The advent of the digital age was heralded as the starting point of a borderless world, the global village connected through the free and seamless transfer of information. This was not a blue-sky dream to tech firms with international aspirations, but an operating strategy. However, once you enter the second-largest economy in the world, this dream crushes on an impenetrable and quite real barrier: the Great Firewall of China.
The new digital era was proclaimed as the beginning of the era without borders, a global village linked together via the free and easy flow of information. For tech firms with aspirations of going global, this was not a moonshot, it was a game plan. But, once inside the second-largest economy in the world, this dream crumbles against an unassailable and all-too-real wall: the Great Firewall of China.
The Chinese firewall is a wall as much virtual as massive, which fundamentally redefines the way international firms must think and act around the country territory. China is, after all, weird: access is weird, access is hard, and access brings weirdly outsized rewards — which means that the study of this digital redoubt cannot possibly be an IT problem; it has to be a strategic problem. And how to bypass the firewall, is the question that many people have been asking. Fortunately, we can just use a VPN to access Chinese websites.
But, that said, the reality of engaging Chinese clients and customers is undoubtedly a lot more complex than flicking on an app. In this paper, I will discuss the disguise complexity of the great firewall, including the historical background and its technical base or foundation. The grave reasons why corporations need to erect a lateral way to circumstantial the great firewall.
We’ll be doing more than just the remedies into the full spectrum of the tools to employ, anywhere from consumer grade VPNs to enterprise class network architecture. Most importantly, we will dissect the legal, operational, and cultural ramifications inherent in creating an engineering environment in one of the most secure and regulated digital environments the world has known.
What is the Great firewall?
The informal term describing the vast mixture of policy measures and advanced software through which the People Republic of China controls its internal internet is called the Great Firewall (GFW). More formally, it is also known as the Golden Shield Project, more bureaucratically referred to as a surveillance-heavy censorship apparatus, that was originally introduced in 1998 and has never been stopped since then, it has been going on.
The purpose of the GFW is twofold, since it both prevents access to the internet to some foreign websites, applications, and sources of information, and considerably bogs down internet traffic across the borders. The outcome is an entirely distinct, closely regulated, and relatively closed online sphere, commonly dubbed as the “Chinternet”.
The project was conceived through the profound fear of the Chinese Communist Party that the free internet had the potential to overturn into a formidable way of organizing political protests and promoting thoughts against the state narrative. On the global arena, the government espouses the principle of cyber sovereignty, which it views as its guiding philosophy. This doctrine suggests that each country possesses the complete authority to be able to control the internet in their respective territories, and considers cyberspace as an enlargement of their national space. Practically, it implies that all activities conducted online are expected to face the same, or even more, laws and regulations as those being conducted offline. The government has a wide authority over what content should be viewed, what user should do, and what the terms of online communication should be.
This cyber sovereignty is enforced with the help of an arsenal of dynamic multi-tiered technologies implemented by the GFW. It is not a unit, it is a living structure of choke points and filters. These include:
IP Address Blocking
The simplest way. The firewall has a long list in black-listing IP addresses of undesirable sites and servers like Facebook, YouTube, and other social media platform. Any connection to an IP on which no response is received is merely thrown away, and a timeout occurs to the user.
Spoofing and Poisoning of DNS
This is a more deceitful way. When a Chinese user attempts to open a blocked page, as Google, the computer requests the Domain Name System (DNS) server to provide it with the IP address. GFW stops this request and instead reports a phony, erroneous IP address, bumping the user to another site, or blank page. This is referred to as DNS poisoning or corrupted internet address book.
Deep Packet Inspection (DPI)
Amongst the strongest tools in the GFW arsenal is this. DPI does not just check the origin and endpoint of the data packets, but also the content of the data being transmitted, even through supposedly secure connections. DPI can be set to scan sensitive keywords (such as Tiananmen Square or the name of political dissidents) or the identifiers of circumvention tools. In case of success, it can instantly kill the connection.
Key Word and URL Filtering
The firewall is active in searching URLs containing prohibited words. Although the primary site may be unblocked, a particular page containing a sensitive keyword at the end of its address can be blocked, nevertheless. Search engine queries and posts on social media are also subject to this filtering.
Connection Resetting and Active Probing
GFW does not merely block traffic; it actively scans suspect connections. It can impersonate both the user and the server to examine the connection and in case it sees that it is a possible attempt to evade censorship it sends a “reset” packet to both sides, effectively terminating the connection.
Human Censorship
Technology is just one of the equations. A huge pool of human censors is added to the GFW to review the content of social media, forums, and news sites to delete the publications and freeze accounts that have broken the rules.
The blocked services list reads like who is who of the worldwide internet. The full spectrum of Google services (Search, Gmail, Drive, Maps), Facebook, WhatsApp, Instagram, Twitter/X, YouTube, Telegram, Signal, and Wikipedia remain forever closed. Some significant global news sources such as the BBC, The New York Times, The Guardian, and Reuters are also constantly blocked. These implications are wide and drastic to any company that uses these drop global platforms as its day-in, day-out media of communication, marketing as well as operation.
Why Do Tech Businesses Need to Bypass the Firewall?
The Great Firewall poses a complex business challenge to foreign tech businesses and can hardly be seen as the simple annoyance. It is not an us-against-them desperation to access forbidden content; it is the bare minimum ability to operate.
Staying Connected and Productive in a Global World
Consider a day in the life of a multinational in Shanghai.
- The marketers are unable to log in to Dropbox in global headquarters to retrieve new campaign materials.
- The development team is bogged down because it is very slow and unreliable when accessing the corporate GitHub repository, leading to delays in committing codes.
- The project manager, who uses Slack to communicate with teams in London and San Francisco in real time, has the service fully blocked.
It is not an Armageddon, it is the reality of everyday life. The GFW cuts the digital strings that hold a global business in one piece, resulting in shear friction, lost productivity, and parts of operations that become siloed.
Getting to Business-Critical Information
Business is not carried out in a vacuum.
- Research and development departments should have access to the latest scholarly journals and technical conferences all over the world.
- Market analysis teams should be knowledgeable of global consumer trends, so they may visit international social media and news sites.
- The finance groups would be dependent on unrestricted access to global financial news, as provided by organizations such as Bloomberg and the Wall Street Journal.
The censorship employed by the GFW translates into deficiency in information that inhibits the capacity to make informed and strategic decisions in a global environment, to the extent that innovation is stunted.
Preservation of Data Security and Integrity
Data security is of primary importance, moving sensitive corporate assets, whether data about intellectual property and R&D schematics, or financial reports and customer-related data. Although the GFW is a regulatory instrument, it fails to secure business against cybercrime. Adding to this, in reality, sometimes it can be more risky to create workarounds, as it may be forced. Firms should adopt safe and encrypted transmission lines between their manufacturing establishments in China and worldwide headquarters to secure their most prized resources against industrial espionage and other risks.
It is possible to Unkinder Modern Software Development
The current tech stack is constructed using a global network of open-source tools, libraries, and collaboration tools. Package managers allow developers to fetch code out of shared repositories, such as NPM (JavaScript), Pip (Python) and Maven (Java). The GFW is able to throttle or block these connections, thus making a five-minute software build out a five-hour experience. Minor functions such as searching a solution to a problem of Stack Overflow would base of frustration. The digital friction directly affects the development schedules and the possibility of Chinese development teams to fit within the global software engineering processes.
The Main Instrument: VPNs (Virtual Private Networks)
The Virtual Private Network, or VPN, has become the go-to means of protection used by individuals and businesses over several years. VPN works by establishing a safe, encrypted tunnel between a device and a server in a different country. This tunnel transmits all the internet traffic of the user. This would do two important things: disguise the actual, China-based IP address of the user by substituting it with the IP address of the overseas server. Encrypt the traffic, so that its content cannot be viewed by parties intercepting it, such as the DPI systems used by the GFW.
But gone are the days of easy access to VPN in China. The latter has presented a sustained and evermore complex attempt by the Chinese authorities to eradicate the unauthorized use of them.
Legal Aspect of VPNs
China keeps a deliberately ambiguous legal framework around VPNs. In practice, the government has cracked down on all unapproved VPNs, which was made official in 2017. The Ministry of Industry and Information Technology (MIIT) has regulations, which require all VPN providers willing to legally offer them services to be licensed. These providers, the major state-owned telecoms typically, have to accept terms to get the licence which are interpreted to mean backdoor access to their systems to the government. This of course nullifies the whole reason behind using VPN in terms of privacy and security.
In the case of corporations, they can rent out a government-licensed VPN that has the licence issued by MIIT. These are sold as international private lines and are solely designed to be used internally by the business as a means to enable the office, in China, to reach its foreign headquarters. They are however subject to audit and are limited greatly. You cannot do general browsing of the open internet with them.
Technically illegal is to use a VPN when it is based in another country and not authorised. Although enforcement has traditionally focused on VPN service providers operating in China, with users sporadically affected as individuals lodged in a foreign country, the threats are increasingly rising. To business, using an unapproved VPN to conduct company business poses a great compliance risk. Once found, the penalties and unfavourable government inquiry may arise.
The Infinite Game of Cat and Mouse
Even the people ready to accept the legal risks, it is an unending technological struggle to use a VPN in China. The GFW has become so good at detecting and filtering VPN traffic. It applies DPI and machine learning to identify VPN data patterns and protocols of the more common VPNs.
This has given rise to an unending game of cat and mouse. VPN companies create so-called obfuscation methods (also sometimes referred to as Stealth VPNs) intended to make VPN packets look like legitimate, non-threatening HTTPS traffic, thus more difficult to be identified by the GFW. The GFW algorithms are countered by changing to recognize the subtle indicators of these efforts at obfuscation. The end-user payoff is monumental in solvability. The VPN service, that is functioning well today, might be slow down or blocked the next day. Such crack-downs are especially stringent during politically sensitive periods, as during the annual National People Congress, or anniversaries of important historical events. Such uncertainty is a nightmare to a business which relies on this connection.
How Companies Can Reduce the Dangers of Using Unauthorised VPNs
The possibility of using unauthorised VPNs in China has to be minimised, which can be achieved only by pursuing a multi-layered approach where risk cannot be eradicated. The main aim is to control legal, technical and operational exposure.
One is that companies should develop good governance. This entails having a severe Acceptable Use Policy (AUP) in which the passage to a VPN is restrained to business-critical-only international resources and categorically prohibits viewing illicit or politically controversial materials. The training is essential to make sure that all such rules are known to the employees, and personalised access to which is limited by the need of specific employees reduces the risk profile of the company.
Technically, the companies are to use high-end VPN providers that offer such vital characteristics: obfuscation (stealth) technology aimed at masking Great Firewall traffic; independently verified no-logs policy and a kill switch to prevent leakage of the data in case of connection failure. Operationally, it is important to develop resilience. At the business level, companies must use more than one VPN service as backup options during crackdown operations and employ split tunnelling techniques to decrease the workload and recognizability of the VPN.
In organisations that cannot risk tolerance, the final remedy is simply to circumvent the problem by investing in fully compliant, government-approved solutions. Such are committed international private line, SD-WAN, or MPLS circuits, which provide performance, legal connectivity of mission-critical operations without the use of the public internet.
The Future of VPNs: Connectivity Solutions Continuum
Since standard VPNs are not reliable and are legally questionable, a great number of companies, especially, larger ones, are considering a wider scope of more secure services.
Other Proxies, such as Shadowsocks
Shadowsocks is an open-source proxy with encryption features that were developed by a Chinese coder and is now a commonly attained circumventing packet. A proxy can be setup per-application or per-site, where a VPN often routes all the traffic of a device within the tunnel. It is usually perceived to be lighter in nature and may be more difficult to identify than a standard VPN, however, it remains within the field of fire of the GFW and is vulnerable to the same criminal liabilities.
Software-Defined Wide Area Networking (SD-WAN)
It is quickly emerging as a solution of choice among a number of multinational corporations. SD-WAN is an intelligent networking technology that enhances the process of traffic flow. A business organisation is able to use an SD-WAN implementation between its office in China and its wide area network. The system may be customized so that all traffic carrying business-critical traffic inside (such as ERP or CRM systems) is redirected via an exclusive high performance private line, bypassing the GFW entirely. This internet traffic that are less critical can in the meantime be sent through the web based on the public internet. This composite solution is a compromise in terms of price, performance, and reliability, is a heavy investment and needs technical resources.
Dedicated Lines (MPLS)
Multi-Protocol Label Switching (MPLS) is an alternative technology, which is a gold standard where connectivity is an absolute business necessity and cost is of secondary importance. The concept of an MPLS circuit is basically a dedicated line of data that is leased directly with the provider of telecommunications services and forms a direct connection between an office in China and a data centre beyond the country. It is not connected to the internet at large and so avoids the blockade and throttling of the GFW. It provides maximum standards of reliability and speed that is, however, very costly.
The Firewall practices
The firewall problem has a second side. In case your business requires to offer rapid and stable online service to the customers of countries within China, your website or application cannot be hosted overseas. The cross-border traffic will be inadmissibly slow, blocked by the GFW. Your only option is to install your service on servers in mainland china. This involves collaborating with a local cloud vendor (such as Alibaba Cloud or Tencent Cloud), securing the appropriate ICP licence, and readiness to observe all local data regulations. In customer-facing performance, you cannot use unapproved methods to circumvent the firewall, it is the manner of dodging the rules under its protection that has to be employed.
Finding one way through the Regulatory Minefield: Compliance is Non Negotiated
It is just not enough to have a stable connection in place. An understanding of the complex and continually-tightening regulation situation in China is the most important factor in any tech business that has a physical or digital presence there. Non-compliance may lead to devastating consequences in the form of debilitating fines, rescinding of business licences, and personal liability by the executives.
The main compliance areas are:
- The Cybersecurity Law (CSL): The CSL is a comprehensive law that dates back to 2017 and creates wide-ranging data protection and network security requirements on so-called network operators. Their definition is so broad, it could encompass virtually any firm with a Website or internal computing system within China. It requires tight security and makes compulsory collaboration with security investigations by the states.
- Localisation of Data and Cross-Border Transfers: A controversial and contentious aspect of the CSL and other data laws is the provision that requires “critical information infrastructure operators” (CIIOs) to store all personal information and “significant business data” that it or they collect in China on local servers. Exporting this information is not a simple decision that can be made by companies themselves, especially with governments and international concerns about security and user permission, which may become a significant barrier to the companies with worldwide data management plans.
- ICP Licensing: The Internet Content Provider (ICP) registration is required on any website or online platform operating in China. Two varieties exist, namely an ICP Filing (or a Bei an), a provision of which is necessary with solely informative filled websites, and a more demanding commercial ICP Licence, which is obligatory with any site providing its income, e.g. with e-commerce sites. They are obtained through a registered Chinese business entity, which may be a bureaucratic process. Using one will make you to be blocked.
- Self-Censorship of Content: The laws leave the burden of holding the content control to the platform provider. Legally, companies take all responsibility of the content in their sites and services. Such requires a very high level of proactive self-censorship. Teams are deployed to police and block any material that can be construed as being politically sensitive, pornographic, or generally anything against the vaguely defined rules of acceptable material as per Chinese laws.
A Continuous and Calculated Risk
There is a scale of opportunity that is unrivalled, but the Chinese market presents a unique and very challenging set of issues to tackle, of which the Great Firewall acts as the gatekeeper. Tech companies looking to win in China will want to have an elaborate, multi-faceted approach that extends more than what may be successful as a VPN this week.
Such a strategy requires a profound technical knowledge of all the connectivity options, their cost, advantages, and risks, including proxies, VPN, MPLS, and more. It mandates a staunch, real-time understanding of the dynamic legal and regulatory demands, supported by professional legal advice. And it requires a strong desire to localise, culturally as well as operationally, to products and strategies to a marketplace that does not correspond with globalization norms.
The Great Firewall does not cease to be merely a technical barrier; it is a form of culmination of the Chinese philosophy of cyber-sovereignty. As far as foreign high-tech corporations are concerned, coming to grips with doing business in its shadow is a crucial measure of their strategy, their technical prowess, their risk tolerance and their flexibility. The rewards of getting it right can be enormous, but it is those who come well-prepared, well advised and who are prepared to play a long game by very different rules.
