__Freedom and order are both necessary in cyberspace: Freedom is what order is meant for, and order is the guarantee for freedom.__ - President Xi Jinping
Can a technology designed to enhance the free exchange of ideas and information be turned into an instrument for limiting that freedom, and for strengthening political tyranny at the expense of individual liberty? Sadly, the histories of the printing press, radio, and television suggest the answer is yes—and over the past decade, the Internet may have been following the same sinister path. Taken as a whole, the Net represents a more complex technology than its analog predecessors. It also enjoys a far larger mass audience, with many more direct portals for instant individual input—and its scale is global. It is this unprecedented immensity and accessibility that repressive governments exploit in seeking to use the Internet for their own ends.
Two in particular, the People’s Republic of China and Vladimir Putin’s Russia, are busy creating a very different Internet from the one we’ve come to know. Theirs is a “closed” Internet that sharply limits the access of their nations’ citizenries to the larger “open” Internet, which the United States created and has overseen through the Internet Corporation for Assigned Names and Numbers (ICANN). The closed Internet uses the same technologies that drive the open Internet but deploys them as tools for total government surveillance and control. Additionally, China and Russia manipulate the openness of the other, freer cyberspace to steal information and intellectual property from the United States and other industrial democracies.
They have had help. Some of our own leading high-tech companies have become increasingly complicit in building what the Economist has dubbed China’s “iron cyber cage,” as well as Russia’s version. Such developments have brought us to a turning point in the evolution of the World Wide Web. Will it ultimately be an instrument of freedom or an instrument of tyranny? This depends in large part on how our leaders respond to the changing digital terrain. The story so far is not encouraging.
Without question the worst abuser of the Internet, both as a tool for state and industrial espionage and as a tool for state surveillance and control, is China.
China’s role in systematic cybertheft goes back to the 1990s. But it was not until 2007, following a series of severe attacks on the Pentagon, the State Department, and other leading government agencies from China, that the seriousness of the Chinese cyberchallenge became a matter of official concern. In the years since, the threat has only grown in scale and cost. According to a 2014 Intellectual Property Commission report, China is behind 75 to 80 percent of international cyberthefts, which extract an annual total of roughly $400 billion from the world economy. And the bulk of that total is stolen from the United States.
This theft is not random—nor is it, as some might argue, the inevitable cost of Internet freedom in the West. Cyber-espionage is a well-established and conscious strategy employed by China’s economic and military elite. On the economic side, it is used to prop up China’s many, largely unprofitable, state-owned enterprises and to develop new domestic industries (for example, China’s booming pharmaceuticals companies) where virtually none existed two decades ago. It may be difficult to gauge how much of China’s “economic miracle” since the 1990s has been due to cybertheft, but it’s likely to be a large percentage. As the former head of U.S. Cyber Command, General Keith Alexander, has said, China’s strategy has resulted in “the greatest transfer of wealth in history”—and one almost entirely at the expense of the United States and the West.
Cybertheft and “information warfare” also play a major role in China’s defense strategy. The People’s Liberation Army has trained hacker units that have stolen reams of military secrets and documents from defense companies. Such documents include plans for the U.S.’s fifth-generation stealth fighter, the F-35 Lightning II. This is why China’s own J-20 stealth fighter, unveiled in 2010, bears such an uncanny resemblance to the F-35. At the same time, tens of thousands of part-time hackers (many of them said to be young Chinese living abroad on student visas) do their part, either by stealing foreign corporate and government secrets or by impeding efforts to block cyberattacks from mainland China. These part-timers frequently retaliate against foreign companies trying to call attention to the theft of their property.
For the Communist Party leadership, China’s constant raids into foreign cyberspace also serve a proactive purpose: to monitor and edit China’s public image abroad by intercepting or disrupting any messages that contradict how the Party wants to be seen, and wants China to be seen. In this sense, Chinese hackers help plug the remaining holes in the most monstrously complex system of Internet censorship and control ever devised. Its nickname is the Great Firewall of China.
The Great Firewall’s architect is Fang Binxing, who graduated with a Ph.D. in computer engineering from the Harbin Institute of Technology. He began work on its main applications in 1999 as deputy chief engineer of the National Internet Emergency Response Centre—the emergency being, presumably, the possibility of uncensored free speech flowing into China from the World Wide Web. Fang’s goal was to find ways to systematically screen out access to any websites the government deemed harmful or undesirable, especially those with content from Western sources.
The key parts came on line in 2003. By the time Fang left the Internet Emergency Response Center in 2007, his Great Firewall was firmly in place. Periodic upgrades are aimed both at making it more difficult to get access to material critical of Beijing and at protecting China’s own growing Web firms against overseas rivals.
Exactly how the Great Firewall works is a state secret, but experts say its most important component is a Domain Name Server (or DNS) block. This ensures that when a Web user enters a given URL domain name and the DNS looks up its IP address, the DNS will be instructed to send back the message “no address.” Another important component is keyword blocking, so that if a URL name contains any forbidden terms such as “democracy” or “Tiananmen” or “human rights,” the server will steer away from that page. Digital scanners also examine page content, meaning that if a Web page contains undesirable material, the connection will be severed for a period of a few minutes to several hours. In short, every property that makes information accessible on the open Internet is turned into a trigger to block access for Chinese citizens.
Someone trying to get back onto a blocked page or site can land in serious trouble. The Great Firewall employs tens of thousands of Internet police who directly monitor Web traffic around the clock, and who can take action against individuals or even companies that dare to violate the rules. A company that does business over the Net in foreign countries but allows illegal content to slip through, for example, could find itself facing its own punitive DNS block—one that can ruin business both at home and abroad.
In truth, the term Great Firewall is a misnomer. What Fang Binxing and the Communist Party leadership have devised is a cyberjail for the country’s 560 million Internet users—a prison in which everything the Communist Party wants gets in, and everything it doesn’t want is kept out.
Last year, a report by the American think tank Freedom House found that China had the most restrictive Internet policies of 65 nations studied. Yet it is a record of which the Communist leadership itself is inordinately proud. The Cyberspace Administration of China, or CAC, has said that its goal is to make the Communist Party the single “strongest voice on the Internet.” It insists that a recent survey shows that 90.6 percent of users are “full of confidence in the healthy development” of China’s Internet (no surprise, given that the CAC’s police are constantly watching over their shoulders). The CAC has also said that it will use China’s Internet-management model “to show the way for changes in global Internet governance.” It’s a promise that the Chinese government is already taking strong steps to advance.
Yet perhaps the most insidious aspect of China’s “closed” Internet model is the way it makes a mockery of the idea of dissent. Fang Binxing is China’s most famous Internet personality, but also its most hated. Blogs often publish scurrilous abuse of the Great Firewall’s founder; during one visit he made at a Chinese university in 2012, student protesters bombarded him with eggs and a shoe. There was little police response; China’s leadership has evidently decided that allowing some limited and carefully monitored expressions of grievance against the government, even protests against censorship, is a useful political safety valve.
The official term for this manipulative tolerance is adaptive authoritarianism, and it extends over China’s entire information-technology industry. Renren (the Chinese version of Facebook) and Weibo (China’s Twitter) mimic their Western social-network counterparts, just as Web-search server Alibaba and smartphone maker Xiaomi mimic the characteristics of Western-style entrepreneurial start-ups. Xiaomi even likes to boast about its “egalitarian management structure” and divisional autonomy—“everything operates on trust,” enthused one former employee to the Wall Street Journal in June 2015.
But no one doubts that these entities, like Chinese telecom giants Huawei and ZTE, strictly adhere to government policy regarding a closed Internet. Alibaba’s Jack Ma and Xiaomi’s Lei Jun are allowed to behave like Chinese versions of Steve Jobs and Eric Schmidt, but only so long as they help provide the bars of China’s Internet prison.
Chinese President Xi Jinping’s adaptive authoritarianism represents a far more sophisticated approach to Internet censorship than that of his neighbor, Vladimir Putin. This makes sense, as China’s effort at creating a closed Internet has been going on far longer than Russia’s. In the 2015 Freedom House Internet Freedom survey, Russia ranks only 17th among “unfree” nations, compared with China’s first place (Saudi Arabia, by contrast, comes in eighth).
China’s cybertheft program is also far more extensive and carefully conceived as part of a broad national strategy of economic and military supremacy. Russia’s cybertheft industry tends to be atomized and directed mostly toward cybercrime, such as identity fraud and stealing from foreign bank accounts—although many of its chief practitioners are also closely linked to Russia’s secret police.
But when it comes to exercising control over the Internet inside Russia itself, Russia’s push toward a “closed” Internet closely resembles China’s. It uses many of the same cyber tools, such as monitoring and blocking controversial sites, not to mention police surveillance of those who use the Net to spread information or opinion of which the regime disapproves.
Yet an important difference distinguishes the two efforts. China’s cyber goals include transforming the country’s IT industry into a world leader and competitor with Western companies—the same companies from which Chinese companies have stolen their most advanced technology. Russia’s push for control of the Internet, on the other hand, is driven more by the conventional fear that haunts other authoritarian regimes: that economic distress or other grievances might spill out into the street and metastasize into unrest which Moscow will not be able to control. The Arab Spring taught Putin and his colleagues powerful lessons about the dangers of unfettered access to Western Internet sites and social networks. That’s an experience they, and other dictators around the world, do not intend to undergo.
If the heart of China’s closed Internet is the Great Firewall, the heart of Russia’s is the System of Operative-Investigative Measures (SORM). This official surveillance system legally allows Russia’s FSB, the direct successor to the KGB, to monitor, intercept, and block any communication sent electronically, including by cellphone or on the Internet.
Like any good secret-police bureaucracy, SORM divides its functions into separate divisions. SORM-1 captures telephone and mobile-phone communications. SORM-2 intercepts Internet traffic. SORM-3 collects information from all forms of communication within Russia, while also providing long-term storage of all information and data on subscribers, including recordings and locations of their calls and Internet interactions.
By providing comprehensive surveillance of every citizen—what he or she is reading or saying, with whom they’re meeting or talking, and even where they’re doing it (SORM data is coordinated with nationwide surveillance camera data)—SORM is a tool that Josef Stalin or O’Brien, George Orwell’s fictional head of the Thought Police, could only have dreamed of. Without Internet-based technology, its reach would be inconceivable. And without the cooperation of Western IT companies, it would be unrealizable.
To monitor particular phone conversations or Internet communications, an FSB agent need only enter an electronic command into the control center from a local FSB headquarters anywhere in Russia. Indeed, in every Russian town, there are protected underground cables that connect the local FSB bureau with all Internet Service Providers (ISPs) and telecom providers in the region. No fewer than seven Russian state police agencies have access to the data. The government says the apparatus is there to protect Russians from terrorists, but critics insist it’s a means of controlling and eliminating dissent.
SORM’s history strongly suggests the critics are right. It was first developed during the Soviet years, by a KGB research institute in the mid-1980s. But in recent years SORM has been rigorously and systematically upgraded to stay abreast of every advance in communications technology.
Most Americans learned about SORM’s existence only in 2014, when the Department of Homeland Security’s United States Computer Emergency Readiness Team (CERT) warned those traveling to the Olympic Games in Sochi that “Russia has a national system of lawful interception of all electronic communications.” The warning went on:
Travelers may want to consider leaving personal electronic devices (e.g. laptops, smartphones, tablets) at home or alternatively bring loaner devices that do not already store sensitive data on them and can be wiped upon return to your home country. If individuals decide to bring their personal devices, consider all communications and files on them to be vulnerable to interception or confiscation.
But perhaps the most sinister technology being employed by the Russian surveillance agencies, with the telecom companies’ cooperation, is “deep packet inspection.” This allows intelligence agencies to filter Internet users by particular keywords. “For example,” says journalist Andrei Soldatov, co-author with Irina Borogan of The Red Web, “you can use the keyword Navalny, and work out which people in a particular region are using the word Navalny,” referring to Alexei Navalny, Russia’s best-known opposition politician. “Then, those people can be tracked further,” Soldatov adds, since SORM-3 can provide a complete record of all their previous communications with anyone anywhere.
Today every Internet server in Russia is required to install deep-packet-inspection applications in their networks, as part of their compliance with SORM regulations. It’s one more step in Putin’s effort to keep track of every dissident, every dissident’s utterance, and all his friends at all times. It’s hard to think of a better way to chill “loose talk” on the Net or on a cellphone, especially when coupled with the Russian police’s brutal record in dealing with those deemed hooligans or enemies of the state.
Dissidents like Navalny, Garry Kasparov, and others still hold out hope that the Internet outside Russia, and the companies that serve it, can remain a portal through which free speech inside can be preserved. But in July 2015, Vladimir Putin took steps to close down that option. The Russian president signed a law requiring “data localization” of all Net communications inside Russia. The law forces companies that obtain information online from Russians to store that data on servers physically located in the country—ostensibly to protect Russians from unwanted intrusions into their privacy, but actually to keep track of them.
This means that companies such as Google, Facebook, LinkedIn, and Twitter would have to move or build data centers in Russia if they wanted to continue doing online business there. If a company doesn’t comply, Russian Internet users will be blocked from accessing its content. Thus far, American technology companies have publicly opposed the law, with some positive result. Russian officials have assured Twitter that the definition of “personal data” will not include the information it happens to gather on its users. Additionally, implementation of the law was put off, from September 2015 to September 2016. But when the law does come into effect, the big question will be whether foreign Internet companies, including U.S. companies, will bow down and comply.
As one might expect, Russia and China have found ways to cooperate in their efforts not only to build their own closed Internets but also to export the concept of “Internet sovereignty” (as the Chinese put it) to other, similarly minded countries. In 2005, for example, Russia and China joined forces to insist that overall supervision of the Internet be taken away from ICANN, which currently operates under a renewal contract with the U.S. Department of Commerce, and that it be passed to an institution that will be more subject to pressure from national governments—including Russia and China. The institution they chose was the UN’s International Telecommunications Union or ITU. At the ITU conference in Dubai in 2014, the two dictatorships unveiled their plan for increasing the control that individual governments can exercise over the Net, to widespread applause.
Not surprisingly, NSA “whistleblower” Edward Snowden’s sensational revelations in June 2013 about the NSA’s eavesdropping on cellphone calls, including foreign-government cellphone calls, gave fodder to Russia and China in insisting that the Internet was too important to be left in the control of the U.S. government (even though NSA has nothing to do with Internet governance). At one point, Putin even described the creation of the Internet itself as a “CIA plot.”
The ITU Dubai conference failed to endorse their Internet-takeover plan. This was due largely to pushback from the United States and other democratic countries that belatedly realized the future of a free and open Net was hanging in the balance. Despite that setback, in January 2015, Russia and China drafted a document called “The International Code of Conduct for Information Security” and found four other countries belonging to the Shanghai Cooperation Organization willing to sign it. The document underlined the principle that governments have the sovereign right to monitor communications, including Internet communications, inside their borders, and it was sent to the UN General Assembly in the hope that still other countries would sign it, including democratic nations such as Brazil and India.
Then, in May 2015, Vladimir Putin and President Xi signed a deal for more integrated cybersecurity cooperation between their two countries. They agreed not to conduct cyberattacks on each other and to work together to counteract technology that might “destabilize the internal political and socio-economic atmosphere,” “disturb public order,” or “interfere with the internal affairs of the state.” They agreed, in short, to blunt the impact that adverse information or dissenting voices on the Internet might have on their regimes.
Putin and Xi also struck a deal to exchange information between Russian and Chinese law-enforcement agencies, and to exchange technologies to “ensure security of information infrastructure.” This will mean helping each other to screen out unwanted facts and opinions. In effect, it’s the Internet version of the 1941 Nazi-Soviet pact—a landmark nonaggression agreement that aims to extend the Great Firewall principle across a broad Eurasian perimeter.
China in particular sees an opportunity for its growing IT industry by turning the Great Firewall into a profitable export industry. It is having some success with Iran.
Iran has long used government control over the Internet to censor and filter websites, keep track of Internet users, limit the use of foreign applications, and implement other restrictions consistent with the cyber policy of an Islamic police state. It also uses the Web to run its own state-sponsored hacking operations (Iran comes in at second place in the Freedom House list of the most “unfree” nations).
For years, Iran’s rulers have yearned for what they call a “national Internet” or “clean Internet” free of any unwanted foreign content. Now, with China’s help, they are getting ready to accomplish that goal. Iran’s Ministry of Communications and Information Technology reached agreement with China’s Information Council in January 2015 to cooperate in creating the sort of top-down state control it has long sought.
In Africa, Chinese telecoms have been instrumental in assisting governments’ repression of civil society and opposition. Human Rights Watch has accused Huawei and ZTE of providing the Ethiopian government with network-control technology it can use to silence dissent. Freedom House and the Norwegian Peacebuilding Resource Centre have also documented examples of Chinese telecom equipment being used in both Zimbabwe and Zambia to further government efforts at censoring the Internet and jamming shortwave radio.
For Ethiopians living in a country that is now the sixth-worst offender against Internet freedom, self-censorship is the safest response. “They know everything we do,” said one glum Ethiopian to a Human Rights Watch observer. For Third World countries, doing IT business with China guarantees a state-controlled Internet that allows citizens to read only what the government wants them to read, to say only what the government permits them to say, and to meet over the Net only those whose governments exercise the same protocols of surveillance and control.
Will America’s biggest IT companies become accomplices to online repression?
Facebook and Twitter were bounced out of China in 2009 when the government accused them of helping to stir up a violent riot in Xinjiang province that killed almost 200 people. YouTube has also since been banned in China, and Google left the country in 2010 in a disagreement with Beijing over how to comply with the standards of the Great Firewall.
Returning to China, however, is an obsession for Facebook chief executive Mark Zuckerberg. His wife is Chinese; he has studied Mandarin and even conducted a press conference in Mandarin with China’s state-owned CCTV. Zuckerberg has courted China’s new president Xi Jinping assiduously, inviting him to a special conference in Seattle at Facebook’s headquarters in September (Twitter and Google were conspicuously not invited). Zuckerberg and his wife seated themselves directly next to the Chinese president and his wife. At one point the founder of Facebook even asked Xi if he would give an honorary Chinese name to the Zuckerbergs’ unborn baby girl. Xi said no.
Despite Zuckerberg’s desperate efforts, most experts agree Facebook is not getting back into China any time soon. The Chinese government sees monitoring Facebook’s vast network of users and followers, and all their links and opinions, as too formidable a task even for the Great Firewall.
Where Facebook has failed to tap into the Chinese market, Apple has succeeded in a big way—but at a price. At present, Apple is the first foreign company that has agreed to let China carry out security checks on its devices in obedience to the counterterrorism and national-security law passed in November 2014. Apple obligingly stores its information on Chinese users on servers in China; it has also agreed to inspections by Internet police of the data stored there.
Apple’s relations with the Chinese government, however, have been rocky. In 2013, the company became the target of a Chinese media onslaught, blaming Apple for treating Chinese customers as second-class citizens and for not providing sufficient IT support for users. Apple went out of its way to apologize for what the media dubbed its “arrogant” behavior. That apology caused amused chuckles among Apple’s competitors in the United States, but it was clearly aimed at complying with an officially sponsored bullying exercise.
With Apple’s strong presence in the Chinese mobile-phone market (last year it sold more iPhones in China than in the United States), and with 70 percent of its manufacturing based in China, it’s not surprising that Apple executives will do little or nothing to endanger the company’s relations with the Communist government. There are still questions, however, about Apple’s willingness to facilitate Chinese surveillance of citizens. Will Apple executives agree to install “back doors” in products enabling the Chinese government to enhance its snooping? Will the company hand over to the Communist government source codes for the encryption of iPhones (something it refused to do in the case of the American federal government)?
The fact that American companies are helping reinforce the Great Firewall is bad enough. IBM, for example, is providing Beijing with processors it needs to build the supercomputers that can sift Big Data and close the remaining gaps in the Great Firewall—and at no cost. Intel, Cisco, Hewlett-Packard, and other corporations have contracts with Chinese IT companies with strong military ties, which means they are already part of China’s closed Internet architecture, willingly or not.
Further cooperation from Apple, Google, and Facebook would increase the potential for great leaps in Chinese cybertheft and espionage. There are powerful reasons for worrying that if Apple turned over source codes for its iPhones and other devices, China could turn them into platforms for widespread hacking operations. And the possibility exists that China could corrupt existing social networks. By stealing personal information through the network linking Facebook users, Chinese hackers could enhance their profiles of high-value targets. China has already culled such profiles from stolen personnel files. This past spring, for example, Chinese hackers stole 22 million identities from the Office of Personnel Management in order to create phony or duplicate identities of people with top security clearances.
While U.S. firms have not exactly given in yet, neither have they been as resolute as one would hope. In the summer of 2015, American companies doing business in China were presented with a document from Beijing. It asked them to promise that any data they had about Chinese users of their products would be stored inside China. It also asked them to pledge their commitment to turn over all user data and intellectual property Beijing considered important to its own national security.
The Information Technology Product Supplier Declaration of Commitment to User Security, as the letter is titled, requires every American company to agree henceforth to “permit the user to determine the scope of information that is collected and products and systems that are controlled, to collect user information only after openly obtaining user permission, and to use collected user information to the authorized purposes only”—the user being, in this case, not the individual customer but the Chinese government.
The document triggered an Internet furor but not, significantly, a united front of American technology companies declaring their refusal to comply. In the past, companies such as Apple, Cisco, Western Digital, Hewlett-Packard, and Intel have acquiesced to China’s demand that the needs of the Internet are subservient to the needs of the state. From Beijing’s perspective, there was no reason to believe that those presented with this latest missive would not follow suit.
The letter also followed another request that foreign attendees at a conference organized last year by Beijing’s chief Internet watchdog, CAC, agree to a declaration that every country has the right to set its own Internet laws. A storm of objections did force Beijing to withdraw that declaration, but soon afterward the Chinese government put heavy pressure on U.S. technology firms wanting to do business in China to hand over proprietary source code and encryption keys so that Chinese authorities could access individual user information.
President Obama replied in a press conference: “As you might imagine, tech companies are not going to be willing to do that.” But in truth the leading American companies engaged in IT in China have hitherto largely complied with the Communist government in order to have access to an Internet involving an estimated 560 million users, more than in Europe and North America combined. How much further they are willing to go may depend more on what signals Washington, not Beijing or Moscow, sends them.
“If you want a vision of the future, imagine a boot stomping on a human face—forever.” Those words from George Orwell’s 1984 are proving shockingly relevant. The Internet does provide unprecedented means for the imposition and expansion of tyranny. Yet the means for preventing that tragedy are at hand, and they involve the very same American companies that developed and extended the Internet’s reach. Apple, Google, Facebook, Cisco—all these have the power to limit the reach and scope of the closed Internet, simply by refusing to cooperate.
Their role is crucial to the future because Russia’s and China’s Internet-surveillance systems, and those of other countries copying them, are parasitic on Western technology and the open Net. The Great Firewall, SORM, and their offshoots exist only because of technology developed in the West, which was then either bought from companies or stolen through the Net. Chinese IT companies have not been able to introduce a single innovation or development that Western companies have found themselves obliged to compete with or emulate.
The key to generating a united response from American IT companies in support of Internet freedom lies with the federal government, particularly the White House. Alas, on this matter the Obama administration’s record has been poor, if not disgraceful. In trying to stop Chinese cyberattacks, it meekly issued indictments of five minor officials of the People’s Liberation Army—none of whom will ever see the inside of a federal courtroom. Even worse was the signed agreement between Obama and President Xi in October, pledging that each country would refrain from engaging in commercial espionage against the other—an agreement that, according to cybersecurity watchdog CrowdStrike, Chinese hackers violated just hours after it was signed. More serious still, the Obama administration’s push to terminate the Commerce Department’s long-standing contract with ICANN would inevitably hand the running of the Internet over to what is euphemistically called the “international community,” which today means Russia, China, and their allies.
What is needed instead is a president who understands that there can be no Internet as we know it unless we strongly assert the Western ideals of freedom of access and freedom of expression. We need a president willing to tell Beijing that its cybertheft days are over, a president who will encourage America’s information-technology companies large and small to stand up to Chinese and Russian demands.
This is not just a matter of cybersecurity, important as that may be to America’s present and future economic well-being. The nature of the Internet is at stake, as is the Western ideal of freedom it should embody.