China claims it is tired of western-centric internet governance, and now seeks to establish a less centralized global internet based on newer, native products that reflect China’s policy agenda. What would the success of China’s model mean for the future of internet governance? What would it mean for human rights? Dominique Lazanski, principal consultant of Last Press Label, a UK consultancy that specializes in cybersecurity and internet policy, joined the latest episode of “Explain to Shane” to discuss her new essay, “Standardising the Splinternet: How China’s Technical Standards Could Fragment the Internet.”
Below is an edited and abridged transcript of our talk. You can listen to “Explain to Shane” on AEI.org and subscribe via your preferred listening platform. You can also read the full transcript of our discussion here.
Shane Tews: Dominique, thank you for this great paper
that you, Emily Taylor, and Stacie Hoffmann wrote, titled “Standardizing the
Splinternet: How China’s Technical Standards Could Fragment the Internet.” This
is an issue I’ve been following for quite a while, but you did a very good job
of being succinct in the topic. It’s really about how the Chinese are learning
to game the standards process to make sure the weights go in their favor. So
explain the importance of the standards process to us.
Dominique Lazanski: Back
before liberalization, the standards process was really important for
government in terms of spectrum and managing telephones and all of that stuff.
That’s done, and was done, in the UN. Then the internet came around in the ’70s
and ’80s through bottom-up, very spontaneous, working-together processes that
were quite messy. The standards that developed on the internet that are used,
but are not formal, in addition to TCP/IP, which we all know and love,
basically developed very much as “you’re using it and that happens.” Over at
the UN, and in other standards organizations like 3GPP, which does standards
for 5G, as well as regional standards groups like ETSI and others, there’s a
more formal process that comes together, and primarily industry is driving
standards that will be adopted and used.
There was a conscious choice, which is a very detailed
story, but what happened was members of the ITU in the late ’80s chose not to
standardize the internet. And because of that, it’s gone to the Internet
Engineering Task Force (IETF). There’s a lot of acronyms in this, as you know,
which has developed a bottom-up process, through the stewardship initially of
Vint Cerf and others in the Internet Society. It’s again very messy but very
multi-stakeholder. I know you just had David Gross on talking about the IGF.
Well, that process effectively is transposed into the internet technical
processes and it’s very fluid, so the gap that’s been left at the UN has
increasingly been filled by China.
What’s interesting
about standards, as you point out in your paper, is that once a company or a
government has chosen a standard, it tends to lock them into a specific path
that can become outdated and substandard quickly, which is why the internet
runs on requests for information, which are considered best current practices
because they’re easier to update. Is that going to be a challenge? When do you
use a standard, and when do you just say “best practices”?
That’s a very good question. They’re now being used
interchangeably. But I guess the thing that’s happening now is if you want to
standardize something that’s more finite, like how the network communicates
with a mobile phone to authenticate it, for example, things like that are
something that doesn’t change. The actual physical technology might change, but
the process and the technical aspect of it doesn’t change, whereas where the
internet is the growth of encryption and a number of other issues that you
probably talked about — encrypted DNS and various things like that — have been
typically put into use as cases first, and then brought to the IETF, became an
RFC, and then became more standardized. I think the language is something
that’s shifting quite a lot now.
I love the example in your paper about Hikvision, the Chinese surveillance company. The company is on the US sanctions list, and it became the editor of the surveillance standards of the ITU. In 2019, they noted that they were really good at identifying Uighur ethnicity. This is the entity that is holding the pen at the ITU, which is basically a long arm of the Chinese government.
Let’s talk about the
network layers, because this is where the real pull factor comes in — you know,
chills down my spine — because the internet has been amazing because of its
ubiquitous nature, and has been open, and you’ve always been able to improve
upon it, and now it looks like we’re looking to invert that process with some
of the work that the Chinese and the ITU are doing. How are they accomplishing
this?
Well, it’s really interesting. So in the paper, like I said,
we have a really brief diagram of the OSI model, and then the TCP/IP model, and
then the DII model. What the DII model does — so you have seven layers of the
OSI model with TCP/IP, you’ve got four layers, just to remind you: application,
transport, internet, and network access. What happens in the DII model is
there’s a third-party application, there’s research management, there’s
blockchain, and then there’s the physical component. This sounds kind of like,
“Oh, this could possibly work.” But what’s interesting is when you look at it
more closely, first of all, there aren’t a lot of details. We’ve never seen
this actually demonstrated. We don’t know if there’s a lab running a version of
this in China. We’ve never actually seen the specific details. But the second
thing that it brings up is the internet. As you said, it’s decentralized,
right? It survived a massive cyber attack in 2016 where it was so resilient
that, though we noticed that it was the Dyn attack, it came back up. It was
quite resilient because it is decentralized. Same thing for all of us working
at home globally, right? 30 percent more traffic suddenly, not just working at
home, but Netflix and all that as well; again, resilient and able to route
traffic quite quickly.
With the DII models, it’s very point-to-point. It’s almost
mimicking telecom infrastructure: very linear. My argument has always been that
this approach mimics the political system, so it’s more of a top-down
management process versus a decentralized process. It has a single point of
entry. It has various nodes, but each node has to have a fixed identifier. What
happens with the domain name system is you can have DCHP, so you have different
devices connecting and then releasing the IP address. So if you think about it
almost from a political point of view, it makes sense. It fits into that way
with China.
In your paper, you also
talk about how the social elements of technology — including identifying the
economics of security, full security, cultural security, and social stability —
are things that the Chinese have pointed out as they want more of a top down
approach. They consider all of this as part of their cybersecurity program,
which then leads to the question of what happens to human rights? Because human
rights is a big point when discussing the internet governance structure.
That’s a really good point. I’ve been trying to listen closely to the language in the last couple of weeks. In the UK, the Huawei discussion is quite heated, and there was a decision just taken that they’re going to ban Huawei equipment from the UK 5G network. So the ambassador from China in the UK has been saying quite a lot of heated things. On top of that, the UK is going to offer a path to citizenship for a number of people from Hong Kong. Pretty much anybody in Hong Kong can come and live and work in the UK. And what I’m hearing more and more is China saying, “This is a national matter. The Uighurs? It’s a national matter. Hong Kong? It’s a national matter. This does not pertain to you.” The language they’re using is completely not addressing human rights.
I think human rights
is not even going to be on the table. If you look at the Human Rights Council
at the UN that just finished meeting for this particular term, there was not
one bullet item about the Uighurs, not one. Venezuela was on the map, and Syria
was on the map. All of that, but nothing from China. So politically, they’re
able to keep themselves off of that agenda. But from a technical point of view,
if they start saying “this is our infrastructure. This is what we’re doing and
we’re sharing it with our allies,” they’re going to say human rights was not
something that particularly pertains to that, and that is really worrying. That
sort of breaks up the multi-stakeholder model, don’t you think?
For those who are
interested in these topics, what should we be looking out for?
China just launched a new standards policy called Standards
2035, which states the goal of being really active in international standards,
not just for technical and internet, but for all global standards, and takes it
to a new level. So they’ve reorganized themselves. They have President Xi as
the head of the Standards Committee. He’s probably the head of all the
committees for everything, but he’s definitely head of the Standards Committee.
There’s a really big push to have more leadership across standards. So again,
it’s the Standards Strategy 2035. I think that’s going to be coming up in the
news quite a lot.
The other thing that’s coming up is, as you know Shane,
every four years, the ITU has different departments in its agency and its
organization, and the big one for technical standards has a big meeting called
the WTSA coming up in November, but it’s potentially going to be moved — pretty
much 99 percent going to be moved — until February.
So you’ll start to see a lot more discussion, and people will be a lot more aware of the tensions between China and, in particular, also Huawei and a number of the countries that have had these debates like we have had in the UK. That’s going to start to play up because there’s a number of them. I know I mentioned, or you mentioned, Hikvision; there’s a number of companies that are on the US sanctions lists that have been active in addition to Hikvision in the ITU. So you’ll start to see how that’s going to work itself out to this big meeting where there will be multilateral negotiations for future plans of what to do in the ITU for technical standards. So China’s putting quite a lot of resources into that. Those are the two newsworthy things that I think, if I were kind of new to this, I’d start looking at. You’ll hear much more about that in the next couple of months.