
China’s Use of Foreign Open-Source Software, and How to Counter It

Image Source: Fotis Fotopoulos/Unsplash

This article was originally published on The Strategist blog of the Australian Strategic Policy Institute and is republished here under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

The Wall Street Journal recently exposed a 2022 Chinese government directive, named Document 79, that requires state-owned enterprises to replace proprietary foreign software such as operating systems, email services and word processors in their IT systems with Chinese-built versions by 2027. It was part of Beijing’s multi-decade effort to become technologically self-sufficient in the face of strategic competition from other countries, and Beijing is using open-source software as a means to close the technological gap.

This poses a dilemma for the US, Australia and their partners. Since open-source software is shared freely and developed collaboratively, China’s efforts to develop local versions force democracies to decide whether they should allow their own software engineers to contribute to Chinese projects that may end up modernizing the country’s military, intelligence and political systems.

China’s pursuit of open-source software started in the 1990s when Gong Ming, the founder of Beijing Ningsi Software (aka Linx Software), transferred copies of the Linux operating system from Finland to China. For that action, Gong is now known as the father of China’s Linux and continues to develop software for the government. This includes software for the Ministry of State Security (MSS), which has been central in shaping Beijing’s policies to build its own open-source ecosystem that it can control. 

Operating systems and other critical software are important because they can pose significant cybersecurity risks if their vulnerabilities are not patched, as made evident by EternalBlue, a computer exploit developed by the US National Security Agency. That’s why Beijing has long been suspicious of foreign operating systems such as Windows and macOS, worrying that foreign governments could be hoarding vulnerabilities that they could exploit to cripple the Chinese government’s computer networks. 

In response to these concerns, China is making some progress in developing indigenous operating systems. Gong’s company Linx Software was one of many that helped launch China’s first version of an open-source desktop operating system, OpenKylin, in 2023. According to Linx Software’s website, the MSS and other provincial state security departments now use Linx’s security servers and operating systems. 

Another reason behind China’s development of local software is the country’s dependency on foreign operating systems and the risk of regulatory interception by Western governments. Windows is still the dominant operating system in China, which means the US and its partners could respond to aggression from Beijing by forcing Microsoft, through legislation or export controls, to revoke its software licences or stop supporting Chinese companies. In 2020, two Chinese universities were prevented under US Export Administration Regulations from using the US software MATLAB, due to their ties with the Chinese armed forces.   

China’s security establishment understood as early as 1999 that dependence on proprietary foreign software was a vulnerability. He Dequan, an academician with the Chinese Academy of Engineering, that year proposed developing strategic technologies for information security. He called for China to develop its own operating system. 

In 2001, Zhu Rongji, then premier of China’s State Council, told government departments to study He Dequan’s information security concepts and formulate relevant policies. The views of He were likely taken seriously by senior Chinese leaders because he wasn’t just another academic; he was also an influential intelligence officer. In 2000, the People’s Daily referred to He as the director of the Science and Technology Commission of the MSS. According to ASPI analysis of other publicly available information, he was also likely a director of the 16th Bureau of the MSS, which researches and develops information technology applications.  

While Beijing’s policies are starting to erode the dominance of Windows in China, local companies have so far only built alternatives that use existing open-source software. For example, the first version of Huawei’s mobile operating system, HarmonyOS, had no discernible differences from Google’s Android. The large language model (LLM) Yi-34B, released by Kaifu Lee’s startup 01.AI based in Beijing, shares the same architecture as Meta’s open-source LLM, Llama, a fact that was acknowledged only after other developers pointed it out. And OpenKylin is considered to be a remix of Ubuntu, an open-source version of the Linux operating system. 

In China’s efforts to build its own open-source software, it’s not surprising that Linux is one example of a Western operating system that’s being emulated. Linux has been one of the most secure operating systems, thanks to a global open-source community of engineers hunting for vulnerabilities and patching software bugs. Operating systems can still have unknown bugs or vulnerabilities that foreign intelligence agencies could exploit, even if they’re built by trusted engineers.  

That explains why new Chinese open-source platforms are relying on foreign talent to grow. Gitee is a state-backed alternative to GitHub, Microsoft’s open-source coding platform. It is one of the few Chinese websites that allows users to sign up using Google accounts, suggesting it wants overseas developers to contribute to its projects.  

At the same time, Beijing is blocking foreign options to manipulate the domestic market. Hugging Face, a popular French-US open-source platform that hosts machine-learning models and tools, was reportedly made inaccessible in China last year. Likewise, there are questions about how long GitHub will remain accessible in China.  

So should the US and other democracies prevent their own software engineers contributing to Chinese open-source projects? It’s a difficult call to make because the two sides are increasingly intertwined. For example, the Chinese artificial intelligence firm iFlytek, which was sanctioned in 2019 over its role in human rights violations and abuses of Uyghur Muslims and other ethnic groups, has repositories on GitHub and a joint project with the Harbin Institute of Technology on Hugging Face.

As long as democracies are locked in strategic competition with China and Xi Jinping continues to signal that he is willing to use force to reshape the world order, they should restrict developers contributing to projects on Gitee and other platforms controlled by the Chinese Communist Party (CCP). This will prevent developers from supplying the next generation of critical software and AI technologies and unwittingly helping Beijing gain a military advantage. At a minimum, democratic governments should raise public awareness of the involvement of China and other authoritarian regimes in emerging open-source software platforms.  

For global open-source communities, there should be an international code of conduct that promotes transparency about project funding sources and contributors, supports ethical decisions and addresses concerns about open-source technologies being used for harmful purposes. 

Democratic governments also need to reassess which products should not be made open-source because they’re at risk of being weaponized by malign actors. Some cutting-edge software, such as generative AI, is already being co-opted by the CCP against democracies in disinformation campaigns.  

Lastly, governments should protect and foster the global open-source community of software developers, who are a critical resource in cybersecurity and other key areas, and do more to challenge authoritarian governments when they ban or censor open-source platforms like Hugging Face and GitHub.

Written by

Albert Zhang

Albert Zhang is an analyst with ASPI specialising in cyber, technology and security matters.