Cybersecurity and Deterrence
The U.S. Needs to Get in the Standards Game—With Like-Minded Democracies
Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
In the latter half of 2016, the Third Generation Partnership Project (3GPP)—one of the largest international bodies that sets standards on mobile technologies—took a series of votes on technology that would make up part of the standard for fifth-generation mobile telecommunications networks (5G). In many ways, the meetings were routine. Engineers from companies around the world gathered, as they had for 3G and 4G before, to decide on the best telecom inventions to include in the new standard. Because systems worldwide need to work reliably with one another, the new standard would be one that everyone used.
At issue in these particular meetings was how to encode information and correct for errors in data transmission in a new enhanced mobile broadband (eMBB) scheme. Three mathematical techniques were proposed—one by Qualcomm, known as a “low-density parity-check” (LDPC), one by Huawei called “polar coding,” and one called Turbo. During an initial vote, the body adopted Qualcomm’s LDPC solution as best-in-class. But Chinese firm Lenovo, which had voted for LDPC, returned home to an online outcry for its “unpatriotic vote”: Following years of investment, Huawei’s “polar codes” had become a symbol of national pride.
Months later, the body voted again on the coding techniques for use in a second part of the standard. This time, Lenovo supported Huawei’s polar codes, which won the day. In explaining the voting pattern, Lenovo founder Liu Chuanzhi wrote: “We all agree that Chinese companies should be united and cannot be played off one another by outsiders.”
Technical bodies like 3GPP—and the hundreds of other international-standards-making organizations that set the rules for cyberspace and the future internet—have become unlikely battlegrounds in the geopolitical contest over the cyber and information space. And the Chinese Communist Party (CCP) is using coordinated attention and top-down industrial policy to drive its global success in these technocratic bodies and in the technologies they yield. To ensure the competitiveness of the United States and other democracies in the future of internet technology and the norms of cyber governance around it, the U.S. and its allies need to get in the standards game.
Why are these abstruse organizations of polar codes and eMBB important?
For one, the companies whose inventions make it into official standards reap ongoing rewards. As firms implement a standard, they have to license the technology from patent holders. In some cases, the dollar figures are substantial. Qualcomm, for example, derives more than one-fifth of its revenue—$5.2 billion—from technology licensing fees. Chinese firms Huawei and ZTE have flooded the standards landscape, and even countries that decline to use them to build 5G networks or smart city technology due to cyber espionage concerns will have to pay the two companies to use their patents.
Second, because they sit at the intersection of technology and governance, standards organizations are increasingly deciding not just whose technology is used but also how it is used. The U.N. International Telecommunications Agency (ITU), for example—a technical organization that has received significant attention from CCP state planning—adopted as an international standard a smart street light architecture proposed by ZTE and China Mobile that includes the ability to “add video monitoring capabilities when deploying smart street lights.” The ITU’s forthcoming standard on facial recognition technology reportedly requires database storage of detailed biometric and demographic features on people, from face style and birthmarks to race and skin color. Despite objections from human rights groups, the standard also suggests use cases such as police surveillance of public spaces and “black list alarms” to spot suspected criminals throughout society—in schools, temples, hospitals, airports and malls. And at the ITU’s September meeting, Huawei submitted a “New IP” proposal that would remake the internet, allowing governments more control over citizen access and data. International standards bodies are fora to promote specific technology as well as the authoritarian governance norms those technologies impute.
The CCP has seized on the importance of these bodies for the dual and mutually reinforcing objectives of increasing national competitiveness and building international influence on technology adoption and norms of use. With an explicit goal of becoming “a standards-issuing country,” China coordinates national standards-work across government, industry and academia as part of its push to increase international influence. Its “China Standard 2035” plan, led by the Standards Administration of China and its National Academy of Engineering, is dedicated to assessing China’s standardization system and developing standards across virtual reality, information technologies, 5G and the internet of things (IoT). As part of its national plan for IoT development, China’s “Special Project Action Plan for Standards Formulation” calls for China to “actively promote the formation of regional and international IoT standardization bodies, win leadership positions on important international committees like ISO/IEC [a joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission] and ITU, and submit and respond to international proposals and motions, in order to increase China’s international influence and competitiveness.” Even state-sponsored academics have applied game theory to optimize China’s strategy in the standardization process.
The military and cyber-espionage implications of China’s growing standards dominance are equally alarming. A U.S.-China Economic and Security Review Commission report has assessed that “Chinese-backed international standards offers Beijing unparalleled opportunities to compromise trillions of potential future IoT devices through security vulnerabilities it has researched and locked in through international standards bodies, with little or no built-in transparency on these vulnerabilities.” And Article 23 of China’s Standardization Law makes the national security nexus of standards work clear: “The State shall promote standards that encourage civil-military integration and … promote the use of advanced and appropriate civilian standards in the development of national defense and the military.”
By contrast, the U.S. approach to standardization has been bottom-up: allowing open competition from the private sector in a free-market, multistakeholder fashion that resists central planning. For years, U.S. technological dominance in internet technologies meant that a lack of a coordinated approach did not seriously stifle U.S. competitiveness. The CCP’s growing presence in these organizations, and its use of those like the ITU as a forum for promotion of its technology through the “Digital Silk Road,” means that this hands-off approach may no longer be sufficient.
The United States—along with its democratic allies—should increase representation at international standards bodies and actively monitor China’s coordinated efforts to advance particular technologies or actively promote authoritarian internet governance objectives. This requires a full-picture understanding of the CCP’s technical objectives with ongoing input from engineers and industry on how standards and on-the-ground deployments are shaping this landscape. The Cyberspace Solarium Commission report highlights the threat of “losing the international standards race” and has recommended the creation of a State Department Cyber Bureau, which can fulfill some of these objectives. The U.S. should also leverage alliance information sharing to build a common operating picture for standards organizations.
At the same time, stepping up in the standards game will require promoting a positive democratic model for future internet technologies—backed by international standards. This means actively pushing back on standards—such as in facial recognition and social surveillance—that threaten civil liberties and human rights. But the State Department should also work with the National Institute of Standards and Technology to develop and put forth standards that shore up cybersecurity in IoT technologies, limit immediate state access to private citizen data and contemplate what smart cities should look like in democracies. The more these efforts can be executed jointly with allies and partners, the less they will suffer from the appearance of a false dichotomy between the U.S. and China and the more effective their implementation will be.
Finally, the United States and its allies should adopt a strategic approach to standards-setting that distinguishes the areas where the private sector can continue to lead successfully from those where deeper national and international coordination is needed. Without it, democracies may soon wake up to the reality of an authoritarian internet spanning more and more of the globe.