On October 26, China’s National People’s Congress passed the Cryptography Law, two years after an initial draft was released in April 2017. Long overdue given the importance of cryptography in cyber and information security, the Law, which will go into effect on New Year’s Day 2020, will bring sweeping changes to existing regulations, with both security and commercial implications. The stated purpose of the Law is as follows: 1) to regulate encryption application and management; 2) to facilitate the development of the encryption industry; 3) to protect network and information security; 4) to safeguard national security and public interest; 5) to protect the legal rights of citizens, legal persons, and other organizations (Article 1).
“Cryptography” in this Law refers to “technologies, products, and services that apply specific transformations to information to effect encryption protection and security authentication.” In other words, the Law deals only with encryption, not decryption. The Law underlines the Chinese Communist Party’s leadership in cryptographic work, which is delegated to the State Cryptography Administration (SCA). The SCA is a single organization bearing two names. When communicating with extra-Party entities, it presents itself as the SCA. However, its Party designation is the Office of the Central Cryptography Leading Group. The SCA’s immediate superior is not the State Council, but the Party Central Committee General Office.
Concerned with cryptography policy formulation, coordination, and implementation, the SCA system runs from the central level to provinces, municipalities, and counties. For an organization dealing with confidential work, the SCA is surprisingly transparent. The SCA headquarters is located at 7 Dianchang road in Beijing’s Fengtai district. The exact locations of its subordinate organizations are available on SCA’s official web-page.
The SCA’s official mandate charges it to: 1) organize the implementation of Party and state guidelines and policies on cryptography, and propose suggestions for solving major problems in cryptographic work; 2) come up with development plans on cryptographic work, draft cryptographic work regulations and be responsible for the interpretation of cryptography regulations, and organize the development of cryptography-related standards; 3) perform lawful cryptography administration duties, manage cryptography research, production, sales, evaluation, and application, investigate and deal with leaks of confidential cryptography-related information, investigate illegal development and use of cryptography, and be responsible for cryptographic work relating to foreign entities, provide overall leadership in cryptographic work; 4) handle the planning and management of cryptographic systems in networks and information systems, in addition to planning, building and managing [China’s] national cryptographic infrastructure; and 5) guide professional cryptography education and exchange, organize education and training of professional cryptographers, and guide research and exchange of basic cryptography theory and applied technology at institutions of higher learning, scientific research institutions, and academic organizations.
With that being said, the SCA will be the main organization behind the Cryptography Law’s implementation.
National Security Implications
The Cryptography Law identifies two categories of encryption relating to national security: “core” and “ordinary” encryption. China’s State Secrets Law classifies confidential information into three levels based on potential harm to state security and national interest. The three levels are “secret” (would cause harm if disclosed), “highly secret” (would cause serious harm if disclosed), and “top secret” (would cause extremely serious harm if disclosed). While core encryption protects all three levels, ordinary encryption only protects the secret and highly secret levels.
Although not explicitly mentioned in the Cryptography Law, the National Administration for Protection of State Secrets (NAPSS) will likely work closely with the SCA in the area of national security-related cryptography. Another organization with two names (its Party designation is the Office of Central Secrets Protection Commission), the NAPSS, like the SCA, reports to the Party Central Committee General Office and is tasked with protecting state secrets and classified information outlined in the State Secrets Law.
The Cryptography Law’s section on core and ordinary encryption shows the state’s strong interest in building well-regulated encryption systems for national security protection. The Cryptography Law demands all organizations involved in core and ordinary encryption development, production, service, assessment, installation, application, and erasure to abide by law and regulations and strengthen management systems in order to safeguard the security of core and ordinary encryption. The Law also stipulates that all national security information transmitted through wired and wireless communications and information systems that store and process national security information must be encrypted with core and ordinary encryption and security authentication (Article 14). Likewise, the Law called for the establishment of early warning, risk assessment, communications, and emergency response systems to jointly and efficiently support core and ordinary encryption systems (Article 17). Moreover, Article 18 specifically calls for the establishment of “management systems for the recruitment, selection, security clearance, assessment, training, wages and benefits, rewards and punishments, professional exchanges, and discharge of personnel working with core and ordinary encryption” — possibly indicating an imperfect personnel management system at present.
Section 3 of the Cryptography Law deals specifically with commercial encryption and has a comforting undertone. Article 21 embodies the amiable sentiment by expressing state support for commercial encryption research and development, academic exchange, transformation of research achievements, and promoting product application. Furthermore, the state will play a role in ensuring the commercial encryption market system is uniformed, open, competitive, and orderly. All entities, foreign or domestic, involved in the research and development, production, sales, service, import and export of commercial encryption will be treated equally under the law without discrimination. In fact, foreign investment in commercial encryption is encouraged. All cooperation between foreign and Chinese entities regarding commercial encryption will be voluntary. Forced transfer of commercial encryption technology using administrative means is forbidden under the Cryptography Law. Article 31 forbids the SCA and relevant organs from demanding source codes and proprietary information from organizations that employ, inspect, and certify commercial encryption products. Likewise, state organizations must keep confidential all trade secrets and private personal information learned while conducting official duties.
It is no wonder the price of bitcoin surged over the weekend in reaction to the new Law and Chinese President Xi Jinping’s speech supporting blockchain technology. I would say this is precisely China’s intention in producing an open-for-business-type law regarding commercial encryption, especially after years of standing against cryptocurrencies. Critical to information security, the importance of commercial cryptography will only increase as time goes on. As part of China’s strategy to offset pressure from the trade war, taking an open stance on this issue has wide implications in stimulating technology, finance, and virtual currency sectors that would benefit China’s slowing economy.
However, we must keep in mind that benefits do not naturally flow toward foreign firms. Article 9 of the Law says the state will “encourage and support research and application of cryptographic science and technology… Cultivate teams of cryptography professionals, and award organizations and individuals who made significant contributions in cryptographic work.” A nationwide campaign will be launched to increase awareness and understanding of cryptography among citizens, legal persons, and organizations. In other words, there will be renewed state initiatives to build up China’s indigenous capability in developing cryptography products and ensure Chinese corporations gain a competitive edge in research and development.
Although the Cryptography Law has provided answers to many questions, more information is needed in a few areas. First of all, as one Chinese analyst points out, in an age of facial and iris recognition, the Law skipped over biometric encryption entirely. Second, the Law focuses wholly on encryption, missing decryption, the other leg of cryptography. Third, one cannot help but wonder how much state interference is expected for a foreign entity engaged in commercial cooperation with a Chinese entity employing core or ordinary encryption. Fourth, China’s National Security Law and National Intelligence Law put the state in a strong position in demanding sensitive information from individuals and organizations under the pretext of national security needs — how will that square with the business-friendly orientation of the Cryptography Law? Fifth, Article 43 indicates the Central Military Commission will develop cryptography regulations for the People’s Liberation Army and People’s Armed Police based on the Cryptography Law. This engenders the question of how military and Armed Police cryptography regulations will differ from the civilian version and what will be the national security and commercial ramifications.
In sum, China’s Cryptography Law struck a conciliatory tone on the commercial end of things with the intention to boost Chinese economy with foreign investment and engagement. However, the Law also reveals an existing security gap in China’s cryptography apparatus that needs regulation. In the near future, cryptographic systems in the national security realm will be more regulated and professionalized. Greater cooperation between foreign and Chinese entities in cryptography research and development is expected, yet we must also anticipate additional Chinese state support for domestic cryptography enterprises to become more competitive.
Zi Yang is a Senior Analyst with the China Program at the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University, Singapore. Follow him on Twitter @ZiYangResearch.