China's Pursuit of Public International Cybersecurity Law Leadership

By Anthony Rutkowski

There are relatively few venues today for the development of public international cybersecurity law among Nation States. One was the United Nations Group of Governmental Experts (UNGGE) at which the U.S. several months ago announced its de facto withdrawal with some concern expressed. A much older, well-established venue is newly assuming considerable significance — the Expert Group on the International Telecommunication Regulations (EG-ITRs). The EG-ITRs activity has the ability to shape the evolution of public international cybersecurity law that has existed over many decades to which most of the nations of the world accede and generally abide by. Indeed, within that treaty provision ensemble, it was the 1988 version of the ITRs that enabled datagram internets to be lawfully implemented across borders globally when the provisions came into effect in July 1990.

China has rarely undertaken a role in developing public international cybersecurity law over the many years the provisions have existed. Only once did it submit a formal proposal — fifteen years ago to the 2002 Plenipotentiary Conference where it introduced a resolution concerning "rapid Internet growth [that] has given rise to new problems in communication security." Thus, a China formal submission to the upcoming third EG-ITRs meeting on 17-19 January 2018 in Geneva is significant in itself.

Furthermore, what China did submit represents a cogent, visionary focus on the key challenges of cybersecurity today, and it deals with the most critical issues facing every nation. Additionally, the participation from China in the EG-ITRs includes knowledgeable senior staff from its key Ministry of Industry and Information Technology (MIIT), with a supporting submission from China Telecom.

The action suggests that China seems now willing and able to assume leadership in the evolution of public international cybersecurity law. The step is also bolstered by its investing more resources globally in collaborating on related technical specifications in multiple international industry activities than any other nation over the past decade.

The principal focus of the China EG-ITRs submission is cybersecurity — with so-called Over the Top (OTT) virtual services as the prime example. China notes that "the safety and security of the world telecommunications/ICT networks have become a global concern in respect of sovereignty, security and development interests of all nations." It goes on to observe that "there's a severe lack of [public international cybersecurity law] relation to the governance of the international telecommunications/ICT network security."

The OTT exterritoriality example that China chose is compelling. OTT implementations present some of the most difficult public international law challenges today because they enable any arbitrary party from outside a Nation State's jurisdiction to autonomously engage in an unfettered array of network-based actions within that Nation State, including deployment of software agents and management of IoT devices. Some of those actions are commercial in nature or otherwise benign, albeit within the remit of most countries to control as public offerings. Other actions are frequently criminal and cause significant harm on remote systems or devices through malware.

OTT implementations through encrypted tunnels — which frequently occur — are especially problematic. The concern was underscored by statistics provided at a recent international meeting in Singapore by a leading cybersecurity vendor which noted that half of all the attacks today are implemented using these methods. New OTT vendor transmission protocols like QUIC and Transport Layer Security 1.3 exponentially exacerbate the cybersecurity challenges and expand the threat surface. The encrypted OTT attack vectors include recent Russian meddling in the U.S. national elections highlighted by the U.S. Director of National Intelligence.

Looking ahead, the real ultimate "new trend" is the implementation of fully virtualized NFV-SDN architectures across national borders. Massive industry efforts occurring worldwide to bring this about are coming to fruition. Initial mobile network 5G implementations partially using NFV-SDN have been introduced. The platforms enable entire virtual network architectures of multiple datagram internets to be orchestrated from cloud data centers and altered at-will using temporary addresses among any desired endpoints. However, nations will be reticent to allow the orchestration of these capabilities across their national borders from other nations without effective public international cybersecurity provisions. The alternative is complete Balkanization where NFV-SDNs are only allowed domestically which transnational providers would be forced to replicate repeatedly in each national jurisdiction. The stakes here are high for the enormous number of major industry participants. China seems to be positioning itself to take leadership in facilitating the global NFV-SDN marketplace through enabling public international cybersecurity law. The step is measured and visionary by any measure - in a world where multilateral solutions and knowledgeable leadership are badly needed.

By contrast, at the same third meeting of the EG-ITRs, the U.S. position is a traditional one over the past two decades - rejecting "the rationale for a treaty addressing [the provision and operation of international telecommunication services and the] potential effects." It further eschews any treatment of "new trends" asserting that doing so would "render [the provisions] obsolete."

The problem here is that cybersecurity is not exactly a "new trend," nor are many of the basic network developments underway worldwide. A position of doing nothing is untenable for many reasons. International telecommunication via networks in different national jurisdictions is under absolute sovereign control of those jurisdictions. Transporting traffic to and from endpoints in different countries inherently requires global cooperation. Every nation has a sovereign right to inspect and stop foreign communication traffic — the very first public international cybersecurity provision agreed when the first networks were interconnected in 1850 and reaffirmed at every treaty conference since. Over the decades, stable, enduring public international cybersecurity law has grown in importance — especially in today's interconnected global information-based economy. Transnational providers of network-based services today are vitally dependent on effective public international law arrangements that enable providers to engage in their own commercial agreements to transport and terminate traffic.

The obliviousness to new trends position of the U.S. seems unlikely to head off further dialogue on essential new public international cybersecurity law, and stands in stark contrast to pleas by major global IT enterprises like Microsoft at international forums calling for a Digital Geneva Convention on cybersecurity to facilitate the global market for their increasingly data centre based offerings.

The U.S. views on public international cybersecurity law and facilitating intergovernmental organizations like the International Telecommunication Union (ITU) are extremely varied and have witnessed wild swings over the decades. Even today, the U.S. strongly supports radio-related, mass media, and transport layer security activities while depreciating those dealing with telecommunications and datagram internets. The latter views largely arose from a U.S. strategic decision in the 1990s to abandon its previous support for secure OSI internet platforms and facilitate the DARPA internet ones in an unfettered global marketplace. Stable, enduring global multilateral venues like the ITU were abandoned and the obligations ignored in the process.

History shows that many of the key existing public international cybersecurity law provisions were first articulated and significantly advanced by the U.S. after both World Wars, as well as when they were essential to introducing new global communication platforms. Indeed, after the Harding Administration rejected such provisions in the early 1920s for the new global cybersecurity challenges of radio communication, the Herbert Hoover Administration completely reversed course near the end of that decade and led the world to institute innovative cybersecurity treaty provisions and the subsequent creation of the ITU.

Times change. Today, the virtualization of network infrastructures represented by OTT offerings and NFV-SDNs, together with exponential IoT device proliferation, are rather dramatic developments from an international cybersecurity law perspective. However, they are quite similar to challenges once faced with the introduction of global radiocommunication internets a century ago. That technology enabled the orchestration of virtual networks anywhere in the world that were capable of causing significant harm in other national jurisdictions. The creative, necessary public international cybersecurity legal solutions developed then may well be applicable today. In any case, effective solutions are essential today.

The pursuit of a leadership role in public international cybersecurity law by China today is one once manifested by the U.S. to facilitate the global introduction of new technologies. Doing nothing is not really an adequate answer, and bilateral agreements among 193 countries or inventing another body to accomplish the same objectives are arguably even worse avenues. The U.S. and its allies, as well as major industry representatives, should take a fresh look at the institutional options today. Evolving existing enduring multilateral law and institutional mechanisms seem like a pragmatic and sensible step.

China's closing metaphor on emerging public international cybersecurity law seems chosen to describe a long-term leadership role in international cybersecurity law with unusual, elegant poetry at the end of its submission. "China believes, the whole process will go forward continuously like a wave on the sea, high and low at different times, but it will make progress along with the new telecom development trends, and it will, of course, pave the way for the good development and security of the telecom industry..."

By Anthony Rutkowski, Principal, Netmagic Associates LLC
