The US “Clean Network” Risks Undermining a Rules-Based Tech World

The new technological Cold War between the United States and China threatens to divide the world into rival blocs, says David Morris of the UNESCAP Sustainable Business Network. It is not just about a choice of phone company or short-video app and it is more than a battle for or against Huawei or TikTok. Fears of global espionage and cyberattacks will disrupt supply chains and undermine international cooperation. At stake is who sets the rules for the communications, data and artificial intelligence-driven networks of the future.

As its strategic and technological competition with China heats up, the US is constructing a “Clean Network”. According to the State Department, this is a “comprehensive approach to safeguarding the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party”. But creating a “sanitized” tech space is not proportionate risk management. This strategy fancifully assumes that adversaries will relent and stand down, letting the US and those in its trusted network prepare for the challenges of an interconnected world. And in the meantime, it threatens the very rules-based order that the US led efforts to construct.

In 2012, Australia was the first country to fire a shot in the emerging tech war when it banned China’s Huawei Technologies from participating in the buildout of the country’s broadband network. Six years later, Canberra blocked Huawei and ZTE, another Chinese telecommunications firm from bidding to supply technology for Australia’s wireless 5G network. It based its decision on an assessment of potential cyber threats to critical infrastructure. The prime minister at the time, Malcolm Turnbull, sent the Australia-China relationship into a tailspin, warning that it was not just the theoretical capability of a cyberattack that made Huawei a threat but that “intent can change in a heartbeat”. Australia, which had benefited so richly from its trade and investment relations with China, had determined that, for national security reasons, it could not trust Chinese companies, a decision that signalled the deepening of systemic distrust of Beijing among the US and its allies.

Huawei had long been suspected by the US national security establishment of facilitating espionage. (In 2012, the US House of Representatives’ intelligence committee, identified Huawei and ZTE as threats to American national security.) The Shenzhen-based company has repeatedly denied the claims and, indeed, no evidence of espionage has been presented. Nevertheless, China does have national security legislation that could be wielded to force the hands of its firms, as indeed does the US. Intelligence analyst-turned-whistleblower Edward Snowden, who took refuge in Moscow in 2013, documented in detail American espionage and surveillance programs and techniques.

But the tech war is about more than spying: the risk of sabotage, as raised by Australia, after suffering a series of cyberattacks on major institutions, elevated the threat scenarios to a new level. Washington soon followed Canberra in blacklisting Huawei. It then went further, funding “rip and replace” removal of Huawei equipment from US networks and leading a campaign of extraterritorial economic coercion to pressure countries to shun Huawei’s products and services, thereby depriving the Chinese multinational of key customers. The US has also pressured chipmakers to stop supplying Huawei with semiconductors. Taiwan’s TSMC has confirmed that it ceased further shipments to Huawei in the middle of September.

The paradox Is that, in the rules of engagement of this new tech war, evidence of malicious cyber activity is not required to trigger restrictions or punitive measures. Just naming the risk is enough. In the absence of trust and international cooperation, simply being unable to invalidate worst-case scenarios is all that is needed to raise the threat level. In a deteriorating geopolitical climate, in which confrontation may possibly escalate into conflict, it is of course rational for decision makers to guard against cyber-risks. In a world of devices connected to instant global flows of data through impossibly complex networks, the potential for any state (or other actor) to weaponize its technological assets is, to be sure, a risk that must be mitigated.

TikTok and WeChat are the latest to be cast as cyber risks in the US, and now attention is being turned to DJI, which dominates the US and global market for drones. In the new US-China tech war, risks are potentially everywhere, and the next target could be electric cars, or cloud computing, or artificial intelligence, or data networks. For businesses and economies that are interdependent with Chinese supply chains there is a new generation of geopolitical risks that could become the next phase of US attention.

Meanwhile, the US has given a name to its campaign against Chinese tech, with the US Secretary of State, Mike Pompeo, recently unveiling his vision for a decoupled Clean Network. The proposal is for an alliance of “trusted” countries and companies, committed to removing “malign actors” from their cyber supply chains. Washington is not pulling any punches. This has all the hallmarks of a full-blown US campaign to undermine the legitimacy of China as a leader or even competitor in the global race for tech dominance. Critics claim Beijing has brought the world’s distrust upon itself with its deepening authoritarianism and more assertive international posture, as well as exporting its surveillance tech to countries along its so-called “digital silk road”.

But where does the Clean Network take us? How will taking over TikTok, banning WeChat, and carving the tech world into rival zones of geopolitical power make Americans and their allies safer? It might simply lead to heightened cyber competition with China that results in a victory for Beijing in the long run. There might be other, more prudent ways to manage risks. Meanwhile, undermining international cooperation creates its own uncertainties, not to mention the risks of unwinding globalization itself and ushering in a new law of the jungle.

The problem is that new cyber risks have emerged faster than our capacity to address them. Not only are national governments lacking the technical means to manage risks, but also there is a critical gap in global rules applying to the cyber world. In most other complex systems with critical risks, such as food supplies and aviation, the world has managed to come to agreement on basic rules, norms, standards and enforcement measures for most, if not all, players to be satisfied that risks are minimized and manageable. Multilateral cooperation is coordinated by a single body such as the Food and Agriculture Organization (FAO) or the International Civil Aviation Organization (ICAO). National governments have accordingly built technical capacities to match global standards. But the world is not ready for the challenges of coordinating a sector as complex and diverse as new tech.

During the past three decades, as the predominant global power, the US has failed to establish rules for new tech. Indeed, in the first phase of the digital revolution, when huge US firms held monopoly power, Washington fiercely resisted the development of global rules for data or communications. Now, as China flexes its muscles and proposes new forms of global governance, with its own concept of cyber sovereignty in mind that allows countries to control data within their borders, the whole concept of global cooperation is dismissed as naïve.

Yet the most sophisticated approach to govern new tech can be found in the elaborate set of laws, rules and standards set by the European Union (EU) that apply at least to its 27 member states. The EU’s comprehensive Cybersecurity Act, General Data Protection Regulation (GDPR) and Directive on Security of Network and Information Systems provide a strong model at a regional level for what could surely be developed, with some more constructive leadership, at a global level. Risks can emerge from anywhere (including rogue individuals or other non-state actors) so a risk-management strategy that is blind to suppliers, with layers of monitoring and testing for vulnerabilities, as well as system resilience and robustness, is more likely to prevent security risks than a one-eyed geopolitical approach.

Washington’s so-called Clean Network, seeking to isolate and contain Chinese tech, is highly likely to spark more confrontation and conflict. It has set a dangerous precedent, deploying economic coercion to target firms from one country, rather than working through an evidence- and rules-based process. The European way, on the other hand, offers a more measured attitude toward risk management and mitigation. Moves to strike a deal between Oracle and ByteDance, that would see a trusted US firm overseeing the TikTok’s data management, offers another method. This could be enough to reassure the US that the feared app does not pose a threat to national security.

Regardless of all the geopolitical bluster, it is dubious that the Clean Network can really stand alone, any more than a self-sufficient Chinese tech world could, given the instant global flow of data along interconnected supply chains that will be required for the next phase of the digital revolution. Perhaps some delay to the rollout of that new digital future, because of the current US-China stand-off, provides a welcome wake-up call for the rest of the world to consider carefully next steps and design more robust risk-management measures rather than just issue blame and hope for the best.

Further reading:

Martin, David X. (August 26, 2020) “The Impact of the Clean Network Initiative on American Companies”, Brink, Marsh & McLennan Advantage, Washington, DC, USA.

Morris, David. (August 13, 2020) “Decoupling: Trump’s Challenge to the Global Order”, AsiaGlobal Online, Asia Global Institute, The University of Hong Kong.

“The Clean Network”, US Department of State, Washington, DC, USA.

Wong, Chun Han. (September 8, 2020) “China Launches Initiative to Set Global Data-Security Rules”, The Wall Street Journal, New York, NY, USA.

Originally published by Asia Global Online on September 24, 2020