Background: Network Security and the Digital Silk Road
Since it was announced in 2013, the Belt and Road Initiative (BRI) has served as China’s premier economic and foreign policy program. As billions of dollars in Chinese investment have poured into road, port, and railroad infrastructure projects across Eurasia and Africa, China has concurrently sought to construct a “Digital Silk Road” (数字丝绸之路) across the BRI network. This digital dimension of BRI focuses on constructing and expanding existing telecommunications infrastructure and promoting exchanges via the establishment of digital marketplaces. The People’s Republic of China (PRC) has supported this effort through partnerships with China-based cybersecurity firms to provide network security for BRI investment recipients.
Until now, PRC efforts to promote cybersecurity as part of BRI have remained a relatively underexplored topic. Nevertheless, it is clear that Beijing views investment in cybersecurity architecture as a cornerstone of infrastructure development in Eurasia. This is demonstrated in a 2018 address in which President Xi Jinping identified network security development as a key component of the Digital Silk Road. Other PRC officials have assessed that network security will play an increasingly important role in BRI development projects, especially as advanced network infrastructure such as smart cities become more prevalent. In order to meet this demand for security, the PRC has sought to encourage China-based cybersecurity firms to “go out” (走出去) and invest in BRI recipient states.
This strategy is laid out in a guidance document published in 2017 by China’s State Information Center (SIC, 国家信息中心) entitled “Leveraging the ‘Belt and Road’ to Accelerate the Growth of Cybersecurity Enterprises in China” (借力“一带一路”加快我国网络安全企业走出去). The document assesses that BRI presents a significant opportunity for China-based cybersecurity firms to expand their overseas presence while noting that such companies are currently hampered by factors such as a lack of international brand recognition and insufficient experience operating abroad. SIC instead proposes establishing “linkage mechanisms” between the PRC government and select cybersecurity companies so that these enterprises can “cooperate and support the [PRC]’s national strategic aims, understand the needs of partner countries, and construct an interactive support architecture between the state and security enterprises.”
Case Study: Partnership Between Beijing Venustech and the Chinese Association for Friendship (CAFF)
A recent initiative undertaken by Beijing Venustech (启明星辰信息技术集团股份有限公司) serves as an instructive case study on the implementation of this public-private partnership strategy. Venustech is currently one of China’s largest and most prominent cybersecurity vendors, and boasts extensive ties with the PRC government. For example, it provides network security services for the municipal governments in Yunnan and Kunming, runs the Tianjin Security Operations Center (SOC), and has worked with both the Ministry of Public Security (中华人民共和国公安部) and the National Administration for the Protection of State Secrets (国家保密局) in developing national network security standards.
In 2018, Venustech signed a “Strategic Cooperation Agreement” with the China Association for Friendship (CAFF, 中国友谊促进会) to promote network security in BRI countries as part of the Digital Silk Road Initiative. CAFF is an institution subordinate to the PRC’s Ministry of Civil Affairs (中华人民共和国民政部), which claims the somewhat nebulous mission of “supporting friendship and mutual understanding between China and the international community,” and has been heavily involved in outreach to BRI partner countries. Moreover, CAFF maintains strong ties with both the CCP and China’s security services. For example, CAFF’s chairman, Chen Zhimin (陈智敏), is the former Deputy Minister of Public Security, and is also a member of the 13th National Committee of the Chinese People’s Political Consultative Conference.
While the details of Venustech and CAFF’s strategic cooperation agreement have not been made publicly available, it appears to have been made with the purpose of expanding Venustech’s presence within BRI partner states. Accordingly, both entities have worked together to expand outreach efforts to BRI countries. For example, in October of 2018 CAFF and Venustech co-sponsored a forum on network security as part of the “Silk Road Business Summit” (2018丝绸之路工商领导人峰会) in Zhangjiajie. The forum brought together more than 500 representatives from BRI participant governments, and featured a keynote address by Chen Zhimin which highlighted the need for network security infrastructure development as part of BRI. The forum also featured a presentation by Mao Weihua (茆卫华), a senior vice president at Venustech, who argued that adoption of privately owned “third-party security solutions” (第三方独立运营) was an ideal model for strengthening network security in BRI member states.
In sum, it appears that Venustech and CAFF’s efforts to co-sponsor the Silk Road Business Summit and other events like it represent a concerted effort to actively court new investment opportunities in BRI partner countries. However, it is important to note that this is not a unique partnership. For example Hangzhou-based cloud security firm DBAPPSecurity Ltd. (杭州安恒信息技术股份有限公司) also signed a similar cooperation agreement with CAFF. Moreover, other firms such as Meiya Pico (厦门市美亚柏科信息股份有限公司) and NSFocus Information Technology Co. (北京神州绿盟信息安全科技股份有限公司) have rapidly expanded their presence in BRI recipient areas. Given the range and scale of these investments, it is highly probable that Chinese cybersecurity firms will play an increasingly outsized role within Eurasia’s future network security infrastructure.
This emerging partnership between Beijing and private Chinese cybersecurity firms will have a significant impact on network security across Eurasia and Africa.
First, it is clear that the PRC seeks to play an extremely active role in helping its indigenous cybersecurity firms rapidly expand their presence abroad. The aforementioned SIC document notes that expansion into BRI marketplaces presents a huge investment opportunity for Chinese network security firms, highlighting potential markets in Pakistan and Laos as opportunities to get in on the ground floor and thus capture as much market share as possible. Assuming that these investments are successful, it is possible that Chinese cybersecurity firms like Venustech will grow to rival other major players such as Kaspersky and Symantec in the global cybersecurity market space.
Second, it is likely that the PRC will leverage its investments in network security infrastructure abroad to evangelize its vision for Internet governance. China has already sought to build support for its vision for internet governance through forums such as the “'One Belt, One Road’ Digital Economy International Cooperation Initiative,” which advocate stronger state controls over the flow of information under the guise of “cyber sovereignty.” Concurrently, as Chinese firms have expanded into Eurasia, they have begun to offer cybersecurity training for military and law enforcement entities in areas like Sri Lanka. Taken together, these instances present a unique opportunity for China to shape institutional network security practices within BRI partner countries at both the national and local levels. In the future, China will undoubtedly leverage these relationships to more forcefully shape the evolution of global cybersecurity standards and norms.
Third, integration of Chinese security software into critical infrastructure across Eurasia could serve as a boon to China’s espionage and security services. In a 2018 report, the cybersecurity firm FireEye assessed that BRI investment would lead to an uptick in “cyber threat activity.” This sentiment was echoed by a Council on Foreign Relations report that surmised that BRI projects could be used as a means for China to insert “backdoor mechanisms” that aid its intelligence services within BRI telecom infrastructure. While it has not been conclusively proven that Chinese cybersecurity enterprises have acted on behalf of the Chinese state, there is ample evidence suggesting that these firms have a cozy relationship with China’s security services. Moreover, under China’s 2017 Cybersecurity Law, all network enterprises (including security firms) have an obligation to provide data and information to Chinese security services if called upon to do so.
In its totality, China’s approach to network security as part of BRI is both ambitious and far reaching. Indeed, as China seeks to change the dynamics of global trade by pouring money into intercontinental transformation infrastructure, it also seeks to reshape the digital economy by investing in telecommunications and cybersecurity architecture. Should these ventures prove successful, it is certain that they will have profound consequences for digital governance writ large.
Kieran Green is a China-focused analyst currently working as a U.S. government contractor. His past professional experiences include time spent working at the Department of Defense, National Defense University’s Center for Technology and National Security Policy, and the Army War College. He holds a BA from Tufts University, where he graduated with a double major in Chinese and International Relations, and is proficient in Mandarin Chinese. You can follow him on Twitter @kgreen42.