms pressured their government representatives to write letters castigating the draft law. One notable joint effort came from the China ambassadors of the United States, European Union, Germany, Japan, and Canada, urging reconsideration not only of sections of the cybersecurity law but also two controversial draft laws regarding terrorism and foreign NGOs (South China Morning Post, 2016). The letter framed issues such as data localization as running counter to values of IP protection and digital privacy.

Some may question the effectiveness of such high-level pushback against the Chinese government given that several firms had by then individually capitulated to local pressures prior to the law’s passage. For example, since 2003 Microsoft has shared selections of source code with Chinese regulators in so-called “cleanrooms” from which this IP cannot be removed. In 2015 Microsoft has also announced that it would create a version of its Windows operating system solely for Chinese government and state owned enterprises’ (SOEs) use, a joint venture pursued with SOE China Electronics Technology Group (Mehdi, 2015). Well before the cybersecurity law’s enactment, Intel, Qualcomm, and IBM similarly partnered with Chinese companies in what many see as an ineffective effort to retain market access. As of August 2015, Apple began to move its data on mainland Chinese users to data centers within China’s borders, almost two years before the passage of the cybersecurity law.

The ambassadors’ letter may not have affected the cybersecurity law, but after it was sent, the draft counterterrorism law was revised. The main difference between the draft and final versions of the counterterrorism law was that Internet service providers and telecommunications operators would not be forced to install backdoors into their technology to enable law enforcement access, but rather would have to provide assistance to state investigations of possible terrorism by other means including decryption (Sacks, 2016).

The letter-writing, combined with international media criticism of the cybersecurity law’s onerous demands, may have led to the second similarity between this and prior cases: when the law was passed on 1 June 2017, the CAC granted a grace period for firms to comply with the data localization provisions by 31 December 2018. This flexibility differs from the previous cases in being openly announced rather than covertly exercised at a time when media attention died down — an unlikely option for a law with such far-reaching consequences. That the grace period was provided at all suggests that regulators have adapted from earlier instances where excessively rigid compliance requirements drew sharp backlash.

The introduction and eventual passage of the cybersecurity law raises critical questions about how the Chinese government will negotiate future domestic information technology policy. Although the cybersecurity law has attracted so much media attention that it may appear to be the ultimate suite of rules for Internet-related and other data-intensive industries within China, rapid technological developments almost guarantee that this will not be the case for long. Foreign and domestic firms are both struggling to comply with the law, with the latter in particular facing additional challenges in the aftermath, such as a recent announcement of data privacy audits of some of the most popular Chinese apps including mobile payment provider Alipay, messaging service WeChat, and Baidu Maps (Zhang, 2017).

Moving forward, foreign firms will find it harder to push back against excessive demands Chinese regulators enforce on them unless they continue to collectively seek support from their home governments. The minor but still significant changes five countries were able to jointly achieve in expressing their concerns about the counterterrorism law serve as a reminder that diplomatic solutions are possible when a variety of actors work together. Foreign firms should not limit themselves to thinking of other multinational corporations as sharing their interests, but should also consider how new regulations will constrain domestic companies’ operations as well. This approach may enable creative thinking within tech and other sectors about precise points to contest in future efforts to regulate data flows and information technology imports.

Although national security arguments fueling the passage of the cybersecurity law have a stronger basis than did those offered to support the previous cases this paper covers, the economic arguments are stronger in light of slowed growth in China combined with increased investment in the domestic information technology industry. The stunning growth of domestic Chinese technology firms, accompanied by the creation of domestic cybersecurity companies well-versed in the rapidly changing local laws, are making it increasingly easy for the state to edge out foreign competition.



Assessment and conclusion

The Chinese government now touts the Snowden leaks as proof that the United States is an untrustworthy “hegemon” in the technological sphere, an argument used to justify China’s stringent new cybersecurity policies. In light of past attempts to slowly weed foreign technology out of Chinese markets, it is clear that economic concerns have outweighed security ones for many years. The recent formation of groups such as the Cyberspace Administration of China and the Central Leading Group for Internet Security and Informatization further demonstrate cybersecurity’s rise to importance. Part of why the national security argument insufficiently explains the first three cases this paper presents, however, is because the Chinese government bureaus involved simply did not prioritize cybersecurity as a national security issue at the time, and the government entities that were deemed responsible for information security were not involved in the proposed laws examined here. Much has changed since then, and plans to reduce dependency on foreign technology are now embedded into long-term technological development goals, a gradual phasing-out rather than the more extreme reforms attempted in the past.

Had national security concerns truly been the main driver in the first three cases, China may not have compromised quite so readily with Western governments, losing out on the opportunity to import high-quality foreign technology. In such a scenario China could have chosen to only import technology from countries that were willing to comply with the new laws, which local East Asian firms and even a handful of Western companies expressed interest in doing. Additionally, had Chinese state security organizations been the ones to propose these measures, they could have made national security-related appeals to the World Trade Organization that would have cast these steps not as technical barriers to trade, but as necessary provisions for protecting China from security threats. For legal propositions that were undertaken in the name of national security, it is noteworthy that not one of them was headed by a government bureau explicitly devoted to that cause. In contrast, the recent militarization of cybersecurity issues in China conveys the extent to which this issue has become deeply intertwined with Chinese national security at present, which was far from the case when the first three examples in this paper took place.

The patterns that emerge from Chinese government behavior and the U.S. response in the first three cases are worth reflecting on in order to trace the origins of the strategy that has enabled China’s rubber-stamp parliament to have recently passed so uncompromising a cybersecurity law after three rounds of review. These cases demonstrate how the groundwork for indigenous innovation was laid not long after China first gained Internet access.

As the state increasingly deploys techno-nationalist rhetoric to advocate for indigenous innovation and reliance on domestically produced technology, one question that needs to be addressed now regards what may have changed in light of experience the Chinese government gained from “losing face” and toning down its demands. For one, China has since established restrictions that leave foreign multinational corporations (MNCs) such as IBM and Intel with limited options beyond establishing joint ventures with Chinese firms for particular products, a strategy that was proposed in the WAPI case and later adopted by Apple. Unlike in the past, however, these MNCs seem less quick to appeal to the U.S. government and more willing to share intellectual property they would have guarded more closely in the past. Although official statements from these companies defend their actions as being taken for the sake of greater transparency, the ultimate outcome of this information sharing has resulted in a loss of bargaining power for tech companies who seek to push back against Chinese government demands. Recent criticisms have arisen within the United States of major tech companies that are seen as pandering to Chinese leaders to gain access to China’s markets and in more extreme cases, U.S. tech firms are being accused of collaborating with companies that have explicit ties to the Chinese military (Shih, 2014).

Another concern that is far more pressing now than in the past are regular allegations that Chinese state-sanctioned actors are hacking into U.S. information systems to steal valuable intellectual property used to boost Chinese industry and technology (U.S. Department of Justice, 2016). There needs to be closer consultation between the U.S. government and tech companies, as the short-term profit the latter makes could inhibit long-term resolutions the former seeks in discouraging economic cyber-theft and tougher Chinese trade restrictions. Although the pattern in which tech companies appeal to the U.S. government, government trade representatives write letters to top leadership in China, and Chinese officials decide to suspend contentious laws has continued up until recently, if tech companies become more complacent and are willing to comply with some of these laws’ provisions over time, there may not be much the U.S. government can or would do on firms’ behalf if the regulations grow far more prohibitive in the future.

Although the line between economic and security concerns is even harder to distinguish than it was two decades ago, an important question that can help clarify this distinction is if China truly is building more secure information systems than it can obtain from abroad, especially now that the stakes are higher and critical infrastructure in China could be threatened by technical vulnerabilities. Many technology experts believe the strong push for indigenous innovation has still arisen too soon to benefit China, despite the enormous technological leaps the country has made. As China seeks to develop domestic operating systems to replace foreign ones, it would be worth conducting cybersecurity evaluations of this new technology to gauge the extent to which it matches or potentially surpasses the (mostly Western) systems the country wants to abandon.

The recently passed cybersecurity law is the newest and boldest iteration of a strategy that has taken years to hone. In each of the first three cases the paper reviews, the Chinese government eventually secured a pared-down version of its initial demands without raising protest from abroad — in essence, the leadership won each of its battles without gloating. If the cybersecurity law is to serve as indicator, in the future this may happen more swiftly and without the back-and-forth of negotiation, given the centralization of cybersecurity governance, the top leadership’s personal dedication to building China into a “cyber power,” and the years of experience that have culminated in the strategy that the Xi administration is now using to legitimize protectionism under the guise of security. End of article


About the authors

Shazeda Ahmed is a Ph.D. student at the School of Information at the University of California Berkeley. She has worked as a researcher for the Citizen Lab, Ranking Digital Rights, and the Mercator Institute for China Studies. Her research focuses on the development of China’s social credit system, as well as China’s information technology policy and role in setting norms of global Internet governance.
E-mail: shazeda [at] ischool [dot] berkeley [dot] edu

Steven Weber is Professor at the School of Information and Department of Political Science at the University of California Berkeley. He is the author of The success of open source (Cambridge, Mass.: Harvard University Press, 2004) and co-author of Deviant globalization: Black market economy in the 21st century (London: Bloomsbury, 2011). He studies the political economy of data and is currently writing How to organize a global enterprise: Economic geography in the post financial crisis world.
E-mail: steve_weber [at] berkeley [dot] edu



1. For those who question the extent to which viewing source code and reverse engineering actually enable competitors to catch up with more advanced manufacturers, an example from Douglas Fuller’s (2016) book Paper tigers, hidden dragons: Firms and the political economy of China’s technological development is particularly illustrative. Fuller describes Chinese government review boards that are responsible for ensuring the safety of imported telecommunications hardware. While members of these boards naturally included government officials, at times representatives from championed national firms including Huawei, were invited to participate as well. One remarkable footnote in a chapter detailing the factors of Huawei’s success cites “several interviews” in which representatives of domestic firms were allowed to participate in these review boards: “Huawei and ZTE’s major domestic competitors lost out despite their right to sit on the same government review boards that tested and approved foreign communications equipment for the Chinese market. Sitting on these boards, Huawei and ZTE learned how to copy foreign designs while testing and opening the equipment of foreign vendors as part of the approval process.” See Fuller, 2016, pp. 82–;83.

2. Sutter, 2000, p. 61.

3. Ostry, et al., 2003, p. 198.

4. Notably, IWNCOMM received research support from China’s 863 Program, a Chinese government-funded initiative that seeks to decrease China’s dependence on foreign technology. Suttmeier, et al., 2004, p. 28.

5. Suttmeier, et al., 2004, p. 30.

6. Kim, et al., 2014, p. 596.

7. Tai, 2010, p. 63.

8. For a disturbing, fascinating account of the years-long cyberattacks and near-bankruptcy Solid Oak endured in trying to sue the Chinese government for theft of source code, see Riley, 2012.



BBC, 2010. “China Green Dam web filter teams ‘face funding crisis’” (13 July), at, accessed 13 December 2015.

Bloomberg Businessweek, 2004. “Online extra: Letter from Bush administration officials to Beijing protesting Wi-Fi encryption standards” (15 March), at, accessed 20 February 2018.

[in Chinese] Cai Jing [蔡京], 2009. “Green Dam–Youth Escort” [绿坝–花季护航], Modern Marketing (Marketing Institution Edition) [现代营销 (营销学苑版)], volume 6, p. 100, accessed 20 February 2018.

[in Chinese] Cao Jun (曹军), 2005. “A Review of the Independent Innovation from WAPI” (从 WAPI 看自主创新), China Soft Sciences (中国软科学 ), volume 7, at, accessed 27 November 2015.

Loretta Chao, 2009. “U.S. trade officials urge China to revoke PC rule,” Wall Street Journal (25 June), at, accessed 27 November 2015.

Christopher T. Cloutier and Jane Y. Cohen, 2011. “Casting a wide net: China’s encryption restrictions,” WorldECR, at, accessed 4 September 2017.

[in Chinese] Chuban Cankao — Industry Information Edition [出版参考 — 业内资讯版], 2010. “U.S. Company Sues ‘Green Dam,’ Massive Claims for Damages Cause Controversy,” [美公司告 “绿坝” 侵权巨额索赔引争议] volume 2, p. 4, accessed 20 February 2018.

Eva Dou, 2016. “China’s cyber strategy stresses securing infrastructure,” Wall Street Journal (27 December),, accessed 14 January 2017.

Eva Dou, 2015. “U.S., China discuss proposed banking security rules,” Wall Street Journal (13 February), at, accessed 11 December 2015.

Owen Fletcher, 2010. “Apple tweaks Wi-Fi in IPhone to use China protocol,” PCWorld (3 May), at, accessed 11 December 2015.

Douglas Fuller, 2016. Paper tigers, hidden dragons: Firms and the political economy of China’s technological development. Oxford: Oxford University Press. pp. 82–83.

Eric Griffith, 2004. “Intel tells China: No more chips,” Internet News (11 March), at, accessed 27 November 2015.

Ethan Gutmann, 2010. “Hacker nation: China’s cyber assault,” World Affairs, volume 3, at, accessed 14 January 2017.

Scott Kennedy, 2006. “The political economy of standards coalitions: Explaining China's involvement in high-tech standards wars,” Asia Policy, number 2, pp. 41–62.
doi:, accessed 15 April 2018.

Dong-Hyu Kim, Heejin Lee, Jooyoung Kwak, and DongBack Seo, 2014. “China’s information security standardization: Analysis from the perspective of technical barriers to trade principles,” Telecommunications Policy, volume 38, number 7, p. 596.
doi:, accessed 15 April 2018.

Heijin Lee and Sangjo Oh, 2008. “The political economy of standards setting by newcomers: China’s WAPI and South Korea’s WIPI,” Telecommunications Policy, volume 32, numbers 9–10, p. 665.
doi:, accessed 15 April 2018.

Frankie Li, Hilton Chan, Kam-Pui Chow, and Pierre Lai, 2010. “An analysis of the Green Dam-Youth Escort software,” In: Kam-Pui Chow and Sujeet Shenoi (editors). Advances in Digital Forensics VI. Berlin: Springer-Verlag, p. 51.
doi:, accessed 15 April 2018.

Yusuf Mehdi, 2015, “Bringing Windows 10 to public sector customers in China,” Windows Blogs (16 December), at, accessed 4 September 2017.

Paul Mozur, 2015. “New rules in China upset Western tech companies,” New York Times (28 January),, accessed 1 December 2015.

Paul Mozur and Jane Perlez, 2015. “China halts new policy on tech for banks,” New York Times (16 April),, accessed 11 December 2015.

National Law Review, 2016. “China seeks comment on seven draft cybersecurity and data privacy national standards” (21December), at, accessed 14 January 2017.

Office of State Commercial Cipher Code Administration, 1999. “State Council regulations on administration of commercial encryption” (7 October), at, accessed 14 January 2017.

Open Source Center, 2004. “PRC creates new wireless encryption standard, Taiwan firms able to enter market,” OSC code: CPP20040315000232 (15 March).

Sylvia Ostry, Alan S. Alexandroff, and Rafael Gomez (editors), 2003. China and the long march to global trade: The accession of China to the World Trade Organization. New York: RoutledgeCurzon. pp. 198–199.

People’s Daily, 2004. “China’s new wireless standard met with Intel resistance” (12 March), at, accessed 11 December 2015.

[in Chinese] People’s Republic of China State Council Directive 147 (中华人民共和国国务院令147号发布), 18 February 1994. “People’s Republic of China Computer Information Systems Security Protection Regulations” (中华人民共和国计算机信息系统安全保护条例), Netinfo Security (信息网络安全), volume 7, at$9A4hF_YAuvQ5obgVAqNKPCYcEjKensW4ggI8Fm4gTkoUKaID8j8gFw!!, accessed 4 September 2017.

Bien Perez, 2004. “Encryption crisis will benefit Intel rivals,” South China Morning Post (16 March), at, accessed 7 December 2015.

Michael Riley, 2012. “China mafia-style hack attack drives California firm to brink,” Bloomberg (27 November), at, accessed 27 November 2015.

Samm Sacks, 2016. “Apple in China, Part I: What does Beijing actually ask of technology companies?” Lawfare Blog (22 February), at, accessed 4 September 2017.

Gerry Shih, 2014. “Chinese Internet regulator welcomed at Facebook campus,” Reuters (8 December), at, accessed December 11, 2015.

South China Morning Post, 2016. “Major world powers team up to pressure China over new laws covering terrorism, cybersecurity and NGOs” (1 March), at, accessed 4 September 2017.

Karen M. Sutter, 2000. “Foreign firms struggle with new rules on encryption products,” China Business Review, volume 27, number 2, p. 61.

Richard P. Suttmeier, Xiangkui Yao, and Alex Zixiang Tan, 2004. “China’s post-WTO technology policy: Standards, software, and the changing nature of techno-nationalism,” National Bureau of Asian Research, special report, number 7, p. 28, and at, accessed 15 April 2018.

Zixue Tai, 2010. “Casting the ubiquitous net of information control: Internet surveillance in China from Golden Shield to Green Dam,” International Journal of Advanced Pervasive and Ubiquitous Computing, volume 2, number 1, p. 63.
doi:, accessed 15 April 2018.

[in Chinese] Tan Yimin [覃怡敏], 2010. “Green Dam — An Embarrassment for Whom?” [尴尬绿坝 尴尬了谁], New Finance [新财经], volume 9, p. 90, accessed 20 February 2018.

[in Chinese] Television Technology [电视技术], 2004. “China, U.S. Agree to Indefinitely Delay WAPI Implementation Date” [中美就WAPI达成协议无限期推迟实施日期], volume 5, p. 33, accessed 20 February 2018.

U.S.-China Economic and Security Review Commission, 2016. “2016 Report to Congress of the U.S.-China Economic and Security Review Commission” (16 November), at, accessed 14 January 2017.

U.S. Department of Justice, 2016. “Manhattan U.S. attorney announces economic espionage charges against Chinese man for stealing valuable source code from former employer with intent to benefit the Chinese government” (14 June), at, accessed 20 February 2018.

Xinhua, 2000 “PRC official comments on scope of encryption regulations” (16 March).

Xia Yu and Matthew Murphy, 2011. “The regulation of encryption products in China,” Bloomberg Law Reports, number 4.

[in Chinese] Zhang Weiwei, 2017. “Cyberspace Administration of China and Four Government Ministries Evaluate Privacy Policies of WeChat, Taobao, Alipay, and Others,” (网信办等四部委评审微信淘宝支付宝等隐私条款), NetEase (网易) (21 August), at, accessed 29 August 2017.


Editorial history

Received 11 September 2017; revised 21 February 2018; accepted 24 February 2018.

Copyright © 2018, Shazeda Ahmed and Steven Weber.

China’s long game in techno-nationalism
by Shazeda Ahmed and Steven Weber.
First Monday, Volume 23, Number 5 - 7 May 2018