#29 - Cybersecurity Administration of China (CAC) and the China Internet Investment Fund (CIIF)
中国互联网投资基金 - China Internet Investment Fund
In recent years, the Cybersecurity Administration of China (CAC / 中华人民共和国国家互联网信息办公室) has thrust itself into the international spotlight by fining Didi Chuxing (China’s Uber) $1.2bn, purchasing 1% management stakes in ByteDance (TikTok’s owner) and Alibaba, as well as announcing that a similar stake in Tencent is under consideration. By Western observers, the CAC is often referred to as a “regulator,” but this could not be further from the truth. The CAC is a Chinese Communist Party (CCP) led organization that functions as a disciplined political weapon to achieve Party goals. One of the primary ways the CAC accomplishes its goals is through the China Internet Investment Fund (CIIF / 中国联网投资基金).
What is the Cybersecurity Administration of China (CAC)?
The CAC is an incredibly opaque CCP political organ under the supervision of the Central Cyberspace Affairs Committee (CCAC / 中共中央网络安全和信息化委员会), which is itself directly subordinate to the Central Committee of the Chinese Communist Party (中国共产党中央委员会), headed by Xi Jinping. The Central Committee currently functions as China’s executive power. An organizational chart detailing the nature of these structures is below.
China’s system places the state (the government) in permanent subordination to a single political party (the CCP). In this relationship, the state is the administrative body that executes policy decided by the political party. The various ministries under the State Council (the highest state government body) direct and manage day to day affairs, but ultimate decision making power rests within the integrated political cadres. These cadres keep reporting up to senior political party officials until the buck stops with the Central Committee of the CCP. This system bears more resemblance to a military chain of command than a constitutional republic like the US. Also unlike the United States, there is no public input on who the senior decision makers are. These positions are hand-selected by the Politburo, the Politburo Standing Committee, or the General Secretary of the CCP, Xi Jinping.
Within the party, there are organizations that mirror their state counterparts. For example, the Ministry of Foreign Affairs is mirrored by the Central Foreign Affairs Commission, the Ministry of National Defense by the National Security Commission, and so on. These relationships are unique in the sense that there is no back and forth between the two entities. The party organization issues a decree and the state executes.
The CAC is not mirrored but exists as a merged part-state institution. These entities came into existence out of political reforms in 2017-18 that marked a strategic shift of power even more towards the CCP apparatus. State administrative bodies were effectively folded under CCP organs. In doing this, they retained their administrative powers, but abandoned their state oversight and reporting requirements.
What used to be called “separation of party and state” (党政分开) became now “one post two responsibilities” (一岗双责 - CN). An example of this transformation is below.
As a merged institution, the CAC does not answer to the State Council (the State Council explicitly stated the CAC is not a state entity in 2018 - CN), does not publish meeting notes or organizational information, and only occasionally coordinates with state agencies when issuing policy documents. The CAC only answers to the leadership of the CCP.
As previously mentioned, many analysts refer to the CAC as a “regulator,” but this is misleading. Its main purpose is to advance CCP policy through legislative, regulatory, legal, party-owned investment, and military means. The CAC accomplishes this through its ability to control licensing, channel strategic investment, create laws, dispense administrative punishments, block content, and direct cyber attacks. Equating the CAC to a US regulatory agency such as the Securities and Exchange Commission (SEC) is incongruous.
For more information on the CAC, please view this article from Stanford University.
Why is it important?
The CCP can obfuscate its actions by employing merged party-state institutions to accomplish policy goals. An example of this is the $1.2 billion fine imposed on Didi Chuxing (Didi, 滴滴出行).
Didi is China’s largest ride hailing company with over 550 million users and on June 30, 2021, Didi listed on the New York Stock Exchange (NYSE). At the time, this was widely seen as a testament to the resilience of Chinese tech companies during COVID. However, Beijing was not pleased. CCP officials wanted Didi to postpone its listing, but Didi went ahead at the behest of its investors. Just two days after listing, the CAC announced that they were conducting a full cybersecurity review of Didi and on July 4th, the CAC announced that Didi was being removed from all app stores in China.
The CAC did not mention which laws Didi violated, but according to China Briefing (Dezan Shira & Associates), Didi violated Article 6, Article 17, and possibly Article 28 of the Personal Information Protection Law (PIPL) that was adopted in August 2021. The CAC stated that there were a total of 16 violations, with eight of these are below:
Illegally collecting almost 12 million screenshots from users’ mobile phone photo albums.
Collecting 8.3 billion pieces of information from users’ clipboards and application lists in excess of the scope necessary to carry out operations.
Collecting 107 million pieces of facial recognition data, 53.5 million pieces of information on age groups, 16.3 million pieces on occupations, 1.4 million pieces of information on family relationships, and 153 million “home” and “company” addresses from passengers, in excess of the scope necessary to carry out operations.
Collecting 167 million pieces of information on the precise location (longitude and latitude) when passengers evaluated the driver services, both when the app was running in the background and when the mobile phone was connected to the Orange Video Recorder app (an app developed by Didi that enables dashcam recordings) in excess of the scope necessary to carry out operations.
Collecting 142,900 pieces of information on drivers’ education and storing 57.8 million drivers’ ID numbers in plain text in excess of the scope necessary to carry out operations.
Analyzing almost 54 billion pieces of information on passengers’ travel intent information, 1.5 billion pieces of information on passengers’ city of residence, and 304 million pieces of information of passengers’ non-local business and travel information without clearly telling passengers.
Frequently requesting irrelevant phone permissions of passengers when using the ride-hailing service.
Failing to accurately and clearly explain the purpose for processing 19 types of personal information, including user device information.
More information on these violations can be found at China Briefing.
While these are egregious violations of personal privacy, the PIPL was retroactively applied to Didi’s actions, something that is unconstitutional in the United States. This example illustrates that the CCP is able to use the party-state institutions to rapidly punish companies who dare to go against the whims of the party, not necessarily those who violate laws.
What is the China Internet Investment Fund (CIIF)?
The China Internet Investment Fund (CIIF, 中国联网投资基金) is the vehicle through which the CAC directs party-owned investment and is how the CAC acquires management stakes, known as “golden shares,” in key Chinese companies. These shares are typically equivalent to 1% of the firm’s ownership, which allows the CAC to gain board representation and veto rights for key business decisions. The CIIF fund description can be found on their website (CN) and is translated into English below:
“CIIF was established in accordance with the decision-making and deployment of the Party Central Committee, approved by the State Council, and jointly initiated by the Central Cyberspace Administration of China and the Ministry of Finance. The establishment of the CIIF is a major measure to implement the decision-making of the Party Central Committee and the State Council, deepen supply side structural reforms, innovate investment and financing mechanisms, and promote the implementation of the strategy of strengthening the country through the Internet. The total planned size of CIIF is 100 billion RMB (US $14.75 billion). China Internet Investment Fund Management Co., Ltd. is responsible for the market-oriented operation and professional management of the fund.
CIIF adheres to the national strategic orientation, follows the investment strategy of "making up for weaknesses, forging strengths, and laying out frontiers", and mainly adopts direct equity investment methods, focusing on investment in the Internet field. China network investment focuses on key Internet technologies and facilities, network security, artificial intelligence, Internet +, big data, cloud computing, network information services and other key areas, and selects network information companies that are in line with national strategies and have good prospects to help the development of the digital economy.”
Clearly, an institution that declares it is dedicated to both supply side structural reform as well as adhering to the national strategic orientation is more than a little schizophrenic. Regardless of the window dressing, the CIIF is the party-owned investment arm of the Cybersecurity Administration of China and the CCP. The CIIF allows the CCP to directly invest in strategic technology and take management control over private Chinese corporations that can help achieve policy goals.
Note: Wangtou Zhongwen (网投中文) is the entity that invested in Bytedance. It is jointly owned by CIIF and Beijing Cultural Investment Development Group, another party organization (CN).
Why is this important?
According to the CIIF’s fund description and investment portfolio (which can be found at the end of this article), the CIIF primarily invests in AI and machine learning, advanced chip manufacturing, and big data analysis. Aside from these industries being central to the CAC’s mandate, they are critical because the Party believes that global leadership in these fields will further China’s push towards national rejuvenation and economic independence.
AI capabilities allow China to enhance national security by developing AI-enabled audio, video, and internet surveillance as well as AI-enabled “direction” of online public opinion. At an international level, China is able to export these systems to other authoritarian regimes and use them to further anti-democracy operations. Additionally, China has stated multiple times that AI is central to military development. Potential use cases for AI in a military context include “smart deterrence” and AI-enabled aerial, surface, and underwater robotic platforms that have autonomous strike capabilities. Ownership and access to the top Chinese AI firms will enhance the party’s ability to direct effort towards these goals.
Advanced chip manufacturing is a major Chinese economic Achilles’ heel. The CCP has made repeated attempts to jumpstart their domestic chip manufacturing industry. These attempts have met with little success and their future has been further dimmed by recent US chip bans.
The CCP is re-attacking the problem in the form of direct ownership over chip manufacturers as well as greater directed investment (previous directed investment failed). The CIIF allows the party to pick national champions and avoid the disruption created by tech CEOs. Major manufacturers include ASR Microelectronics, Benyuan Microelectronics, Biwin Technology, Chipone Technology, ESWIN Computing, ESWIN Material, GTA Semiconductor, and Phytium (entity list). In addition to CIIF, all of these firms have multiple party-state institutions as key investors.
Additionally, CIIF investments in these industries lead to additional private capital flows as investors know that the party will protect these companies even if they do poorly.
It should also be noted that three US investment firms (GSR Ventures - Clounix, GGV Capital - Chipone, and Goldman Sachs - Ximalaya) have co-invested with CIIF.
What can the US do?
In recent years, multiple CIIF portfolio companies have been added to the BIS (Bureau of Industry and Security) Entity List. These firms include Cloudwalk Technologies, Sensetime, and Phytium.
The remainder of CIIF investments need to be investigated and added to the entity list if these companies are developing technologies that could be used for military applications or authoritarian repression. The mere fact that they are funded by the CCP indicates the high likelihood that they engage in activities that are contrary to the national security and foreign policy interests of the United States. In addition, US funds that co-invest with the CIIF need to be penalized for engaging in financial activity with a foreign entity that is hostile to the United States.
See below for a full list of CIIF investments. Companies highlighted in red are companies that are currently on the BIS entity list. Companies highlighted in orange are companies that are backed by multiple party-state institutions, indicating their elevated strategic importance.