cyber security Archives - Focus - China Britain Business Council
https://focus.cbbc.org/tag/cyber-security/
FOCUS is the content arm of The China-Britain Business Council
Wed, 23 Apr 2025 10:24:15 +0000

What does China’s new data privacy law mean in practice?
https://focus.cbbc.org/what-does-chinas-new-data-privacy-law-mean-for-uk-companies/
Tue, 07 Dec 2021 07:30:24 +0000

China’s new Personal Information Protection Law (PIPL) came into effect on November 1 and is now one of the strictest in the world governing what businesses can do with Chinese people’s personal information. So what do China’s new data privacy laws mean for your company in practice? And how can you make sure you’re compliant with the new regulations?

In this article, first published in China Briefing, Thomas Zhang, Dezan Shira & Associates’ Group IT Director, introduces the PIPL and explains several key considerations for companies to build a roadmap for compliance.


PIPL states that a company should appoint “a person in charge of personal information protection” when processing personal information on a large scale based on the criteria specified by the CAC. Is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?

No, it is not mandatory; however, for companies that don’t have an office in China and still want to provide services in China, a DPO or representative is necessary. In general, in cases where the company has an office in China and they can find a local person to play the role of representative, there is no need to have a DPO. Nevertheless, many companies don’t have enough internal resources to support this, so an external DPO can be very helpful.

Can a company send aggregated information derived from personal information across borders, especially if it doesn’t contain any specific personal information on Chinese citizens?

Yes, because we are talking about aggregated data – which doesn’t have any specific personal information of individuals. This means that it will be “abstract” data that cannot be tracked to one single individual. In this case, the data will not be treated as personal information or as sensitive personal information, and you are allowed to transfer it outside of China.


A company is exchanging data with its headquarters via SAP. Will this be deemed a cross-border transfer and require a Data Protection Impact Assessment (DPIA)?

If your IT system is located in the UK, but your business operations in China are processing personal information, you will need a DPIA. Whether you are allowed to transfer personal information out of the country or not is based on the scale of the personal information. The Cyberspace Administration of China (CAC) will specify the criteria about which kind of personal information will not be allowed to be transferred out, but for now, we will need to wait for more details from the government.

Many international schools store student data. What about the protection of data for children under 14 years old? Are there special protections under the PIPL?

Yes. Information from people under 14 years of age will also be regarded as sensitive information. If you are going to process sensitive personal information, you must collect separate consent and conduct a DPIA.

Are employee names and mobile phone numbers in an active directory considered personal information?

Yes. The definition of personal information is very wide under the PIPL. Any information that can be tied to one single individual is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual. Names are also a kind of personal information. Although a name can be common and used for multiple people, under the PIPL it is still considered personal information.


Are security logs (e.g., firewalls and active directories) considered personal information (as they are usually linked to an IP address or account name and not directly linkable to the user)?

Yes. Under the GDPR, IP addresses are defined as personal information, and this is the same for the PIPL. We know that IP addresses are dynamic, but from an IT perspective, we can still trace an individual to their IP address most of the time with certain efforts, making IP addresses one kind of personal information under the PIPL.


If processed personal information is stored by a third-party vendor such as Google Drive, does it fall to the vendor to formulate proper information protection that complies with the PIPL?

Similar to GDPR, under PIPL, it is the information controller – the one who makes decisions on how to collect and store the data – that assumes the responsibility for personal information protection. Therefore, if you are the information controller, and you make the decision to collect personal information and make the decision to transfer it out to save in Google Drive, you are responsible for everything. Of course, you can make a service agreement with your vendor to specify what kind of measures should be taken to protect the personal information.

If an IP address is a company private IP address, for example, 10.0.0.1, is it considered personal information?

From a technical perspective, yes. For example, in China, the cyber police require companies to set up a firewall or security device, which can allow the company to track the website access logs for users. This means that even if you are using a private IP of your company, your firewall or security can still track these records, and IT can use these records to trace back to the individual using this IP address. In practice, however, at the current stage, IP address information is really a minor consideration for the authorities. There are other more significant issues for the authorities to pay attention to.


This article was first published by China Briefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to info@dezshira.com for more support.

Understanding China’s cybersecurity and data protection risks
https://focus.cbbc.org/understanding-cybersecurity-and-data-protection-in-china/
Mon, 01 Feb 2021 09:04:59 +0000

Before a UK company sets up in China, it’s key to weigh up cybersecurity risks: From the effect of the Great Firewall of China to data collection, early research and expert advice are both vital.

China has established itself as a global superpower, growing its GDP to become the second-largest economy in the world behind the US. Its influence on the global stage is expected to expand even further, with…

China’s cyber security law will strengthen government control over information
https://focus.cbbc.org/new-cyber-security-law/
Sun, 20 Aug 2017 14:19:32 +0000

On June 1 2017, China’s new cyber security law came into effect. The new legislation was adopted by the National People’s Congress (NPC) in November 2016 after a year of legislative proceedings.

The main objective of this new law is to strengthen central government control over information flows and data security, as well as preventing cyber attacks, computer viruses and other network security violations (such as unauthorised data leakage or theft). A further objective is to strengthen China’s data privacy regime as a key measure to protect private citizens.

The new law is expected to have an adverse impact on many foreign technology companies operating in China, although its broad scope is also likely to affect companies operating in other areas. Many foreign companies are currently assessing what impact these new rules are likely to have on their China operations, and what steps they should take to comply with the new legislation.

This CBBC Insight sets out some of the key highlights of the new law and considers the potential impact on British companies operating in China.

Key principles of cybersecurity law

The cyber security law contains 79 articles in seven chapters, detailing a number of new cyber security requirements, including:

  • Safeguards for national cyber space sovereignty
  • Protection of critical information infrastructure (CII)
  • Security obligations of network service providers and operators
  • Improvements to personal information protection regulations
  • Establishment of a key information infrastructure security system
  • Rules for cross-border data transmission

Network operators

The new law mandates that network service providers and operators will be required to strictly maintain confidentiality of user information and to install protection systems to defend user information. Network operators are defined as companies that own networks, manage networks and provide network services, which is sufficiently broad to encompass telecoms operators, internet providers and social media companies. Network operators are also required to provide “technical support and assistance” to government authorities. It remains unclear whether this will include providing backdoor and decryption assistance for encrypted data.

Critical Information Infrastructure (CII)

The cyber security law has a core focus on “critical information infrastructure” (CII). Critical infrastructure is defined as key industries controlling data that could pose a national security or public interest risk if damaged or lost, including areas such as energy, finance, transportation, telecommunications, medical and healthcare, electricity, water, gas and social security.


Article 35 of the cyber security law also requires CII companies to go through a national security review when procuring products and services, as well as to conduct annual security risk assessments of their data. Technologies will be assessed on whether they are “secure and controllable”, which has created significant concern among foreign companies that this could involve handing over source code or other trade secrets to government regulators. While foreign business groups have lobbied the government to pursue non-discriminatory policies in line with WTO commitments, there remains a lack of clarity in terms of how these new requirements will be implemented in practice.

CII operators are also required to comply with much stricter requirements on cyber security measures in place, including:

  • Setting up dedicated cyber security governance and designating responsible persons
  • Organising periodic cybersecurity training
  • Implementing disaster recovery backup for important systems and databases
  • Formulating emergency response plans and organising periodic drills

The law also requires the government to conduct periodic spot-checks of critical information infrastructure and give directions to remedy any identified security risks.

Suppliers of network products

Suppliers of network products and services will be required to comply with relevant national and industry standards and ensure the security of their products. Products determined to be “critical network equipment and network security products” are required to go through testing by third party evaluation centres prior to being sold in China. The Cyberspace Administration of China (CAC) will also release a catalogue of critical network equipment and network security dedicated products that require mandatory certification or testing in accordance with compulsory requirements of national standards.

Data localisation and cross-border transfers

One of the most significant and controversial features of the cyber security law is the requirement that all sensitive personal information and important data produced and gathered by CII companies must be stored on servers located in mainland China. Where it is necessary for data to be transferred outside mainland China, a security assessment must be carried out. Consent of the data subject must also be sought before data can be transferred overseas.

In April, the CAC published a draft of “Measures for Security Assessment of Personal Information and Important Data Leaving the Country”, expanding this data localisation to network operators and “other individuals or organisations”. The widespread interpretation of these measures is that the data localisation requirements will apply to most businesses collecting data from individuals or organisations in mainland China, and not just network operators or CII providers.

Article 37 of the cyber security law refers to two types of data: personal data on individuals and “critical data” (e.g. group-based data) collected and generated within the territory of China. Personal data includes information such as an individual’s name, date of birth, identification number, personal biometrics data, address or phone number. Critical data is not defined, other than that it relates to national security, economic development and public interest.

According to the draft, the following data are not allowed to be exported:

  • Personal data for which no prior consent was sought for export or where an export might jeopardise personal interest
  • (Any) data for which an export brings risk to national security (eg. politics, economy, technology, national defence) or may possibly affect national security and damage public interest
  • Other data for which an export is barred by administrative authorities like the CAC, police and/or other national security authority.

According to the draft measures, network operators are required to undertake a self-assessment on an annual basis, which should consider the necessity of data transfer, the type and sensitivity of the data, the security protection measures and capabilities of the data recipient, the risk of loss or unauthorised access to the data and any national security risks.

A mandatory assessment is required if the data to be transferred includes any of the following:

  • Personal information that involves or accumulates more than 500,000 individuals
  • Data volume that exceeds 1,000GB
  • Data in fields such as nuclear facilities, chemical biology, defence and military, population health, as well as data involving large-scale engineering projects, marine environment or sensitive geographical information
  • Network security information including system bugs and safety protection of CIIs
  • Provision by CII operators of personal information and important data abroad
  • Other data that, in the opinion of the industry regulator, may affect national security and social public interests and should be subject to security assessment.

Implications for UK businesses

There is significant ambiguity in terms of how the cybersecurity law and draft measures on data export will be put into practice. In particular, the definitions of “critical information infrastructure” and “network operators” remain vague, as does the question of to whom the rules should apply. Similarly, there is currently no clear single definition as to what constitutes “important information”.

An obvious implication of the new cyber security law is that any UK companies providing network services or CII in China should carry out an immediate review of their security infrastructure and data protection procedures to comply with new security requirements.

In a similar vein, any foreign company whose business model involves collecting and storing data from Chinese individuals or entities on servers located outside China should consider taking proactive steps towards localising data to servers in mainland China. There may be significant cost implications where foreign companies are required to migrate data to Chinese servers, along with possible concerns around data security and IP leakage.

Any UK companies supplying network security and equipment into the market should take steps to comply with certification requirements and pass a national security review as soon as these requirements are clarified. Some network and security technology vendors may be forced to withdraw from the market if there are substantive risks to intellectual property being compromised by an overly-invasive security review process.

Given the wide scope implied by the measures on data export, it is possible that foreign companies in non-technology areas may face restrictions on transferring basic information (such as employee data) to servers outside China. This may require companies to undergo the self-assessment process, or to move data to servers in mainland China for the foreseeable future.

Non-resident foreign companies that currently collect, manage or store Chinese data on overseas servers may need to consider setting up a legal entity in China to manage data, or to consider an alternative business model. Alternative business models as a result of this are likely to involve licensing/tech transfer to a local Chinese partner, which will inevitably involve greater commercial/IP leakage risks.

CBBC is continuing to monitor the situation and will update members as soon as further clarity becomes available. We encourage any members who may be unsure about how these new rules will affect them to reach out to CBBC for further advice and support, and we can recommend a number of member companies for more in-depth legal advice on these issues.

For more information contact CBBC’s ICT sector lead mark.hedley@cbbc.org

The growing threats of cyber crime
https://focus.cbbc.org/cyber-crime/
Mon, 20 Mar 2017 13:46:16 +0000

Hackers are attempting to sabotage elections in Europe and have brought American democracy into question. A £1.9 billion investment and a new cyber-security centre prove just how seriously the UK is taking cyber-crime, writes Tom Pattinson

On Valentine’s Day, Queen Elizabeth II and Prince Philip attended a formal opening in a cavernous, steel and glass building in Victoria, central London. One of the only public appearances the Queen has made this year, the visit was to open the government’s National Cyber Security Centre (NCSC). The centre has been established to combat cybercrime and attacks on government and British businesses, as well as to protect the economy and society at large.

In October 2016, as the NCSC was just starting operations, the sitting head of MI5, Andrew Parker, gave an interview to a newspaper. In the only interview an incumbent MI5 chief had given in the organisation’s 107-year history, Parker said that, while much attention was focused on Islamic extremism, cyber terrorism and cybercrime pose a major threat to the UK.

In a speech in November 2016, Philip Hammond, the UK’s chancellor of the exchequer, said that the UK must “keep up with the scale and pace of the threats we face”. He announced a £1.9 billion package to be spent “proactively attacking those that attack”. That package also helps fund the NCSC and the estimated 50 newly recruited specialists who work there, while more than 100 private sector experts have been seconded to work there, funded by the companies from which they came.

“Government cannot protect business and the general public from the risks of cyber-attack on its own. It has to be a team effort,” said Hammond. “It is only in this way that we can stay one step ahead of the scale and pace of the threat that we face.”


The NCSC is under the purview of GCHQ – the government’s intelligence-gathering centre – and is being headed up by Ciaran Martin, formerly cyber security director of GCHQ. “We will help secure our critical services, lead the response to the most serious incidents and improve the underlying security of the internet through technological improvement and advice to citizens and organisations,” Martin said.

In the three months since opening, the NCSC saw 188 Category Two or Three cyber attacks. The UK has yet to fall victim to a Category One attack, the highest level, such as the theft of confidential details of millions of American government workers in June 2015.

At the February opening of the NCSC, Hammond said that “the cyber-attacks we are seeing are increasing in their frequency, their severity, and their sophistication”. And Martin, the centre’s chief executive, said that the UK has “had significant losses of personal data, significant intrusions by hostile state actors, significant reconnaissance against critical national infrastructure”.

The centre will protect critical infrastructure, such as energy and transport and create automated defences to safeguard citizens and businesses and deter attacks from criminals and “hostile actors”, said Hammond.

One of those hostile actors, according to MI5 chief Parker, is Russia. “It is using its whole range of state organs and powers to push its foreign policy abroad in increasingly aggressive ways – involving propaganda, espionage, subversion and cyber-attacks,” he said. “Russia is at work across Europe and in the UK today.”

Parker’s comments were made in October and the events over the subsequent months that saw Russia influence the American democratic process prove the dangers of state-sponsored cyber crimes.

There has also been a string of high-profile attacks across Europe that has seen the German Parliamentary Channel and the French television channel TV5 Monde both shut down – attacks orchestrated by the Kremlin, according to investigators. France and Germany have also warned of the possibility of Russian interference in their elections this year.

British secretary of defence, Sir Michael Fallon, said about Russia: “today we see a country that in weaponising misinformation has created what we might now see as the post-truth age. Part of that is the use of cyber weaponry to disrupt critical infrastructure and disable democratic machinery.”

But it is not just an existential threat to democracy that concerns government and businesses. In 2007, an attack on Estonia saw websites belonging to parliament, banks, ministries, media and broadcasters all shut down. In 2015 a power station in Ukraine was taken offline by a cyber attack, leaving 225,000 without power during winter. The effects on the economy of banks being shut down are obvious. The idea of electricity grids, air traffic control or water systems being shut down is terrifying.

Whether from sabotage or espionage, cyber crime costs businesses £365 billion annually. China is one of the five cyber superpowers (along with America, Russia, the UK and Israel) and there have been accusations from a number of countries of Chinese attacks on intelligence materials. However, much of China’s resources have been spent on sourcing international intellectual property. Defence contractors, including Lockheed Martin and NASA, are thought to have been victims of attacks that have originated from China and Chinese telecoms company Huawei has failed in its bid to win contracts in the USA due to security concerns.

“China will be using [cyber technology] as a theatre of relations with other nations, they will be using this as a theatre of economic advantage, and they will be using it as a theatre of war, just as everybody else is,” says Lord Paddy Ashdown, former leader of the Liberal Democrats and senior advisor to cyber security firm G3.

China has its own concerns over cyber security and has just launched a new cyber security law. “Essentially the law requires foreign technology companies to disclose source code and other commercial secrets,” explains Kirk Wilson, CBBC’s executive director. The law, which will be implemented in June, says that all network transmissions must be monitored and all “important” business data must be stored on Mainland Chinese storage devices. Essentially this gives Beijing access to foreign companies’ technology. It also states that no company can use the internet to endanger national security, promote terrorism, or spread false information to disturb the economic order – wording that is very much open to interpretation. If any wrong-doing is suspected the law states that companies must also give government investigators full access to their data.

The American Chamber of Commerce in China issued a statement saying that the new law will do little to protect security of digital systems but will be a barrier to trade and innovation. With foreign companies being required to store data locally in China and only employing technology that is deemed secure, it will, according to the Chamber, give locals an advantage over foreign rivals.

Chinese digital companies are aware that survival relies on providing the government access to their data. WeChat is the latest Chinese company that reportedly allows the authorities to monitor messages. And while emails and digital messages are routinely monitored in other countries, as Lord Ashdown points out, the UK is “necessarily restrained in our activity by the rule of law. Other nations and China would be one, would not be so scrupulous about this.”

So who might be at risk from cyber crime and why? “If you are in or anywhere near to the defence area you are going to find yourself a subject of [an attack] as you would anywhere else,” Ashdown says.

“I advise a small business that makes power tools. Are they going to be the result of state sponsored intervention? One would have thought not – they would be too far below the radar for that,” says Ashdown, “But on the other hand, it is relatively cheap to have private means to do that so you shouldn’t assume anything you do is going to be beyond the reach of the state or private investigators.”

Hackers might be working for political reasons, money or simply just the challenge of it, but hacking technology is simpler to use and cheaper to obtain than ever before. “Previously the scale and technical knowledge needed to operate such attacks was a barrier but this is no longer the case,” says CBBC’s Wilson.

Additional reporting by Nancy Pellegrini

The cyber-security terms you should know
https://focus.cbbc.org/the-cyber-security-terms-you-should-know/
Mon, 20 Mar 2017 13:44:43 +0000

Baiting: The use of bait such as a flash disc or CD that appeals to the curiosity or greed of the user, for instance, a flash disc labelled with a competitor’s logo. Once plugged in, the disc will infect the computer or the network with malware or spyware.

Malware: Malicious software designed to damage a computer or network or gather information.

Phishing: An attempt, usually by email, to get sensitive information, such as usernames, passwords or card details, by pretending to be a trustworthy and legitimate business such as a bank.

Spear Phishing: Emails are more targeted than the generic phishing emails, and sent to specific users to create a higher penetration rate.

Social Engineering: Psychological manipulation of people to divulge sensitive information. This might be to befriend someone through social media sites to gain their trust and to receive sensitive information from them.

Spyware: Software designed to gather information from a computer or network without the user being aware.

Tailgating: Where someone enters a secure area by following an employee, who often holds the door open for the person who does not possess the correct valid permits to be there.

Trojans / Trojan Horse: Malware designed to disguise its true intent. Through email or physical discs, the software might purport to be one thing but is actually another.

How to protect your business from cyber attacks
https://focus.cbbc.org/how-to-protect-your-business-from-cyber-attacks/
Mon, 20 Mar 2017 13:42:06 +0000

Invest in security and training

“Cyber threats are framed as something existential, technical and expensive, and the usual response to fear, fees, and something incomprehensible is to do nothing,” says Malcolm Taylor, head of cyber security at G3. “Security can be managed with a limited level of investment. Business owners are good at managing risk. Seeing this as just another business risk makes it more comprehensible.”

The post How to protect your business from cyber attacks appeared first on Focus - China Britain Business Council.

]]>
Invest in security and training

“Cyber threats are framed as something existential, technical and expensive, and the usual response to fear, fees, and something incomprehensible is to do nothing,” says Malcolm Taylor, head of cyber security at G3. “Security can be managed with a limited level of investment. Business owners are good at managing risk. Seeing this as just another business risk makes it more comprehensible.”

Ensure your staff are aware

“Businesses need to make it easy for staff to report suspicious emails, calls, and visitors,” says Jenny Radcliffe, head of training and consultancy at Jenny Radcliffe Training. “The only way to help prevent social engineering is to have a workforce who are comfortable reporting issues and suspicions to management, and who are not blamed for their mistakes or for false suspicions. Attacks are complex, sophisticated, and nuanced enough to get past at least some of the people, most of the time – which is all it takes to breach many organisations. This could mean helpdesk staffers pressured into giving out details, or employees letting fake delivery people gain access without checking IDs.”

Know what to look for

“Educate users on how to spot a [phishing] email,” says Gavin Millard, EMEA technical director of Tenable Network Security. “Making sure they know why you shouldn’t share personal information or install software from unknown sources can benefit them at work as well as at home.”

Be careful what information you share

“I have heard about losses of up to £50,000 from fairly small businesses due to simple social engineering such as CEO fraud,” says Jamie Randall, CTO of IASME Consortium. “These targeted attacks often use information from LinkedIn and Facebook to build up their story, such as knowledge that the CEO is on holiday with family.” 

Back up and encrypt data, and install antivirus software

It’s obvious, but it is incredible how many companies still fail to install the latest antivirus software or back up their data. It is important to keep a backup of servers or databases on an encrypted hard drive or back-up server that is on a separate network to the main server.

For more information, see the UK government’s “Ten Steps to Cyber Security” on the National Cyber Security website: https://www.ncsc.gov.uk/guidance/10-steps-cyber-security.

Former Liberal Democrat leader Paddy Ashdown talks about cyber security, the rise of China and the fall of Western hegemony https://focus.cbbc.org/paddy-ashdown/ Mon, 20 Mar 2017 13:25:50 +0000

China’s economic growth has made it a destination for many British businesses. What advice would you give to businesses looking to enter the Chinese market?

China is a genuinely open market and one of huge potential for anyone who is prepared to be commercial and a bit adventurous. In economic terms they are reliable. The rule of law of course is less effective than you’d find in a western country but it is still there.

But it is a genuinely competitive market and if that’s what you are, there are great gains to be made but, as in any state-run economy, you should remember you are always dealing not just with the businessman, but the state institution that lies behind it. And that means if you get yourself into difficulties that are believed to be counter to the interest of the state, it’s politics that will dominate, not economics.

My own view is that whereas Russia is a kleptocratic state that doesn’t enormously rely on the rule of law (and the rule of law can always be bent, in relation to the political governors of a nation, above all Putin and the KGB) China genuinely tries to be a law-abiding citizen in the world and will always want to be seen to be acting in a law-abiding manner. But behind that lies a number of things. First of all, it is a state-run organisation, it is a mono-political structure, it is not run on Western democratic lines and if the interest of the state conflicts with whatever you happen to be doing – whether legal or not – it is the interest of the state that will dominate.

Be enthusiastic, be adventurous, take chances but always be aware that behind it, whatever you do, you are not going to enjoy the same objective operation of the rule of law (although better than in other countries), as elsewhere.

Are businesses taking cyber security as seriously as they should?

Cyber security is the new front line in terms of operational advantage, economic advantage and state advantage. Taking the case of the issue of security and conflict I have often argued that the first four or five thousand years of warfare, say from Alexander the Great through to the battle of Blenheim, he who won on the land won; after the next hundred years from the battle of Trafalgar, he who won on the sea won; since the early days of the 1930s and the Spanish Civil War, he who won in the air wins. I think what is next and what people fail to understand and what is the strategic difference of the new operation of conflict and inter-relations of nations, it is now cyberspace – and he who wins in cyberspace, wins.

So you can be sure that all of those advanced countries (and technologically and you have to count China as one of those, and perhaps one of those at the forefront) they will be using this as a theatre of relations with other nations, they will be using this as a theatre of economic advantage, and they will be using it as a theatre of war, just as everybody else is.

I think in many ways none of us has come to grips with what I would call the synoptic change that is taking place.

In the 18th century you would have had couriers on horseback dashing around carrying pieces of information that everybody is trying to get at, both commercial and economic and inter-state. Later on it would be tapping the airwaves, and now this is the new theatre where these things happen. China is particularly good at it, and particularly more able to reach into corners (which maybe less advanced nations wouldn’t be able to reach, though I suspect they are not particularly better than we are).

Whereas we would extend that power, we in the West do extend that [power] to relations with other states, being able to intervene and intercept the communications of other states. To be able to dominate the battlefield we probably would not extend much into the commercial theme because we have laws of privacy but China I expect would not be bound by such niceties. And by the way, as a superpower, we behave not too differently when we were the superpower in the world, and the state advantage and economic advantage are quite closely tied together and we want to be able to make sure that one reinforces the strength of the other.

We are [one of the five cyber-superpowers] and we are necessarily restrained in our activity by the rule of law. Other nations, and China would be one, would not be so scrupulous about this. But I don’t think they are exceptional in this matter.

Should small businesses be worried?

If you are in or anywhere near to the defence area you are going to find yourself a subject of that as you would anywhere else.

I work with and advise a small business that makes power tools. Are they going to be the result of state sponsored intervention? One would have thought not, they would be too far below the radar for that. But on the other hand, it is relatively cheap to have private means to do that at a relatively cheap level so you shouldn’t assume anything you do is going to be beyond the reach of the state or private investigators. So ensure you have the best cyber protection you possibly can. It makes common sense.

Will the recent polarisation of UK politics see a new central-left party emerge and how can the Liberal Democrats benefit from the leadership challenges of the Labour Party?

If you remember history, and far too few of us read history and far too few politicians do (which means you’ve got no mechanism for accurately judging what you are doing at the moment), but if you look at history, you’ll see that in the early decades of the 20th century there was a fundamental shift of the politics of Britain and the politics of the Western world.

If you go back to the days of the Changing of the Guard and Gilbert and Sullivan, they said you were either a little liberal or a little conservative. The Liberal Party then spanned what you might call intellectual metropolitan voter or person, and also was a representative of the working class of Britain.

In the second decade of the 20th century, Labour took that position and it was impossible for Liberals to straddle that gap. I think Labour now is in precisely the same situation. Mr [Jeremy] Corbyn has helped it get in to the same situation (but it was going to get there anyway and even if Mr Corbyn was changed it wouldn’t make much difference).

The bottom line is that Labour has lost all traction in Scotland without which they can never be the government of Britain again as the single majority party, and now they are losing their northern working class areas to UKIP and perhaps even the Tories a bit. We will wait and see. And meanwhile they are finding it impossible to straddle what you might call the London metropolitan natural voter and the working class areas of Britain. And the classic example of that is over Brexit.

What we are beginning to see now, the probability (unless Labour can find a way out of it and I don’t think they can, I think their problem is a lot more electoral than it is to do with Corbyn) then Labour looks to me, in long-term terminal decline.

You then have this curious phenomenon. Politics has spun now away to extremes. Mr Corbyn has taken the Labour Party into a position where it no longer makes any attempt to occupy the centre-left but is proudly a 1950s-style semi-state socialism and Mrs [Theresa] May has taken her party, in terms of position, which is indistinguishable from UKIP. I don’t mean they are the same as UKIP but the policy position they have adopted is now pretty much indistinguishable.

The vast centre ground where I think the vast majority of the British political centre of gravity lies now, is the new unrepresented and the new voiceless. Occupying that ground you have a collection of parties (it reminds me very much of the 1930s by the way) and so you have a collection of parties of which the most comfortable one (and that’s why the liberal democrats have seen such a huge surge in their membership) and also in their capacity to win votes. Particularly you see it in by-elections but you also saw it in Richmond.

But the problem with the Lib Dems is – and I adore them and I love them and they are my party and I will never vote for anything else and I advise people to join them – but the reality is that we have nine MPs. So I characterise the Liberal Democrats’ dilemma as: previously we needed a strategy to find a small space to stand on. Now we are too small to occupy the space that’s available.

And so my view is that there needs to be, to make sense of our politics, some realignment of those who are the voiceless, the moderate centre-left of Britain. Can the Lib Dems do it by themselves? If they can I would be delighted but my guess is in the time they are not going to be able to. So I think the point becomes how do they work with others to create some political voice for those voices that feel they are left out in the Brexit debate, for instance. And I don’t think that will happen organisationally. I don’t think that will happen by people saying you must leave your tribe to join mine. I don’t think it will happen by sitting in darkened rooms saying you have this seat; I will have that. I have tried that and it doesn’t work. It didn’t even work in the 1980s when the SDP [Social Democratic Party] was caused, let alone what will happen now when people aren’t much prepared to do what the centre tells them.

My view is that it is more likely to happen organically rather than organisationally, that we create a space in which people can work together and in a sense, More United – the organisation that I am involved in – is part of that.

So what I think I’d say about the Lib Dems is it is necessary that they are strong. They need to be as strong as they can, they will grow fast, I will certainly be supporting them as they do, and I hope they grow faster than we can conceivably imagine. So a strong Lib Dems is essential. It’s necessary but not sufficient. We need to have a wider gathering of the moderate forces of the centre.

Now the UK has voted to leave the EU, what is the best Brexit scenario?

The best scenario is we find our way back into the European Union. Without a shadow of doubt. We are beginning to understand the cost of the decision we took. I don’t think rushing around saying, “give us another referendum” is the way to do that. And I think there is a moment where you may well find – some time towards the middle of the year or in the third quarter – where the public mood changes, where the worm turns, where we understand the cost.

But I don’t think on this occasion, politicians can do very much to lead. We have to wait for the moment and then take it when it comes. If we cannot find our way back into the European Union – and it is by far the option that I would prefer (although it is not easy to find a route that will take us there at the moment) – then we need to be as close to the European Union as we can be.

Mrs May claims that she has a mandate for Brexit. We have to agree with her that she does but she has no mandate whatsoever to take us out of the single market, not least because the Conservatives promised in their manifesto that we’d stay in it and the vast majority of people judging by opinion polls want us to stay in it. And so Brexit is taking us into a position, which is inherently not helpful, but in taking the most brutal and extreme form it is doing something which I think is very damaging indeed.

So I think the best we can do at the moment is prepare for the moment when the worm turns, when the public opinion shifts, if it does, and use every force we have to make sure that in leaving the European Union we remain as close to it as we can possibly get.

Will Brexit have an effect on trade with partners outside the EU?

I have no doubt about it whatsoever. It will have a huge effect on us. But not just that, but on our standing. I am particularly conscious of the fact that Britain used to be a medium-sized world power that was listened to and had influence. And that influence has been catastrophically cut because of the decision we took – I had someone say to me the other day: “We looked on you as a global power who had influence and who we listened to but I’m not sure you are going to be very much [more influential than a country like] Denmark in the future.” I don’t agree with that but I know where he is coming from.

If you are measuring the effect of this on other nations, you don’t just measure it in terms of economics, but you also measure it in terms of political influence in the world, which has been catastrophically diminished. And furthermore we’re only left with two options. If we don’t get close to Europe, then we have to get close to Trump, and that’s not a very appetising prospect.

You know the line in “The Lobster Quadrille” – the further we are from England the closer we are to France. Well the further we are from Europe the closer we are to Washington, and I’m not sure if I particularly want that at the moment and I am not sure too many others do either.

With America being increasingly inward looking and Europe possibly collapsing, is China starting to look like the good guy in all this?

It’s looking like a leader. Not just looking like a good guy but it’s certainly looking like a leader.

There is every sign that certainly European leaders and a significant number of their population are now saying “hang on – we will reject Anglo-Saxon exceptionalism and isolationism and take refuge in European solidarity” and that’s the right way to go. I guess if we can get past the French and German elections that is what will happen.

But underlying this is something much more fundamental. We are moving away from a mono-polar world, which is a rather rare circumstance, there has probably only ever been three in the world: the Roman Empire, the British Empire and the last 70 years of the American century – to a multi-polar world. America may be the strongest in a multi-polar world but they do not dominate it like they did in the past.

If you want a picture of what I think politics looks like and statesmanship looks like – it doesn’t look like what it’s looked like in the last 50 or 60 years. It looks much more like Europe in the 19th century when there was a five-sided balance of power and there was a period of shifting relationships. It looks much more like that.

Whether America understands that (and particularly America under Trump) I really get worried that Trump completely fails to realise the geopolitical position of the United States and uses military and other means to thrash about trying to preserve the un-preservable.

And so the second point that I think is really important is that we are probably ending a 400-year hegemony of Western power, Western values and Western institutions. Up until now, when the West got its act together, it could do anything it wanted. We are now moving into a world in which the centres of power are no longer based around the Atlantic and the Mediterranean but are probably much more widespread and we are going to have to deal with that.

So you don’t think that China will be stepping up into this role as global leader?

Of course. I mean China will do everything they can to occupy the role – why would they not? It sees itself as a superpower and it’s very difficult to disagree with it and it will behave like a superpower.

My general view is that China wants to be viewed as a good world citizen. If you see the way that it behaves in the World Trading Organization, it is a good member of the WTO. Russia manifestly isn’t. I think multilateral organisations are now playing a major part in international peacekeeping, though no one notices it. They have 5,000 troops now in Africa under the UN. They want to be acting in multilateral structures and they are obviously taking as much raw material out of Africa as they can, but then so did we, so I’m not sure we’re in a position to argue there.

They will nevertheless behave like a superpower. You see them doing that in the South China Sea, they will try and be muscular and make space for themselves and they might not be too careful about the needs of others when they do so. But generally speaking the strategic opportunity at the moment – and this is where Trump worries me so much – is to test China’s interest in sustaining a rule-based order and trying to do things in a multilateral basis rather than driving them into a corner like we did with Russia after the end of the cold war.

Is this therefore a threat for the whole idea of Western liberal democracy?

I don’t think it is. I really don’t think it is. I think it is a threat to those that believe that the West still has hegemonic power. That line was exposed brutally in Afghanistan and Iraq. In Libya and in Syria, of course. Unless we do deals with others we won’t get our way in the world. For those who believe that the year is 1945 [and that] you can have a Bretton Woods institution that can solve the problems of the world – they’d better wake up and smell the coffee.

Take a simple fact. The G8 had to become the G20. We had to involve them when we set the rules for the world order.

Now the question is: what is China? Are they going to become like Russia, throw their weight about, become aggressive (I think that’s Russia’s weakness not its strength) or are they interested as a trading power in basically a rule-based order – even one necessarily shaped to include their views rather than Western liberal democracy? I think they are. Why would you not be if what you’re actually getting your power through is not military adventurism but trade.

But testing that proposition for China seems to me to be crucial. I think they will seek to be leaders where they can, perhaps in climate change. They will seek to exercise diplomatic power. They will seek to use commercial power. They will back that up as nations always do, by being able to extend and project that power when they need to do so including through military power. But by and large their interest it seems to me is in a more stable world rather than in a turbulent one.

So therefore that’s a positive thing for British business?

I think it is a positive opportunity for Britain. If you take a look at the 19th century and use that as your model, Britain’s key thing was that it was building relationships which didn’t last long and were all over the place. We were called “Perfidious Albion” as a result. I think British diplomacy and British businesses should be seeking out alliances with people with whom we don’t necessarily share values but we do share interests.

The classic diplomatic place for this is the attack on the Somali pirates. What’s the largest naval unit protecting us against the scourge of Somali pirates? Answer? The Chinese. Of course it is. They want to keep the sea lanes open, just as we did. And so building those relationships based on common interest, commercial interest and political interest, it seems to me, is the way forward and there is huge opportunity for us there. If we stay stuck in the view that we are one of the world’s great powers and things are like they were in the past, where the West can get its way whenever it wants it, then we’re not going to be very successful.

If we begin to think about building relationships, which may not be so long lasting but can deliver advantages to us politically and commercially, then I think we can be clever enough to benefit from that.

As wars are fought increasingly for “hearts and minds” and the power of social media changes the landscape of the traditional battlefield, has the need for military hardware diminished?

It hasn’t diminished, it has grown. If you read Rupert Smith’s remarkable book, he was saying that you win battles now in the field of public opinion and if you can’t bring public opinion with you, you can’t win. It’s called “The Utility of Force”, and this has always been the case.

But now social media gives that a huge new impetus. You cannot be successful in politics, in statesmanship, probably in large chunks of business but certainly in democracy, and winning hearts unless you can make use of this new medium. Very much like printing when it was first invented. It produced a huge flood of idiotic false news, but at the same time it is the medium by which people changed the minds of others. I guess that means you have to be good at managing it.

There is an argument that says a Western liberal democracy creates soldiers that are problem solvers fighting for a cause, rather than blindly following autocratic leaders. Might this cause a problem for newly nationalistic and increasingly autocratic Western countries?

If it happens, yes, but it won’t. What has changed our lives? It is the advent of new technology, this extraordinary boost in communication. A historical parallel is very clearly with printing. People tried to control it for a bit but it failed because you just can’t do that. And you see it most particularly in China. China now has understood very clearly. It has actually made the change from a communist, state-run economy to a liberalised economy, OK with some caveats, but basically a liberalised economy. And it is realising this has produced a huge upsurge in people that want to have a liberalised society as well. And China is having to cope with that.

China’s biggest problem today is how do they liberalise? Can they liberalise at a pace which is acceptable to their people but doesn’t blow the whole system apart? Whatever you think, whatever attempts made to control it, they will be as fruitless and useless as the attempts to control printing.

Lord Ashdown is an advisor for cyber security firm G3. He spoke to Tom Pattinson.

This interview has been edited for clarity and style.
