中國對亞太地區的網路環境具有極高度影響力。透過分析中國的網路空間與監管作法，人們得以瞥見中國網路生態系的轉變，及網路攻擊行動者的動機與所使用之戰術、技術與流程（tactics, techniques, and procedures, TTP）。本文中，TeamT5 資安威脅情資分析師團隊總結形塑了2021年中國網路空間的關鍵事件，並提出對未來發展態勢的看法。
Why should you read this article?
China presents an enormous influence on the cyber threat landscape of the Asia-Pacific region. By analyzing China's cyberspace and regulatory state, one may catch a glimpse of the underlying shift of the cyber ecosystem and threat actors' TTPs and motivations. In this article, our analysts summarized the key incidents that shape China's cyberspace in 2021 and propose some outlooks for future development.
- 2021 was a significant year for Chinese cyberspace, as it marked the start of China's 14th Five-Year Plan (2021-2025). In 2021, China had launched a sweeping tech crackdown and accelerated consolidation of power in reigning everything within the Great Firewall (GFW).
- The Chinese regulators had taken high-profile actions against major tech companies, especially those operating social media and commerce platforms. Firms like Alibaba, ByteDance, Tencent, Didi Chuxing, and Meituan have faced record fines and cybersecurity probes. In contrast, "hard tech" companies in strategically critical sectors like Huawei and SMIC have been mainly exempted from regulatory scrutiny.
- The Chinese regulators, led by the Cyberspace Administration of China (CAC), introduced and amended a series of regulations to tighten their control over the management and flow of data. The new rules range from privacy protection and data transfer to vulnerabilities disclosure.
- International technology firms also faced pressures and censorship from the Chinese regulators. Famous apps like Clubhouse, Signal, and Quran Majeed have been reportedly blocked in China. Besides, companies like LinkedIn and Yahoo have pulled out of China, citing a challenging environment.
- With China's expansion of power over cyberspace, stakeholders and cybersecurity practitioners should stay vigilant to their network and asset exposure to China's jurisdiction. Besides, we have observed that China's regulatory campaign were often followed by covert cyber operations. Indicators have shown that 2022 will undoubtedly be another challenging year for Chinese and international tech giants.
Overview: A Year of Tech Crackdown
2021 was a significant year for Chinese cyberspace, as it marked the start of China's 14th Five-Year Plan (2021-2025). One of the strategy’s ambitions is to tackle monopolies and review regulations related to the digital economy. Over the past year, the Chinese regulators had taken high-profile actions against major tech companies, especially those operate social media and commerce platforms. Prior to 2021, the relationships between the Chinese authorities and the country’s tech giants have been complex and in flux. For many years, the tech regulators had turned a blind eye to some illegal business practices, anti-competitive acts, and tax evasion of the tech giants, because these companies have brought China robust economic growth. However, in 2021, the Chinese regulators had taken high-profile actions against companies including Alibaba, ByteDance, Tencent, Didi Chuxing, and Meituan, levying record-high fines as well as imposing cybersecurity probes and a six-month rectification program. Companies in online gaming, private tutoring, and cryptocurrency were also among the casualties.
What is notable is that all the regulations and probes are directed at the consumer technology sector, rather than “hard tech” companies that are considered by China as strategically critical sectors, such as semiconductor, new materials, new energy, and aeronautics. Therefore, companies Huawei and Semiconductor Manufacturing International Corporation (SMIC) are largely exempted from regulatory scrutiny.
On the other hand, the Chinese regulators, led by the Cyberspace Administration of China (CAC), had introduced and amended a series of regulations to tighten their control over the management and flow of data. For instance, the CAC has implemented the Data Security Law that restricts cross-border data transfers as well as the Personal Information Protection Law which governs data privacy protection. The latter is also regarded as China’s version of the EU’s General Data Protection Regulation (GDPR). Meanwhile, the CAC also announced a new vulnerability disclosure regulation that requires vendors to share vulnerability reports with state agencies within two days. Because of the new law, Alibaba Cloud has faced punishment for not reporting the most serious vulnerability in recent years, Log4Shell, to the Chinese authorities in the first place.
A More Difficult Environment for Domestic and International Tech Firms
International technology firms also faced pressures and censorship from the Chinese regulators. Famous apps like Clubhouse and Signal have been reportedly blocked in China, as these services allow the online users to exchange ideas without being censored by the Chinese government or Chinese social media platforms. Quran Majeed, a popular app among the Muslim community, was also banned in China, signaling more oppression against the Chinese Uyghurs. Besides, companies like LinkedIn and Yahoo have pulled out of China, citing challenging environment. The abovementioned incidents have indicated that 2022 is very likely to be another difficult year for both domestic and international tech firms.
The following timeline have summed up China’s actions in reigning in the country’s cyberspace in 2021.
CCP: Chinese Communist Party CAC: Cyberspace Administration of China MIIT: Ministry of Industry and Information Technology SAMR: State Administration for Market Regulation
- SAMR launched antitrust investigation into Alibaba
- CAC issued a new law to regulate public accounts to combat disinformation and fake traffic
- SAMR finalized anti-monopoly guidelines
- MIIT drafted new regulations to combat excessive data collection by mobile apps
- US audio-chat app Clubhouse reportedly blocked in China
- CCP's Two Sessions 2021
- SAMR fined 10 big tech firms for failing to report acquisitions
- CAC issued new rules to tighten supervision over big tech’s collection of user data
- Encrypted messaging app Signal reportedly blocked in China
- SAMR imposed record US$2.8 Billion fine against Alibaba
- CAC launches hotline for netizens to report “illegal” history comments
- SAMR announced investigation into delivery giant Meituan
- CCP reviewed “Data Security Law” and “Personal Information Protection Law”
- CAC issue draft rules on users’ privacy protection of mobile apps
- CAC called out 84 apps Including Tencent, Alibaba, and Baidu for violating user privacy
- CCP Passed “Data Security Law” and “Anti- Foreign Sanctions Law”
- China widens cryptocurrency crackdown: mining projects shut down; banks ordered to step up clampdown
- CAC banned Didi Chuxing’s apps after its U.S. IPO
- CAC to amend “Cybersecurity Review Regulations,” tightening controls over foreign-listed firms
- CAC issued new vulnerability disclosure rules
- MIIT launched 6-month rectification program, ordering tech firms to fix anticompetitive, security issues
- 7 Chinese agencies sent officials to conduct on-site cybersecurity inspections at Didi Chuxing
- Chinese state media labeled online gaming “spiritual opium” and called out Tencent
- CAC drafted "Personal Information Protection Law"
- CAC launched regulations to protect critical information infrastructure
- China orders state firms to migrate to government cloud services
- CAC launched “Security Threat Information Sharing Platform” for reporting vulnerabilities
- CAC ruled all crypto-related transactions illegal
- LinkedIn shut down operation in China as compliance challenges increase
- CAC banned cross border transfer of core industrial and telecoms data
- China bans Quran Majeed, one of the most popular Quran apps in the world
- Personal Information Protection Law (PIPL) took effect
- Yahoo pulled out of China, citing 'challenging' environment
- China suspended Tencent apps update and limiting use in state-run firms
- China to ban business use of WeChat and Alipay personal payment QR codes
- China censored tennis star Peng Shuai over sexual assault claims against CCP high-ranking official
- CAC issued rules to block foreign religious content online
- MIIT suspended cooperation with Alibaba Cloud, citing delayed report of Log4j2 vulnerability
- Didi Global delisted from the NYSE
- CAC fined Weibo for publishing illegal information
Outlook: China's Endless Pursuit of Cyber Power and Regulatory Control
So far, there is no indication that the Chinese government will loosen up its grip over the tech firms. With China’s expansion of power over cyberspace, stakeholders and cybersecurity practitioners should stay vigilant to the exposure of their network and asset to China’s jurisdiction. On the other hand, we have observed that China's regulatory campaign were often followed by covert cyber operations. For instance, our telemetry had previously detected that China-nexus Advanced Persistent Threat (APT) groups targeted companies and organizations which were on the list of China's anti-corruption campaign.
The political landscape in China heavily influences the country's strategy in reigning its cyberspace. In August 2022, the Chinese Communist Party (CCP) will be hosting its 20th Party Congress, where the party’s leadership and policy agenda for the next five years will be announced. It is no surprise that the Chinese authorities will continue the enforcement actions, furthering tech crackdown under the name of “common prosperity” and consolidating the state’s position as the country’s most powerful cyber player.
China, digital propaganda, social media, cyber governance, trolling army
Taiwan, Presidential Election, SNS, China, little pink, outsourced
China, APT, cyber threat intelligence, social media, state-media, Operation Juiker, Information Operation