Politico | China, EU seize control of the world’s cyber agenda
The US guided global internet policy for decades. Now, the EU and China are taking the lead
This story is published in a content partnership with POLITICO. It was originally reported by Eric Geller on politico.com July 22, 2018.
The United States is losing ground as the internet’s standard-bearer in the face of aggressive European privacy standards and China’s draconian vision for a tightly controlled Web.
The weakening American position comes as the European Union, filling a gap left by years of lax US regulations, imposes data privacy requirements that companies like Facebook and Google must follow. At the same time, China is dictating companies’ security practices with mandates that experts say will undermine global cybersecurity – without any significant pushback from the United States.
Experts in cyber policy say the trends could slow the internet’s growth, stunt innovation and erect new market barriers for American businesses. And while these trends began before Donald Trump became president, his administration has yet to devise a clear plan to rebut either of these agendas.
“The US cannot afford to be on the sidelines,” said Chris Painter, America’s top cyber diplomat from 2011 to 2017, who is now with the Global Commission on the Stability of Cyberspace. “Other countries are doing things legislatively that affect the US … and the US is on the back foot.”
One result of this shift is the erosion of the freewheeling US vision of the internet that had reigned for decades. “The US model looks both paralysed and somewhat feckless, while the Europeans and the Chinese are making progress and, in many cases, damaging the openness of the internet,” said Adam Segal, director of the Council on Foreign Relations’ cyber policy programme. “And we don’t particularly have a coherent response to it.”
The lack of US leadership also harms ordinary Americans by letting industry block the adoption of strong protections against cyberattacks, said Democrat Senator Ron Wyden (Oregon), one of Congress’ leading voices on cybersecurity and technology issues.
“The United States is failing on cybersecurity because our Congress has been captured by corporations who have successfully killed any effort to impose meaningful cyber standards,” he told POLITICO in an email.
For years, the US objected aggressively when China and other authoritarian regimes tried to co-opt international venues to push their cyber agendas. In 2015, China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan introduced a “ code of conduct for information security ,” which would have codified their vision of content regulation, but behind-the-scenes work by the Western governments halted its momentum.
“In all bilateral and multilateral encounters heretofore, the United States has successfully and consistently, in a bipartisan way, opposed” authoritarian visions for cyberspace, said a former State and Commerce department official who spent eight years working on cyber issues and requested anonymity to speak candidly.
The US is at a disadvantage, Painter said, because while China and others roll out ambitious plans, American diplomats call for only modest reforms. “If the US line is, ‘Leave the status quo as it is,’ that’s always hard,” he said.
Chinese Communist Party leaders see cybersecurity “as a fundamental part of their governance model,” said Samm Sacks, a senior fellow at the Center for Strategic and International Studies. And President Xi Jinping has taken a personal interest in the topic, beyond how most world leaders engage with the issue.
Meanwhile, Beijing’s grip on domestic affairs gives it an advantage over the US when it comes to laying down the law.
These businesses must let Chinese officials test their equipment and software at any time. They must also store their data in China so investigators can access it. One provision could let Beijing demand companies’ decryption keys, which would effectively ban the unbreakable encryption found in apps like Signal.
Cyber experts suspect China’s generosity is driven by its strategic self-interest: Beijing wanted to have a foothold in these emerging countries’ computer networks. Evidence has occasionally emerged to support this view.
“China’s influence is second to none in terms of its relationships with developing countries and in terms of its expanding relationship, recently, with developed countries,” said the former State Department official. As a result, he said, “Chinese companies are essentially the lead [and] have inside access” to countries’ systems.
Both of these laws will force US companies with European footprints to redesign their security measures to comply, and the more they do so, experts said, the more the EU position becomes the default.
The question for the US is whether to abandon its insistence on a voluntary, industry-led approach and enact more regulations that reflect a clear US vision. Many experts said the American tradition of letting the private sector shape the debate has undercut the nation’s standing globally.
Other countries “have looked around and said, ‘All right, this doesn’t really seem to be accomplishing very much,’” Segal said.
James Lewis, a cyber expert at CSIS, said the US was the only country where extreme distrust of government prevented meaningful cyber regulations. “That’s not how it works in the rest of the world,” he said. “And I say that for both democracies and dictatorships. This overwhelming angst we have about government is not reflected anywhere else on the planet.”
Industry executives say regulations aren’t the answer. Chris Boyer, assistant vice-president of public policy at AT&T, said the best “opportunity for the US to proactively lead this conversation” lay in voluntary standards.
But many security experts argue that isn’t enough. “These voluntary frameworks,” said Segal, “have not really, as far as we can tell, improved US security significantly.”
Regardless of how the US moves forward, experts said it must engage more aggressively in the international debate. “We should try to provide a clear roadmap of the type of approach we want to see other countries adopting,” said the former State official. “Silence just cedes the ground to other views and other approaches that we fundamentally disagree with.”
Sustained engagement will require a strategy on the part of the Trump administration. For now, the former official said, US diplomats attending these meetings “don’t say anything” and are “not relevant.”
The State Department did not make Strayer available for an interview about the US strategy.
“The degradation or the removal of certain roles is hugely important,” said Josh Kallmer, the senior vice-president for global policy at the Information Technology Industry Council. He said his meetings with administration officials often involve “trying to reverse those things.”
The battle isn’t over yet, and China’s agenda still faces hurdles. For one thing, although its cyber law is technically in place, many of its provisions have not yet been enacted, and regulatory agencies are competing over how to implement it. Plus, Chinese firms that want to dominate global markets are pushing back on Beijing’s attempt to balkanize the internet.
“There are constraints internally in China’s system that are going to be a check on some of the more alarming parts of this vision,” Sacks said.
But even so, China is making a greater effort than the US, and the EU isn’t far behind. “For the first time,” said the former State Department official, “many, many, many countries … rank much higher in influence than the US”.
Lewis, reflecting on his recent conversations in Europe and Asia, was pessimistic. “The internet is going to be regulated, and it’ll be regulated from Brussels and Beijing,” he said. “We’re kind of out of it, because we don’t have a good counter.”
