Last week, the U.S. government issued a dramatic one-two punch in its fight to manage supply chain risks in tech infrastructure and avoid Chinese companies’ dominance in next-generation 5G wireless networks. Both actions in their own way targeted the Chinese telecom giant Huawei, which has long been a focus of U.S. scrutiny over allegations that the Chinese government could use its products for espionage or sabotage.
First and most acutely, the Commerce Department announced that Huawei will be cut off from U.S. suppliers without special licenses and that licensing applications will be subject to the “presumption of denial.” As a result, Huawei could lose access to components such as specialized microprocessors and to software, including the Android mobile operating system, which runs on the company’s thriving line of smartphones—none of which it can easily replace with non-U.S. alternatives.
Second, an executive order gave the commerce secretary and other officials broad authority to restrict U.S. tech purchases that they deem a risk to national security and linked to a “foreign adversary.” This will likely be used to ban Huawei equipment in 5G networks, but it could end up having a much broader use than that. The U.S. government has 150 days to determine exactly how that order will be implemented. What happens during that period will decide whether the order is a wise response to real cybersecurity risks or a folly that will effectively cut off the U.S. market from useful and harmless products. At the worst, it could duplicate China’s own highly problematic system for deciding which products are secure enough for Chinese use—a system that in effect uses sweeping definitions of national security as justification to block foreign competition, allowing Chinese companies to thrive.
For years, the U.S. government and industry have protested the Chinese government’s opaque regime for security reviews of technology products. Pushback accelerated in the months leading up to the release of China’s Cybersecurity Law in late 2016, as early drafts circulated among industry experts.
Within weeks of the law entering into force in 2017, China published a rather obscure draft regulation called the “Measures on the Security Review of Network Products and Services,” though it’s more commonly known as the Cybersecurity Review Regime, or CRR. Currently, the measures are in a “trial” form and require products to undergo security review if their application poses certain types of security risks. U.S. companies began referring to it as a “black box” review, because there are no publicly known metrics or processes for passing it. In effect, the CRR means that companies do not know what they can buy or sell, or to whom. Reviews could kick in and affect a company after it has already entered the market, creating sunk costs and making upgrades impossible or expensive.
There is little public information about what exactly the CRR means in practice. In part, that’s because not many companies have actually gone through it yet, since the regime has not yet been widely implemented. The very existence of the regime on the books has caused alarm simply because of the threat that it could be used at any point. U.S. policymakers and industry groups fear that companies could be compelled to disclose source code or corporate secrets in the process of being evaluated under the CRR. A notice from the Ministry of Public Security even suggested that law enforcement would have authority to conduct random on-site inspections and demand remote access to corporate networks.
When the law and review regime went into effect in June 2017, few beyond China’s tech policy watchers were even aware of the debate surrounding China’s emerging cyberspace governance regime. But less than a year later, that would all change. By March 2018, the U.S. government was preparing a whole-of-government effort to take Beijing to task for all the ways that U.S. companies in China experienced an unfair playing field: cybertheft, pressure to turn over technology and intellectual property to Chinese partners, and the laws and regulations that advantage Chinese companies. Against this backdrop, the Office of the United States Trade Representative issued a nearly 200-page report that ultimately provided justification for imposing tariffs on billions of dollars’ worth of Chinese goods by documenting all of these grievances. And it cited China’s Cybersecurity Law, which undergirds China’s review regime, as forcing U.S. firms to submit to ambiguous reviews in the name of “national security” and “cybersecurity.” China’s black box review was a stated irritant for the United States.
The irony was not likely lost on observers in Beijing, then, that last week’s U.S. executive order used flexible language in announcing new powers to block tech transactions or require unspecified extra steps—perhaps even including security reviews—if linked to vaguely defined “foreign adversaries.” The order gives the U.S. government new authority to consider the provenance of a product or service and block transactions that could jeopardize broad public interests. It’s full of open-ended language. For instance, it targets “an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy.” This huge latitude—what, indeed, counts as a catastrophic effect on the digital economy?—gives the government broad discretion, but it also risks mirroring some of the most troublesome features of China’s own regime.
First, both the Chinese regulation and the U.S. order give officials broad authority to identify the scope of their own power. The U.S. order gives the commerce secretary “discretion” to “design or negotiate measures to mitigate concerns” over product security, effectively granting the authority to create an entire system of procedures and rules not set out by the president or Congress. The Chinese regulation says that “the State shall, in accordance with law, identify third party institutions” to “undertake third party-evaluation work,” leaving the players and procedures in this delegated authority up to bureaucrats.
Second, the Chinese regulation and U.S. order both enumerate some specific areas where their review process may apply, but they also include flexible catch-all language that gives officials the ability to move the goal posts based on their interpretation of “national security.” The Chinese black box review may apply when “other risks that may endanger national security” are at stake, while the U.S. powers apply to transactions that “otherwise pos[e] an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
Third, the ranges of technologies or products subject to the two regimes are so broadly defined as to make it hard for many businesses to determine what is covered or reliably safe. The U.S. order says its scope covers “information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” The Chinese system’s scope includes “important network products and services related to national security network and information system procurement.”
In both cases, further regulatory documents could give more clarity. The Chinese regime probably won’t become less opaque soon, but the U.S. order gives the government 150 days to develop policies to implement its objectives. During that time, officials would do well to remember some of the downsides of China’s own attempt to solve the problem of which equipment to trust.
China’s government has spent years developing a conceptual boundary between “secure and controllable” or “independent and controllable” technologies, generally made in China, versus foreign suppliers that cannot be totally trusted—such as the so-called eight guardian warriors of Cisco, IBM, Google, Qualcomm, Intel, Apple, Oracle, and Microsoft that so much of China’s tech ecosystem once relied on.
Huawei’s rise is seen in China as one way to reduce China’s dependency on these foreign giants. Now, the U.S. government is beginning to draw its own line at trusting Huawei. Yet in doing so, it risks going beyond Huawei in ways that appear to parallel Beijing’s own aspirations for a “secure and controllable IT industry system.”
Security and national origin may be related, but they’re not the same thing. In order to accomplish important cybersecurity goals without causing unnecessary confusion or cost for businesses and consumers, the U.S. government should be targeted and transparent in laying out the scope of “foreign adversary”–based IT regulations.
At least some officials seem to favor this tailored approach. Department of Homeland Security official Robert Kolasky reportedly answered industry concerns about “unintended impacts” by saying, “We will look broadly at where there could be elements of risk … but I’m hoping we’ll be able to be narrow.”
In the case of China’s opaque review regime, one of the top concerns among businesses is that its very secrecy gives Chinese officials room to insert politics or corruption into the IT market. Until the implementation of the U.S. order becomes clearer, similar concerns may apply to the U.S. government—especially since the issue of Huawei is so loaded.
The Trump administration has struggled to separate economic negotiations with China from its global campaign against the use of Huawei equipment for next-generation 5G wireless networks. The president has himself undermined official claims that the arrest of the company’s CFO in Canada last year was a pure law enforcement matter and independent from bilateral negotiations, saying: “If I think it’s good for what will be certainly the largest trade deal ever made … I would certainly intervene, if I thought it was necessary.”
The United States needs government attention to cybersecurity commensurate with the risks and threats that come along with advances in technology, and this order can play a part. But if its implementation allows for the appearance or reality of political entanglements, it risks undermining industry and public trust in government cybersecurity efforts far beyond the question of Huawei or China.