The cracks in China’s Big Brother armor


China’s cyberspace is plagued with breaches.

In recent months, photos and documents hacked from Xinjiang province’s police force revealed the brutality of China’s forced labor system. Another cache of data leaked from police in Shanghai gave away information on 1 billion Chinese residents. But that’s just the tip of the iceberg; China tops the world in the volume of data exposed online with no security.

This might seem out of character for a regime that sees data from home and abroad as a top national security priority. But the truth is that China’s surveillance state requires that data in the country not be very secure. New research demonstrates how recognizing that truth can inform our broader understanding of China.

There’s no question that China wants to keep the information within its borders safe; cybersecurity legislation from Beijing in recent years has revealed as much. But data security is not the surveillance state’s only goal. It also needs to access the same data anywhere, anytime it wants — a countervailing objective. One example is China’s encryption law, which started to welcome commercial use of encryption recently but does so by favoring domestic tools over foreign, more secure options. It also demands that the government have the decryption keys. Imagine, then, the U.S. federal government encouraging you to store valuables in a safe at home. But suppose you are also required to send the safe combination to the FBI. Now, imagine that someone hacks the FBI. This dilemma means that even some of the most sensitive data in Beijing’s eye will make it into the open.

In a new Mercatus Center study, my colleague Christine McDaniel and I demonstrate this with an example of Chinese data focused on the escalating situation in Taiwan.

The dataset, obtained from an unguarded Chinese website and provided to us by New Kite Data Labs, an open-source data collection outfit, contains nearly 300,000 “points of interest” in Taiwan, all with latitudes, longitudes, and other details. These locations include military facilities, government offices, transportation facilities, and locations related to information and communication technology.

The data’s original curator is unlikely to be a benevolent, curious soul. Breadcrumb Cybersecurity, along with the FBI, tried to identify the database’s owner. Using open-source tools, it concluded that the same internet protocol address was associated with multiple malicious cybersecurity incidents targeting the United States in the last few years. While the perpetrators’ identity may never be known, the leaked data give the public a peek at the kind of invasion planning China might well have for Taiwan and its vulnerabilities.

It’s anyone’s guess whether Beijing is surprised by breaches like this, but China watchers shouldn’t be. In fact, the Communist Party’s self-contradicting surveillance state implies that the window of opportunity to observe the regime will not be closed simply because others are aware of it. According to a 2020 Lawfare survey, dozens of Chinese government websites had not implemented the more secure HTTPS protocol at the time. Two years have passed, and about half of them have not made that change.

Reasons to be concerned about Chinese surveillance abound, but perhaps that cuts both ways and Big Brother is weaker than we think. That should give hope to those seeking to understand the opaque regime better.

Weifeng Zhong is a Mercatus Center senior research fellow and a core developer of the open-sourced Policy Change Index project, which uses machine-learning algorithms to predict authoritarian regimes’ major policy moves. He is a coauthor of a new study, Submarine Cables and Container Shipments: Two Immediate Risks to the US Economy if China Invades Taiwan.
