The Great Firewall of China - Part 1

The Great Firewall is just mind-bogglingly big, repressing freedom of speech and information for over 800 million Chinese internet users every year. The Great Firewall is so big that it’s worth asking: how did the Chinese manage to build it in the first place? 20 years ago, our info-sec technology was much less advanced than it is today. China was a second-rate technology power, not even comparable to their position today. Most of all: a firewall, like the one they proposed, had never existed before--or, for that matter, since. How, then, did they pull it off?

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

The Great Firewall of China - Part 1

“[Nate Nelson] could you start off by briefly introducing yourself?

[“Randy”]: Sure, Nate. My name is [beep] and I work in the cyber security industry. I’ve been doing this job for over 20 years.”

Out of concerns for privacy, in today’s episode of Malicious Life, we’ll not be disclosing the name of our interviewee. For purposes of telling the story, though, we’ll call him Randy. We also can’t disclose what company Randy was working for, about two decades ago, when our story takes place.

What I can tell you about Randy is this: he’s a lot like many of you out there. He joined the cyber security industry at the turn of the millennium. He had a knack for computers but, otherwise, was pretty much just getting the handle on things. A bright-eyed kid, trying to make something of himself.

His first break in the industry was a job with one of the largest software companies in the world. His second break, early on in his tenure there, was a very big assignment.

“[“Randy”]: I was working for a very large organization that gave me the opportunity from an engineering perspective to learn about something of this scale and I was a young kid. So I was really interested.”

Here’s where Randy isn’t like a lot of you out there. He was only recently out of college when his new employer sent him off on a foreign assignment, to help build the single most significant cyber security asset on the planet.

“[Nate] Did you have a sense of just how massive and impactful the project was going to be firstly from a technical standpoint and secondly from the political standpoint.

[“Randy”]: Sure. So as I went into it, I had no idea what it actually meant for the people. I just knew that it was a very big opportunity from an engineering perspective and then I get to work with all the new shiny tools and technologies that were available to me and it was a once in a lifetime opportunity. I didn’t know about the rights and freedoms of the individuals or anything like that. The only consideration was you’re going to go and build the biggest, tallest, strongest wall in the world and you’re an upcoming architect or technologist. Are you interested? I was like, “Oh yeah, for sure.” Like any bright-eyed, bushy-tailed kid as it were would be, if that makes sense. So I went into it believing I was doing the best I could from an engineering perspective.

[Nate]: So you were excited.

[“Randy”]: Absolutely, super excited and happy to do the best job I could do.”

You can sense why a budding, 20-something IT expert would have been excited about such a project, right? He was only just recently out of school, being flown to another country to use some of the shiniest, newest technologies out there, in service of one of the biggest cyber projects ever undertaken. What reason could he possibly have had to turn down the offer?

Actually, there was one reason…

In this episode of our program, we’re covering the single largest, most pernicious internet security asset on the planet: the Great Firewall of China. The Great Firewall is just mind-bogglingly big, repressing freedom of speech and information for over 800 million Chinese internet users every year. For context, that’s more than the combined population of Europe–not the internet-using population of Europe, the entire population.

The Great Firewall is so big that it’s worth asking: how did the Chinese manage to build it in the first place? 20 years ago, our infosec technology was much less advanced than it is today. China was a second-rate technology power, not even comparable to their position today. Most of all: a firewall, like the one they proposed, had never existed before–or, for that matter, since. How, then, did they pull it off?

The answer, to some degree, lies with Randy.

BACKGROUND: CN HISTORY

There was a point in history when the Chinese nation could have transformed into an open democracy. It was when hundreds of thousands of Chinese people, led by a generation of young students, centered in the Tienanmen Square area of Beijing in 1989 to call for economic reforms and political freedoms from their government.

But of course…we all know what happened next.

The cold murder of possibly thousands of innocent civilians could have, under normal circumstances, been a nightmare for the Chinese government. But actually, from the government’s perspective, you could argue that their invasion of Tienanmen Square was a resounding success. The popular protests, which once might have seemed unstoppable, suddenly ended. The state re-captured control of its capital city and, over the following years, took measures to suppress information about what they did to get it.

Crack down, take control, suppress the story. You can attribute much of the success of China’s Communist ruling party to this tried-and-true formula.

Take, for example, June, 1998. If there were ever a point since the Tienanmen Square protests when the Chinese political system could’ve changed, it might’ve been that summer of ‘98. A group of activists, representing hundreds of pro-democracy advocates and former Tiananmen Square protesters, filed to officially register their own political party. They were denied. Beginning the very next day, and continuing for the following year and a half, members of the now-illegitimate Democratic Party of China were systematically arrested.

Crack down, control.

Then there’s step three–suppress the story. Historian Merle Goldman, in “Chinese Intellectuals between State and Market,” indicates how latent democratic movements like this concerned the ruling class. Though quite small, if such groups were able to get their message out, and enough people took interest, they could threaten single-party rule in the state.

The problem would only be compounded by a new technology called “the internet,” which promised greater and freer exchange of ideas among Chinese people. The government would need a way to prevent “harmful” ideas from spreading out of control via the internet.

ORIGIN OF CENSORSHIP

You probably see where this is going. But it’s not quite so simple. There was no instance, no person or board meeting where somebody stood up and said “how about we build a giant firewall?” In reality, it took years of ideas, technological advancement and fine-tuning before such a thing could even be conceived of.

China’s first major step towards internet censorship was a regulation, issued by the state government in 1996, regarding international internet connectivity. Translated, it reads, quote:

“To carry out international networking of computer information, the output and input channels provided by the Ministry of Posts and Telecommunications in its public telecommunication network shall be used.

No units or individuals shall establish or use other channels for international networking on their own accord.”

After just two years of free and open internet, China made it law that all extra-national connections had to make their way through a government agency. A choke point, in other words. This would make it easy to monitor, or potentially block, anything going in or out.

Then, around 1998 or ‘99, a new organization formed within the Ministry of Industry and Information Technology, called the “National Computer Network Emergency Response Technical Team/Coordination Center of China,” or CNCERT/CC, for short. CNCERT’s name is hardly the only confusing thing about it. For example, its website states that it was founded in 2001, when in fact it was operational as early as 1999.

FANG BINXING

We know this, in part, because a man named Fang Binxing, in his online bio, stated that he began working for CNCERT in 1999. And Fang is, by far, the organization’s most famous employee.

Back in 1989, when government protesters were filling Tienanmen Square with messages of economic reform and political freedom, Fang Binxing was finishing a PhD in computer science. Though the protests were student-led, it’s probably safe to assume that the young computer scientist was not a supporter, as he would later come to represent much of what they’d fought against.

In 1999, Fang earned a position as Deputy Chief Engineer at CNCERT. Much of what occurred inside CNCERT is unclear, but whatever was going on, Fang was at the heart of it. Within a year he was promoted to be Chief Engineer and Director of the Center. He was such a good employee that, just one year after his big promotion, he was given a, quote, “advanced individual” award, as well as a “special allowance” directly from the state government.

In a state-sponsored media profile, Fang Binxing was denoted the “father” of the Great Firewall of China. It must have seemed like an honor at the time, but it soon became a curse. The name stuck, and Fang became the nationwide face of internet censorship. The closest equivalent, for us in the U.S., might be Ajit Pai. Remember that guy? Remember the, what we might call, “negative reviews” he was getting in 2017? Fang Binxing was the Ajit Pai of China.

HANJUNYI

And Chinese people were quick to tell Fang what they thought of his work. In 2010, he created a profile with Sina Weibo, China’s equivalent to Twitter. It was hardly noticed, at first, until he tweeted at a famous T.V. anchor, saying, quote: “Hi, I’m on Weibo now, although I don’t dare be as outspoken as you all, haha.” Within days, he was forced to delete the account, in light of a wave of angry comments, curses and threats.

Then, in 2011, a group of young Chinese Twitter users managed to track down a lecture Fang was performing at Wuhan University. One young man going by the name “Hanjunyi” traveled to the site. On Twitter, he documented his mission. He arrived around 2 p.m., wearing a t-shirt in tribute to the artist and dissident Ai Weiwei. According to reports, he was handed an egg prepared for him by students at the university. Once inside the lecture hall, he tossed the egg at Fang Binxing, but it missed. Thinking on his feet (literally) Hanjunyi took off one of his shoes and hurled it. It hit the Father of the Great Firewall directly in the chest. He grabbed his other shoe and threw it too, but two staff members blocked it.

According to legend, as university staff and security attempted to grab the protester, a group of students banded together to block their path. Hanjunyi escaped the campus, on his bare feet. The students brought him a pair of sandals.

After his escape, Hanjunyi posted to Twitter: “I hit the target!” Immediately, he was flooded with support, with supporters offering him cash, designer clothes and shoes, tickets to Hong Kong’s Disneyland, dinners at five star restaurants and more. One anonymous user offered him a job. Some female admirers offered things we can’t describe on the air.

HURDLE: SCOPE

Fang Binxing probably deserves the, what we might call, “negative reviews” he’s gotten over the years. It’s true that his organization, CNCERT, sat at the heart of the nationwide censorship project.

But Fang is best thought of as a figurehead, not a mastermind. No one man, no single organization could have built the Great Firewall in the early 2000s. You see, now that the Great Firewall exists, it doesn’t seem that crazy to us. Back in the late 90s, though, nobody really knew such a thing was possible, because nothing like it had ever existed before.

“[Nate]: So if this was the first firewall of its scale, where did the ideas come from on how to build and get it to work from a logistical standpoint?

[“Randy”]: Well, the entities dealing with this took quite a leap from scalable firewalls that were already existing and the key objective was to make the scale and capable of managing the traffic that would leave and enter the country.”

Building an apparatus to censor the world’s largest country was just a crazy idea in the late 90s. Think about it: China has over a billion people. Have you ever tried to stop your kids from watching violent movies? It’s basically impossible to get one person to not see something, let alone a billion people not seeing lots of things.

[“Randy”]: So what happened in the beginning was there was current technology to be able to handle the policies and processes that the Chinese team were trying to look at. So what happened was they just threw people at it. So more and more people arrived at the team and before long, it was a very, very large team of over 5000 people.

Even thousands of engineers was not enough.

[“Randy”]: So the team looked at building the firewall in such a way where they could leverage existing technologies. There was quite a bit of customization that took place afterwards. But it was more focused on to see what was out there that could be leveraged.

This notion of “leveraging existing technologies” is important. The Chinese government not only had to figure out how to build a firewall, but how to do so at a technological disadvantage. As we mentioned, at the turn of the millennium, China wasn’t quite the technology powerhouse it is today. The U.S. and Western Europe were ahead in the game, with companies like Microsoft, Cisco and Intel paving the way in cyberspace globally.

So how could China, a second-rate technology power, even begin to build the most impressive cyber security structure in the world? By outsourcing.

SECURITY CHINA 2000

It’s November, 2000. A researcher named Greg Walton visits a trade show called “Security China 2000.” It’s being held in Beijing, co-organized by the Communist Party and sponsored by the Ministry of Public Safety.

Once inside, he documents the scene. Quote:

“The trade show [. . .] drew approximately 300 companies from over 16 countries, as well as 24,500 visitors from over 26 of China’s provinces. [. . .] the biggest names in Web technology – “companies that proudly attach themselves overseas to the Internet’s reputation for anarchy” – peddled their wares to China’s secret police and security officials.”

Walton walks by the displays, noting just how massive the event really is. Quote:

“27 Exhibitors included network giants Siemens, Motorola, Cisco Systems, Sun Microsystems, and Nortel Networks. There were participating companies from the US, Israel, France, Germany, the Netherlands, Japan, and Canada, among others. The United Kingdom, world leader in closed-circuit TV, had a special section in the show. [. . .] Many of the companies [. . .] promot[e] their activities as “improving the quality of people’s work and lives,” (Philips) and “connecting anyone, anywhere, anytime… to the resources they need” (Sun Microsystems).”

Why is Security China 2000 this hot? Because China, only five or six years into having an internet, is still in the early stages of deciding how its national internet will one day look. The measures taken now will determine the internet for over a billion people in the years to come. In business dealings, backroom meetings and trade shows like this, the foundations of a future internet are being laid. A lot is on the line. Quote:

“There is enormous competition among telecommunications firms to get a share of the relatively undeveloped but rapidly expanding Chinese telecommunications market – the largest market in the world. Naturally, the lure of potential billions has attracted every major telecommunications corporation, including US-based Lucent and Cisco, European wireless giants Nokia and Ericsson, and Canada’s Nortel Networks – not to mention countless others. From these companies, China is buying more than US$20 billion worth of telecom equipment a year.”

The premier showcase at Security China 2000 is “Golden Shield”–a wide ranging cyber infrastructure project. It’s still in its early stages at this point–more ambition than reality. Among its goals are to build an advanced cyberspying system, a database for keeping records on every Chinese citizen, and a, quote, “citywide fibre-optic broadband network in Shanghai enabling central authorities to monitor the interests of subscribers at the “edge” of the network.” End quote. In other words: a Shanghai-sized model of how internet censorship could one day work nationwide.

NORTEL

The companies that impress at Security China 2000 will go on to earn multi-million-dollar contracts to sell equipment, software and personnel to the CCP. Take, as one example, the big winner of the Shanghai project: Canada-based Nortel Networks. In retrospect, it’s no surprise they got the deal. Nortel has a long, storied history of building the world’s best internet surveillance systems. From Greg Walton, quote:

“As early as 1988, in a program known internally to the [. . .] FBI as “Operation Root Canal,” 9 US law enforcement officials demanded that telephone companies alter their equipment to facilitate the interception of messages. All but one of the major global telecom companies refused to contemplate altering their equipment. The exception was a Canadian company, Nortel Networks, which agreed to work closely with the FBI.”

Nortel’s Security China presentation centered around their “OPTera Metro Portfolio.” OPTera was Nortel’s, quote “personal internet initiative [. . .] designed to enable Internet service providers to better track individual Internet users and their online activities.” End quote. In their marketing, they left no ambiguity as to what OPTera was designed to do. Quote: “Imagine a network that knows who you are, where you are, and can reach you whether you’re on your mobile phone or at your desktop.” End quote.

By building a “personal” internet for Shanghai, Nortel netted well over 10 million dollars. But this was just the beginning of a very fruitful relationship with the Chinese. Atop OPTera, they deployed the “JungleMUX” digital surveillance network–a system for connecting CCTV cameras around the city and sending all the data directly to a centralized police headquarters. They would also co-direct the research project that became the basis for the Great Firewall.

Other corporations with impressive showings at Security China 2000 would also go on to make multi-million-dollar deals. According to Torfox, a Stanford University-based project, quote, “Motorola provided wireless communication devices for China’s traffic police; Sun Microsystems linked all 33 provincial police departments through computer networks; and Cisco Systems provided China with routers and firewalls in the network.”

This is how a guy like Randy ends up halfway across the world.

“[“Randy”]: I worked very closely with some entities on the building and design of the project and it was a lot of fun. [. . .] the experience was really quite interesting because we got to build something on a massive scale [. . .] So I was learning a lot about it and pretty much was involved in the initial components of getting it all working.”

Randy, our interview guest, had been educated in the West, and represented one of the biggest companies in the world at the turn of the millennium. That made him very useful to the Chinese, who had few engineers with such resumes.

[“Randy”]: The people that I was dealing with were very friendly. They all spoke English. They spoke to me in a very respectful way. They wanted to understand what the ins and outs would be and we worked together as a team and it was more an engineering project than anything else, like building a bridge. They would ask, “Well, how far can you stress this? How would you architect that? What would it look like to scale this?”

WESTERN INFLUENCE

We’re getting to something really important here. Notice how Randy describes his time in China: he wasn’t just working alongside the Chinese, he was instructing them. China’s engineers, technicians and managers benefited greatly from bringing in this kind of Western talent and expertise.

[“Randy”]: Most of the people were internal Chinese people. Very, very few people were from the outside. [. . .] But the know-how, the knowledge of, the mechanics of the kernels needed to accelerate the project needed to come from outside. That’s where people like me were involved and several others.

Ultimately, it wasn’t just that Western companies took part in the Great Firewall project. Like Randy bringing expertise that his Chinese co-workers lacked, teaching them how to build a better censorship system, Western companies didn’t merely sell equipment for the Firewall, they sold better tech than the Chinese had access to. Quote:

“Chinese scientists have developed none of the components necessary to implement Golden Shield independently. In each case, they have relied on assistance from Western corporations, either by purchasing components as turnkey solutions, or through technology transfer – either through formal business deals or in exchange for greater market access.”

Consider, as evidence to this point, Cisco Systems. A number of telecom equipment companies supplied the Great Firewall, including Huawei and other, smaller Chinese firms. But Cisco in particular, according to The Atlantic, was the one to supply what are called “mirroring” or ‘Fiber Tapping’ routers. These routers sat at the fiber optic gateways to China’s internet, using dedicated hardware to split the information carrying light beam traveling inside the fiber-optic cables to two identical beams. One beam would continue on it’s normal route through the network, while the other would carry the duplicated information to Chinese government computers. This allowed human censors to view traffic in real time, as it entered and exited the country.

According to Reporters without Frontiers, the Electronic Frontier Foundation and the U.S. Council on Foreign Relations, Cisco did more than just supply uniquely high-tech routers for the Firewall–they went one step further by actually customizing them for the task of state censorship, configuring them to flag certain “subversive” keywords. Cisco, for its part, has consistently denied that they personalized the equipment in this way.

It’s evident that the Chinese appreciated Cisco’s help on the Firewall project, because in 2004, when China began a 100 million dollar network infrastructure project called ChinaNet Next Carrying Network, Cisco was one of the few companies to earn a contract.

THE PRICE OF FREE SPEECH

Not all of you, but most of you listening to this podcast come from countries where free speech is a right, almost a given. We take advantage of this right, and forget that it can go away at any time.

For 800 million people in China, the right to an open internet, with the freedom of information and discourse that we enjoy in the West today, was sold off to companies from the very countries where democracy and liberty are considered so essential. And what was the price tag on that sale? For most of the companies that participated, somewhere around 10 to 100 million dollars. This, listeners, is the price of free speech.

The West’s complicity in Chinese censorship was epitomized in the building of the Great Firewall, but it was hardly limited to that project. In fact, the modern history of Chinese censorship has always, in some way, relied on Western assistance. As Greg Walton recalled walking by the displays at Security China 2000, he noted that, quote:

“Following the Tienanmen Square massacre in 1989, the Chinese authorities tortured and interrogated thousands of people in an attempt to identify the demonstration’s organizers. But even if the students and workers had resisted the terrors of the secret police, the hapless demonstrators stood little chance of anonymity. Stationed throughout Tienanmen Square is a network of UK manufactured surveillance cameras, designed to monitor traffic flows and regulate congestion. These cameras recorded everything that transpired in the months leading up to the tanks rolling into the square.

In the days that followed, these images were repeatedly broadcast over Chinese state television. Virtually all the transgressors were identified in this way. Siemens Plessey, which manufactured and exported the cameras, and the World Bank, who paid for their installation, claim they never had any idea that their “technologically neutral” equipment would be used in this way.”

In the years that followed the Great Firewall project, China continued to go to Western companies for help in quashing free speech. Google self-censored their Chinese search engine throughout the 2000s. In 2004, when the government targeted the journalist Shi Tao, it was Yahoo that supplied the personal information necessary for his arrest, which ultimately led to a decade in prison. In 2006 it was the journalist Michael Anti, and rather than having to shut it down themselves, the government simply had Microsoft take down his blog for them.

Even today, there’s evidence that our most important tech companies are helping propel Chinese censorship. In 2018 there was Dragonfly, Google’s second attempt to offer a censored search engine for China, which was only shut down after details of the project leaked, sparking widespread criticism and protest among employees.

Then, last year, The Intercept revealed that an American non-profit, co-founded by Google and IBM, has been working with a Chinese chip manufacturer called Semptian since 2015. Together, the goal of the project has been to, quote, “advance a breed of microprocessors that enable computers to analyze vast amounts of data more efficiently.” End quote. So why is this an issue? Because Semptian’s most profitable product is called “Aegis”–a massively powerful spying tool which allows the Chinese government to track citizens’ movement, in real time, and even record phone conversations and messages. So Google and IBM working with Semptian on data analysis is like working on chemistry with the Unabomber.

CONCLUSION

In the end, the corporations that earned a quick buck off the Great Firewall would come to reap what they sowed. By 2003, with the Great Firewall live nationwide, China finally had their fully censored, completely controlled national network. And they weaponized it to cripple or outright block Western companies from selling their products and services to Chinese citizens. Today, instead of Yahoo and Google, there’s Baidu. Skype is banned. With Cisco machines deployed nationwide, Huawei has had plenty of sample material to steal, and then use to dominate the markets in East Asia and Africa.

But this story isn’t just about who made money and who didn’t, of course. It’s much deeper than that. It’s about responsibility, and the moral foundations that we claim to hold dear in this part of the world.

A decade after the Great Firewall was finished, an advocacy group took Cisco to federal court. They argued that the company’s business with the Chinese facilitated the torture of thousands of members of a religious group. In one of the most regrettably unknown stories in recent technology history, Cisco Systems was being accused of aiding crimes against humanity.

On our next episode of Malicious Life we explore good and evil, and whether good engineers–good people–are responsible for political strife, torture and persecution in our world today.