#58 Deep-Sea Cables, Amazon's bet on Anthropic, and China's Draft Data-Flow Regulations.
Submarine Cables as Critical Assets, Amazon x Anthropic, CAC’s latest draft regulations on controlling the flow of data beyond borders.
Cyberpolitik 1: Submarine Cables as Critical Assets
— Bharat Sharma
Submarine cables have been described as the world’s communication highways, given that they are responsible for 97 per cent of the data and information flows that result in trans-continental communication. The growth in digital connectivity and communications has spurred their proliferation, raising global demand at an annual growth rate of 4.8% from 2022 to 2030. The attractiveness of 5G and emerging technologies like AI and cloud services for the Indian landscape, as well as the centrality of India’s digital economy, has meant that regional undersea infrastructure, like submarine cables, is experiencing a similar pace of change. Data traffic has risen 3.2 times in India over the last five years. Data consumption in India is expected to reach a monthly average of 46GB by 2027 from its current 20GB. India’s international bandwidth demand is expected to increase 10 times between 2021 and 2028. Because global connectivity is on the rise, India’s geographic location means that connections between, for instance, Europe and Asia make places like Mumbai and Chennai some of the busiest landing stations.
The more we depend on such infrastructure for essential services, the more critical it becomes. The attacks on Nord Stream gas pipelines in Europe have triggered a discussion on the security of undersea cable infrastructure and what Europe can do to protect it. The debate on the undersea cable system (including how to maintain its security and shield it from vulnerabilities) has evaded public and policy attention. If these cables are so critical to our economies and national security, what explains the lack of attention to them?
Researchers Bueger and Liebetrau discuss three reasons why the submarine data cable network suffers from an “invisibility” problem. The first is that infrastructures — in general — are, in some sense, invisible. (Roads, ports, and buildings are visible infrastructures.) They are so familiar to our everyday lives that they fade into the background, although they remain just as critical. The second reason is connected to the first: the invisibility is amplified in the case of undersea systems like cables. As opposed to the visibility of electricity transformers and their role in bringing my locality electricity — for instance — the link between international financial transactions and the undersea cable system is only noticeable in an abstract sense. They are the least visible type of infrastructure and do not cause significant disruption in their building and construction. So, this again makes them invisible in their critical usage. What again amplifies this is the third reason.
Subsea cables — by virtue of being under sea as opposed to land — are affected by some form of “sea blindness” or the public idea that seas and oceans are empty voids and spaces absent of human activities. Maritime security agendas, moreover, only recently incorporated thinking about vulnerabilities at sea as part of the “maritime security” concept.
The need to reform the regulatory environment for submarine cable systems has received attention from the Telecom Regulatory Authority of India (TRAI). The TRAI has provided recommendations, including streamlining the licensing framework and regulatory mechanisms for submarine cable landing stations and adding provisions in the Indian Telecommunication Bill 2022 to “promote, protect, and prioritise ‘Cable Landing Station’ and ‘submarine cable’ in India.” It also suggested granting “critical infrastructure” status to the landing stations and according “essential service status” to the repair and maintenance of the cables.
Cyberpolitik 2: Amazon x Anthropic
— Josiah W. Neal
Amazon has invested a substantial $4 billion in Anthropic, an AI startup founded by former OpenAI employees. The primary goal of this collaboration is to advance the development of cutting-edge, secure, and highly controllable AI models using Amazon Web Services (AWS) infrastructure. Anthropic will leverage AWS's in-house custom silicon solutions, Trainium and Inferentia. This partnership involves an immediate investment of $1.25 billion, with an option for an additional $2.75 billion. Amazon's minority stake does not entail a board position.
The investment mirrors Microsoft's earlier venture with OpenAI, combining capital injection with an exclusive licence to integrate OpenAI's models into its ecosystem. This collaboration empowers Amazon's developers and engineers to integrate generative AI into their applications and create novel customer experiences. AWS cloud users gain access to future Anthropic models, like their ChatGPT/Bard equivalent, Claude 2, via Amazon Bedrock. LexisNexis Legal & Professional has used a custom Claude 2 model for conversational search, summarisation, and legal drafting. Bridgewater Associates is developing an investment analyst assistant, while Lonely Planet has significantly reduced its itinerary generation costs using Claude 2.
This collaboration highlights the ongoing strategic alliances between cloud service giants and innovative AI startups. Anthropic's CEO, Dario Amodei, confirmed their partnership with Google to develop services on Google Cloud infrastructure will continue, further solidifying the startup's influence in the AI landscape. Having participated in Anthropic's recent $450 million fundraise, Google has also reaffirmed its commitment to Anthropic.
Anthropic has stood out against its competitors by emphasising ethical guidelines in constructing, training and deploying AI models. Amazon and Anthropic actively engage in organisations promoting responsible AI development, including the OECD AI working groups, the Global Partnership on AI, the Partnership on AI, the International Organization for Standardization, the National Institute of Standards and Technology, and the Responsible AI Institute.
Amazon's investment in Anthropic marks a pivotal moment, reshaping the AI landscape and positioning both companies as influential players in the race for AI supremacy. As the partnership unfolds, the world watches to see how this collaboration will shape the future of AI technology and its global impact.
Cyberpolitik 3: CAC’s latest draft regulations on controlling the flow of data beyond borders
— Anushka Saxena
**This post first appeared on the Oct. 2nd edition of the Eye of China newsletter**
CAC's latest draft regulations
On September 28, 2023, the Cyberspace Administration of China (CAC) released the Draft 'Regulations for Standardizing and Promoting Cross-Border Data Flow' (English translation), and is seeking public comments on the document till October 15, 2023.
As stated by the CAC, the aim of laying down these regulations is "to safeguard national data security, protect rights and interests in personal information, and to further regulate and promote the orderly free flow of data in accordance with relevant laws."
Here, relevant laws broadly refer to:
People's Republic of China Cybersecurity Law of 2017;
People's Republic of China Data Security Law of 2021;
People's Republic of China Personal Information Protection Law of 2021; and
CAC's 'Measures on Security Assessment of Cross-Border Data Transfer' of 2022.
I would also include the 'Revised Counter-Espionage Law of PRC', which came into effect in July this year, under the framework of "relevant laws."
Despite all of this, the 'Draft Regulations' actually aim to ease restrictions on the sharing of some types of data beyond borders. What are these types?
As per clause 1 of the draft,
"Where the export of data in international trade, academic cooperation, or cross-border manufacturing and marketing activities does not include personal information or important data, it is not necessary to make data export security assessment declarations, conclude a standard personal information export contract, or pass personal information protection certification."
No specific parameters are detailed in the draft for what constitutes "important data." However, Article 19 of the above-mentioned CAC 'Data Transfer Security Assessment Measures' (which came into effect on September 1, 2022) defines "Important Data." It reads:
"The term "important data" referred to in these measures means data that, if tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operations, social stability, public health, and safety, among other things."
Moreover, an interpretation of clause 2 of the draft can also be helpful here because it tells us that when relevant governmental departments declare through a public notification or announcement that some type of data is "important data," then the cross-border flow of such data will have to be put through security measures (making security assessment declarations, concluding a personal information export contract, or obtaining a personal information protection certification).
Other exceptions to data export control measures, as listed in the draft, include:
Overseas provision of personal information that was not collected or produced domestically (clause 3);
Where personal information must be provided overseas as needed to conclude or perform on a contract to which the individual is a party, such as for cross-border purchases, cross-border money transfers, air and hotel reservations, and handling visas (clause 4.1);
Where the personal information of internal staff/employees must be provided overseas to carry out human resources management in accordance with lawfully drafted labor rules systems and lawfully concluded collective contracts (clause 4.2);
Where personal information must be provided overseas in urgent situations in order to protect natural persons' security in their lives, health, and property (clause 4.3);
Where it is estimated that the personal information of less than 10,000 individuals will be provided overseas in one year [with the rule that where personal information is provided overseas on the basis of an individual agreement, the data subject's consent shall be obtained] (clause 5); and
If data being exported abroad does not fall into the specific 'negative lists' of Chinese 'Pilot Free Trade Zones' [these may independently formulate a list of data (referred to as a "negative list") that needs to be included under data export security measures] (clause 7).
Clause 8 also provides that "where sensitive information involving the Party, government, military, and units involved with secrets or sensitive personal information are provided overseas, it is to be carried out in accordance with relevant laws, administrative regulations, and departmental rules."
Thoughts: A joint reading of the terms of this 8th clause, as well as an understanding of the overall cybersecurity and data control atmosphere of China, tells us that things wouldn't be as simple for foreign firms collecting data from Chinese citizens, as described in the exceptions above.
For example, any decision to export data would not just be governed by this particular set of 'Regulations' but a broader spectrum of cybersecurity and personal information laws, including regulations and notifications released by the State Council, the CAC, and even negative lists of the PFTZs (as curated across 20 such Zones in China as of 2022).
…And not all businesses can look to exercise these exceptions. In August 2021, China concluded 'Critical Information Infrastructure Security Protection Regulations' on the basis of one of the "relevant laws" mentioned above, the PRC Cybersecurity Law. As per Article 2 of the Regulations (English translation), 'Critical Information Infrastructure' firms include "important industries and sectors such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, national defense science, technology, and industry." This automatically means that any firm that recognises itself as associated with one of these industries is ineligible to export data without undertaking appropriate security measures.
Moreover, as each and every aspect of governance has become more and more securitised under Xi Jinping, anything can become "important data" at any time, given that it depends solely on the party-state and its judiciary to define its constituents. Hence, I believe that navigating the data export environment in China will only become more complex with the adoption of these draft Regulations.
What We're Reading (or Listening to)
[Opinion] What China’s missing officials tell us about its politics, by Manoj Kewalramani and Anushka Saxena.
[Podcast] Should People Go To Space? [All Things Policy]
[Discussion Document] Takshashila Discussion Document - Open RAN: Challenges and Pathways for Adoption, by Bharath Reddy.