International Governance Process in Cyberspace Examined from the Perspective of the Global Initiative on Data Security

By Zhang Li

On September 8, 2020, the International Seminar on Seizing Digital Opportunities for Cooperation and Development organized by the China Internet Governance Forum was held in Beijing. At the seminar, Chinese Foreign Minister Wang Yi put forward the Global Initiative on Data Security (hereinafter referred to as the Initiative), which has received high attention from the cybersecurity communities at home and abroad. At the invitation of the organizers of the Forum, the author made a brief comment on the Initiative under the title “Examining International Cyberspace Rules from the Perspective of the Global Initiative on Data Security”. The Initiative represents a major move in international governance and diplomacy in cyberspace. It shows that under current situation, China conforms to the trend of the times, keeps up with the developments in cyberspace and digital technology, and shoulders its responsibilities, thus leaving a deep mark in process of international cyberspacegovernance.

I. The Initiative reflects China’s position of upholding international cooperation oncyberspacegovernance.

At present, the scientific and technological revolution and industrial transformation, driven by the new generation of Internet and information technology, is in full swing. Data, widely regarded as a factor of production, concerns personal privacy, economic performance, social management and national security.Without information and communication technologies (ICTs), globalization would not have come this far. Data has never been so important. However, from the perspective of international relations, sovereign states are still the most important actors in human society. National security and national interests are concentrated in cyberspace like never before. That is why governments put great emphasis on data security.How to protect itsown data while making data rules and ensuring the safe, reasonable, free and orderly flow of data to develop the digital economy and improve social governance is an important issue for countries in cyberspace and in the information age.

Cyberspace is often called “the fifth space” by academics to set it apart from land, sea, sky and outer space.In fact, with the setup of satellite Internet, the Internetnow covers and penetrates into the four traditional domains, which are connected by various networks, constantly transmitting all kinds of data and information that are essential to the production and life of human society. Such a new normal is seen as an unprecedented, fully-connected cyberspace, which is of great strategic significance.The digital technology, the core technology of cyberspace, has become a new perspective and way for human beings to understand, use and transform nature.In recent years,data, which is the key element of digital technology, has been growing exponentially.

As dictated by technological development and required by globalization, the most optimal state would bethe unimpeded free flow of data around the world.However, the wrestling in international politics points to a stark reality. As revealed by Snowden, the US, a front-runner in cybertechnologies, carries out ubiquitous Internet surveillance around the world. It has provoked an arms race in cyberspaceand suppressed other countries by any means on trumped-up charges. Without any evidence, the US still imposed sanctions on Chinese IT companies on “national security” grounds. As anyone with a sense of justice would recognize,the rogue actions of the US go against the spirit of the Internet, damages the strategic stability and mutual trust among all parties in cyberspace, and pushes cyberspace to the brink of division.At the end of 2019, the annual meeting of the Internet Governance Forum, one of the most important annual eventson global Internet governance,was held in Berlin, Germany. A German scholar submitted a paper entitled “One World, Two Visions, Multiple Nets” to the conference, and invited comments from government delegations and international organizations like the International Telecommunication Union(ITU).The heated debate sent Internet professionals into deep concerns. In 2020, the US has pursued extremely crazy actions in cyberspace. US Secretary of State Mike Pompeo launched the “Clean Network”Program against China, which sent shockwaves across the globe.In fact, the so-called “clean” policy adopted by the US is nothing but an out-and-out anti-globalization moveto disrupt cyberspace and the global industrial and supply chain. It goes against the trend of the world.

As all parties have noticed, the European Union has launched judicial and anti-trust investigations into American IT giants on data security issues, and has imposed penalties.Threatened and incited by the US, many European countries followed the footsteps of the US and unjustifiably suppressed and pushed out Huawei and other Chinese IT companies on “national security”grounds. As a result of the COVID-19 pandemic that has continued unabated since the beginning of 2020, dialogues on international cooperation on cyberspace governance has stalled. Confrontation and tension in cyberspace is widespread. It is against this background that China, as an advocate of globalization, made its position clear that in the context of closer international cooperation on division of labor, ensuring the security of the supply chain of IT products and services is of vital importance for enhancing user confidence, protecting data security, and promoting the development of digital economy. Therefore, the Initiative cannot be more relevant.

The Initiative calls on all countries to lay equal emphasis on development and security and work out a balance between technological progress, economic development, national security and public interests, and encourages countries to maintain an open, fair and non-discriminatory business environment and promote mutually beneficial and common development.At the same time, countries have the responsibility and right to protect the security of important data related to their national security, public security, economic security and social stability as well as personal information.

The launch of the Initiative is a solid step taken by China to uphold the larger interests of international cooperation in cyberspace governance. Governments, international organizations, IT companies, technology communities, civil society organizations and individuals should follow the principle ofconsultation and sharing, make concerted efforts to follow up on the Initiative, and provide solutions for maintaining data security and promoting the safe and orderly flow of data around the world.China hopes to take the launch of the Initiative as an opportunity to promote communication and deepen dialogue and cooperation on the basis of mutual respect, and jointly build a peaceful, safe, open, cooperative and orderly community with ashared future in cyberspace.

II.Observations on the Initiative.

The Initiative includes eight key paragraphs, the first six of which deal withstates, while the latter two are aimed at companies.Each paragraph is targeted with a clear focus on the priority and difficult issues facing governments and multinationalsin recent years in digital economy, cross-border flow of data, security of industrial and supply chain, cyber security, individual privacy protection, and data security.

Paragraph 1: “States should handle data security in a comprehensive, objective and evidence-based manner, and maintain an open, secure and stable supply chain of global ICT products and services.” That is to say, concerns about data security issues should be based on facts. Technologies should not be politicized. Charges should not be fabricated out of thin air. National security should not be abused to point fingers at and suppress companies.The global supply chain of IT products and services is the natural result of specialization and cooperation among countries over many years of globalization. States should ensure the security of the supply chain with a cooperative attitude, an open spirit and a scientific approach, instead of disrupting and undermining the integrity and stability of the supply chain under the pretext of “national security”.

Paragraph 2: “States should stand against ICT activities that impair or steal important data of other States’ critical infrastructure, or use the data to conduct activities that undermine other States’ national security and public interests.” This paragraph not only responds to the concern of the international community on the security of critical infrastructure, but also takes into account the concerns and interests of different countries on cyberattacks and infiltration that endanger national security and public interests.For example, developing countries are worried that countries that are strong in Internet and IT will interfere in other countries’ internal affairs by means of Internet technologies; and developed countries do not want their election facilities to be impaired by cyber attacksand public opinion to be manipulated by false information.

Paragraph 3: “States should take actions to prevent and put an end to activities that jeopardize personal information through the use of ICTs, and oppose mass surveillance against otherStates and unauthorized collection of personal information of other States with ICTs as a tool.” This is a response to the international community’s call for the USto stop cyberbullying and surveillance against other countries after Snowden revelations. It also highlights the sensitive issue of “unauthorized collection of personal information of other States”, to urge multilateral parties pay attention to this risk.

Paragraph 4: “States should encourage companies to abide by laws and regulations of the State where they operate. States should not request domestic companies to store data generated and obtained overseas in their own territory.” This paragraph responds to some countries’ concerns and doubts about where the data generated by Chinese companies in their overseas operations hasgone and is stored. It also lays down clear requirements on how foreign companiesshould deal with data when they operate in China.It sets the basic direction and principles for companies ofall countries to deal with data when they operate internationally.

Paragraph 5: “States should respect the sovereignty, jurisdiction and governance of data of other States, and shall not obtain data located in other States through companies or individuals without other States’ permission.” This paragraph once again explains why China has not joined the Convention on Cybercrime, also known as the Budapest Convention. It boils down to China’s deep concern about cyberspace sovereignty, judicial independence, jurisdiction, and data security management rights.

Paragraph 6:“Should States need to obtain overseas data out of law enforcement requirement such as combating crimes, they should do it through judicial assistance or other relevant multilateral and bilateral agreements. Any bilateral data access agreement between two States should not infringe upon the judicial sovereignty and data security of a third State.” This paragraph is very important, as it responds to some countries’ doubts and lack of understanding about how China conducts international cooperation in combating cybercrime without joining the Convention on Cybercrime, and also provides specific judicial methods and paths.

Paragraph 7: “ICT products and services providers should not install backdoors in their products and services to illegally obtain users’ data, control or manipulate users’ systems and devices.” This is a warning to providers ofICT products and services. One set of key words is not to “install backdoors”, and the other is “illegally obtain, control or manipulate”. This paragraph is highly practical and targeted.

Paragraph 8:“ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products, nor force users to upgrade their systems and devices. Products providers should make a commitment to notifying their cooperation partners and users of serious vulnerabilities in their products in a timely fashion and offering remedies.” This paragraph is also aimed at providers of ICT products and services, and underscores the issue of“dependence” and“forcing users to upgrade”and the obligation to provide information on product vulnerabilitiesin a timely fashion and offer remedies.

These eight paragraphs are not only China’s proposals, but also conform to the content and spirit of various bilateral and multilateral rules and regulations that have been reached by all parties under the framework of the United Nations and other mechanisms.Adhering to the spirit of openness and cooperation, the Initiative calls on countries to support and confirm the Initiative through bilateral or regional agreements, urges the international community to reach international agreements on this issue on the basis of universal participation, and welcomes global ICT companies to support the Initiative.

III. Current international cyberspacegovernance  through the lens of the Initiative.

The greatest significance of the Initiative lies in its response to the concerns of the international community on data security. And data security governance is only one of the many issues in the process of internationalcyberspace governance. Therefore, the Initiative is only the very first step in a long journey.

There are three main topicson international cyberspacegovernance. First, the basic approach to cyberspacegovernance: a laissez-faire approach or law-basedregulation;Second, the basic position on cyberspace security:to maintain peace and stability, or to deter, preempt, and even provoke conflicts and wars;Third, the basic proposition on the mechanisms of international cyberspacegovernance: all countries share and govern together on the basis of equality, fairness and justice, or let power and might speak and hegemony prevail. Many issues have stemmed from the three main topics and call for urgent solutions.

1. How to define cyber sovereignty and, on that basis, interpret a State’s jurisdiction, independence, equality and self-defense rights in cyberspace?

2. How do the current international laws apply to cyberspace? Can they be copied in cyberspace? Or is there a need to make new laws and rules?

3. How can countries reach consensus on urgent issues such as data security and regulation on cross-border data flow as soon as possible?How to understand the “data sovereignty” proposed by European countries?Can “data property rights” be used to resolve disputes and conflicts?

4. How to bridge the emerging new digital divide?

5. How to ensure the security and integrity of the global IT supply chain in the context of intensifying competition between major countries?

6. How do countries protect citizens’ privacy and human rights in cyberspace?

7. How to track the source of cyberattacks in a credible way, so as to avoid cyber warfare and cyber conflicts between countries and combat cybercrimes and cyber terrorism?

8. How to define the “threshold” of cyber warfare and how to conduct crisis management cooperation for major cyber emergencies?

9. How to cooperate on regulating the new, important sectors in the future (AI, blockchain, digital currency, quantum technology, new generation Internet, etc.)?

Thanks to the joint efforts of all countries, great achievements have been made in international cooperation in cyberspace governance in recent years.In June 2013, after three rounds of meetings, the United Nations Group of Governmental Experts  on Information Security (GGE), composed of 15 countries, unanimously agreed to “cooperate to create a peaceful, secure, flexible and open ICT environment”, and reached consensus on the norms, rules and principles of responsible state behavior, confidence-building measures and capacity building, and put forward recommendations.From 2014 to 2015, the GGE composed of 20 countries completed its mission and made significant progress. Unfortunately, in 2017, despite China’s great efforts and sincerity, the new GGE failed to reach an agreement in New York.At present, the newly formed GGE has adopted the “dual-track approach”, hoping to overcome the impact of the pandemic and the competition between major countries and make real progress.

However, Western countries, led by the US, have dominated rules making based on their leading positions in cyberspace.On April 11, 2017, the G7 Foreign Ministers’ Meeting in Italy issued the Declaration on Responsible State Behavior in Cyberspace, which put forward 12 norms on responsible state behavior in cyberspace, trying to establish rules in cyberspace that are consistent with Western values and further enhance their say. This is a characteristic move taken by the US and the West.

On the other hand, with the rise of emerging countries and the active engagement of the “third force”, namely international organizations, NGOs, businesses and civil society, on cyber issues, cyberspace has been diversified, polarized, and decentralized.Some IT companies began to speak out and come to the fore oncyber diplomacy and governance. A case in point is Microsoft.On February 14, 2017, Microsoft Vice President Brad Smith called for the formulation of a Digital Geneva Convention at the RSA Cyber Security Conference.At the 2018 RSA Conference, Microsoft officially put forward the so-called “Four Principles”.

At the same time, the discussions and research results by some experts onthe Tallinn Manual, as well as the report of RAND Corporation, an American think tank, on the establishment of a “global tracking alliance” all deserve close attention.From 2017 to 2019, I was invited to participate in the “Global Commission on the Stability of Cyberspace”made up of international celebrities. In the Commission, experts provide recommendations for countries to establish rules and regulations in cyberspace.After more than two years’ efforts, the Commission released the final report Advancing Cyberstability on November 12, 2019, based on the series of achievements it had made. The report proposes a framework for cyber stability, four principles, eight norms, and six recommendations. Looking back, I am fully aware that the lack of cybercapabilities, inadequate understanding, huge gap in input, among others, have prevented China and other developing countries from having a bigger say in cyberspace.

At present, forces in cyberspace are being reshuffled, with unfolding confrontation, competition, cooperation and dialogue.To promote and build an international order in cyberspace, effortsshould be made inthe following three respects.

First, there must be internationally accepted values in cyberspace. On this point, the community with ashared future in cyberspace and cyber sovereignty put forward by President Xi Jinping at the World InternetConference in December 2014 constitutes the cornerstone of China’s vision for cyberspace governance.Moreover, China has introduced the position paper and initiativeJointly Building a Community with aShared Future in Cyberspace, and published the concept document ofSovereigntyin Cyber: Theory and Practice and its upgraded version.

Second, there must be institutional arrangements. China is committed to working with the international community, upholding the principle of multilateral cooperation, and promoting relevant processes with the United Nations framework as the main channel and platform.
Third, there must be basic norms.The parties involved need to reach consensus and solutions topriority and challenging issues, such as data security, cross-border data flow, intellectual property protection, theft of commercial secrets, cyber espionage, cyber attack, cyber warfare and cyber crime.

COVID-19 has interrupted international exchanges in cyberspace and held back cooperation and dialogue on international cyberspace governance.Looking to the future, in the face of the increasing tensions on international cyberspace governance and diplomacy, China should follow through onPresident Xi Jinping’s vision for a community with ashared future in cyberspace, and seek cooperation to the fullest extent to maintain peace, security and stability in cyberspace.If China wants to make a difference, it must strengthen itscyber capabilities, safeguard its own interests in the process of formulating international rules on cyberspace, and ensure the Internet and information technologies benefit the entire humanity.

Zhang Li isVice President and Research Fellowof China Institute of Contemporary International Relations.