As has been widely reported, the central government is starting the process of enforcing its new cybersecurity law, which has been approved by the Standing Committee of the National People’s Congress.
If fully implemented, this new legislation would require firms to localize their data storage within China, and it includes a wide range of new cybersecurity requirements for companies operating across diverse fields. Overall, it would deepen the push toward a “managed” internet in a nation that now represents more than 20% of worldwide web users.
Much, though, remains unknown. For example, the Chinese government has said that it wants to regulate “critical information infrastructure” with this law, but the term is not defined in the statute itself.
This vagueness has drawn the ire of a number of foreign firms, including leading tech companies, in part because even though it is ambiguous, the regulation is also quite broad in scope.
An example of this can be seen in Article 21, which includes a “tiered system of internet security protections” that may be subject to any “obligations provided by law or regulation.”
Meanwhile, Article 28 requires internet firms to assist public security organizations in “protecting national security and investigating crimes” – without defining the crimes or related investigatory obligations that this provision might include.
Similarly, Article 51 allows the government to create “systems for cybersecurity monitoring, early warning, and notification,” which foreign firms will have to execute.
The law is designed to enhance domestic cybersecurity and operationalize the notion of “cyber sovereignty,” which has been a guiding light of Chinese cybersecurity policymaking throughout the administration of President Xi Jinping.
In this way, it is the latest manifestation of a now decades-long debate about the evolution of internet governance, with a central question being: how much control should governments be given over the internet’s core functions?
As such, it is important to view China’s new cybersecurity law in context. Indeed, the notion of “cyber sovereignty” has proponents from a diverse range of nations outside of East Asia. This includes Russia, which has long been a driving force behind the idea of a “managed” internet in which the state plays a large role in ensuring “information security.”
But it also includes the United Kingdom, with Prime Minister Theresa May calling for “internet controls” in the wake of the June 2017 London terror attacks.
Even the US government has not been immune from these calls, with the Trump administration’s strategy for an “America First” approach to international relations. So far, the election of Trump has not led to a change in US support for multi-stakeholder internet governance, but only time will tell if that continues.
What we are seeing then is a wave of domestic and international proposals for a more “managed” internet from a wide array of geopolitical actors that have traditionally been on different sides of the internet governance debate.
How this evolution plays out, and how much Western powers are willing to compromise on the notion of a “global networked commons,” as former Secretary of State Hillary Clinton famously once described the internet, in the name of national security, counter-terrorism, and trade protectionism, remains to be seen.
But if we are to guard against a worst-case scenario of internet Balkanization, in which the global web fragments into a series of heavily state-managed domestic intranets, those who value the multi-stakeholder global platform need to speak up.
Get involved with your local chapter of the Internet Society, or the Internet Engineering Task Force. Speak up in the manner that works best in your particular situation. Only by working together can we continue to realize the benefits of a global internet while enjoying some measure of cyber peace.