China’s law governing cryptography and password management came into effect on January 1. Importantly, it aims to set standards for cryptographic applications and password management, which should eventually reduce the country’s cyber vulnerabilities at a national level.
According to rumors, the law clears the way for the much-anticipated release of China’s central bank digital currency, although the law itself makes no explicit reference to it. In the meantime, the private sector is unsettled about the privacy of its data.
The first draft of China’s Cryptography Law was written in April 2017, several months before the government banned all crypto activities within its jurisdiction. But the law does not target digital assets, and it notably does not mention Bitcoin or any other cryptocurrency. Instead, it focuses on cryptography: the technologies and products used to encrypt and authenticate data.
The law divides passwords into three separate categories: common passwords, core passwords, and commercial passwords. Under the law, common and core encryption are required for systems that transmit and store state secrets, while commercial encryption covers private and business use.
According to the law, the development, sale and use of cryptographic systems must never harm public interests or state security. Furthermore, all such systems must be reviewed and validated by the government before they can be used. The Standing Committee of the 13th National People’s Congress passed the bill on October 26.
Little is available regarding the Cryptography Law beyond the general conditions and encryption classifications mentioned above. This ambiguity arises because the act defines core and common encryption techniques as a state secret:
“The passwords are to adhere to a particular cryptographic standard. For example, the U.S.’s NSA intelligence organization commonly cites SHA-256 as a strong hash function; the PRC might adopt something similar based on the State Cryptographic Administration’s advice.”
Since the Cryptography Law is ambiguous about the cryptographic standard, nobody knows whether it covers only hash standards or something more comprehensive. Analysts therefore think that the terms ‘Core’ and ‘Common’ crypto refer to withheld hash standards together with cyber-hygiene requirements such as how often cryptographic material must be rolled over.
In the case of commercial encryption, private entities will continue to receive authorization to operate under various standards, depending on the audit by the State Cryptographic Administration. According to Sale Lilly, a China Policy Analyst and Professor of Blockchain Technologies at the RAND Corporation:
“As written, the law does not say that the Chinese government would hold private keys to commercial encryption tools. There is a lot of language included in the latter third of the bill. It aims at reassuring commercial vendors that these audits (even of foreign-registered firms) will not need the firm to turn over source code, which appears as a savvy move by the National People’s Congress law authors.”
But some lawyers are worried that this might not be the case. For example, Steve Dickinson of China Law Blog writes that inviting foreign providers and cryptography users is a trap for the naïve. The law permits foreign encryption systems to be sold in China.
Such systems can enter the Chinese market provided they have been validated and certified through a certification system yet to be described. Dickinson continues:
“Once data crosses the Chinese border on a network, 100% of that data will be 100% available to the Chinese government and the CCP. Cryptography may work well to prevent access by the public, but all this data will be an open book to the PRC government.”
Currently, most firms encrypt their data with open-source software such as GNU Privacy Guard (GPG) to keep their information hidden from state actors. If firms use a Chinese-owned software service, all their stored data can be impounded by the government under this law.
Will The Cryptography Law Pave The Way For The Digital Yuan?
China appears to be en route to becoming the first country to issue a CBDC. The project has taken five years to develop but was allegedly accelerated after Facebook officially announced its Libra project in June 2019. The digital yuan falls in line with the general “blockchain-before-Bitcoin” attitude adopted by the Chinese government.
The CBDC will be entirely controlled by the People’s Bank of China and pegged one-to-one to the country’s fiat reserves. According to Lilly, the law is highly complementary to most of the tasks and efforts needed to roll out a CBDC. It covers the major players in the digital yuan’s implementation, including the State Administration for Foreign Exchange, the PBoC, and the Ministry of Finance.
All these participants must unify their encryption standards with those of the entire Chinese government. But any CBDC-related progress depends on the strictness of the “Core” and “Common” encryption levels, which compare to the US military’s “Top Secret” and “Secret” classification levels, respectively.
In general, China appears to be promoting its blockchain-positive, anti-anonymity course by introducing this new Cryptography Law. The country uses encryption technologies to hide sensitive data and to supervise the information that private entities might be holding. This is similar to how China’s CBDC will function, and it is also what Mark Zuckerberg warned US senators about in October 2019.