The structure of the Chinese internet is unlike any other country, being similar to a gigantic intranet, according to research published by Oracle last week.
The country has very few connection points to the global internet, has zero foreign telcos operating within its borders, and Chinese-to-Chinese internet traffic never leaves the country.
All of these allow China to disconnect itself at will from the global internet and continue to operate, albeit with no connectivity to western services.
"Put plainly, in terms of resilience, China could effectively withdraw from the global public internet and maintain domestic connectivity (essentially having an intranet)," Oracle's Dave Allen said. "This means the rest of the world could be restricted from connecting into China, and vice versa for external connections for Chinese businesses/users."
Very few peering points
The most obvious sign that China is different from any other country in terms of how it structured its internet infrastructure is by looking at how the country is connected to the rest of the internet.
Normally, most countries allow local and foreign telecommunications providers to operate within each other's borders. These companies interconnect their infrastructure at physical locations called Internet Exchange Points (IXPs), and all the internet is a giant mesh of IXP peering points interconnecting smaller telco networks.
But China doesn't do this. Rather than allowing foreign telcos to operate within its borders, this market is completely off limits. Instead, local telcos extend China's infrastructure to foreign countries, where they interlink with the global internet.
This way, Chinese ISPs form a closely-knit structure capable of exchanging traffic among themselves. All connections that need to reach foreign services must go through the country's Great Firewall, reach foreign IXPs via closely selected telcos (China Telecom, China Unicom, China Mobile), and then land on the public internet.
This entire structure is very much akin to a corporate intranet, and has quite a few advantages.
First, China can impose its internet censorship program at will, without needing to account for foreign telcos operating inside its borders, and have to deal with their sensitive customer policies.
Second, China can disconnect from the internet whenever it detects an external attack, but still maintain a level of internet connectivity within its borders, relying solely on local telcos and data centers.
Internal traffic never leaves the country
But another advantage of this structure is that traffic meant to go from one Chinese user to another never leaves the country's borders.
This is very different from most internet connections. For example, a user from an Italian town wanting to access their city's website might find it surprising that their connection often goes through servers located in France or Germany before reaching the city's website.
Such "weird" connection paths happen all the time on the internet, and in many countries, but not in China. Here, because local telcos peer primarily with each other and have a few tightly controlled outlets to the external world, internal traffic has no reason to leave the country.
More "national intranets" to follow
The main advantage of this is that foreign intelligence services have very little insight into Chinese traffic, unless users connect to foreign services, and the traffic must cross China's borders.
From a national security standpoint, this is ideal; however, only China has such a system in place -- at least, for now.
"While China's structure is unique in the way it is physically set up to be separate from the rest of the world, other countries have begun to adopt the theoretical approach to cyber sovereignty that China is promoting," said Oracle's Dave Allen.
One of the countries that's trying to replicate this Chinese "national intranet" model is Russia. This March, President Vladimir Putin signed a new law giving the government expanded control over the internet. The law basically forces local internet providers to install devices that route Russian web traffic through government-run servers, where intelligence services are given free will to analyze the traffic.
Furthermore, the country has also been busy building a local backup of the Domain Name System (DNS), and has conducted tests to disconnect the country from the rest of the internet, as part of a planned experiment.
Russia may be a few years behind China, but the writing's on the wall as to Kremlin's intentions.
Related cybersecurity coverage:
- Gigabyte and Lenovo servers impacted by common BMC firmware flaws
- Academics steal data from air-gapped systems via a keyboard's LEDs
- Kazakhstan government is now intercepting all HTTPS traffic
- 93% of porn sites leak data to a third-party
- Microsoft to explore using Rust
- Permission-greedy apps delay Android upgrade so they could harvest more user data
- iOS developers still failing to build end-to-end encryption into apps TechRepublic
- The best identity theft monitoring services for 2019 CNET