- CHINA LAW BLOG - Oct 12, 2020 -
This is the second in a multi-part series on China cybersecurity. The series stems from a recent webinar at which I discussed cybersecurity in China. To watch that webinar, go here. To read Part 1 of this series, go here. Part 1 described the cybersecurity situation in China. This Part 2 explains why cryptography is not a solution and then looks at the Golden Tax Malware Program as an example of CCP malware.
IV. Cryptography is not a solution.
The PRC National People's Congress enacted the long-awaited Encryption Law (密码法), which came into effect on January 1, 2020. The official text of the law can be found here and an English language summary can be found here.
Cryptography is a key technology that will be used to achieve the goals of the comprehensive cybersecurity program. Normally, cryptography is used to protect the confidentiality of information transmitted over and stored on networks. But its use presents the Party with a dilemma: the same cryptography that hides information from the general public can also be used to hide information from the government itself. The Chinese government is therefore faced with the question of how it can require cryptography while still maintaining its own open access to the network system.
The Law divides encryption into three categories: core, common and commercial. Core and common encryption are intended for systems that transmit and store PRC state secrets. Commercial encryption is intended for business and private use. Foreign encryption systems can be sold in China if approved and certified through a certification system that has not yet been described. Use of encryption will be subject to the provisions of the Cybersecurity Law and the associated MLPS 2.0 regulations (Article 26). The State Cryptography Administration (SCA), an office of the CCP, will have authority to monitor and inspect implementation and use of the cryptography system (Article 31).
This three-class system ignores the way cryptography is normally implemented. The most important cryptography systems are not commercial systems. Most systems are based on the GNU Privacy Guard system. This is a completely open system: the source code is generally available to the public, and you can download it here. It is not conceivable that the organizations that offer PGP systems will cooperate with the PRC government in obtaining review and certification of their products, when the whole point of these PGP systems is to allow companies and individuals to hide their information from the government. Cooperation with any government would be contrary to that principle.
This then leads to the first question under the new Law. Most cryptography systems are freely downloadable as open source systems. The PRC government is free to examine the source code used to implement PGP and related open source systems. The real issue is whether the PRC government will allow companies and persons who operate in China to use PGP and related systems, given that these systems will NEVER be submitted to the PRC government for review and approval. If the answer is no, then the entire set of provisions for foreign encryption systems is meaningless. If the answer is yes, then the designation "commercial" has no meaning.
This then leads to the most important issue. Cryptography techniques are not secret. The most important algorithms are public and available to anyone to use. Governments know exactly how the algorithms work, because governments have been the inventors of most of these algorithms. The Cybersecurity Law's focus on cryptography products is nothing more than a head fake. What is critical in cryptography is not protection of the cryptography algorithm; what is critical is protection of the key that allows decryption of the encrypted message or data.