China’s growing clout in 5G telecommunications and other digital technologies, much of it achieved through unfair competition, presents many risks to democracies, including espionage and the spread of disinformation. But the penetration of Western markets by companies that are instruments of an authoritarian state is only one of the risks in our connected and data-driven world. Digital technologies, for all their benefits to society, present risks no matter who owns or operates them—even if the risks are compounded when companies are influenced by authoritarian governments.
On all these risks, U.S. policy falls short: Despite the United States’ leadership in the global digital economy, Washington lacks a vision for governing digital risk even as evidence mounts that the laissez-faire experiment of outsourcing this responsibility to a handful of profit-maximizing technology giants has failed. Some U.S. states have attempted to fill the policy vacuum, with California standing out for its consumer privacy and Internet of Things security laws. But fragmented action by individual states is no substitute for coherent national leadership. Only with a strong national set of digital policies—which should be high on the agenda of President-elect Joe Biden’s administration—can the United States manage the growing risks to society and to national security emanating from the sector.
By now, Americans have learned that market forces alone will not produce the incentives for the private sector to care enough about digital risks. In 2017, for example, the credit rating company Equifax had such lax security in place on its web servers that the Chinese military allegedly exploited an obvious vulnerability to steal the intimate financial details of nearly 150 million Americans. In 2016, Facebook failed to act against Russian interference in the U.S. presidential election, spent the following year denying and obfuscating that fact, and since then has played—or claims to be playing—whack-a-mole against the many propaganda and hate campaigns being waged against liberal democracy on its platform, including the conspiracy theories currently being spread on Facebook about the 2020 U.S. presidential election. Facebook was also charged with misleading customers about its privacy practices by the Federal Trade Commission and paid a $5 billion penalty to settle the charges. And for most of the past decade, Silicon Valley executives embraced capital from and partnerships with Chinese investors and companies, with scant regard for how the Chinese government might abuse these relationships to access the crown jewels of U.S. innovation.
Other countries take a different approach to digital risks. Chinese regulation prioritizes the state’s interests—and although details remain thin, Beijing’s recently announced Global Data Security Initiative is likely to serve the interests of the Chinese Communist Party above all else. The European tradition, with its emphasis on fundamental individual rights and the rule of law, has far more in common with that of the United States. That said, European regulators tend to be much quicker than their U.S. counterparts to intervene in the marketplace. Europe has pursued an active regulatory and enforcement agenda, including the General Data Protection Regulation, the proposed ePrivacy Regulation, the EU Cybersecurity Act, and antitrust action aimed at quasi-monopolistic U.S. tech companies.
The shortcomings of U.S. digital policy have been especially obvious in Washington’s decade-plus effort to stymie the global ambitions of Chinese telecommunications infrastructure providers such as Huawei and ZTE. Already in 2011, the U.S. House of Representatives’ intelligence committee initiated a bipartisan investigation into the two companies. In a 2012 report, the committee warned that “Huawei’s and ZTE’s provision of equipment to U.S. critical infrastructure could undermine core U.S. national-security interests.”
Despite these warnings, Huawei and ZTE managed to penetrate the U.S. telecommunications market. As of 2019, according to data from the Rural Wireless Association, which represents rural internet service providers, up to one-quarter of its members have purchased equipment from either Huawei or ZTE—mainly because their products are far less expensive than their competitors’. “[W]ith nothing to tell us not to do it we chose them,” said John Nettles, the president of the Alabama-based Pine Belt Communications, in a filing with the Federal Communications Commission.
With such laxity at home, it’s no surprise that U.S. attempts to persuade allies to stop doing business with Huawei and other Chinese technology companies have faced stiff headwinds—even if allied governments generally agree on the strategic importance of the 5G network and understand the risk that a foreign government might compel a company under its jurisdiction to conduct surveillance and other cyberoperations on its behalf.
But many allies have a different threat perception of China, often informed by their own strategic interests. This leads them to different conclusions about the risks, benefits, and acceptable trade-offs. Is avoiding the risk of surveillance worth paying 20 or 30 percent more to a non-Chinese supplier? How confident can the purchaser be that non-Chinese equipment would be significantly more secure?
Without a yardstick to measure how the risks that come with Chinese equipment compare to those of other suppliers’, Washington is left with the difficult task of persuading allies to adopt the U.S. threat perception of China—a perception that reflects unique strategic, geographic, cultural, historical, and economic factors. Washington’s complex relationship with Beijing is marked by deep economic interdependence and unapologetic nationalism on both sides, against a backdrop of U.S. security commitments in Asia and a history of past conflict, including costly wars in which the two countries fought each other—in Korea and Vietnam.
Many allies see things differently. French President Emmanuel Macron said in August after meeting with Chinese Foreign Minister Wang Yi that France would not ban Huawei. (French regulatory authorities have announced licensing and other restrictions.) Germany is torn, with German parliamentarians pushing for an outright ban, Deutsche Telekom pressing ahead on a rollout of basic 5G services using Huawei technology in Germany this year, and Chancellor Angela Merkel delaying a proposed IT security law that would restrict—but not ban—Huawei.
In Britain, Huawei equipment has operated since at least 2005—at first unrestricted and then, beginning in 2010, under the ostensible supervision of a Huawei-owned Cyber Security Evaluation Centre. The U.K. instituted a partial ban of Huawei 5G technology in 2019 and expanded it in 2020 to ban the purchase of Huawei equipment beginning next year and to require all existing Huawei equipment to be ripped out by 2027. Several Eastern European countries have also endorsed Washington’s preference for a hard ban.
The incoming administration of U.S. President-elect Joe Biden should pivot away from Washington’s game of whack-a-mole against Huawei and other Chinese technology companies and develop a comprehensive digital risk strategy instead. In the case of 5G, this means supporting research and development, creating incentives for carriers to bring state-of-the-art connectivity to rural and underserved communities, and supporting competition all across the sector. It means pushing ahead with a federal data protection law, similar to those that have been enacted in Europe, that establishes privacy and security obligations for companies handling personal data, regardless of a company’s nationality. It also means defining legal liability and penalties for grossly negligent security practices across the entire spectrum of technology products and services, from app developers to infrastructure providers.
Some of this was tentatively begun by the Trump administration, including its endorsement of digital risk principles in March 2019 and the administration’s National Strategy to Secure 5G a year later. On the other hand, a spate of actions targeting Chinese companies over recent months—such as the Clean Network initiative, expanded sanctions against Huawei, and the measures targeting TikTok and WeChat—have been mostly unilateral and focused only on China.
When and if the Biden administration moves forward, it must do so in cooperation with allies in Europe, Asia, and elsewhere. More unilateral action would deepen the global leadership vacuum that China is well positioned to fill. The chances for cooperation are good, now that the Europeans are increasingly attuned to the elevated risk that Huawei and other Chinese companies pose to European data protection norms. This coincides with a shift toward a more critical view of China in much of Europe over the past half-decade, especially when it comes to trade, the environment, and human rights. There is an opportunity here to forge consensus on multilateral approaches to managing digital risks, including those associated with China, while managing inevitable differences.
That will require Washington, under the incoming administration of President-elect Joe Biden, to give up its penchant for unilateralism and be responsive to allies’ different risk profiles and exposure to China. After all, the end goal of U.S. policy in the digital arena should be to reduce global risk, rather than to alienate allies.