Open-Source Technology and PRC National Strategy: Part II

Publication: China Brief Volume: 24 Issue: 11

A futuristic image depicting the application of open-source technologies in the PRC. (Source: AI-generated)

Executive Summary:

  • OpenHarmony, an open-source version of Huawei’s HarmonyOS, is widely used in critical infrastructure (such as the energy grid and ports), public security, and the military in the People’s Republic of China (PRC). Some of these are projects that support the PRC’s military-civil fusion development strategy.
  • OpenHarmony is perceived as a key contributor to accomplishing the PRC’s goals of reducing dependence on foreign technologies and becoming a strong open-source nation.
  • The PRC government is cautious about potential cybersecurity issues related to the use of open-source technologies, especially in “AI of Things” applications, which include networked systems of multiple devices in critical domains. They are therefore implementing measures to manage open-source software vulnerabilities, ensuring secure integration into critical infrastructure.
  • The PRC is positioning itself as an early innovator in the regulation of open-source software. Governmental bodies such as the Administration of States Secret Protection (NASSP; 国家保密局) and government-affiliated bodies such as the China Academy of Information and Communications Technology (CAICT; 中国信息通信研究院) are spearheading national-level initiatives.

 

Editor’s Note: This article is the second in a two-part series. The first part, which focused on the OpenAtom Foundation and the OpenHarmony operating system, was published in Issue 10 and can be read here.

OpenHarmony, an open-source version of Huawei’s HarmonyOS, is perhaps the most successful, widespread open-source operating system in the PRC today. It is the most popular open-source operating system on Gitee (码云), the PRC’s largest code hosting platform with 12 million users. OpenHarmony is increasingly used in a variety of sectors, with varying degrees of importance to the country’s national security. As such, it is seen as a strategic asset, helping orient the country toward its desired technology- and innovation-based future and achieve the Party’s goals of self-reliance and technological sovereignty. By developing its own open-source ecosystem, PRC technology is ultimately likely to have robust cybersecurity, reducing its vulnerability to cyberattacks, and safeguarding its supply chain security. Open-source systems, including OpenHarmony, are also deployed in a variety of national security and military-related applications, while also forming the basis for proprietary software that is used in closed-source military systems. This raises questions about continued international collaboration in the development of open-source technology.

RISC-V and OpenHarmony Integration

OpenHarmony is a versatile operating system that can run on a broad spectrum of devices powered by RISC-V processors, [1] from tiny sensors to full-scale data centers. Its initial adoption was driven by a perceived need to secure and stabilize supply chains (China Brief, December 15, 2023). OpenHarmony enhances RISC-V’s utility across various application scenarios, which makes it increasingly attractive to developers and manufacturers. At the 2023 and 2024 RISC-V summits held in the PRC, the use of OpenHarmony was on full display in new products such as tablets, edge computing gateways, and cloud desktop terminals (Sina, August 29, 2023).

The 2023 RISC-V Summit: A speaker shares how to integrate RISC-V and OpenHarmony in commercial products. (Source: Sina)

The 2023 summit spotlighted initiatives like that of Runkaihong (润开鸿), a subsidiary of Jiangsu Hoperun Software (江苏润和软件), which plans to establish a “full-stack open-source ecosystem (全栈开源生态)” combining RISC-V and OpenHarmony. The company’s vice president stated that RISC-V and OpenHarmony will become the mainstream ISA and OS combination in the “artificial intelligence of things (人工智能物联网)” era in the PRC (Sina, August 29, 2023). At this year’s event, ongoing efforts to speed up the application of these developments and to expand the RISC-V ecosystem were promoted. These included solutions developed in collaboration with the Xuantie Team from Alibaba’s DAMO Academy in the areas of smart finance and transportation (阿里巴巴达摩院玄铁团队) (163, March 18).

The 2024 RISC-V Summit Talk on Promoting RISC-V and OpenHarmony Integration. (Source: 163)

OpenHarmony Supports ‘Smart China’ Policies

Open-source systems are at the forefront of the PRC’s efforts to create interconnected and intelligent ecosystems. OpenHarmony constitutes a genuine asset for the PRC by providing significant improvements on previous technologies across various applications. In doing so, they help the country achieve its national goals, including constructing a future that is not dependent on the West.

OpenHarmony has made significant strides in the transportation, energy, manufacturing, and infrastructure sectors. For instance, in Jiangxi Province’s smart tunnel and subway projects, OpenHarmony has been central to developing a “super device management platform (超级设备管理平台)” ensuring that device data is unified and interconnected, enormously improving operational efficiency (OpenHarmony, last accessed May 20). In the port industry, OpenHarmony is used in the network at Tianjin Port, one of the country’s major transport nodes. By collaborating with industry partners, the port developed a system known as “Jinhong (津鸿) OS,” which supports interaction across vehicles, machinery, people, and goods. This “super device” has similarly revolutionized the port’s operations and monitoring capacity (OpenHarmony, last accessed May 20).

OpenEuler, a Linux distribution platform developed by Huawei, is also used in critical infrastructure. For instance, it powers the system for the State Grid’s Dispatch Center (国家电网调度中心) and China Southern Power Grid (中国南方电网公司) (OpenEuler, last accessed May 20). The National Energy Group (国家能源集团) employs a custom server operating system called CEOS (国能磐石服务器操作系) that is based on openEuler. This enhances cybersecurity features and improves database server operations, among other benefits (OpenEuler, last accessed May 20).

OpenHarmony and the Military-Civil Fusion Development Strategy

OpenHarmony, promoted heavily by the PRC state and by OpenAtom Foundation, exemplifies how open-source ideals can support the PRC’s technological ambitions. Its use cases in the PRC space and public security industries are key instances of this.

OpenHarmony is steadily integrating into the space industry, particularly through the OpenHarmony In Space (OHIS) initiative. This initiative, led by the OpenAtom Foundation, involves key partners such as the Chinese Academy of Sciences (CAS), Dalian University of Technology (DLUT), Tsinghua University, Wuhan University, and several leading aerospace entities (DLUT, June 14, 2023). DLUT has explicit links to the military-civil fusion (MCF) development strategy, and participates in classified defense technology projects (Xinhua, August 2, 2018; DLUT, accessed May 6; see ASPI unitracker, accessed May 6). OHIS has made strides in assisting the launch of several satellites and promoting the use of a domestically produced real-time operating system for space applications.

Dalian No.1—Lianli satellite, the first satellite from Liaoning Province operating on a version of the OpenHarmony OS. (Source: DLUT)

One example of the successful deployment of OpenHarmony is in the Dalian-1 Lianli (sometimes rendered as Dalian 1-Lianli) satellite. This satellite, launched last May, uses domestically produced chips running on a customized OpenHarmony OS (DLUT, May 10, 2023). It can conduct low-cost sub-meter high-resolution observation (Xianning Net, September 8, 2023).

The integration of OpenHarmony with small satellites is particularly revolutionary. Microsatellites (11-200kg) and nanosatellites (1.1-10kgs) have traditionally used operating systems developed overseas, such as VxWorks, FreeRTOS, and μC/OS (ITHome, January 11, 2022). The advent of OpenHarmony has allegedly led to a shift toward standardizing satellite onboard systems in PRC space development, shortening development cycles and boosting the deployment of nearly 2,000 micro and nano satellites. DLUT has spearheaded this development, successfully collaborating with Western institutions like the University of Liège and the Liège Space Center in Belgium to use OpenHarmony for satellite control systems (ITHome, January 11, 2022). Experts involved with the OHIS initiative argue that integrating OpenHarmony with space technology is expected to provide a competitive edge over international standards, like those set by SpaceX’s Starlink, and positions the PRC as a leader in space competition (ITHome, January 11, 2022).

Chart showing recent launches of satellites using OpenHarmony technology. (Source: OpenHarmony)

Another domain where OpenHarmony is widely used is in public security. HM Wiselink (鸿元智通), a leading innovator in the field of industrial internet solutions, has been actively collaborating with the Ministry of Public Security (MPS) since early 2021 (51CTO, March 7). The company has invested significantly in research and development within the OpenHarmony ecosystem. OpenHarmony is claimed as providing enhanced system security, more efficient cloud-edge collaboration, and better scalable AI computational power than alternatives (Elecfans, October 20, 2022). The company has collaborated with OpenAtom on 5G-enabled police vehicles, specifically through variants of the ZHWG-U6082 smart gateway device, which allegedly allows for improved data integration and real-time intelligence (Elecfans, October 20, 2022; FromGeek, March 31). Zhong Wenbin (钟文斌), the firm’s General Manager, has recommended the OpenHarmony-based system for mobile police stations, improving command and control (C2) under different social security scenarios. HM Wiselink’s software has also been deployed in critical infrastructure, including electric grids and water management systems (Baijiahao, August 28, 2022; HM Wiselink, last accessed April 30).

Industry General Gateway ZHWG-U6082 device (Source: HM Wiselink)

An additional example is the “Electronic Sentinel (电子哨兵)” terminal, which is compatible with OpenHarmony. This device, launched by IT services company Chinasoft International (中软国际) in January 2023, is used to integrate identity management, temperature measurement, early warning, and access control. Its ability to rapidly verify identities and measure body temperatures in real-time, using face recognition, QR code scanning, or identity card reading, makes it ideal for ensuring security in smart cities, communities, campuses, and offices. It can connect to others other copies of itself and to a “Super Sentinel” cloud network (Baijiahao, January 11, 2023). This would reinforce the existing mass digital surveillance apparatus.

Unmanned aerial vehicles (UAVs) now run on OpenHarmony software too. In April 2023, Shenzhen Kaihong (开鸿) and Zhejiang MMC (科比特) collaborated to produce a drone prototype on display at the OpenAtom Summit 2023 (Baijiahao, October 18, 2023). This collaboration is set to standardize operating systems, interconnection standards, data norms, and business platforms across various UAV applications. MMC, a leading Chinese UAV manufacturer, intend to produce these enhanced drones for smart city management, wind farm inspection, and public safety (Baijiahao, April 14, 2023). Integrating OpenHarmony into UAV systems serves both civic and strategic military ends.

Luo Fuqiang (罗富强), a military expert and former commander of PRC’s United Nation peacekeeping forces, has emphasized the potential of Huawei’s HarmonyOS for improving intelligence, surveillance, and reconnaissance (ISR) capabilities, as well as positioning, navigation and timing (PNT) (Haokan, June 6, 2021). His insights, alongside recent research from the China Ordnance Equipment Group Automation Institute (中国兵器装备集团自动化研究所) on OpenHarmony-based UAV terminal applications, point to a deliberate strategy to actively explore and harness open-source platforms like OpenHarmony for national defense. [2]

Chart showing recent launches of satellites using OpenHarmony technology. (Source: OpenHarmony)

China Leads Research on Open-Source Vulnerabilities

The PRC government recognizes the benefits that open-source projects like OpenHarmony bring to the table, as well as the risks associated with their use. These risks are acute, given how widespread OpenHarmony is in the country’s infrastructure. The government therefore advocates for a balanced approach to technology adoption and integration.

Steps are being taken to formalize the scrutiny and regulation of open-source software (Sohu, November 11, 2022). These are encapsulated in the 2023 national standard initiative led by the China Academy of Information and Communications Technology (CAICT; 中国信息通信研究院), a research unit under the Ministry of Industry and Information Technology (MIIT) that aims to establish a framework for evaluating the security of open-source software. The standard, titled “Information Security Technology—Evaluation Method for Open-Source Code Security of Software Products (信息安全技术 软件产品开源代码安全评价方法),” comprises four distinct evaluation categories that collectively address security considerations necessary for open-source software (Weixin/CAICT, January 16, 2023).

The first category assesses the origin of the open-source code, based on eight indicators. These include the proportion of open-source code, the programming languages used, the copyright holders, the volume of contributions, the versatility of the code, the security protocol, the platforms on which code is hosted and downloaded, and the country or organization with which the code is affiliated. The second category evaluates the code’s quality. Evaluation is based on code vulnerabilities, the exploitability of vulnerabilities, the impact of security breach and exploitation, the assessment of the complexity and feasibility of executing potential attacks, the patching rate, and the quantity of the vulnerabilities. The third category examines intellectual property aspects of the code. For this, there are four indicators: the standardization and variety of open-source licenses, their applications, compatibility with current systems, and patent issues. The fourth category assesses the governance and development of open-source code. Evaluation criteria include the inventory of open-source materials, design practices, code generation, and the performance of the management team which runs the code.

 

Open-source code assessment mechanism proposed by CAICT. (Source: Weixin)

 

Together, these standards establish a structured approach to managing the use of open-source software and to ensure its secure and controlled integration into services and infrastructure. This is being done on a level that other countries are yet to match.

The National Administration of States Secret Protection (NASSP; 国家保密局) has also noted concern over the risks of open-source technology. Despite spearheading the New Infrastructure initiative (新型基础设施建设; 新型基) to support merging traditional infrastructure with open-source software (National Administration of State Secrets Protection, November 27, 2020), NASSP has also published a series of articles expressing security concerns. Reports highlight an alarming increase in the number of vulnerabilities, including high-risk common vulnerabilities and exposures (CVEs) found in widely used components like Apache Tomcat and OpenSSL (NASSP, November 27, 2020). Integrating these without adequate screening could pose risks across entire interconnected systems.

The lack of a robust governance framework exacerbates the challenges of managing vulnerabilities. Many organizations in the PRC operate without an understanding of the components their systems use, often leading to security lapses. In response, experts advocate for the establishment of strict protocols, encompassing the entire lifecycle of software from development to deployment. This includes rigorous security audits, the adoption of security-centric development practices, and continuous monitoring for vulnerabilities (NASSP, November 14, 2023). Risks are often compounded due to prevalent outsourcing of application development. External development partners might not always adhere to stringent security practices. Here, NASSP recommends meticulous vendor selection, regular security training, and the integration of security at every stage of application development (NASSP, November 14, 2023).

PRC experts suggest a dual approach to effectively mitigating risks. First, by enhancing security protocols within organizations by educating and training developers and security teams on best practices. Second, through regulatory measures that enforce strict compliance to security standards across industry. Additionally, they recommend the development of a national vulnerability database and real-time threat intelligence sharing mechanisms (NASSP, November 27, 2020). If these measures are adopted, the PRC will be the first country in the world to take action to secure the implementation of open-source technologies.

Conclusion

The CCP’s decisions to deepen its involvement in the OpenAtom Foundation and support the development of OpenHarmony and other open-source based software raises questions about the genuine independence and neutrality of such open-source endeavors. State oversight of these initiatives suggests that while open-source technology is promoted for its collaborative and innovative potential, it can also serve as an instrument for furthering national strategies which are ultimately antithetical to the ethos of open collaboration that the open-source community espouses.

The PRC’s ambitions for open-source technology align innovation with state interests. The PRC is not only developing open-source technologies to bolster its technological independence but also to exploit the nature of open-source technologies, strengthen its military industrial complex, and contain security risks. It is also positioning itself as a leader in the open-source landscape, as other countries have yet to develop equivalent ecosystems and policies. This strategic depth ensures that PRC remains at the forefront of developing such a crucial piece of emerging technologies on the global stage.

Notes

[1] RISC-V is an open-source Instruction Set Architecture (ISA) that can be deployed in hardware and software systems. It provides an alternative to the industry’s dominant proprietary ISAs—those designed by Intel and ARM Holdings. These firms are subject to foreign intellectual property constraints and geopolitical risks, which makes RISC-V attractive for the PRC. Read more here: “Examining China’s Grand Strategy for RISC-V” (China Brief, December 15, 2023)

[2] Li Jing-Ze; Fan Cheng-Yu;Ouyang Di, “Research on UAV Display Control Application Based on OpenHarmony3.2 Release”, Development & Innovation of Machinery & Electrical Products, China Ordnance Equipment Group Automation Institute, Issue 6, 2023; Li Jing-Ze; Li Long-Jie; Zeng Yi, “OpenHarmonyOS-based UAV Terminal Application”, Development & Innovation of Machinery & Electrical Products, China Ordnance Equipment Group Automation Institute, Issue 2, 2023