On Jan. 1, China’s law governing cryptographic password management came into force. What does it mean?
On Jan. 1, China’s law governing cryptographic password management came into force. Essentially, the act aims to set standards for the application of cryptography and the management of passwords and, in doing so, to reduce China’s cyber vulnerabilities on a nationwide scale.
Some local media outlets speculate that the law is paving the way for the long-awaited release of China’s central bank digital currency, although it makes no explicit reference to it. Meanwhile, the private sector is worried about the anonymity of its data.
The law outlines three separate kinds of encryption but provides little information beyond that
The initial draft of China’s Cryptography Law was released in April 2017, months before the Chinese government rolled out its blanket ban on cryptocurrencies. Nevertheless, the law has nothing to do with digital assets, and it never even mentions Bitcoin (BTC) or any other cryptocurrency. Instead, it focuses on cryptography: items and technologies that are used to encrypt or certify data.
More specifically, the act divides passwords into three separate categories: core passwords, common passwords and commercial passwords. Under the new law, core and common encryption are required for systems that transmit and store state secrets, while commercial encryption is intended for business and private use.
Furthermore, it stipulates that the development, sale and use of cryptographic systems “must not harm the state security and public interests.” Moreover, all such systems must be examined and authenticated by the government before they’re used. The bill was passed by the Standing Committee of the 13th National People’s Congress in China on Oct. 26.
There is little information on the Cryptography Law beyond the above-mentioned encryption classifications and general conditions, says Sale Lilly, China Policy Analyst and Professor of Blockchain Technologies at the Rand Corporation, a nonprofit global policy think tank. As Lilly explained to Cointelegraph, the ambiguity comes from the fact that the act defines core and common encryption techniques as a state secret:
“The passwords are to adhere to a particular cryptographic standard; for example, the U.S.’s NSA intelligence organization commonly cites SHA-256 as a strong hash function, and the PRC might adopt something similar based on the State Cryptographic Administration’s advice. Because the Cryptographic Law is ambiguous on the crypto standard (we don’t know if it’s simply hash standards or something more comprehensive), I’d say that at a minimum it’s a reasonable guess that the terms ‘Core’ and ‘Common’ crypto refer to an undisclosed hash standard plus cyber hygiene requirements like periodicity of crypto rollover (monthly, weekly etc…).”
As for commercial encryption, private entities will continue to be allowed to operate under separate standards subject to audit by the State Cryptographic Administration, says Lilly. “As written, the law does not state that the Chinese government would hold private keys to commercial encryption tools,” he stresses, adding:
“There is a lot of language included in the latter third of the bill aimed at reassuring commercial vendors that these audits (even of foreign registered firms) will not require the firm to turn over source code, which seems a savvy move by the National People’s Congress law authors.”
Nevertheless, some lawyers are worried that this might not be the case. For instance, Steve Dickinson of China Law Blog, a regional outlet curated by international law firm Harris Bricken, writes that “inviting foreign providers and users of cryptography is just a trap for the unwary,” as the new law allegedly allows foreign encryption systems to be sold in China, “provided that the systems have been approved and certified through a certification system that has not yet been described.” Thus, the blog’s author argues:
“Once data crosses the Chinese border on a network, 100% of that data will be 100% available to the Chinese government and the CCP. Cryptography may work well to prevent access by the public, but all this data will be an open book to the PRC government.”
Moreover, Dickinson argues that most firms encrypt their data with open-source software, like GNU Privacy Guard (GPG), whose essential purpose is to allow companies and individuals to keep their information away from state actors. The issue, therefore, is whether the government will allow the use of GPG:
“If the answer is no, then the entire set of provisions for foreign encryption systems is completely meaningless. If the answer is yes, then the designation ‘commercial’ has no meaning.”
Similarly, other researchers opine that if firms start using a Chinese-owned software service, all of their data stored and managed by that service can be seized by the government under the new act.
Will the new law pave the way for a CBDC?
China seems to be firmly on its way to becoming the first country to issue a CBDC. The project has been in development for five years, but it reportedly accelerated last year when Facebook’s Libra was officially unveiled.
The potential release of the digital yuan would fall in line with the general “blockchain-before-Bitcoin” attitude championed by the Chinese government — unlike a private, decentralized cryptocurrency, the CBDC will be controlled by the People’s Bank of China and backed one-to-one by the country’s fiat reserves.
In December 2019, Chinese media reported that the central bank was planning to conduct the first real-world test of its CBDC, while earlier this week, the PBoC issued an official statement confirming that it is “progressing smoothly” with the government-backed currency.
Lilly told Cointelegraph that the law “is highly complementary to many of the efforts and tasks required to roll out a CBDC,” and that it covers key Chinese players who participate in implementing the digital yuan, namely the PBoC, the State Administration for Foreign Exchange and the Ministry of Finance, all of which will be required to unify their encryption standards along with the rest of the Chinese government.
However, Lilly notes that the CBDC-related progress will depend on the stringency of the “Core” and “Common” encryption levels, which he compares to the United States military’s “Top Secret” and “Secret” classification levels, respectively, and, hence, on how CBDC private keys will be encrypted:
“If China’s experience in trying to unify government cryptographic standards is anything like the U.S. Military’s experience, higher standards of encryption and trust scale users at a slower rate, so onboarding oracles and trusted agents for a private or permissioned access CBDC blockchain implies a natural trade-off between key security and speed of onboarding digital economy participants; banks, vendors, and a slew of Chinese government entities in tax and finance roles.”
Overall, China is continuing its blockchain-positive, anti-anonymity course with its new Cryptography Law. The country continues to use encryption technologies not only to hide its sensitive data but also to supervise what information private entities might be holding. This is similar to how its CBDC is expected to function — and is exactly what Zuckerberg was warning U.S. senators about back in October.