China out to take the lead on global data security

Lt Gen SL Narasimhan (Retd)

Distinguished Fellow, Centre for Air Power Studies

SINCE 2013, when President Xi Jinping announced the One Belt One Road (OBOR) initiative, China has launched a number of initiatives. On September 8, 2020, Beijing launched the Global Initiative on Data Security (GIDS). In September 2021, the Global Development Initiative was unveiled. In April 2022, Xi announced the Global Security Initiative (GSI) during the Boao Forum for Asia. On March 16 this year, China launched the Global Civilisation Initiative.

OBOR has drawn considerable attention, but not the other initiatives. The least attention has been paid to GIDS. That can be attributed to comparatively less effort expended on it by China. But China watchers will agree that once Beijing puts something out there, it is for perpetuity. An example of this is China’s claim to the Second Island Chain. For some time now, it has disappeared from its discourse. China’s increased focus on the Pacific Island Countries recently can be seen as an extension of that claim, in addition to weaning those countries away from Taiwan.

Seen individually, all these initiatives look innocuous, and they are standalone. If analysed together, they indicate that China is looking at creating an alternative security architecture. To understand this, one must critically look at these initiatives and find the common thread that runs through them.

GIDS puts forward six proposals for countries and two for ICT (Information and Communications Technology) companies. For the countries, the first proposal states that they should handle data security in an evidence-based manner and maintain a secure and stable supply chain of global ICT products and services. This proposal seems to emanate from the challenges that China’s companies are facing abroad, banning of Chinese apps on security and strategic concerns and to protect herself from denial of technology for semiconductors.

The second proposal says that states should stand against ICT activities that impair or steal important data of other states’ critical infrastructure or use the data to conduct activities that undermine other states’ national security and public interests. This proposal seems to shift the cyber espionage blame on other countries or for China to play the defensive game. An Advanced Analytics Group report released on June 2 indicates that China is one of the major victims of cyberattacks. Between Q2 and Q3 of 2022, China witnessed the highest increase in data breach (4852 per cent, amounting to 14,157,775 breached accounts). On the other hand, China launched 18.83 per cent of the world’s cyberattacks, and the US came second at 17.05 per cent, as per a CyberProof report (January 2022). This is probably a case of reaping what you sow.

The third one is on personal information, and it asks countries to act against activities that jeopardise personal information and oppose mass surveillance against states. However, China herself does not seem to follow it. An NBC report (May 2022) revealed that APT 41, a China-based group, targeted $20 million US Covid funds. The Security Magazine reported in February 2021 that China had stolen personal data of 80 per cent of the Americans. In contrast, China also lost the data of 7,50,000 citizens to a hacker, who was selling it online in July 2022. China’s proposed signal intelligence station in Cuba to surveil the communications in the US came to light recently.

The fourth ask from countries is on data localisation and says that countries should not force companies to store data collected in the country of operation locally. This seems to be an effort to get the data of other countries for China’s efforts to become a world leader in artificial intelligence.

The fifth and sixth proposals are on obtaining data from other states for law enforcement. The aim is to make data exit only through judicial process. That is very difficult to achieve as legal procedures can be very cumbersome and time-consuming. It also talks about sovereignty and jurisdiction of data, which are extremely difficult to define and get concurrence from other countries.

The last two proposals are for the ICT companies. They are that the ICT companies should not install backdoors in their equipment, not force their customers to upgrade their systems and notify vulnerabilities in their systems to their cooperation partners. Prima facie, it appears that some of them will be difficult for the ICT companies to comply with.

In proposing this initiative, China invoked the ‘community with shared future’. This seems to be a response to the Clean Network programme announced by the US in August 2020 which targeted Chinese technology as ‘malignant and untrustworthy’. Russia, Tanzania, Pakistan, Ecuador, the Arab League, Central Asian countries and ASEAN are said to have supported this initiative so far. China asked the countries to support it through bilateral, regional and international agreements. This has been seen by analysts as China’s way to be part of rule-setting on data management and digital economy.

Even though China did not increase the effort to push GIDS, it enacted the Data Security Law in 2021. In March 2023, China announced the setting up of the National Data Bureau; it is responsible for data management and digital economy. These actions indicate the importance that China gives to data and its management. Since the GSI also refers to data security, GIDS can be bundled with it.

For India, the proposals on data localisation, having an evidence-based approach for dealing with companies, protection of personal data and obtaining data for law enforcement and maintaining supply chains will have ramifications.

Join Whatsapp Channel of The Tribune for latest updates.