How China’s Control of Information is a Cyber Weakness

In 2015, news broke that Chinese hackers had breached computer networks at the U.S. Office of Personnel Management, exposing the personal data of millions of government employees. In response, the White House took the initiative to improve government network security through a variety of measures. Among other actions, the White House Office of Management and Budget called for all government websites to have implemented HTTPS by the end of 2016. HTTPS, an acronym for Hyper-Text Transfer Protocol (Secure), ensures that the visitor’s connection to a website remains confidential, that the website is “authentic”— meaning that it is the website visitors thought they were logging into—and that the data between the visitor and the website has not been modified. HTTPS implementation on a website is not a panacea to fend off malicious cyberattacks, but it makes the widespread tracking and interception of browsing traffic more difficult. Likewise, while it is not clear whether a lack of HTTPS on government systems played a role in the Office of Personnel Management breach, implementing HTTPS eliminated a security flaw that could have been exploited by future hackers.

Ironically, while the U.S. government pushed to get HTTPS in place after a high-profile cyberattack by China, HTTPS is rarely used within China itself. HTTPS traffic that uses both TLS1.3—the newest version of Transport Layer Security, which provides secure communication between web browsers and servers and the specific content visited on a website—and ESNI—Encrypted Server Name Indication, which prevents third parties from seeing what websites a user visits—is blocked entirely in the country. The Chinese government imposed the ban because TLS1.3, when run via ESNI, makes it difficult for Chinese censors to see what sites a user is visiting and thereby reduces the government’s information control capabilities. Even foreign platforms such as the BBC or Wikipedia were banned as soon as they migrated to HTTPS.

Yet the Chinese government’s efforts to disincentivize encryption—to allow for censorship and surveillance—have created an online environment where even websites that carry sensitive government, health and commercial data remain unencrypted. This leaves them open to exploitation by intelligence agencies and cybercriminals.

Today, a majority of internet browsing is conducted over HTTPS on desktop computers, and more than 2 billion people use end-to-end encryption to communicate securely. Former national security officials, such as former Defense Secretary Ash Carter and former CIA and National Security Agency Director Michael Hayden, have defended strong encryption as in the interests of national security, reasoning that any weakness in encryption will be inevitably exploited by criminals or foreign governments.

There has been some pushback. Western governments have welcomed the weakening of encryption to facilitate criminal investigations by law enforcement. Only recently, members of the Five Eyes intelligence alliance (Australia, Canada, New Zealand, the U.K. and the U.S.), along with India and Japan, called upon tech companies to give governments access to end-to-end encrypted content. Australia has been the most active in this space, passing a law that obliges companies to introduce backdoors for the Australian government. But despite these initiatives, encryption remains widespread in most democracies, increasing resilience against malicious attacks and exploitations.

Encryption has met greater resistance in China. The government’s encryption regulations and implementation thereof are among the most restrictive in the world, giving the government full access to all encrypted content within its domestic territory. Become a supporter of IT Security News and help us remove the ads.