With nearly 900 million monthly users, China’s powerhouse super app – WeChat (微信)– has access to an unprecedented amount of social, financial, political, and personal data. Since its government-backed conception in 2011, WeChat has continued to expand steadily with 93% of people in tier one Chinese cities now regularly using the app. WeChat helps its users do everything from simply messaging and calling their friends to paying their bills, ordering their morning coffee, making medical appointments, taking taxis to see movies with WeChat-purchased tickets, and booking hotels as well as the trains and planes needed to get them there. WeChat users do this all whilst willingly surrendering their personal privacy to parent company Tencent, its partnered advertisers, and the Chinese government. WeChat has made most aspects of day-to-day life in China dramatically simpler – but at what cost?

The 2014 and 2016 Yahoo hacks, the largest data breaches in the history of the internet, display emphatically how unregulated and unprotected the realm of cyberspace currently stands around the world. The scale and scope of the personal information linked by the majority of Chinese citizens to their WeChat accounts – including 200 million bank cards – grants hostile individuals, non-state actors, and other nations access to multiple, unpredictable breach points that could wreak havoc on the lives of millions of Chinese citizens, and subsequently on the Chinese state. WeChat has a notable lack of encryption security, which is especially unusual when compared to the tough personal security standards of Western apps such as iMessage, Facetime, and WhatsApp. The ultra-deep penetration of WeChat into Chinese society suggests that a cyber attack on its users could effectively disrupt any aspect of Chinese life – from revealing personal identification numbers to exposing bank information and medical data.

Thus, this leads us to make two assertions that are unique to China. Firstly, in order to most efficiently contend with the threat of cyberspace, the Chinese government must be the primary actor bearing the task of countering cyber threats. Secondly, the blurred lines of public versus private corporate ownership in China make it so that any private sector security effort would effectively become a government project in China from the get-go.

What is Cybersecurity?

The U.S. Congressional Research Service states that the act of protecting ICT systems and their contents has come to be known as cybersecurity. It also states that the term cybersecurity is broad and sometimes defies a precise definition. To that end, it contends that cybersecurity is “a set of activities and other measures intended to protect—from attack, disruption, or other threats—computers, computer networks, related hardware and device software, and the information they contain and communicate, including software and data”.

Why the Government must be involved: Public vs. Private in China

There is no clear distinction between the public and private sectors in China. In the West, there is ample merit to the idea of keeping cybersecurity defences in the hands of the private sector to prevent political escalation between states and a host of other actors. However, the lack of transparency imbedded in the Chinese government would make it unreasonable to task private companies with acting in the realm of cybersecurity without automatically triggering an extensive amount of government involvement.

The lack of separation between public and private in China informs our assertion for why the Chinese government should take responsibility in the protection of WeChat users. Any private sector initiative would have to be examined, approved, surveilled and even potentially funded by the Chinese government. Calling any significant Tencent effort for the encryption of WeChat purely private would show a lack of understanding of Chinese public-private relations. Considering that the Chinese government would undoubtedly oversee a private institution’s attempt to encrypt WeChat, it is more efficient to directly assign the Chinese state with the responsibility in the first place. This would streamline the process and facilitate cooperation both between private companies themselves and between private companies and state regulatory agencies.

While the argument against government-led cybersecurity has much merit in the West, it is simply unrealistic in China and the risk posed by a potential breach of WeChat is too great to be left up to chance.

Why the Government must be involved: State Capacity

Serving as another key justification for the Chinese government’s potential role in securing WeChat is the creation of its admirably robust national infrastructure. China’s hyper-modern tier one cities stand in testament to the fact that China’s infrastructure has long surpassed the crumbling infrastructure in the United States. For example, between 2011 and 2015, China added 28,000 kilometres of operating railroads across the nation. An even more remarkable statistic is that China’s 20,000 kilometres of high-speed railways account for more than 60 percent of the world’s total. Needless to say, the nation has made it a priority to provide rail infrastructure to its people and has done an impressive job of it.

In the same way that China has spent the past three decades building up its physical national infrastructure, the contemporary Chinese government is the only entity large and powerful enough to effectively deal with the enormity of the task of extending this infrastructure to the digital realm. With the immense quantity of data the government has already collected in this field, the government is also knowledgeable enough to ensure the protection of its citizens from the vulnerabilities they are exposed to in cyberspace every day.

The government is also the only entity with the authority to train and assign technologically literate technicians to understand the vastness of cyberspace and to combat its many threats. The government must prioritize the ‘state of nature’ that currently exists in cyberspace, and as it has done with its impressive physical infrastructure, it must establish a robust cybersecurity framework to include the protection of super apps such as WeChat.

Future of WeChat

Since its creation by Tencent in 2011, WeChat has redefined the idea of what a smartphone app can do, and has pushed the limits on how much can be integrated into one convenient space. In Q1 of 2017, WeChat reached 938 million monthly active users (MAU), representing a year on year growth rate of 28%.

This is impressive not only in absolute terms but especially considering that the app has been nearing market saturation for over a year already. As of April 2016, 93% of Chinese citizens living in tier one cities (i.e. Shanghai, Beijing, Guangzhou, Shenzhen, Tianjin, and Chongqing) had already registered to use the app – near total market penetration. According to The Economist, more than one-third of all time spent on mobile internet in mainland China is spent on WeChat, with a “typical user [returning] to it ten times a day or more.”The app integrates the features of what would be dozens of apps in the West. It includes functions comparable to those of Facebook, WhatsApp, Twitter, Instagram, Uber, Amazon, Postmates, ApplePay, any number of travel booking and transportation apps, apps to help one reserve movie tickets, and many more. All are housed under the omnipotent roof of WeChat, within three finger taps of the opening page. The New York Times even referred to it as the “Swiss Army knife of apps” – the epitome of a super-app.

The centralization and authoritarian nature of the Chinese state makes firm the case for employing government resources to bear on the vast cybersecurity threats associated with WeChat. In the same way that China has spent the past three decades investing in its expansive national infrastructure system, the Chinese government is the only entity powerful enough to completely protect its citizens from the vulnerabilities they are exposed to in cyberspace every day. Adding further depth to this argument, no powerful private entity in China operates without the tacit consent or even direct control of the government, and so no private sector actor could act independently on this issue anyway. All of these factors make it evident that the only practical option for ‘protector of the WeChat realm’ is, in fact, the Chinese government.