The post Kumar cited in The Banker on Hong Kong stablecoin legislation appeared first on Atlantic Council.

Here’s a look inside the numbers that will frame the summit.

The G7 was formed fifty years ago so the world’s advanced-economy democracies could align on shared economic and geopolitical challenges. But what happens when the cause of instability is coming from inside the G7? That’s the question confronting the leaders as they assemble this week in Kananaskis. 

US President Donald Trump is still getting to know some of his new colleagues, including German Chancellor Friedrich Merz, UK Prime Minister Keir Starmer, Japanese Prime Minister Shigeru Ishiba, and the summit’s host, Canadian Prime Minister Mark Carney. Trump will try to coordinate the group against China’s economic coercion. But the rest of the leaders may turn back to Trump and say that this kind of coordination, which is at the heart of why the G7 works, would be easier if he weren’t imposing tariffs on his allies. The chart above shows the friction points heading into one of the most consequential G7 summits in the organization’s history.

—Josh Lipsky is the chair of international economics at the Atlantic Council, senior director of the GeoEconomics Center, and a former adviser to the International Monetary Fund (IMF). 

Originally created as an economic coordination body, the G7 began to put foreign policy and national security on its agenda in the 1980s, as the Soviet Union’s political influence was waning. Soon after, Russia attended its first G7 Summit as a guest in 1991, formally joined in 1998, creating the Group of Eight (G8), and then was suspended in 2014 due to its annexation of Crimea. 

In the years since, new geopolitical rivals have entered the fray: Since the COVID-19 pandemic, G7 summits and declarations have attempted to address China’s role in the global economy. Last year’s leaders’ communiqué was especially harsh on China—which was mentioned twenty-nine times—on everything from its material support to Russia’s war against Ukraine to Beijing’s malicious cyber activities. But China was once a guest at the forum, first joining in this capacity in 2003.

Other members of the G7+5, an unofficial grouping of large emerging markets—India, Mexico, Brazil, and South Africa—have been invited as guests in recent years. If that sounds familiar, it is because India, Brazil, and South Africa, along with Russia and China, are the founding members of the BRICS group of emerging economies, which some would consider a representation of the geopolitical and economic competition the G7 faces today. 

This year, Australia, Ukraine, South Korea, Brazil, Mexico, and India were invited to attend as guests. These invitations are a signal of broad alignment among the G7 and its guests. These invitations demonstrate the importance of the guests’ economic might on the global stage, even though India has shifted away from the G7 quite significantly in the last fifty years, as seen in the graph above. In 1992, when Russia first attended the G7 as a guest, its gross domestic product (GDP) was less than 1 percent of the world’s GDP, and the combined economies of the five founding BRICS countries made up less than 9 percent of global GDP. At the time, the G7 represented 63 percent of the world’s GDP. Today, the G7’s share is now 44 percent of the world’s GDP and the founding BRICS members’ share has more than doubled to almost 25 percent. 

—Ananya Kumar is the deputy director for future of money at the Atlantic Council’s GeoEconomics Center.

In 2024, G7 countries attracted over 80 percent of global private artificial intelligence (AI) investments, led primarily by the United States. In ten years, private AI investments have grown almost fifteen-fold. This month, the US Department of Commerce rebranded its AI Safety Institute as the Center for AI Standards and Innovation (CAISI)—shifting away from an emphasis on “safety” and toward promoting rapid commercial development.

Carney has said that he plans to put AI at the top of his agenda at the upcoming G7 Leaders’ Summit. He has been a long-standing advocate of AI—dating back to his 2018 presentation on AI and the global economy while he was governor of the Bank of England.

But while the United States leads in AI innovation and investment, Europe continues to set the pace on regulation, and China strategically develops its own AI models. All this leaves Canada asking where it fits in.

That may be why Carney hopes to lead on this issue. The G7 presidency offers Canada a unique opportunity to convene democracies to work together on AI. Rather than trying to outspend the United States or out-regulate Europe, Canada can focus on building connections—creating shared standards, developing trusted public-private data hubs, coordinating strategic investments, and outlining guidelines for common learning and collaboration across borders.

—Alisha Chhangani is an assistant director at the Atlantic Council’s GeoEconomics Center.

Ten years after the first G6 meeting took place in France, another landmark meeting took place at the Plaza Hotel in New York, in September 1985. At the meeting, then US Treasury Secretary James Baker convinced his counterparts from West Germany, France, the United Kingdom, and Japan to support a significant devaluation of the US dollar—what became known as the Plaza Accord.

Today, the dollar’s value relative to its G7 counterparts is on the rise again, fueled by tight monetary policy and expansionary fiscal spending. Although the current appreciation is milder than the surge seen in the early 1980s, the Trump administration may use the G7 Summit to raise concerns about the burden of being the world’s reserve currency, especially when it comes to export competitiveness. In late 2024, the current chair of Trump’s Council of Economic Advisers, Stephen Miran, proposed a “Mar-a-Lago Accord” as an updated version of the Plaza Accord, though no real progress on this is apparent. Moreover, this time a key global player is absent from the conversation—China.

—Bart Piasecki is an assistant director at the Atlantic Council’s GeoEconomics Center.

The finance ministers and central bank governors of the G7 already held their meeting last month in the Canadian Rockies, emerging with a consensus on tackling “excessive imbalances” and nonmarket policies. While the G7’s finance ministers and central bank governors’ communiqué didn’t call out China by name, it’s clear that’s who they were referring to. Simultaneously, the US-UK trade deal called for the United Kingdom to meet US requirements on the security of supply chains, which infuriated Beijing.

Washington wants coordinated economic security partnerships to help counter China and encourage more investment in the United States. But the United States has been calling for allies to divest from China for a while now. In response, G7 counterparts could point to the data above and ask: How much more do we need to give?

Over the past five years, nearly every G7 country, with the exception of Canada, has scaled down their investments in China and scaled up their investments in the United States. For example, Japan has reduced foreign direct investment in China by 60 percent over the past decade, including shuttering a major Honda plant in Guangzhou. Meanwhile, the Japanese carmaker pledged to put $300 million into a plant outside of Columbus, Ohio. This has been the trend as the United States’ G7 partners reassess their economic dependencies on China. But amid ongoing trade wars, how much are they willing to coordinate more closely with the United States?

—Jessie Yin is an assistant director with the Atlantic Council’s GeoEconomics Center.

Foreign aid, or official development assistance (ODA), from G7 countries dropped sharply in 2024, and early projections through 2025 and 2026 suggest even steeper declines ahead for most nations. The United States has exhibited the most drastic retreat, following the effective dismantling of the US Agency for International Development. But European countries have also scaled back development budgets and are redirecting funds toward defense and domestic economic issues. While ODA briefly surged in response to the COVID-19 pandemic and the war in Ukraine, that uptick masked a longer-term downward trend in traditional development funding as a percentage of G7 countries’ economies.

Most G7 nations have failed for years to meet the United Nations Sustainable Development Goals Target 17.2, which called for allocating 0.7 percent of gross national income to ODA. As of 2024, none of them has reached this benchmark. This retreat is particularly troubling given today’s fractured geopolitical and economic landscape. In such times, investing in global partnerships and life-saving aid through ODA is not just a moral imperative—it’s also a strategic one.

—Lize de Kruijf is a program assistant at the Atlantic Council’s Economic Statecraft Initiative. 

A major focus heading into the G7 Summit will be how Carney handles his latest meeting with Trump. The two managed to have a cordial meeting in May, and Carney’s announcement this week that Canada will increase its defense spending could help to placate Trump, who has long complained about Canada’s lagging defense spending.

But Canada is also looking beyond its southern neighbor. Carney has invited the leaders of Australia, Brazil, India, Indonesia, Mexico, South Korea, South Africa, Ukraine, and Saudi Arabia to join him in Alberta. Under former Prime Minister Justin Trudeau, Canada’s relationships with both Saudi Arabia and India reached diplomatic low points. By inviting these leaders, Carney is demonstrating a willingness to reengage partners. In no area is Carney more likely to pursue new partnerships than in the defense sector. Canada stated its desire to join the ReArm Europe Initiative and has signed a major deal for an Australian radar system. Expect Carney to seek new partners as Canada rebuilds its defense capacity, potentially with some of the countries invited to this year’s G7.

—Imran Bayoumi is an associate director at the Atlantic Council’s Scowcroft Center for Strategy and Security.

Canada’s hosting of the G7 Summit in Alberta carries exceptional significance amid escalating tensions with the United States. Trump’s attendance, which will mark his first G7 Summit since 2019, signals renewed engagement with Canada. This could spark talks on renegotiating the United States-Mexico-Canada Agreement (USMCA) ahead of the trade deal’s first joint review in July 2026. The timing of the G7 Summit coincides with heightened Canadian nationalism and intense public focus on Canada-US relations, particularly around tariff disputes affecting sectors such as steel.

The Trump-Carney relationship differs markedly from previous dynamics between Trudeau and Trump, potentially enabling more productive G7 cooperation when US foreign policy dominates global conversations. The trilateral presence of Mexican President Claudia Sheinbaum, Trump, and Carney creates an opportunity for preliminary USMCA discussions. However, critical questions emerge: Will Mexico and Canada align against the Trump administration? Will Canada prioritize repairing bilateral US relations over Mexico-Canada ties? The summit’s outcome is likely to significantly shape hemispheric trade relationships and regional diplomatic strategies.

—Maite Gonzalez Latorre is a program assistant at the Adrienne Arsht Latin America Center and Caribbean Initiative.

Sophia Busch, Ella Wiss Mencke, Ethan Garcia, and Miguel Sanders contributed to the data visualizations in this article. The data visualization titled “US jobs rely on Mexico and Canada more than any other trade partner” originally appeared in an article by Sophia Busch published on January 16, 2025.

The post Seven charts that will define Canada’s G7 Summit appeared first on Atlantic Council.

Thank you Chairman Hill, Ranking Member Waters, and distinguished members of the Committee for holding this hearing continuation and the honor of the invitation to testify on the future of digital assets. I applaud your leadership in convening the Committee on this important issue and continuing the years-long efforts of this Committee across several Congresses to evaluate and build legislation around a clear, comprehensive, and competitive cryptocurrency regulatory framework. I hope my testimony will be helpful in considering some of the most important aspects of frameworks needed to drive innovation in a secure, competitive, safe, and sound digital finance ecosystem that reinforces national security interests, defends consumers, and preserves personal liberty.

I have spent my career working at the intersection of national, economic, and technological security. I have spent two tours at the National Security Council (NSC) leading cryptocurrency initiatives; led crypto and cybersecurity policy at the US Financial Crimes Enforcement Network (FinCEN), the US anti-money laundering and countering financing of terrorism (AML/CFT) regulator; and served on advisory boards for the US Commodity Futures Trading Commission (CFTC), the Idaho Department of Finance, and the New York Department of Financial Services (NYDFS). Over recent years, I have observed massive growth, collapses, experimentation, exploitation, and innovation across the digital asset market. Of course, innovation and exploitation in finance are not unique to digital assets, and the risks and benefits of one blockchain system are not equivalent across all assets — they depend significantly on the design and features of specific systems. To make best use of the benefits and mitigate the critical risks, we need to ensure that technology, operations, and policy are aligned along critical safeguards and also with driving competitive and liquid US markets.

That brings us to this critical juncture – the current alignment and implementation of protections in digital assets is not working. The status quo has not benefited consumers, markets, or national security. As just one example, the largest heist in history just occurred in February of this year targeting this sector, perpetrated by North Korean actors as part of their revenue generation to fund activities like their proliferation program. This incident also was not in a vacuum but instead was yet another cyber theft as part of a years-long building trend in this industry exploiting both pervasive cybersecurity and AML/CFT vulnerabilities. This is just one example, which sits alongside highly volatile markets that have lost trillions and defrauded consumers, but also an environment that is reportedly set to drive the best developers abroad rather than inspiring them to stay here and build to agreed upon guardrails. Inaction by both government and industry will not achieve desired outcomes for protecting consumers or businesses.

I applaud Congress for continuing to elevate the issue of digital asset legislation to ensure appropriate regulation in the United States. Despite calls from some to avoid regulation of digital assets that may seemingly legitimize an immature sector, I maintain that regulation is critical to give a north star that demands legitimate and responsible activity within an industry with many actors who aim to bring positive evolutions in finance and cryptocurrency. Regulation also provides legitimate authorities and levers to supervisors and enforcement agencies to hold accountable illicit actors that seek to defraud consumers, launder criminal proceeds, and undermine the integrity of the US financial system. As I have testified to previously, clear and comprehensive guardrails are necessary to protect consumers, national security, and US competitiveness in financial innovation. While timely progress is critical after several Congresses being unable to establish a comprehensive approach, these frameworks must also be deliberate, thoughtful, and comprehensive of the real and present risks, as well as opportunities, that we have observed in the digital asset ecosystem and broader financial system.

The stated goals of the Digital Asset Market CLARITY Act of 2025 (the “Clarity Act”) to help address regulatory gaps and to provide clarity for an industry seeking it are laudable. Unfortunately, the tenets of the proposed legislation as drafted appear to be overly complex, forging notable gaps for coverage under consumer and market protections rather than closing them; leave insufficiently or unaddressed key areas like meaningful implementation and enforcement measures, countering illicit finance, and cybersecurity; and depart from the long bipartisan-stated principles of technology-neutrality that would enable regulations to persist in the face of technological innovations.In my testimony, I briefly offer opportunities for addressing those issues and preserving a framework built on the key pillars of sound market regulation and national security interests. I draw many of these recommendations from the groundbreaking work of the Commodity Futures Trading Commission (CFTC) Technology Advisory Committee (TAC), where I co-chaired a group of 19 incredible industry, government, and academic experts to produce a first-ever comprehensive review of risks and opportunities in decentralized finance (DeFi), with outlined steps for policymakers to take build the framework for DeFi. I encourage legislators to consider these measures especially where existing digital asset market structures differ from traditional financial market structure, and urge you to be extremely deliberate when choosing to depart from long-tested principles needed to preserve integrity of markets, such as consumer protections, resilience against exploitation and shocks, and addressing separations of functions and conflict of interests.

Regulatory gaps and potential for confusion

As I mentioned above, seeking to provide regulatory clarity, in both authority and application, are important at this critical juncture. It will establish clear rules of the road for responsible actors to engage and innovate in the space as well as ensure strong footing for regulators and enforcement agencies to oversee markets and investigate wrongdoing. A clear framework will also (finally) help level the playing field for US firms that have long been more compliant than many foreign-operating cryptocurrency businesses that exploited their savings in non-compliance as a competitive advantage against more responsible US companies.

The Clarity Act as currently written attempts to provide clarity through defining regulatory jurisdictional bounds between the Securities Exchange Commission (SEC) and CFTC as well as defining key terms of assets to establish scope of coverage as securities versus digital commodities. The bill also includes some important protection measures, specifically around areas like segregation of customer assets, limited disclosures such as around token structure and conflicts of interest, and registration requirements.

However, the Clarity Act is still absent many important protections that we have observed to be critical to protect consumers and markets in the wake of a crisis. Within the 236 pages of the bill are confusing and ambiguous definitions and missing elements that pave the way for regulatory arbitrage and exploitation:

• No clear non-securities spots market authority: This bill does not appear to clearly outline authority over spots markets for assets that are not securities. The definition of “digital commodity” may be restrictive insofar as to only cover a limited set of tokens, which would leave potentially hundreds of tokens unregulated and/or without clear guidance on its applicability even if they function as financial assets.
• Unclear definitions and impacts on securities laws: There are various definitions in the bill whose challenges with clarity may subvert the drafters’ intent to provide clarity and defend against regulatory arbitrage. Some definitions may be seen to be crafted to frame large exemptions from responsibility decentralized finance, such as in defining concepts like groups and common control in a a “decentralized governance system,” which in the bill is a system where participation (not even active involvement, just the pretext of participation) is “not limited to or under the effective control of, any person or group of persons under common control.” In another example, the bill treats assets called “investment contract assets” as digital commodities, though “investment contracts” have generally been a key element of securities laws.
• Conflating decentralization and maturity: The test for decentralization in the bill is described as a test of blockchain maturity. In a sector where projects that are (or at least claim to be) decentralized are being targeted and exploited for weaknesses in their code, cybersecurity, and irrevocability of mistakes or illicitly acquired assets, it is confusing on why a greater extent of decentralization — a concept that is also vague in the bill — inherently means maturity rather than other markers of good governance and operations. The decentralization test also introduces some confusion that may challenge real-world implementation, and is unclear on how such a feature impacts an asset functioning like a commodity versus a security. Current and former regulatory leadership has warned against arbitrary carve-outs of protections like under securities laws simply based on complex issues like decentralization that so far have largely been met with convoluted definitions that risk exemption significant amounts of high-risk investment-related activity. This also threatens potentially creating the opposite of a future-proofed regulatory approach that cannot keep up with future technological innovation.

National security and the critical role of enforcement

n the wake of serious national security threats like billion+ dollar hacks by rogue nations, growing integration of cryptocurrency as a tool for transnational organized crime, market manipulation and fraud that can threaten system integrity and stability, as well as pressure from adversarial nations seeking to develop and leverage alternative financial systems to weaken and circumvent the dollar, it is clear that strong safeguards, including for US competitiveness, are needed. This framework also demands we ensure policy and enforcement approaches both domestically and internationally create a level playing field for US firms – often the most compliant firms in the world – to be able to compete fairly. Otherwise, the foundation we build these systems on risk faltering, with the potential to not only reap significant harms but also prevent us from harnessing the greatest positive potential that is possible from a secure and innovative digital finance ecosystem.

There is limited discussion of either illicit finance or cybersecurity in the Clarity Act—many more pages are honed on establishing large regulatory carve-outs than on establishing expectations, driving needed industry standards or sponsoring research and development, or appropriating necessary resources to ensure appropriately scaled and timely enforcement of these critical requirements. Also important to note, especially in light of recent changes in enforcement posture—beyond just creating the policy framework, the government and industry must work to apply and enforce the framework. A policy that isn’t enforced or implemented does nothing to benefit consumers nor US firms with stronger compliance programs that have been operating at higher costs and less competitive advantages than many foreign-operating firms.

I have testified previously to the critical needs for strengthening AML/CFT and sanctions authorities in the cryptocurrency space, which generally have been suggested to be saved for “comprehensive market legislation.” Such enhanced protections like appropriations for skilled enforcement and investigative personnel, sharpening tools like 9714/311 designation authorities, ensuring extraterritorial application of regulations and/or through designations of entities of high national security risk, creation of an enforcement strategy to scale timely enforcement against the most egregious violators, or resourcing public-private partnerships like the Illicit Virtual Asset Notification (IVAN) program are missing from the legislation but could be easily added in to help strengthen the holistic cryptocurrency framework. In the face of disbanding of the Department of Justice (DOJ) National Cryptocurrency Enforcement Team (NCET)14 and significant downsizing and weakening of enforcement offices and personnel across the US Government, the legislation could help ensure that tools are being honed to better address the worst actors in the space. Only with meaningful enforcement can policy be truly impactful and can we reward the best actors in the space, which are typically American companies.

An alternative approach for consideration – Joint, targeted, adaptable, and balanced

I support calls for a legislative solution that enables nuance and distinct treatment across various assets based on their economic function and which will ensure persistent clarity and flexibility for regulators to address significant risks of fraud, manipulation, and investor exploitation that we have seen in the space. The legislation should also guide regulators with key principles, many of which are similar to those outlined in the Clarity Act, and should be done in full view of the benefits that some aspects of digital assets uniquely provide, such as an unprecedented level of market transparency for on-chain financial activity to enable greater market surveillance and oversight.

An alternative approach may help meet the intent of the drafters while giving time for greater exploration and experimentation while meeting near-term calls for the most beneficial transparency needs of the market, which I have observed to most consistently be calls for a clear pathway to registration. I encourage policymakers to consider a much more streamlined approach if a more complex bill proves too difficult to reconcile:

• Dual rulemaking: Similar to efforts undertaken in the wake of the 2008 Financial Crisis and pursuant to the joint rulemaking efforts directed in Title VII of Dodd Frank, Congress could again direct the SEC and CFTC to jointly develop a framework and rulemakings to give greater specificity and adaptability to approaches to ensure appropriate coverage but at least one of the markets regulators.
• Mandate for sandboxes and clear registration pathways: In the interim while the SEC and CFTC craft their approach, Congress could direct a near-term establishment via sandboxes, provisional registrations, and other requirements with clear guardrails to help ensure clear near-term coverage while giving the time needed to thoughtfully evaluate the more complex issues like dual-registered entities, defining tokens, defining the jurisdictional hand-off, and how to address DeFi. Policymakers should consider looking to the United Kingdom’s current joint efforts between the Bank of England and the FCA under the Digital Securities Sandbox for inspiration.
• Clarify commodity spots market authorities: The legislation should specify clearly authority to the CFTC over commodity spots markets, or at a minimum digital commodity spots markets.
• Explicit appropriations and mandate for additional AML/CFT and cybersecurity initiatives: The legislation would also optimally integrate near-term resourcing, not just authorizations, to ensure the ability to effectively police bad actors in the system, which should include the earlier-referenced initiatives like expanded targeting authorities, appropriations, public-private partnerships, and cybersecurity and information sharing standards.
• Undertake steps to address the regulatory perimeter and controls with DeFi: Finally, legislators should direct the SEC and CFTC to jointly undertake the steps recommended by the CFTC TAC in evaluating how to evolve market structure in addressing issues like the unique constructs in DeFi. These steps include mapping ecosystem players, processes, and data; assessing compliance and requirements gaps; identifying risks; evaluating options, benefits, and costs of changes to the regulatory perimeter, and surging research and development and standards partnerships.

With guardrails established and more consistent oversight by Congress, this approach, implemented through administrative procedure and thoughtful regulation with public engagement, I think is likely the best way to achieve a comprehensive and enduring framework.

In closing, I’d like to again underscore my gratitude for the honor of the opportunity to speak with you all today. It is critical that the United States make timely progress on establishing and implementing cryptocurrency regulatory frameworks, which should leverage years of effort on defining critical holistic protections that also reinforce the central role in the financial system and as a leader in technological innovation.

Thank you.

Fellow

Carole House

Nonresident Senior Fellow

GeoEconomics Center

Cybersecurity Digital Currencies

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Carole House testifies to House Financial Services Committee on the gaps and opportunities for digital asset regulation appeared first on Atlantic Council.

The G7 must seize this opportunity to advance a coherent, shared framework for digital policy, one that is grounded in trust, reinforced by standards, and aligned with democratic values. To do so, it can build on some of the insights from the Business Seven (B7), the official business engagement group of the G7. The theme of this year’s B7 Summit, which was held from May 14 to May 16, in Ottawa, Canada, was “Bolstering Economic Security and Resiliency.” The selection of this theme emphasized the importance of defending against threats and enhancing the ability of societies, governments, and businesses to adapt and recover.

In the spirit of that theme, the Atlantic Council’s GeoTech Center, in partnership with the Cyber Statecraft Initiative and the Europe Center, convened a private breakfast discussion alongside the B7 in Ottawa on May 15. The roundtable brought together government officials, business leaders, and civil society representatives to discuss how digital resilience can be strengthened within the G7 framework. The participants laid out foundational principles and practical approaches to building digital resilience that support economic security and long-term competitiveness. As G7 leaders gather for the summit in Kananaskis later this month, they should consider these insights on how its member states can work together to bolster their digital resilience.

1. Develop a common language for shared goals on digital sovereignty

When developing a common framework, definitions (or taxonomy) are critical. Participants emphasized that shared vocabulary is a prerequisite for meaningful cooperation. Discrepancies in how countries define concepts such as digital sovereignty can lead to fundamental misunderstandings in critical areas such as risk, which creates friction and confusion.

For example, a G7 country might frame sovereignty in terms of national control over infrastructure while another country, such as China, defines it as regulating the digital information environment. In that case, this misalignment will hinder cooperation from the outset. Specifying precise definitions of each government’s goals, including “trust,” “resilience,” and “digital sovereignty,” would enable governments and industry to align on priorities and respond more effectively to emerging standards. This definitional clarity is crucial for policymaking and a prerequisite for compliance, implementation, and interoperability across borders.

2. Build on existing multilateral and regional frameworks

Participants stressed the importance of building on existing progress toward digital resilience, both in and out of the G7, rather than discarding it in pursuit of novelty. The G7 and its partners already possess a strong foundation of digital policy initiatives. Key milestones such as the Hiroshima AI Process, launched under Japan’s 2023 G7 presidency, established International Guiding Principles and an International Code of Conduct for the development and use of artificial intelligence (AI) systems, which included frontier models. Prior to the Hiroshima AI Process, several consecutive G7 Summits committed to developing the data free flow with trust framework, which prioritizes enabling the free flow of data across borders while protecting privacy, national security, and intellectual property.

Beyond the G7, participants cited European Union (EU) partnerships as examples of forward-leaning policy environments that balance innovation with safeguards. These included the EU AI continent action plan, which aims to leverage the talent and research of European industries to strengthen digital competitiveness and bolster economic growth, as well as Horizon Europe, the EU’s primary financial program for research and innovation.

With these partnership frameworks already in place, G7 leaders should build on existing work and avoid seeking to design unique solutions that may become time-consuming—particularly when it comes to gaining political buy-in. Even in areas like AI and the use of data, where policymakers have observed rapid changes since last year’s summit, the B7 discussion participants emphasized that governments can leverage work they’ve already completed in designing and implementing existing standards. If prior technical standards and regulations are inapplicable or insufficient, policymakers can still learn lessons from an in-depth assessment, including by taking note of where they’ve fallen short of their goals.

3. Start new initiatives with small working groups and pilot projects  

Ensuring digital resilience requires managing inevitable trade-offs between national security, economic vitality, and open digital ecosystems. As one participant remarked, “the digital economy is the economy,” so policies shaping cyberspace must consider both national security and economic impacts. The G7 provides a platform for frank discussions among allies and partners about how to get these trade-offs right. But waiting for buy-in from all like-minded partners risks missed opportunities in the short term.

Participants noted that by starting with smaller forums, policymakers can build consensus that can lead to real progress. Pilot projects and working groups among smaller clusters of G7 countries could build momentum and inform scalable solutions. Participants emphasized that despite the contentious nature of some of the issues surrounding digital resilience, such as protectionism and market fragmentation, G7 governments are operating with a shared set of values. These values can motivate collaboration across the G7 on the many areas of common ground they already share, but they can also provide the basis for projects among smaller groups within the G7 to get new ideas off the ground.

A pivotal summit for digital resilience

As G7 leaders meet in Kananaskis and work toward a common framework that balances digital security and economic growth, a few key lessons can be garnered from this B7 meeting. G7 member states should prioritize developing a common taxonomy and building on the progress made on digital resilience both inside and outside the G7, all while remaining responsive to shifting geopolitical dynamics.

Disagreements among member states should be viewed not as a barrier, but as evidence of a maturing policy landscape. Constructive tension can drive refinement so long as partners are clear about their priorities. The G7’s unique value lies in its ability to forge alignment among diverse actors. False consensus only delays progress. It will take transparency, specificity, and trust to move the digital resilience agenda forward.

Sara Ann Brackett is an assistant director at the Atlantic Council’s Cyber Statecraft Initiative.

Coley Felt is an assistant director at the Atlantic Council’s GeoTech Center.

Raul Brens Jr. is the acting senior director of the Atlantic Council’s GeoTech Center.

New Atlanticist Feb 28, 2025

Canada’s G7 presidency should prioritize health innovation

By Carl Meacham

Canada should use its G7 presidency to communicate the long-term economic benefits of investing in health innovation.

Europe & Eurasia Resilience & Society

GeoTech Cues Mar 31, 2025

Trump’s sectoral-trade pivot: What it will take to succeed

By Mahnaz Khan

The United States is now seeing the dawn of a new sectoral trade policy—one that, if harnessed effectively, has the potential to strengthen US economic resilience.

Economy & Business International Markets

GeoTech Cues Jul 26, 2024

The sovereignty trap

By Konstantinos Komaitis, Esteban Ponce de León, Kenton Thibaut, Trisha Ray, Kevin Klyman

When sovereignty is invoked in digital contexts without an understanding of the broader political environment, several traps can be triggered.

Artificial Intelligence Digital Policy

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post G7 leaders have the opportunity to strengthen digital resilience. Here’s how they can seize it. appeared first on Atlantic Council.

That’s why the world’s financial leaders are closely watching the debate playing out in Congress right now over the future of stablecoin legislation. Next week, the Senate will likely take up the GENIUS Act, which will define the responsibilities for US stablecoin issuers and clarify who is responsible for oversight. 

Stablecoins are cryptocurrencies whose values are pegged to a specific underlying asset. This makes them “stable”—at least in theory.

Currently, 98 percent of stablecoins are pegged to the US dollar, but over 80 percent of stablecoin transactions happen outside the United States. 

Countries around the world are taking notice. In April, Italy’s finance minister, Giancarlo Giorgetti, said that new US policies on dollar-backed stablecoins present an “even more dangerous” threat to European financial stability than tariffs. His argument was that access to dollars without needing a US bank account would be attractive to millions of people and could undermine the effectiveness of monetary policy not just in Europe but around the world.

In many ways, it’s an old problem with new technology. Dollarization—the situation where citizens in another country try to swap their local currency for dollars—has been a risk in emerging markets and developing economies for decades. In the early 2000s, for example, a range of countries from Ecuador to Zimbabwe to Argentina had difficulty managing the demand for dollars instead of local currency. In each situation, years of economic pain followed in these countries. 

Now stablecoins are making it cheaper and easier for people around the globe to get ahold of what is still the single most in-demand asset in the world.

Instead of the old way of having to go to a bank and exchange local currency for US dollars, which is time consuming and often involves significant fees, stablecoins make dollars seamlessly available to anyone with a cell phone.

US officials argue that this benefits the United States. When I interviewed Federal Reserve Governor Christopher Waller, who oversees payments at the central bank, about this issue in February, he said that stablecoins “could be in any fiat currency,” such as pounds or euros, “but everyone wants dollar-denominated stablecoins.” He added that “if we can get good regulation, allow these things to go out, this will only strength the dollar as a reserve currency.”

Waller’s point was that if stablecoin issuers need to back up their coins with Treasuries or other liquid assets, the increase in stablecoin usage around the world will generate even higher demand for dollars. The whole point of a stablecoin is that you can fully convert it into a dollar if you want to—meaning the issuers need to have those dollars on hand.

US Treasury Secretary Scott Bessent has put it even more bluntly. “We are going to keep the US the dominant reserve currency in the world, and we will use stablecoins to do that,” he said in March.

If so, the United States should tread cautiously. 

The global proliferation of stablecoins means that some companies will take advantage of the demand and issue stablecoins that claim they are digital versions of the dollar but in reality aren’t fully backed by dollars.   

If that company failed, it wouldn’t just cost consumers their savings. It could trigger a run on all kinds of financial assets.

Think back to the collapse of the algorithmic stablecoin TerraLuna in 2022. Over $45 billion in value for TerraLuna holders was wiped out within a week. But since that time, stablecoin volumes have increased across the world by over 60 percent. 

The current patchwork of regulations around the globe creates more confusion, more friction in payments, and ultimately higher costs for consumers. 

Already, that’s what’s happening. As new research from the Atlantic Council GeoEconomics Center shows, some countries want to create their own central bank digital currencies to compete with stablecoins, while other countries are trying to regulate the wallets that hold stablecoins. 

Instead of waiting for new regulatory fences to be built up in the coming years, the United States should show that it recognizes the concerns other countries have about dollar-backed stablecoins. The legislation in front of Congress helps domestically by creating transparency and reporting requirements, but it does little internationally.

This is where the Group of Twenty (G20) comes in. The United States has a golden opportunity to help set international standards around digital assets, including the risks and regulations associated with stablecoins, during its G20 presidency next year. A key first step would be creating a new G20 payments roadmap. 

A first roadmap was agreed to in 2020 and delivered important innovations on faster payments. But technology has rapidly changed in the past five years, and it’s time for an upgrade. 

If the United States made stablecoins a focus this year, it would raise the bar across the world and ensure that dollar-backed stablecoin users in all countries are getting what they bargain for—an actual dollar—instead of an imitation of one. 

The rest of the world will welcome US leadership in this space and will take it as a sign that, at least when it comes to the future of the dollar, the United States is not looking to export instability.

Josh Lipsky is the chair of international economics at the Atlantic Council and senior director of the Atlantic Council’s GeoEconomics Center. 

The post For dollar-backed stablecoins to be truly stable, the US needs to set international standards appeared first on Atlantic Council.

The post Cryptocurrency Regulation Tracker cited by GIR on the regulatory landscape for cryptocurrencies appeared first on Atlantic Council.

• Initial expectations
• Russia’s cyber ecosystem
• What happened to Russia’s cyber might?
• Unpacking the (cyber) nesting doll
• Conclusion
• Acknowledgements
• About the author

When the Russian government launched its full-scale invasion of Ukraine on February 24, 2022, many Western observers braced for digital impact—expecting Russian military and security forces to unleash all-out cyberattacks on Ukraine. Weeks before Moscow’s full-scale war began, Politico wrote that the “Russian invasion of Ukraine could redefine cyber warfare.” The US Cybersecurity and Infrastructure Security Agency (CISA) worried that past Russian malware deployments, such as NotPetya and WannaCry, could find themselves mirrored in new wartime operations—where the impacts would spill quickly and globally across companies and infrastructure. Many other headlines and stories asked questions about how, exactly, Russia would use cyber operations in modern warfare to wreak havoc on Ukraine. Some of these questions were fair, others clearly leaned into the hype, and all were circulated online, in the press, and in the DC policy bubble ahead of that fateful February 24 invasion.

As the Putin regime’s illegal war unfolded, however, it quickly belied these hypotheses and collapsed many Western assumptions about Russia’s cyber power. Russia didn’t deliver the expected cyber “kill strike” (instantly plummeting Ukraine into darkness). Ukrainian and NATO defenses (insofar as NATO has spent considerable time and energy to support Ukraine on cyber defense over the years) were sufficient to (mainly) withstand the most disruptive Russian cyber operations, compared at least to pre-February 2022 expectations. And Moscow showed serious incompetencies in coordinating cyber activities with battlefield kinetic operations. Flurries of operational activity, nonetheless, continue to this day from all parties involved in the war—as Russia remains a persistent and serious cyber threat to the United States, Ukraine, and the West. Russia’s continued cyber activity and major gaps between wartime cyber expectations and reality demand a Western rethink of years-old assumptions about Russia and cyber power—and of outdated ways of confronting the threats ahead.

Russia is still very much a cyber threat. Patriotic hackers and state security agencies, cybercriminals and private military companies, and so on blend together with deliberate state decisions, Kremlin permissiveness, entrepreneurialism, competition, petty corruption, and incompetence to create the Russian cyber web that exists today. The multidirectional, murky, and dynamic nature of Russia’s cyber ecosystem—relying on a range of actors, with different incentives, with shifting relationships with the state and one another—is part of the reason that the Russian cyber threat is so complex.

Policymakers in the United States as well as allied and partner countries should take at least five steps to size up and confront Russia’s cyber threat in the years to come:

• When assessing the expectations-versus-reality of Russia’s wartime cyber operations, distinguish between capabilities and wartime execution.
• Widen the circle of analysis to include not just Russian state hackers but the broader Russian cyber web, including patriotic hackers and state-coerced criminals.
• Avoid the trap of assuming Russia can separate out cyber and information issues from other bilateral, multilateral, and security-related topics—maintaining its hostility toward Ukraine while, say, softening up on cyber operations against the United States.
• Continue cyber information sharing about Russia with allies and partners around the world.
• Invest in cyber defense and in cyber offense where appropriate.

Russia’s cyber ecosystem

Russia is home to a complex ecosystem of cyber actors. These include military forces, security agencies, state-recruited cybercriminals, state-coerced technology developers, state-encouraged patriotic hackers, self-identified patriotic hackers acting of their own volition, and more. Even Russian private military companies offer cyber operations, signals intelligence (SIGINT), and other digital capabilities to their clients. Together, these actors form a large, complex, often opaque, and dynamic ecosystem. The Kremlin has substantial power over this ecosystem, both guiding its overall shape (such as permitting large amounts of cybercrime to be perpetuated from within Russia) and leveraging particular actors as needed (discussed more below). Simultaneously, decisions aren’t always top-down, as entrepreneurial cybercriminals and hackers—much like “violent entrepreneurs” in Russian business and crime, or the “adhocrats” vying for Putin’s ear to pitch ideas—take initiative, build their own capabilities, and sell them to the state as well.

The relationships that different security agencies, at different levels, in different parts of the country and world, have with Russian hackers also vary over time. A local security service office might provide legal cover to a group of criminal hackers one day (after the necessary payoffs change hands, of course), only for a Moscow-based team to recruit them for a state operation the next. While the Kremlin has a sort of “social contract” with hackers—focus mainly on foreign targets; don’t undermine the Kremlin’s geopolitical objectives; be responsive to Russian government requests—its tolerance for a specific cybercriminal group can change on a whim, too. Security officials might take a bribe from a cybercriminal, much as their colleagues do on the regular, and still find their patrons in prison and their own wrists in handcuffs.

On the Russian government side, the principal units involved in offensive cyber operations are the Federal Security Service (FSB), the military intelligence agency (GRU), and the Foreign Intelligence Service (SVR). Russia does not have a proper, centrally coordinating cyber command; it was never launched despite attempts in the 2010s. The Ministry of Defense’s initial efforts to make one happen by circa 2014 were, it came to be understood later, overtaken by the subsequent establishment of Information Operations Troops with seemingly some coordinating functions—though experts still debate its analogousness to a “cyber command” and its level of shot-calling compared to bodies like the Presidential Administration. So while it is possible for the Russian security agencies to coordinate their (cyber) operations with one another, their engagements are marked more by competition than cooperation.

The most prominent example of this potential overlap or inefficiency is when GRU-linked APT28 and SVR-linked APT29 both hacked the Democratic National Committee in 2016, making it unclear whether each knew the other was carrying out a similar campaign. This operational friction is exacerbated by the fact that the agencies’ general remits—SVR on human intelligence, for instance, and FSB mostly domestic—do not translate to the digital and online world. All three agencies hack military and civilian targets and, for example, the FSB actively targets and hacks organizations outside of Russia’s borders. Each agency approaches cyber operations differently, too, often in line with their overall institutional cultures—such as the GRU, known for its brazen kinetic operations including sabotage and assassination, carrying out the boldest and most destructive cyber operations, contrasted with the SVR, and its emphasis on secrecy, focusing on quiet cyber intelligence gathering like in the SolarWinds campaign. Still, the Russian state agencies with cyber operations remain active threats to the United States, Ukraine, the West, and plenty of others through intelligence-gathering efforts, disruptive operations, and efforts that meld both, such as hack-and-leak campaigns.

Beyond government units themselves, the state encourages patriotic hackers—sometimes just young, technically proficient Russians—to go after foreign targets through televised and online statements (such as disinformation about Ukraine). Different security organizations, such as the FSB, may hire cybercriminals for specific intelligence operations and pay them based on the targets they penetrate. Other private-sector companies pitch their own services to the state of their own volition, bid on government contracts, and support a range of offensive capability development, research and development, and talent cultivation efforts (including defensive activities and benign or even globally cybersecurity-positive activities beyond the scope of this paper). Russian private military companies increasingly offer capabilities related to cyber and SIGINT to their private and government clients around the world, too. All the while, the state retains the capability to target specific people and companies in Russia that otherwise have nothing to do with the state, apply the relevant pressure, and compel them to assist with state cyber objectives, which it can wield to extraordinary effect.

As the historian Stephen Kotkin notes, “The Russian state can confound analysts who truck in binaries.” While there are several core themes to this ecosystem—complexity; state corruption; overwhelming tolerance for and even tacit support of cybercrime; myriad offensive cyber actors in play—Russia’s cyber ecosystem neither fits into a neat box nor is a neatly run one at that.

For all the threats these actors pose to Ukraine and the West, assuming that the Putin regime controls all cyber activity emanating from within Russia’s borders is not just inaccurate (e.g., the country’s too big; there are too many players; it’s not all top down), but is the kind of assumption that serves as a “useful fiction” for the Kremlin. It makes the system appear ruthlessly efficient and coordinated, gives disconnected or tactically myopic actions a veneer of larger strategy, and puts Putin at the center of all cyber operation decision-making. Thinking as much can, intentionally or not, further feed into the idea that the Kremlin’s motives are clear and fixed or driven by some kind of “hybrid war” strategy. It also obscures the fact that—unlike many Western countries that do, in fact, publish official “cyber strategies”—Russia does not have a defined cyber strategy document, instead drawing on a range of documents and sweeping “information security” concepts to frame information, the internet, and cyber power.

On the contrary, it is the multidirectional, murky, and dynamic nature of Russia’s cyber ecosystem that makes cyber activity subject to sudden change, feeds opportunities for interagency rivalries, contributes to effects-corroding corruption and competition, and provides the Kremlin with a spectrum of talent, capabilities, and resources to tap, direct, and deny (plausibly or implausibly) as it needs. It is in part this dynamism and multidirectional nature that makes Russia’s cyber threat so complex—as mixes of deliberate state decisions, Kremlin permissiveness, entrepreneurialism, competition, petty corruption, and incompetence blend together to create the Russian cyber web that exists today. Relationships between the state proper, at different levels, in different organizations, with nonstate cyber affiliates are often shifting; ransomware groups persistently targeting Western critical infrastructure, for example, may be prolific for months before collapsing under internal conflict and reconstituting into new groups, with new combinations of the old tactics and talent. It is also the reason that what is known to date about cyber operations during Russia’s full-out war on Ukraine provides such a valuable case study in assessing the status quo of this ecosystem—and, coupled with lessons from past incidents (like Russian cyberattacks on Estonia in 2007, Georgia in 2008, and Ukraine in 2014), helps to better weigh the future threat.

What happened to Russia’s cyber might?

Cyber operations have played a substantial role in Russia’s full-on invasion of Ukraine in February 2022 and the ensuing war. These activities range from distributed denial of service (DDoS) attacks knocking Ukrainian websites offline and Ukrainian patriotic hackers’ attacks on Russian government sites (what Kyiv calls its “IT Army”) to Russia using countless malware variants to exfiltrate data and targeting Ukrainian Telegram chats and Android mobile devices. Without getting into a timeline of every major operation—neither this paper’s focus nor possible given limits on public information—it is clear that Russian and Ukrainian forces and their allies, partners, and proxies have made cyber operations part of the war’s military, intelligence, and information dimensions.

There are many ways to define cyber power, which is by no means limited to offensive capabilities. In Russia’s case, analysts could focus on anything from Russia’s national cyber threat defense system—the Monitoring and Administration Center for General Use Information Networks (GosSOPKA), which effectively brings together intrusion detection, vulnerability management, and other technologies for entities handling sensitive information—to the enormous IT brain drain problems the country suffered immediately following the full-on invasion of Ukraine. As explored in a study last year for the Atlantic Council, Russia’s growing digital tech isolationism—both a long-standing goal and increasing reality for the Kremlin—has driven more independence in some areas, like software, while heightening dependence and strategic vulnerability in others, such as dependence on Chinese hardware. This paper’s focus, though, will remain on Russia’s offensive capabilities.

Pre-February 2022 expectations in the United States and the West, as highlighted above, were dominated by those predicting extensive Russian disruptive and destructive cyber operations. In these scenarios, Russia would leverage its state, state-affiliated, state-encouraged, and other capabilities to cause serious damage to Ukrainian critical infrastructure (telecommunications, water systems, energy grids, and so forth) and cleanly augment its kinetic onslaught. Russia would “employ massive cyber and electronic warfare tools” to collapse Ukraine’s will to fight through digital means.

To be sure, some predictions were more measured. Some pointed to the 2008 Russo-Georgian War, as an illustration of Russian forces effectively using DDoS attacks (Moscow’s shatter-communications approach) in concert with disinformation and kinetic action to prepare the battlefield, and conjectured that Moscow would do the same if it moved troops further into Ukraine. Others highlighted Russia turning off Ukrainian power grids as a possible menu option for Moscow as it escalated. Cybersecurity scholars Lennart Maschmeyer and Nadiya Kostyuk, contrary to widely held positions, argued two weeks before Russia’s full-scale invasion that “cyber operations will remain of secondary importance and at best provide marginal gains to Russia,” incisively noting that press headlines talking of “cyber war” rest on “the implicit assumption that with the change in strategic context, the role of cyber operations will change as well.” The overwhelming sentiment, though, was worry and anticipation of what some considered true, cyber-enabled, twenty-first century warfare.

But the cyber operations that unfolded immediately before and after the February 2022 invasion defied what many Western (including American) commentators were predicting. Russia didn’t deliver the cyber kill strike expected (instantly plummeting Ukraine into darkness). Ukrainian and NATO defenses were sufficient to (mainly) withstand the most disruptive FSB and GRU cyber operations, compared at least to pre-February 2022 expectations. And Moscow showed serious incompetencies in coordinating cyber activities with battlefield kinetic operations. Many experts who did not expect cyber-Armageddon per se have still been surprised by the limited impact of Russian attacks, the focus on wiper attacks (that delete a system’s data via malware) and data gathering over critical infrastructure disruptions, and apparent poor coordination between cyber and kinetic moves made by the Russian Armed Forces and intelligence services.

What, then, explains the gulf between expectations—decisive moves, cleanly executed operations, and visible results—and reality, with some operations, certainly, but the overwhelming focus on kinetic activity and far less on destructive cyber movement than anticipated? Scholars and analysts have, since February 2022, put forward several buckets of hypotheses.

Various commentators argue, as National Defense University scholar Jackie Kerr compiles and breaks down, that Russia’s weak integration of cyber into offensive campaigns was symptomatic of broader problems with Russian military preparations for full-on war; that Western observers simply overestimated Russia’s cyber capabilities; that poor coordination and competition between Russian security agencies impeded operational success; or that Ukraine’s cyber defenses have been extraordinarily robust. Some have gone so far as to attribute Ukrainian cyber defenses, backed up by Western allies and partners, as the primary reason for Russian offensive failures. Russia cyber and information expert Gavin Wilde argues that Russia focused on countervalue operations (against civilian infrastructure, to demoralize political leaders and the public) more than counterforce operations (against Ukrainian military capabilities), to little effect, “a sign of highly sophisticated intelligence tradecraft being squandered in service of a deeply flawed military strategy.”

Professors Nadiya Kostyuk and Erik Gartzke write that Russia’s full-on war on Ukraine is about territory and physical control, making physical military activity far more important than cyber operations themselves. Cyber scholar Jon Bateman argues that traditional signals jamming and Russia’s cyberattack against the Viasat satellite communications system, coupled with a chaotic slew of data-deletion attacks, may have helped Russia initially—but that cyber operations from there had diminishing novelty and impact. Russia’s poor strategy, insufficient intelligence preparation, and interagency mistrust have been presented as causes for undermining Russia’s cyber-kinetic strike coordination, too. Others argue that Russians wanted to gather intelligence from Ukrainian systems more than disrupt them, that Russia’s information-focused troops have been more optimized for propaganda than cyber operations, and that cyber scholars’ and pundits’ expectations were plain wrong given that Russia wanted to inflict physical violence on Ukraine more than achieve cyber-related effects—necessitating bombs, missiles, and guns over malware, zero days, and DDoS attacks.

In reality, of course, many factors are likely in play at once. Plenty of the above scholars and commentators recognize this multifactorial situation and say it outright (although a few do push a single prevailing explanation for the war’s cyber outcomes). However, it’s worth explicitly stressing that many factors coexist, in light of occasional efforts to provide reductive explanations for complex wartime activities and effects. Concluding that Russia is no longer a cyber threat, for instance, is wrong. While Ukraine as a country has demonstrated extraordinary will and resilience, and while Ukrainian cyber defenses have been more than commendable, explanations that place the rationale solely on formidable Ukrainian cyber defenses are likewise reductive. Taking such explanations as fact simplifies the many factors involved and can veer analysis and debates away from the policy actions that are still needed, such as continued cyber threat information sharing between the United States and Ukraine.

The above, plausible, evidence-grounded explanations are not mutually exclusive. FSB officers, rife with paranoia, conspiratorialism, and a Putin-pleasing orientation, did indeed grossly misinterpret the situation on the ground in Ukraine in 2022 and fed that bad information to the Kremlin, potentially skewing assessments of cyber options as well.

Interagency competition may very well have undermined, once again, the ability of the FSB, GRU, and SVR to coordinate activities with one another, let alone with the Ministry of Defense and Russian proxies in Belarus, and therefore hampered more effective planning, coordination, and execution of cyber operations. For example, during the war’s initial stages, elements of the SVR may very well have sought to technically gather intelligence from targets that GRU- or FSB-tied criminal groups were indiscriminately trying to knock offline or wipe with malware, thrusting uncoordinated activities into tension.

Like in every other country on earth, Russian cyber operators are additionally subject to resource constraints: A hacker spending a day on breaking into a Ukrainian energy company is a hacker not spending time on spying on expats in Germany or setting up a collaboration with a ransomware group. Competition, therefore, not just between agencies—turf wars, budget fights, who gets the primary jurisdiction over Ukraine, and so forth—but within them, over who gets to spend what time and resources targeting which entities, sit within broader Russian government calculi over cyber, military, and intelligence operations. And, among others, Russia’s overall strategy did lead to bad moves, as Wilde and others have noted, with limited effect and burning away Russian capabilities (like exploits) in the process. Recognizing these many likely factors will facilitate better analysis of where Russia stands.

The gap between the imagined, all-out “cyber war” and the past three years’ reality also begs the question of whether the right metrics were considered in the first place. As much as cyber capabilities are inextricable from modern intelligence operations, and as much as cyber and information capabilities are embedded throughout militaries around the world, war is obviously about far more than cyber as a domain. But experts studying cyber all day, every day, may fall into the unintentional trap (as anyone can) of having their area of study become the focal point of analysis in a war with many moving pieces and considerations—hence, some of the commentary anticipated Russian destruction of Ukraine to happen through code, compared to a range of military weaponry. Academic theories, moreover, of how cyber conflict will unfold in political science-modeled simulations or think tank war games may similarly fail to map to battlefield realities, such as generalizing how cyber fits into warfare without adequately considering unique contexts in a country like Russia. Layered on top of all this—in the academies, in the media, in the data and artificial intelligence (AI) era—is a frequent desire to quantify everything, too, obscuring the fact that not everything can be effectively, quantifiably measured and that counting up the number of observed Russian cyber operations and scoring them may still not get to the heart of their inefficacy. Clearly, as US and Western perspectives on Russian cyber power shift with more information and time, it is worth rethinking Russia’s future cyber power—not just for how the West can recalibrate its assumptions and size up the threats, but in how the West can prepare to act and respond in the future.

Unpacking the (cyber) nesting doll

The takeaway from comparing predictions and reality shouldn’t be that pundits are always wrong or that Russia’s cyber operations are considerably less threatening in 2025. Nor should it be that Ukraine is propped up solely by Western government and private-sector cyber defenses, and that Russia is simply waiting to unleash a devastating cyber operation to end it all.

Russia remains a sophisticated, persistent, and well-resourced cyber threat to the United States, Ukraine, and the West generally. This is not going to change anytime soon. Kremlin-spun “crackdowns” on cybercrime (arrests that were little more than public relations stunts), frenetic talk of US-Russia rapprochement, and wishful thinking about Putin’s willingness to cease subversive activity against Ukraine do not portend, as some might suggest, that the United States can sideline Russia as a central cyber problem—and focus instead on China.

The Russian government views cyber and information capabilities as key to its military and intelligence operations, and the Kremlin still has one top enemy in its national security sights: the United States. Outside the Russian state per se, a range of ransomware gangs and other hackers in Russia will continue targeting companies, critical infrastructure, and other entities in the United States, Ukraine, and the West, too. There are at least five steps US policymakers and their allies and partners should take to size up this threat—against the full scope of Russia’s cyber web and integrating lessons learned so far from Russia’s full-out war on Ukraine—and confront it head-on in the coming years.

When assessing the expectations-versus-reality of Russia’s wartime cyber operations, distinguish between capabilities and wartime execution. Clearly, Russian offensive cyber activity during its full-on war against Ukraine has not matched up against Western assumptions that envisioned a cyber onslaught that turned off power grids, disrupted water treatment facilities, and blacked out communications. Evaluating how and why Russia did not make this happen is critical to understanding Russia’s operational motives, play-by-play planning and coordination between security agencies, targeting interests, and much more. But analysts and media must be careful to avoid thinking that Russia’s cyber capabilities themselves are weak. Clearly, when Russian hackers put the pedal to the metal, so to speak—ransomware gangs targeting American hospitals, or the GRU going after Ukrainian phones—they can deliver serious results. A better approach is policymakers and analysts in the United States, as well as in allied and partner countries, breaking out Russia’s continued cyber threats across ransomware, critical infrastructure targeting, mobile-device hacking, and so on while pairing the capabilities against where execution could fall short in practice. Doing so will give a better sense of Russia’s cyber strengths and weaknesses—and distinguish between the different components of carrying out a cyber operation.

Widen the circle of analysis to include not just Russian state hackers but the broader Russian cyber web, including patriotic hackers and state-coerced criminals. Focusing Western intelligence priorities, academic studies, and industry analysis mainly on Russian government agencies as the primary vector of Russian cyber power loses the importance of the overall Russian cyber web. Putting the focus mostly on Russian government agencies also loses, as my colleague Emma Schroeder has unpacked in detail, the role that public-private partnerships have played in cyber operations and defenses in the conflict, and the opportunity to assess similar public-private dynamics on the Russian side. Conversely, making sure to consider the roles of government contractors, military universities, patriotic hackers, state-tapped cybercriminals, and other actors as described above should help to fight the temptation to treat all Russian cyber operations as top-down—and illuminate the many ways in which Russia can build capabilities, source talent, and carry out operations against the West. Understanding these actors will allow for better tracking, threat preparation, defense, and, where needed, disruption.

Avoid the trap of assuming Russia can separate out cyber and information issues from other bilateral, multilateral, and security-related topics—maintaining its hostility toward Ukraine while, say, softening up on cyber operations against the United States. Whether the US government can or cannot separate out cyber issues vis-à-vis Russia from other elements of the US-Russia relationship (e.g., trade, nuclear security), Western policymakers should avoid the trap of assuming the Russian government is currently capable, let alone willing, of genuinely and seriously doing the same: separating out its cyber activities from other policy and security issues.

The Russian government has come to view the internet and digital technologies as both weapons that can be wielded against the state and weapons to use against Russia’s enemies. In this sense, cyber operations (as well as information operations) are core not just to Moscow’s approach to modern security, military activity, and intelligence operations but, perhaps more importantly, to the Kremlin’s conceptualization of regime security as well. Paranoia and propaganda about fifth columnists (with, sometimes, one feeding the other), persistent efforts to crack down on the internet in Russia, and a continued belief that Western tech companies and civil society groups are weaponizing the internet to undermine the Kremlin, mean that the regime will not truly believe it can put “information security” on the sidelines—and that includes not just internet control but cyber operations. Policymakers must go into diplomatic and other engagements with Russia with their eyes wide open.

Continue cyber information sharing about Russia with allies and partners around the world. For years, military and intelligence scholars and analysts have referred to Russia’s actions in Georgia, Ukraine, and other former Soviet republics as a “test bed” or “sandbox” for what Russia might do in other countries. It would be a strategic, operational, and tactical mistake to think that Russian cyber operations against Ukraine are just confined to Ukraine and that two-way information sharing with Ukraine about cyber threats is a waste of time and resources. Quite the opposite: Russia’s cyber and information activities against Ukraine today can give the United States and its allies and partners critical insights into the types of capabilities and operations that could, and very well might be, carried out against them at the same time or days or months later. Whether hack-and-leak operations designed to embarrass political figures, wiper attacks designed to destroy government databases, espionage operations, or anything in between, having real-time information about Russian cyber threats will only help the United States and its allies and partners better defend their own networks and systems against hacks and attacks.

Invest in cyber defense and in cyber offense where appropriate. Persistent, sophisticated Russian cyber threats to a range of key US and allied and partner systems—military networks, hospitals, financial institutions, critical infrastructure, advanced tech companies, civil society groups—demand continued investments in cyber defense. In addition to information-sharing, the United States and its allies and partners need to continue prioritizing market incentives for companies to enhance cyber defenses along with baseline requirements for essential measures such as multifactor authentication, detailed access controls, robust encryption, continuous monitoring, network segmentation, resourced and empowered cybersecurity decision-makers, and much more. Just as the Russians clearly possess a range of advanced cyber capabilities, any number of recent operations, including against Ukraine, show that Russian operations (like those carried out by many other powers) continue to succeed with basic moves such as phishing emails. The United States and its allies and partners need to continually increase cyber defenses. And, where appropriate, the United States and its allies and partners should ensure the right capabilities and posture to carry out cyber offensive operations—including to preemptively disrupt Russian attacks (the “defend forward” euphemism). As the Kremlin is more paranoid and conspiratorial, the notion of diplomatic talks and establishing cyber redlines is less and less realistic. Active mitigation and disruption of threats, rather than relying too heavily on diplomatic meetings or endless criminal indictments, are together a more feasible approach to protecting US and allied and partner interests against Russian cyber threats in the years to come.

Conclusion

Lessons from cyber operations—and about cyber operations and capabilities—from the Russian full-on war against Ukraine will continue to emerge in the coming years. This trickle of information may slowly dissipate some of the “fog of war” surrounding the back-and-forth hacks and shed much-needed light on issues such as coordination and conflict between Russian security agencies in cyberspace.

For now, however, the issue for the United States is clear: Russia remains a persistent, sophisticated, and well-resourced cyber threat to the United States and its allies and partners around the world. The threat stems from a range of Russian actors, and it stands to continue impacting a wide range of American government organizations, businesses, civil society groups, individuals, and national interests across the globe. As wonderful as the idea of cyber détente might be, Putin’s paranoia about Western technology, Russian officials’ insistence that the internet is a “CIA project” and Meta is a terrorist organization, and military and intelligence interest in conflict and subversion against the West will not evaporate with a wartime ceasefire or a newfound agreement with the United States. These are hardened beliefs and fairly cemented institutional postures that are not going to shift under the current regime.

Rather than dismissing Russia’s cyber prowess because of unmet expectations since February 2022, American and Western policymakers must size up the threat, unpack the complexity of Russia’s cyber web, and invest in the right proactive measures to enhance their security and resilience into the future.

Acknowledgements

The author would like to thank Brian Whitmore and Andrew D’Anieri for the invitation to write this paper and for their comments on an earlier draft. He also thanks Gavin Wilde, Trey Herr, Aleksander Cwalina, Ambassador John Herbst, and Nikita Shah for their comments on the draft.

Justin Sherman is a nonresident senior fellow with the Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; an incoming adjunct professor at Georgetown University’s School of Foreign Service; a contributing editor at Lawfare; and a columnist at Barron’s. He writes, researches, consults, and advises on Russia security and technology issues and is sanctioned by the Russian Ministry of Foreign Affairs.

The Eurasia Center’s mission is to promote policies that strengthen stability, democratic values, and prosperity in Eurasia, from Eastern Europe in the West to the Caucasus, Russia, and Central Asia in the East.

Learn more

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

Russia Tomorrow Oct 1, 2024

Russia’s war on Ukraine: Moscow’s pressure points and US strategic opportunities

By Ariel Cohen

A new Atlantic Council report explores Russia’s modern day domestic and international vulnerabilities.

Defense Industry Europe & Eurasia

Russia Tomorrow Feb 2, 2024

Russia Tomorrow: Five scenarios for Russia’s future

By Casey Michel

A new Atlantic Council report explores five paths that Russia future might take in its future. What forces will shape Russia’s future?

Europe & Eurasia Political Reform

Russia Tomorrow Mar 14, 2024

All the autocrat’s men: The court politics of Putin’s inner circle

By Mikhail Zygar

A new Atlantic Council report by journalist Mikhail Zygar explores how Russia’s war on Ukraine has affected Vladimir Putin’s inner circle.

Elections Europe & Eurasia

The post Unpacking Russia’s cyber nesting doll appeared first on Atlantic Council.

The post CBDC Tracker cited by the US Treasury Department on global development of CBDCs appeared first on Atlantic Council.

The post Kumar referenced in the T7 Canada Communiqué appeared first on Atlantic Council.

The post CBDC Tracker cited in Reuters on digital currency development appeared first on Atlantic Council.

First, the significant effect that government-led instant payment systems can have on citizens and the financial market transforms financial inclusion and market structures. Second, decisions made during the early stages of the process, such as system pricing and ownership structure, shape the power dynamics between local and international players, as well as incumbent and new entrants. 

These lessons are shaping an emerging framework governments can use to evaluate their need for central bank-led immediate payment systems, their potential structure, organizational features, and trade-offs involved in implementing a similar approach. The framework is composed of a three-step approach, including prerequisite weighting (i.e., “do we need this system”), the preparations needed to hit the ground running, and the process of setting up new immediate payment systems.

Pix and UPI: Initial development to growing pains

But first, it’s important to understand how immediate payment systems have developed into what they are today. 

Over the last decade, India and Brazil launched their instant payment systems, UPI and Pix, on a national scale, reshaping their payment landscapes. With 350 million UPI users and 140 million Pix users, about 25 percent of India’s population and approximately 65 percent of Brazil’s population use the systems. One of every eleven adults in the world uses either Pix or UPI to send or receive immediate payments. 

Brazil’s immediate payments policy is a payments-first approach. The Brazilian Central Bank (BCB) owns Pix and pushes it to cooperate with domestic private market players, focusing mainly on immediate payments and adjacent products. The system was launched in 2020 after a two-year ideation and development period.

Pix is the most quickly adopted immediate payment system in the world. As of the second quarter in 2024, it had reached 15.4 billion quarterly transactions. Its growth was fueled by a high degree of cooperation with the local financial ecosystem, as well as the fact that institutions with over 500,000 transacting accounts were required to participate, creating a network effect.

India developed UPI as a part of its Digital Public Infrastructure (DPI) program and implemented it as a part of a broad tech stack. Its approach to both DPI and UPI has long been for the state to develop the basic infrastructure, including a digital identity pillar, data exchange pillar, and payments pillar, allowing private sector innovation on top of the existing system.

UPI was developed under the National Payments Corporation of India, which is independent of India’s central bank and owned by various private banks. It became India’s most popular digital payment method, processing over 75 percent of the nation’s retail digital payments.

However, UPI’s growth was initially slow. It only reached 10 million monthly transactions in 2017 and took about three years to reach 1 billion monthly transactions. The growth was later expedited due to India’s demonetization, which started in 2016, the COVID-19 transition away from cash, and internationally backed payment providers entering the market.

Both Pix and UPI have significantly increased financial inclusion, supported growth in the fintech sector, and become the payment standards in their respective countries. However, their impact has not been entirely positive. Their use has also increased fraud and reshaped the power balance between different players in their markets.  

Winners and losers: Market impacts in Brazil and India 

Both systems transformed their respective markets, benefitting some players and reducing the market power of others. 

The table below provides a snapshot of the market dynamics, highlighting each of the key players, their initial power and interest mapping (green for high, yellow for medium, and red for low) and the power shifts in the market caused by Pix. Power shifts are categorized into market share and decision-making power—red with a downward-facing arrow indicates a decrease, green with an upward-facing arrow signifies an increase, and yellow represents retained power or a mixed trend.

In Brazil, Pix has transformed the financial sector by benefiting new domestic players while challenging incumbents and credit card schemes. 

Brazilian neobanks and fintech startups have grown significantly by leveraging Pix’s cost model to attract new customers. They take advantage of the optional fee structure for its value offer, including no fees for consumers and bearing the mandatory fees for businesses. Eliminated transaction fees and immediate payments increased consumer trust. It made digital payments more accessible, particularly for the previously unbanked population. Small businesses and micro-entrepreneurs have also gained access to low-cost, instant transactions, fostering financial inclusion and reducing reliance on cash. This, in turn, drove an increase in such banks’ target addressable market (i.e., relevant customer base).

However, traditional banks and credit card networks have been disrupted. Before Pix, Brazilian banks charged significant fees for interbank transfers, but Pix’s free and instant model eroded this revenue stream. As a result of Pix’s launch, traditional banks’ revenue from payments decreased by 8 percent between 2020 and 2021.

Credit card companies are seriously threatened by Pix. In 2022, BCB’s governor predicted that Pix would make credit cards obsolete. However, transaction data tells a more complicated story. With Pix introducing new consumers into the market, banks are leveraging “maturing cohorts” of consumers to offer them credit cards. Before Pix, credit card payment volumes were at a 12.7 percent annual CAGR (compound annual growth rate) between 2018 and 2020. After the launch of Pix, CAGR almost tripled, reaching 31.7 percent between 2020 and 2022.

UPI’s rapid adoption in India similarly transformed the power balance in the market and benefitted payment technology providers. 

Large-scale third-party application providers (TPAPs), particularly Google Pay and PhonePe, dominate the UPI transaction space, accounting together for over 80 percent of UPI transactions. These players leveraged UPI’s no-cost model to gain significant user adoption. Consumers and merchants have also benefited from seamless, real-time payments without additional fees. 

However, traditional banks struggle with UPI’s zero-fee structure, as it increases transaction volumes and associated costs without direct revenue gains. Some banks have pushed for the introduction of transaction fees to compensate for operational costs. For that reason, in 2022 RBI introduced subsidies for small transactions to banks, which they can share with TPAPs. In 2024, these accounted for 10 percent of PhonePe’s annual revenue. Credit card companies have also faced increasing competition. However, similar to Brazil, credit card usage volume has actually increased following UPI’s scaling. From a declining CAGR of 7.3 percent between 2018 and 2020 in payment volume, after UPI scaled, credit card growth reached a 24.2 percent CAGR between 2020 and 2022.

Big tech vs. local tech: Divergent approaches

A key distinction between Pix and UPI is their approach to global technology firms (“big tech”) and multinationals generally.

BCB has actively blocked big tech from entering the market, emphasizing the need for domestic control over digital payments. This approach is part of a general policy to strengthen the domestic ecosystem over incorporating multinational players. In 2020, for example, BCB suspended WhatsApp’s Brazilian immediate payments offering launch. It cited regulatory concerns and the potential risk to financial stability, launching Pix later that year. This strategy has helped the local fintech ecosystem and brought domestic players, mainly neobanks, to the front of the stage. 

In contrast, India’s approach has allowed big techs and multinational players to participate in the UPI ecosystem and often relied on them for last mile delivery, and consumer onboarding, driving its scaleup. Google Pay and PhonePe, respectively backed by Alphabet and Walmart, quickly dominated.They could offer payments as a loss leader (i.e., sell at a loss to attract customers to other, profitable products) while benefiting from other products over time. 

While doing so accelerated lagging adoption rates, it has also led to concerns about data privacy and market concentration. 

The Indian government has since explored regulatory measures, such as imposing a 30 percent market share cap on individual TPAPs, though enforcement has been repeatedly delayed. Another claim voiced by government officials in the debate is that, given UPI’s universal nature, providers are interchangeable, thus eliminating anti-competitive claims.

This divergence in strategies and outcomes reflects the broader debate about whether emerging economies should embrace or limit big tech’s role in financial infrastructure.

Stages of implementation

Based on Brazil and India’s experiences, a three-stage framework emerges for countries considering immediate payment systems adoption.

The first stage of weighting prerequisites involves assessing the need for a state-led payments system based on three factors: the existence of alternatives (e.g., a strong credit card presence), expected change (primarily driven by the level of financial inclusion, development costs, and the size of the economy), and state capacity. As a result, countries with low banking penetration and high reliance on cash are more likely to benefit from such systems. 

The second stage involves getting ready to hit the ground running, focusing on implementation and scaling. Understanding the existing market conditions and the shifts anticipated from the introduction of the system is crucial. Additionally, selecting an appropriate governance model—whether a central bank-led approach like Pix, a consortium-led model like UPI, or a provider model—plays a vital role in determining long-term implications. Lastly, the fee structure will also influence both adoption and market entry and should be actively established at this stage. 

The final stage involves setting up a long-term process by establishing cooperation mechanisms and managing externalities. Policymakers must implement regulatory adjustments based on market responses to address issues such as monopolization and consumer protection against fraud. They should also explore engagement mechanisms for local players through forums and bilateral consultation schemes, focusing on gaining knowledge and legitimacy as well as efficiency considerations. 

While many regions worldwide consider the future of payments, this framework can serve as an initial point of assessment. There is no perfect “one size fits all” solution. However, states’ varied ability to execute and enforce participation, the size of their economies, and the preexisting market structures significantly influence decisions concerning the “what” and the “how” of launching immediate payment systems.

Pix and UPI offer several additional insights into how state-led payment systems can reshape economies. 

While Brazil focused on domestic financial players and regulatory control, India leveraged global technology firms for swift adoption. Consequently, Brazil fostered the expansion of its local fintech ecosystem, while India established an environment with significant multinational involvement. 

In both cases, incentives for private market players aligned to support the growth of credit card provision as a subsequent step after initially introducing consumers to the financial system through Pix and UPI. While there is room for discussion about the implications of this step, it is a definitively critical point to consider when launching such systems and weighing their outcomes.

Lastly, the key lesson from these models lies in the decisions made by policymakers to initiate transformative processes. Both models illustrate the potential of such systems to enhance financial inclusion, disrupt traditional banking, and reshape economies, thereby aiding in their advancement. These lessons from UPI and PIX can be narrowly applied to public sector entities looking to create state-led systems, however, it is important to consider that market structure transformation might not be the ideal solution for every economy, especially more advanced economies which have a larger share of private sector players. Ultimately within a jurisdiction, policymakers bear the ultimate responsibility of acting to launch immediate payment systems.

Polina Kempinsky is a second-year Master of Public Policy student at the Harvard Kennedy School. This paper is part of Polina’s PAE (Policy Analysis Exercise) for her program, which explores the instant payment systems of Brazil and India.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Fast payments in action: Emerging lessons from Brazil and India appeared first on Atlantic Council.

The post Cryptocurrency Regulation Tracker cited by the International Journal of Economics, Business and Management Research on global efforts to regulate cryptocurrency appeared first on Atlantic Council.

The post Kumar quoted in NewsNation on the new US crypto strategic reserve appeared first on Atlantic Council.

The post Kumar quoted by Central Banking on the Bank of Russia’s role in sanctions evasion and building alternative payment infrastructure appeared first on Atlantic Council.

Watch the full event

Public Event Thu, April 3, 2025 • 9:30 am ET

Europe’s Teresa Ribera on the EU’s clean transition and US-EU relations

AN #ACFRONTPAGE EVENT—Teresa Ribera, executive vice-president of the European Commission, shares her vision for the EU, the bloc’s competitiveness, and the US-EU relationship.

Digital Policy Economy & Business Energy & Environment Europe & Eurasia

US President Donald Trump’s sweeping tariffs, announced Wednesday, are “bad news for the whole world—including Americans,” said Teresa Ribera, executive vice-president of the European Commission for a clean, just, and competitive transition. 

“We will defend the Europeans,” from businesses to citizens, added Ribera at an Atlantic Council Front Page event Thursday. The European Union (EU) will first look to avoid a “big clash” with the United States. “We will remain firm and open,” and see if there are any avenues to “solve any type of misunderstanding and avoid conflict,” she said. 

As for what the US tariffs mean for the EU’s trade strategy, Ribera said that the bloc will “keep on developing and deepening the relationship with the rest of the world.”  

“The whole world is bigger, or larger, than the US market. So yes, of course, we will try to keep on building that,” she said. 

She added that it is “worth it to defend” the “multilateral-order-based rules,” including ones around trade, that the EU has built with its partners “during the last eighty years.” 

Below are more highlights from the conversation, moderated by Europe Center Distinguished Fellow Frances Burwell, which also touched upon the EU’s competitiveness agenda and green transition. 

All for one . . . 

• Ribera argued that in responding to the US tariffs, it will be important to have a “strong” EU that is “united” in a “common approach.”  

• “I say that we are boringly reliable, but I think that it is absolutely true,” Ribera said. She pointed to the EU remaining together against Russian President Vladimir Putin’s attempts to divide it. “This is one of the most important principles we need to stick [with],” she said. 

• She added that internal changes—such as removing barriers to trade within the European single market—could help offset losses incurred from US tariffs, seeing as internal trade barriers amount to the equivalent of a 45 percent tariff.  

• Ribera noted that the US-EU trade relationship has come to be a “story of success” in joint cooperation, so the two parties should not look to weaken the relationship, but to strengthen it. “It’s good to count on supply chains that work, markets that work and are predictable,” she said. 

• In order to address today’s challenges and address society’s demands, she said, “it is much [easier] to build bridges than to build barriers.” 

Guided by a new “Compass”

• Ribera will soon review the EU’s competition policy, which regulates mergers and acquisitions. She said the policy has been built on a global situation that “has changed” with the power of the West diminishing in its ability to set the terms of global markets. She said she will identify how the tools can actually help attain a more competitive environment, in line with the EU’s new Competitive Compass. 

• After US Federal Trade Commissioner Andrew Ferguson said that he was “suspicious” of the EU Digital Markets Act (which imposes restrictions on tech companies operating in Europe) and criticized laws that “get at American companies abroad,” Ribera argued that the act is “not intending to go against anyone.” She said, rather, it is intended to protect from the development of monopolies against new innovators in the EU market. 

Clean, green machine 

• In addressing criticism that the EU’s green push is getting in the way of achieving competitiveness priorities, Ribera said that the green framework can actually be a “main driver” of Europe’s future competitiveness. 

• Other countries have come to realize the value of the green transition and now “have a big share of the international market dealing with green equipments,” she said. “We don’t want to miss the train anymore.” 

• With the European Commission having proposed the Omnibus package of measures to simplify rules (such as those around sustainability reporting) for businesses, Ribera said that “simplification is very important.” She said she hears from businesses that they want simpler reporting obligations and more clarity from the EU to help them make the “right decisions” on investments. 

• The EU must show investors and the industrial community that it will not go “back to the past to solve the problems of today,” Ribera said. “This is clean, this is industrial, but this is a deal,” she added, explaining that the deal means the EU will be “paying attention to where the concerns may be and how we can . . . [better] bring better everybody together.” 

Katherine Golden is an associate director of editorial at the Atlantic Council.

Watch the event

The post The European Commission’s Teresa Ribera: ‘We will defend’ Europeans in the face of new US tariffs appeared first on Atlantic Council.

DeepSeek’s breakthrough has made the West reflect on its artificial intelligence (AI) strategies, specifically regarding cost and efficiency. But the West must also urgently consider what DeepSeek’s R1 model means for the future of democracy in the AI era.

That is because the R1 model shows how China has taken the lead in open-source AI: systems that are made available to users to use, study, modify, and share the tool’s components, from its codes to its datasets, at least according to the Open Source Initiative (OSI), a California-based nonprofit. While there are varying definitions of open-source, its application for AI has immense potential, as it can encourage greater innovation among developers and empower individuals and communities to create AI-driven solutions in sectors such as education, healthcare, and finance. The technology, ultimately, accelerates economic growth.

However, according to reports, R1 appears to censor and withhold information from users. Thus, democracies not only risk the loss of the AI technological battle; they also risk falling behind in the race to govern AI and could fail to ensure that democratic AI proliferates more widely than systems championed by authoritarians.

Therefore, the United States must work with its democratic allies, particularly the European Union (EU), to set global standards for open-source AI. Both powers should leverage existing legislative tools to initiate an open-source governance framework. Such an effort would require officially adopting a definition of open-source AI (such as OSI’s) to increase governance effectiveness. After that, the United States and EU should accelerate efforts to ensure democratic values are embedded in open-source AI models, paving the way for an AI future that is more open, transparent, and empowering.

How China overtook the lead

Part of DeepSeek’s success can be understood by the Chinese Communist Party’s (CCP’s) showing signs of incorporating the norm-building of open-source AI into its legal framework. In April 2024, the Model AI Law—a multi-year expert draft led by the Chinese Academy of Social Sciences, which is influential in the country’s lawmaking process—laid out China’s support for an open-source AI ecosystem. Article 19 states that the CCP “promotes construction of the open source ecosystem” and “supports relevant entities in building or operating open source platforms, open source communities, and open source projects.” It encourages companies to make “software source code, hardware designs, and application services publicly available” to foster industry sharing and collaboration. The draft also highlights reducing or removing legal liability for the provision of open-source AI models, providing that individuals and organizations have established a governance system compliant with national standards and have taken corresponding safety measures. Such legal liability would have held developers accountable for infringing the rights of citizens. This is a notable contrast to China’s past laws governing AI that explicitly stated the goal of protecting those rights. The specific provisions in the Model AI Law, albeit a draft, shouldn’t be overlooked, as they essentially serve as a blueprint of how open-source AI is deployed in the country and what China’s models exported globally would look like.

Furthermore, the AI Safety Governance Framework, a document that China aims to use as a guide to “promote international collaboration on AI safety governance at a global level,” echoes the country’s assertiveness on open-source AI. The document was drafted by China’s National Technical Committee 260 on Cybersecurity, a body working with the Cyberspace Administration of China, whose cybersecurity standard practice guidelines were adopted by CCP in September 2024. The framework reads, “We should promote knowledge sharing in AI, make AI technologies available to the public under open-source terms, and jointly develop AI chips, frameworks, and software.” Appearing in a document meant for global stakeholders, the statement reflects China’s ambition to lead in this area as an advocate.

What about the United States and EU?

In the United States, advocates have touted the benefits of open source for some time, and AI industry leaders have called for the United States to focus more on open-source AI. For example, Mark Zuckerberg launched the open-source model Llama 3.1 last year, and in doing so, he argued that open-source “represents the world’s best shot” at creating “economic opportunity and security for everyone.”

Despite this advocacy, the United States has not established any law to promote open-source AI. A US senator did introduce a bill in 2023 calling for building a framework for open-source software security, but the bill has not progressed since then. Last year, the National Telecommunications and Information Administration published a report on dual-use AI foundation models with open weights (meaning the models are available for use, but are not fully open source). It advised the government to more deeply monitor the risks of open-weight foundation models in order to determine appropriate restrictions for them. The Biden administration’s final AI regulatory framework was friendlier to open models: It set restrictions for the most advanced closed-weight models while excluding open-weight ones.

The future of open-source models remains unclear. US President Donald Trump has not yet created any guidance for open-source AI. So far, he has repealed Biden’s AI executive order, but the executive order that replaced it has not outlined any initiative that guides the development of open-source AI. Overall, the United States has been overly focused on playing defense by developing highly capable models while working to prevent adversaries from accessing them, without considering the wider global reach of those models.

Since unveiling the General Data Protection Regulation (GDPR), the EU has established itself as a regulatory powerhouse in the global digital economy. Across the board, countries and global companies have adopted EU compliance frameworks for the digital economy, including the AI Act. However, the EU’s effort on open-source AI is lacking. Although Article 2 of the AI Act briefly mentions open-source AI as an exemption from regulation, the actual impact seems minor. The exemption is even absent for commercial-purpose models.

In other EU guidance documents, the same paradox can be found. The latest General-Purpose AI Code of Practice published in March 2025 acknowledged how open-source models have a positive impact on the development of safe, human-centric, and trustworthy AI. However, there is no meaningful elaboration promoting the development and use of open-source AI models. Even in the EU Competitiveness Compass—a framework targeting overregulation, regulatory complexity, and strategic competitiveness in AI—“open source” is absent.

The EU’s cautious approach to regulating open-source AI stems from the challenge of defining it. Open-source AI is different from traditional open-source software in that it includes pre-trained AI models rather than simply source code. And, of course, the definition from OSI has not yet been acknowledged in the international legal community. The debate over what constitutes open-source AI creates legal uncertainty that the EU is likely uncomfortable to accept. Yet the real driver of inactivity lies deeper. The EU’s regulatory successes, like GDPR, make the Commission wary of exemptions that could weaken its global influence over a technology still so poorly defined. This is a gamble Brussels has, so far, had no incentive to take.

The new power imbalance in AI geopolitics 

China’s push to become technologically self-sufficient, a push which has included solidifying open-source AI strategies, is partly motivated by US export controls on advanced computing and semiconductors dating back at least to 2018. These measures stemmed from US concerns about national security, economic security, and intellectual property, while China’s countermeasures also reflect the broader strategic competition in technological superiority between both countries. The EU, on the other hand, asserts itself in the race by setting the global norms of protecting fundamental rights and a host of democratic values such as fairness and redistribution, which ultimately have shaped the policies of leading global technology companies.

By positioning itself as a leader in open-source AI, China has turned the export and policy challenge into an opportunity to sell its version of AI to the world. The rise of DeepSeek, along with other domestic rival companies such as Alibaba, is shifting the pendulum by reducing the world’s appetite for closed AI models. DeepSeek has released smaller models with fewer parameters for less powerful devices. AI development platform Hugging Face has started replicating DeepSeek-R1’s training process to enhance its models’ performance in reinforcement learning. Microsoft, OpenAI, and Meta have embraced model distillation, a technique that drew much attention with the DeepSeek breakthrough. China has advanced the conversation around openness, with the United States adapting to the discourse for the first time and the EU being trapped in legal inertia, leaving a power imbalance in open-source AI.

China is offering a concerning version of open-source AI. The CCP strategically deploys a “two-track” system that allows greater openness for AI firms while limiting information and expression for public-facing models. Its openness is marked by the country’s historical pattern that restricts the architecture of a model, such as requiring the input and output to align with China’s values and a positive national image. Even in its global-facing AI Safety Governance Framework (in which Chinese authorities embrace open-source AI), the CCP says that AI-generated content poses threats to ideological security, hinting at the CCP’s limited acceptance of freedom of speech and thought.

Without a comprehensive framework based on the protection of democracy and fundamental rights, the world could see China’s more restrictive open-source AI models reproduced widely. Autocrats and nonstate entities worldwide can build on them to censor information and expression while touting that they are promoting accessibility. Simply focusing on the technological performance of China is not sufficient. Instead, democracies should respond by leading with democratic governance.

Transatlantic cooperation is the next step

The United States and EU should consider open-source diplomacy, advancing the sharing of capable AI models across the globe. In doing so, they should create a unified governance framework and work toward shaping a democratic AI future by forming a transatlantic working group on open-source AI. Existing structures, including the Global Partnership on Artificial Intelligence (GPAI), can serve as a vehicle. But it’s essential that technology companies and experts from both sides of the Atlantic are included in the framework development process.

Second, the United States and EU should, through funding academic institutions and supporting startups, promote the development of open-source AI models that align with democratic values. Such models, free from censorship and security threats, would set a powerful contrast to the Chinese models. To promote such models, the United States and EU will need to recognize that the benefits of such models outweigh the risks in the broader picture. Similarly, the EU must also continue leveraging its regulatory advantage; it must also be more decisive about governing open-source AI, even if it means embracing some uncertainty about its legal definition, in order to outpace China’s momentum.

The United States and EU may currently have a rocky relationship. However, US-EU collaboration rather than competition is crucial with China’s ascendence in open-source AI. To take back leadership in this pivotal arena, the United States and European Union must launch a transatlantic initiative on open-source AI that employs forward-thinking policy, research, and innovation in setting the global standard for a rights-respecting, transparent, and creative AI future.

Ryan Pan is a project assistant at the Atlantic Council GeoTech Center.

Kolja Verhage is a senior manager of AI governance and digital regulations at Deloitte.

The views reflected in the article are the author’s views and do not necessarily reflect the views of their employers.

GeoTech Cues Feb 4, 2025

Did DeepSeek just trigger a paradigm shift?

By Ryan Arant, Newton Howard

The release of DeepSeek’s AI model may have far-reaching implications for global investment trends, regulatory strategies, and the broader AI industry.

Artificial Intelligence Digital Policy

Sinographs Jan 29, 2025

Is DeepSeek a proof of concept?

By Jessie Yin

Understanding how Deepseek emerged from China’s innovation landscape can better equip the US to confront China’s ambitions for global technology leadership.

Artificial Intelligence China

New Atlanticist Jan 28, 2025

What DeepSeek’s breakthrough says (and doesn’t say) about the ‘AI race’ with China

By Kenton Thibaut

DeepSeek’s achievement has not exactly undermined the United States’ export control strategy, but it does bring up important questions about the broader US strategy on AI.

Artificial Intelligence China

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post DeepSeek shows the US and EU the costs of failing to govern AI appeared first on Atlantic Council.

The post House quoted in Axios on stablecoin legislation appeared first on Atlantic Council.

The post Donovan interviewed for the Public Key Podcast on the role of cryptocurrencies in global sanctions appeared first on Atlantic Council.

For starters, the plan stems from a 2024 proposal by Senator Cynthia Lummis and largely functions as a centralized repository for assets that have already been seized by the federal government—for example, as part of criminal proceedings. That might be “budget neutral,” as the order says, but it is not a reserve in the traditional sense of a gold reserve used by central banks to redeem depositors or pay international debts. As a prominent Bitcoin thinker succinctly put it, “[t]here is no ‘strategic’ value in a crypto reserve.”

The executive order directs the government to simply hold (or later on, perhaps buy and hold) assets like bitcoins. Although the order vaguely criticizes the government’s “premature sales” in the past, “HODL’ing” (as the expression goes) may or may not be fiscally prudent, depending on whether or when to sell the assets. Separately, there are serious questions about if it is prudent for the government to essentially invest in select digital assets, as opposed to generating revenue in other ways. At the very least, the Secretary of the Treasury should develop concrete criteria and an authorization process for periodically selling or buying digital assets, to add transparency and provide an orderly means of decreasing volatility exposure. Senator Lummis’s original proposal, for example, contained some selling thresholds.

Second, the White House crypto czar David Sachs estimated that the federal government’s reserves comprised 200,000 bitcoin worth a staggering $17.5 billion at recent prices. If those numbers are still accurate, that would equal more than the total amount of gold held at almost all Federal Reserve Banks. That cannot be right as a matter of monetary policy. Even putting aside the polarizing debates about the long-term value of bitcoin (or lack thereof), the size of the new strategic reserve seems disproportionate given the risks and functions of the assets involved. Consistent with a transparent sales process, the Treasury should rightsize any digital asset reserve and use the remaining proceeds for other government programs.

Third, the cybersecurity challenges of having a centralized digital asset pool are not trivial, as the Atlantic Council highlighted in a prior report. Yet the executive order says nothing about how to start securing this new stockpile. Sacks tweeted that the pool would be akin to a “digital Fort Knox.” But Fort Knox has legendary security, is operated by 1,700 specialized employees, and adjoins a military base with 26,000 trained personnel. It is unclear what office, if any, at the Treasury could manage such a gargantuan security task for a digital asset reserve. The endeavor would be particularly difficult after the Department of Government Efficiency—or DOGE—unceremoniously disbanded teams of engineers like those in the 18F division, who were renowned for their private sector expertise. By contrast, Senator Lummis’s 2024 proposal highlighted security measures for “state-of-the-art physical and digital security” through inter-agency cooperation.

Perhaps most importantly, the ultimate risk of the executive order is that it embodies a form of crypto boosterism. Namely, it appears to tout an industry that President Trump came to embrace during the later phases of his political campaign, famously including the launch of his own meme coin just days before inauguration. To be fair, the White House revised the president’s earlier announcement that the reserve would include proactive purchases of select “altcoins,” which industry insiders worried “could be a vehicle for corruption and self-dealing.” That was a prudent move. But to many on Wall Street and main street, the order may still seem more like political maneuvering than sober monetary policy.

In a parallel universe, there could have been a thoughtful way for the Federal Reserve and Treasury to gradually study the possibility of holding digital assets on the balance sheet. They could have scrutinized the economic implications and prepared for security contingencies that might have included a bipartisan compromise around stablecoin legislation to specifically promote the strength of the dollar. But in today’s world, this executive order looks more slapdash than strategic. That may have been intended to bolster digital asset markets, but it has fallen flat on most fronts.

JP Schnapper-Casteras is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center and the founder and managing partner at Schnapper-Casteras, PLLC.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post What is strategic about the new digital assets reserve? appeared first on Atlantic Council.

India is taking a distinctive approach to the global race for artificial intelligence (AI) supremacy. While the United States and China focus on AI for economic dominance and national security, India’s vision revolves around AI autonomy through the development of homegrown AI solutions that are closely linked to its development goals.¹ This approach seeks to position India as a prominent global AI leader through a three-pillar strategy that distinguishes it from other major nations. India’s vision of AI autonomy is based on:

• Democratizing AI through open innovation: Leading the development of open-source models and platforms that make AI more accessible and adaptable to India’s local needs including the Bhashini platform, which incorporates Indian languages in large language model processing, and the iGOT Karmayogi online learning platform for government training.
• Public-sector-led development applications: Implementing AI solutions to address critical development challenges through government-led initiatives in healthcare, agriculture, and education, ensuring that technology meets societal needs.
• Global leadership in AI for sustainable development: Championing the integration of AI to achieve the Sustainable Development Goals² (SDGs) on a global scale while pushing ethical AI governance and South-South collaboration.

This strategy seeks to establish India as a global AI leader while addressing pressing social issues, closing economic gaps, and improving the quality of life for its diverse population of over 1.3 billion people.

India’s journey toward AI autonomy goes beyond technological independence; it creates a narrative in which innovative AI technologies drive inclusive growth. This philosophy is reflected in the “India AI” mission and its National Strategy for AI, which positions India as both an adopter and developer of AI technologies and a global hub for ethical and development-oriented AI innovation.³

India’s AI landscape: A vision of innovation and strategy

The Indian AI ecosystem is a dynamic landscape shaped by government initiatives, private-sector innovation, and academic research. There has been a notable increase in AI-focused start-ups in recent years, with the National Association of Software and Service Companies (NASSCOM) reporting over 1,600 in 2023.⁴ This growing sector highlights India’s technological capabilities and entrepreneurial spirit in tackling local challenges.

Several strategic government initiatives at the core of this ecosystem have paved the way for India’s advancements in AI. The India AI mission, launched in 2023, is a government initiative to build a comprehensive ecosystem to foster AI innovation across various sectors in India. Spearheaded by the Ministry of Electronics and Information Technology (MeitY), it focuses on developing AI applications to address societal challenges in healthcare, education, agriculture, and smart cities while promoting responsible and ethical AI development.⁵

IndiaAI reflects the country’s ambitions to become a global AI powerhouse and is supported by the National AI Strategy, created by the National Institution for Transforming India (NITI Aayog). The strategy provides a comprehensive road map for AI adoption in those sectors targeted by IndiaAI.⁶

What sets these initiatives apart from AI strategies in other countries is their emphasis on using AI for social good. For instance, the government of India organized the Responsible AI for Social Empowerment (RAISE) initiative in 2020,⁷ preceding the current AI hype. This demonstrates India’s commitment to ethical AI development, and such initiatives align with India’s National Development Agenda 2030, positioning AI as a driver of economic growth and a crucial enabler for achieving SDGs.⁸

Democratizing AI through open innovation

India is making significant progress in promoting open-source AI development, fostering inclusivity and collaboration within the global AI community. Open-source frameworks, driven by collaborative innovation, offer transparency, interoperability, and scalability—essential qualities for a diverse country like India.

The Bhashini initiative, led by the MeitY, exemplifies this commitment by leveraging open-source frameworks to build natural language processing (NLP) models that support twenty-two official Indian languages and numerous dialects. This project goes beyond basic language processing; it signifies India’s dedication to AI democratization by making these models and datasets freely available to developers and start-ups.⁹

The iGOT Karmayogi platform showcases the scalability of open-source AI solutions to improve digital literacy in government. Designed to upskill twenty million employees, it utilizes open-source AI tools to provide personalized learning pathways, reducing costs while ensuring continuous improvement based on user feedback.¹⁰

Leading academic institutions like the Indian Institute of Science (IISc) in Bangalore and the Indian Institute of Technology (IIT) Madras actively contribute to open-source AI research through global public platforms such as TensorFlow and Hugging Face.¹¹ Their work encompasses various fields, including computer vision for healthcare, autonomous vehicles, and environmental monitoring.¹²

For Indian start-ups, using open-source AI models or systems provides significant benefits such as lower costs, greater customization flexibility, access to a larger developer community, the ability to tailor models to specific Indian languages and dialects, and enhanced data security by allowing deployment on premises, making it ideal for building localized AI solutions while maintaining control over sensitive data.

In August 2024, Meta’s open-source Llama model reached a significant milestone of 350 million cumulative downloads since the release of Llama 1 in early 2023.¹³. India has emerged as one of the top three markets globally for this model.¹⁴ Several Indian start-ups and well-known consumer apps, including Flipkart, Meesho, Redbus, Dream11, and Infoedge, have announced their integration of Llama into their applications.

Additionally, IBM Elxsi, a partnership between IBM and Tata Elxsi, India’s largest technology company, focuses on designing local digital engineering solutions, like using open-source models to develop AI-powered edge network solutions for rural and remote areas, enhancing AI accessibility while reducing latency and energy consumption.¹⁵

The democratization of AI through open-source initiatives is critical to India’s development trajectory and technological autonomy. This approach enables rapid, cost-effective AI adoption across India’s diverse sectors and regions, with tangible results already visible: The development cycle for AI solutions has been reduced from years to months, as evidenced by the rapid deployment of language models via the Bhashini initiative, which now serves millions in their native languages. Unlike the West, where most AI development is primarily driven by private companies with proprietary technologies, India’s adoption of an open-source-first approach has led to an independent ecosystem in which government initiatives, academic institutions, and private-sector innovations coexist.

The public-sector role in developing applications to address India’s unique challenges

The profound socioeconomic challenges that India’s 1.3 billion people face have fundamentally shaped its approach to AI.

India faces critical healthcare challenges: 70 percent of healthcare infrastructure is concentrated in urban areas serving only 30 percent of the population, and the doctor-patient ratio stands at 1:1,511, far below the World Health Organization’s recommended 1:1,000.¹⁶

The education sector struggles with fundamental gaps, as 250 million Indians lack basic literacy skills, with only 27 percent having access to internet-enabled devices for online learning, further complicated by the country’s diversity of twenty-two official languages and 1,600 dialects.¹⁷

Agricultural challenges are particularly acute, with the sector employing 42 percent of the workforce but contributing only 18 percent to gross domestic product; 86 percent are small and marginal farmers with less than two hectares of land, and 40 percent of food production is lost due to inefficient supply chains.¹⁸

Financial inclusion remains a significant barrier to development, with 190 million unbanked adults, 70 percent of rural transactions being cash-based, and a stark digital gender divide where only 33 percent of women have mobile internet access compared to 67 percent of men.¹⁹

The size and complexity of these challenges necessitate innovative technological solutions that are both scalable and relevant to India’s specific issues.

India’s development-focused AI vision strategically responds to these pressing issues. Rather than viewing AI solely as a tool for economic competition or technological advancement, India has positioned it as a transformative tool for closing fundamental development gaps.

AI is closing critical gaps in access and the quality of care in healthcare. Through the government’s eSanjeevani platform—India’s national telemedicine service offering patients access to medical specialists and doctors remotely via smartphones—has been revolutionary, with over one hundred million teleconsultations in 2023 and the aim of closing the urban-rural healthcare gap.²⁰ The platform developed AI/machine learning models to improve data collection, quality of care, and doctor-patient consultations on eSanjeevani.²¹ The Indian Council of Medical Research’s collaborations with AI start-ups for disease prediction models in tuberculosis and diabetes paved the way for preventive healthcare interventions.

The agricultural sector is experiencing an AI revolution, driven by government initiatives, particularly through two key platforms. The mKisan portal gives more than fifty million farmers personalized SMS access to critical agricultural information, while the Agristack initiative lays the groundwork for precision agriculture by providing AI-powered advisory services for crop planning, pest control, and weather forecasting. The Indian Meteorological Department’s use of AI has improved monsoon forecast accuracy by 20 percent, significantly impacting agricultural planning.²²

In education, state governments have contracted with Embibe, a company that offers AI-powered learning for basic education to bridge the learning gaps and expand access to quality education. It identifies gaps in knowledge and creates content that addresses them by studying data from student interactions. FutureSkills Prime, an initiative of the National Association of Software and Service Companies, provides AI skills training—and has developed a large AI talent pool, with more than 2.5 million technology professionals trained in AI in India. According to the 2025 Global Workplace Skills Study by Emeritus, 96% of Indian professionals are using AI and generative AI tools at work, significantly higher than the 81% in the US and 84% in the UK. This workforce advantage has made India a preferred destination for global companies seeking skilled AI professionals.

India’s public-sector-led approach to AI development uniquely integrates technology with development priorities. The government’s strategic leadership in deploying AI solutions in healthcare, agriculture, education, and finance demonstrates a unique model in which technology acts as a force multiplier for development efforts. Unlike many developed countries, where private-sector innovation drives AI advancement, India’s government-led initiatives ensure that AI solutions address fundamental development challenges on a large scale.

By combining scale, accessibility, and local relevance, India’s public-sector leadership in AI deployment is a unique model for other developing countries facing similar challenges, demonstrating that technology can effectively accelerate inclusive development when guided by clear public-policy goals.

Shaping tomorrow: India’s position in global AI leadership and development

India’s global AI leadership position is uniquely shaped by proactive government policies and collaborative initiatives. As a founding member of the Global Partnership on Artificial Intelligence (GPAI), India has used its presidency in 2024 to advance key priorities such as democratizing access to AI skills, addressing societal inequities, promoting responsible AI development, and applying AI in critical sectors such as agriculture and education.

AI plays a critical role in India’s vision to achieve all seventeen SDGs by 2030. India also aims to be one of the top three countries in AI research, innovation, and application by 2030, which reflects a larger ambition: to create a more equitable and sustainable global AI landscape. This unique approach balances technological autonomy and inclusive development, by aligning AI initiatives with socioeconomic priorities to address India’s unique challenges.

However, the expansion of India’s AI ecosystem faces several critical challenges, including the demand for an advanced AI compute infrastructure, developing accessible AI tools, ensuring data privacy, and mitigating algorithmic bias at scale. Addressing these issues requires multistakeholder collaboration between the government, local industry leaders, and academic institutions.

As India progresses in its AI journey, its experience provides valuable insights into how to use AI to drive socioeconomic development. The country’s development-focused approach to AI adoption and governance may serve as a model for other developing countries looking to capitalize on AI’s potential for inclusive growth.

Mohamed “Mo” Elbashir is a nonresident senior fellow at the Atlantic Council’s GeoTech Center, as well as Meta Platforms’ global infrastructure risk and enablement manager. With over two decades of experience, he specializes in global technology governance, regulatory frameworks, public policy, and program management.

Kishore Balaji Desikachari is the executive director for government affairs at IBM India/South Asia. With over thirty years of leadership experience at Microsoft, Intel, and Hughes, he is a recognized regional policy commentator on AI, quantum computing, semiconductors, trade, and workforce strategies.

New Atlanticist Feb 13, 2025

At the Paris AI Action Summit, the Global South rises

By Trisha Ray

The summit reflected a growing consensus that AI’s future must be both innovative and rooted in shared prosperity.

Artificial Intelligence Europe & Eurasia

New Atlanticist Feb 4, 2025

Five AI management strategies—and how they could shape the future

By Kieron O’Hara and Wendy Hall

To ensure the benefits of artificial intelligence (AI) are realized while minimizing the anticipated evils, it’s important to understand the different ways to approach AI governance.

Artificial Intelligence Technology & Innovation

GeoTech Cues Jul 26, 2024

The sovereignty trap

By Konstantinos Komaitis, Esteban Ponce de León, Kenton Thibaut, Trisha Ray, Kevin Klyman

When sovereignty is invoked in digital contexts without an understanding of the broader political environment, several traps can be triggered.

Artificial Intelligence Digital Policy

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post India’s path to AI autonomy appeared first on Atlantic Council.

Thank you Chairman Hill, Ranking Member Waters, and distinguished members of the committee, for holding this hearing and the honor of the invitation to testify on the digital payments ecosystem. I applaud your leadership in convening the committee on this important issue and continuing the years-long efforts of this committee across several Congresses to evaluate and build legislation for a stablecoin regulatory framework. I hope my testimony will be helpful in considering some of the most important aspects of frameworks needed to drive innovation in a secure, competitive, safe, and sound digital payments ecosystem that reinforces national security interests, defends consumers, and preserves personal liberty.

I have spent my career working at the intersection of national, economic, and technological security. I have had the honor of serving three tours in the White House, including recently departing from my second stint at the National Security Council leading various policy efforts on cybersecurity, emerging technology, and digital assets, to include the US Counter-Ransomware Strategy and the previous administration’s Executive Order on Ensuring Responsible Development of Digital Assets. I previously led digital asset policy initiatives at the US anti-money laundering and countering financing of terrorism (AML/CFT) regulator, the Financial Crimes Enforcement Network (FinCEN) and have served on advisory boards for the US Commodity Futures Trading Commission, the Idaho Department of Finance, and the New York Department of Financial Services (NYDFS). Through my ongoing work as a senior fellow at the Atlantic Council GeoEconomics Center and previous work as a consultant and executive at a venture capital firm, I have advised companies, academia, and policymakers in support of strategy, policy, standards, and product development ranging across areas like cybersecurity, AML/CFT, digital assets, and artificial intelligence and machine learning. The views I share are my own and do not reflect the views of the Atlantic Council.

The most important message I can underscore to this committee is the criticality of ensuring our regulatory frameworks create a foundation for providing trustworthy and affordable access to financial services for consumers while also reinforcing the centrality of the United States in the financial system and as the home for responsible, cutting-edge innovation in emerging technologies and payments. That includes the critical need for timely progress on a comprehensive stablecoin framework that supports these objectives, as well as driving broader experimentation and competitiveness in digital payments. Just as important, any framework demands more than just policy that is clear, strong, and comprehensive, but also that is implemented and enforced timely and scoped to shape the sector.

While timely progress is critical, these frameworks must be deliberate, thoughtful, and comprehensive of the real and present risks, as well as opportunities, that we have observed in the digital asset ecosystem and broader financial system. In the wake of serious national security threats like billion-dollar hacks by rogue nations, growing integration of cryptocurrency as a tool for transnational organized crime, market manipulation and fraud that can threaten system integrity and stability, as well as pressure from adversarial nations seeking to develop and leverage alternative payment systems to weaken and circumvent the dollar, it is clear that strong safeguards, including for US competitiveness, are needed. This framework also demands we ensure policy and enforcement approaches both domestically and internationally create a level playing field for US firms—often the most compliant firms in the world—to be able to compete fairly. Otherwise, the foundation we build these systems on risks faltering, with the potential to not only reap significant harms but also prevent us from harnessing the greatest positive potential that is possible from a secure and innovative digital payments ecosystem.

Background: Exigency for competition, security, and liberty

Stablecoin features, uses, benefits, and risks

Stablecoins, a class of cryptoassets that maintain a stable value in relation to another asset, most predominantly fiat currencies, hold potential to help drive needed innovations in our digital payments ecosystem. Stablecoins with proper protections can help improve efficiency in delivery of financial products and services, promoting greater transparency for monitoring of various risks in financial services, enhancing resiliency within the financial system, dismantling barriers to financial access and inclusion, and promoting innovation and competition that can strengthen US markets and leadership. With the current stablecoin market cap sitting at over $227 billion, use cases are growing across areas like dollar settlement for financial services firms, cross-border remittances, relief efforts like to Ukrainian refugees, and even for inflation hedges in places like Venezuela. However, stablecoins are largely still used as settlement in trading activity on cryptocurrency platforms—wide adoption in exchange for goods and services is not yet a reality, though it’s possible that a clear regulatory framework to enable greater trust and accountability may facilitate higher adoption.

Most of the core features for any cryptocurrencies apply to stablecoins—including their ability to transfer significant value peer-to-peer (i.e., from user to user without the need for a typical custodial role of a third-party financial intermediary), pseudonymously, immutably (or irreversibly), with global reach, with increased speed and cost efficiencies—though we must note that these are all features that are attractive to both licit and illicit actors. Challenges in mitigating risks in cryptocurrency are especially driven by by lagging AML/CFT compliance as well as broader prudential standards across the sector internationally, reinforced by the absence or reduction of financial institution intermediaries and central points of control in more highly decentralized cryptocurrency systems that can obscure clear lines of responsibility and accountability within cryptocurrency ecosystems. While stablecoins are used across more decentralized networks, in most cases stablecoins generally at least central administrators and issuers that can ease establishing lines of responsibility.

Where there is an absence of clear responsible parties, compounded by the immutability or unchangeability of cryptocurrency ledgers, it can be extremely challenging to provide mechanisms for victim recourse as well as timely adaptation to take measures to stop movement of illicit funds or patch security vulnerabilities in networks and smart contracts. However, in contrast to SWIFT, FedWIRE, and cash movements that do not publish transactions to public ledgers, on-chain stablecoin transactions include a lot of public transparency that can be beneficial to market surveillance and crypto investigations. Though ultimately the benefits presented by this transparency can be difficult to leverage with earlier-mentioned challenges with compliance, acceptance of accountability, and expertise across both public and private stakeholders.

Risks that can be presented by stablecoins without proper controls in place generally reflect the same kinds of risks that can exist in traditional finance (or “tradfi”). For example, fraud, market manipulations, and conflicts of interest across stablecoin leaders or public officials can present risks to investors and consumers. Pump-and-dump schemes and front-running capabilities enabled through maximal extractable value (MEV) schemes can endanger market integrity, and complex interconnections, concentration risks, and hardwired procyclicality in stablecoin or any other decentralized finance (“defi”) systems can present risks to financial system stability. Failures like that of Synapse Financial Technologies and of stablecoin Terra underscored the consequences of insufficient oversight of regtech and stablecoin platforms, and the devastating consequences to consumers without access or ability to recover some or all of their funds.

The risks to national security on getting the stablecoin framework wrong—either by being too lax on controls or by overly restricting companies and driving innovation offshore—are also important to evaluate. If stablecoins present the greatest potential for at-scale adoption for cross-border payments in cryptocurrency, then national security concerns of losing sanctions and AML/CFT tool efficacy can present in several ways: either from failing to drive US stablecoin competitiveness compared to other national currency denominated stablecoins or payment systems; or risks that could present from stablecoins and other defi diminishing reliance or need for US correspondent banking relationships in foreign exchange (FX) transactions or other cross-border funds flows.

The need for a framework

The United States does not yet have a comprehensive framework for regulation of stablecoins. Instead, existing authorities are fragmented at the federal level largely only via AML/CFT regulation and then across certain states like New York that cover stablecoins. In the absence of leveraging existing bank and trust charter authorities; using Dodd-Frank payment, clearing, and settlement activity designation authorities; setting up a Federal payments charter; or taking any other action to create a framework, the United States lags behind many other jurisdictions like the European Union, Singapore, Japan, and the United Arab Emirates that have established requirements and most importantly clear pathways to registration and supervision for stablecoins operating within their jurisdictions.

The United States must prioritize establishing a stablecoin framework during this Congress. Similar in many functions and operations to more traditional financial assets, stablecoins and associated deposit and payments activities are things that we understand how to regulate and protect. This framework is achievable, able to build on years of bipartisan efforts working across the aisle to construct a truly comprehensive approach. With Congress and the administration positioned to prioritize this legislation, we are at a critical juncture to get a law passed in 2025.

We need strong prudential and consumer protection regulations to ensure that stablecoins are truly “stable,” allowing any user to trust in its value and avoid losses from the issuer’s default or illiquidity. In this way, a clear regulatory framework that fosters trust can actually help set conditions that could help drive broader adoption and competition. We also need to have strong AML/CFT protections in place for stablecoin ecosystems. These different regimes do not operate in silos, but instead mutually reinforce each other and address vulnerabilities that are being exploited by illicit actors targeting the cryptocurrency sector. For example, in the case of Democratic People’s Republic of Korea (DPRK) hacks of cryptocurrency platforms, like the recent $1.5 billion Bybit hack, are exploiting both cybersecurity weaknesses and vulnerabilities as well as AML/CFT deficiencies in their crypto heists and subsequent laundering activities. In crypto heists, stablecoins have been targets as well as laundering tools exploited by hackers. Only through a comprehensive framework can we ensure that measures across the spectrum of areas like cybersecurity and AML/CFT are holistically addressed in these important ecosystems.

Though also important to note, especially in light of recent changes in enforcement posture—beyond just creating the policy framework, the government and industry must work to apply and enforce the framework. A policy that is not enforced or implemented does nothing to benefit consumers nor US firms with stronger compliance programs that have been operating at higher costs and less competitive advantages than many foreign operating firms.

Proposed stablecoin legislation:Ensuring sufficient protections

There has been a great amount of attention paid to stablecoin legislation in recent years with various stablecoin bills introduced, including the McHenry-Waters bill and Lummis-Gillibrand Payment Stablecoin Act developed last Congress, as well as the STABLE Act and GENIUS Act introduced so far this Congress.

I am very glad to see the level of support within Congress for elevating stablecoin legislation to a priority this year, something I spoke to as essential in my testimony to the Subcommittee on Digital Assets, Financial Technology, and Inclusion last year. I am also pleased to see many elements included in the STABLE Act referenced for this hearing that I support, such as high-quality reserves on at least a 1:1 basis, envisioned roles for both state and Federal regulators, and restrictions on rehypothecating reserve assets as well as stablecoin issuer activities. However, the STABLE Act appears to walk back a lot of the hard work done for years across the aisle to develop the negotiated text between then Chair McHenry and Ranking Member Waters in 2024. It is unclear why some of those critical protections, especially the prudential framework and clear AML/CFT and sanctions applicability to US dollar-denominated stablecoin activity, are absent in the STABLE Act and the GENIUS Act or if the associated risks are otherwise being addressed.

Here I outline some areas for the Committee’s consideration in hopes that the legislation for stablecoins issued this year can be truly comprehensive:

• Ensuring federal line-of-sight for supervision on issues of systemic importance: The STABLE Act, in some ways similar to the existing banking regime, provides for both federal and state authorities to charter stablecoin issuers. However, the STABLE Act does not include any coordination between the federal and state regulators. Rather, the current draft permits a system where a trillion-dollar nonbank stablecoin issuer, engaging in globally reaching payments activity that would typically place an institution under the oversight of federal authorities, without any sufficient line of sight by the Federal Reserve of activities and risks that rise to systemic importance. Unclearly defined “exigent” circumstances, especially in the way of Loper-Bright, as the only context for certain additional regulatory authorities severely restrict a regulator’s ability to monitor for and intervene to mitigate risks for assets that operate 24/7 around the world and with no concerns for borders.

I agree with many others who have testified before you all that state authorities provide an important chartering and oversight capability, including agility and expertise that can help scale appropriate supervision. State regulators with strong prudential, AML/CFT, and consumer protection frameworks are critical partners on the front lines of regulating the cryptocurrency industry, and I am sympathetic to the desire to preserve the states’ regulatory authorities. Though, it stands to reason that when these issuers are operating systems, especially large platforms, that are administering a substitute for the US dollar in international payments, some federal regulator—like the Federal Reserve Board, with its responsibility for monetary policy and financial stability, or the Office of the Comptroller of the Currency (OCC) with its chartering and supervision authority—should have the ability to monitor for their critical risks and have a say in the standards that stablecoin issuers need to meet, at a minimum when they are of a large enough size. The STABLE Act, as it currently stands, raises serious questions around the ability of federal authorities to have visibility of and ability to respond timely to moments of financial crisis and address systemic risks that may arise.

• Scope of risk coverage and enforcement regime: The STABLE Act references risks to mitigate around operational and cybersecurity risks, but otherwise is severely lacking in reference to credit risk, market risk, concentration risk, and even limitations on additional management of capital and liquidity risk beyond the 1:1 reserve collateralization requirement. There is no clear articulation of responsibility for rules or implementation of requirements under privacy regimes like Gramm-Leach-Bliley Act or the AML/CFT framework of the Bank Secrecy Act (e.g., if Treasury/FinCEN would have sole AML/CFT rulemaking authority for payment stablecoin issuers or if they would be issued jointly). Additionally, the enforcement framework is unclear, with no references to specific penalties or enforcement provisions, including no clarity on extraterritorial operations of US dollar-denominated stablecoins.
  
• Affiliate controls and application of the Bank Holding Company Act and Bank Services Company Act: The STABLE Act does not address affiliate relationships and restrictions for nonbank payment stablecoin issuers to preserve separation of activities like banking and commerce. In this new bill, it is unclear to what extent controls like from the Bank Holding Company Act as well as authorities for oversight and delegation of functions as delineated under the Bank Services Company Act apply to payment stablecoin issuers.
  
• AML/CFT and sanctions: While the STABLE Act and GENIUS Act delineate that payment stablecoin issuers are financial institutions under the Bank Secrecy Act, it is not clear (especially to the degree needed in the wake of Loper-Bright) to what degree rulemaking can cover different parts of stablecoin ecosystems and which agency would be responsible for the rulemaking and oversight. Stablecoins have been exploited by illicit actors ranging from cartels to sanctions evaders to terrorism financiers, especially leveraging the absence of sufficient compliance across international operations and defi platforms. The United States Treasury has underscored the benefit for Congress to clarify that any US-dollar denominated stablecoin must comply with US sanctions policy, including extraterritorial applicability, and also make clear the expectation to maintain and assert freeze and recovery capability for illicit proceeds across the stablecoin. We should not find it acceptable for a US dollar stablecoin to be leveraged in transactions to designated actors and jurisdictions that present threats to US national security.

While unlikely in this round of legislation, Congress should start solidifying its views and drafting legislation to expand the regulatory perimeter to help mitigate risks across more decentralized applications of the assets. Expanding such a perimeter would generally involve considering what other entities would be of greatest utility to cover due to visibility and control of the assets, and ensuring that a risk-based approach properly scopes the obligations and does so in full understanding of what is technologically and operationally possible. While there are many differing views on how to approach defi controls, it is encouraging to see that within the defi community there are actors who are trying to implement responsible innovative fixes, even if they are not yet successful, as we saw recently in the unsuccessful attempt by several THORChain developers to try to stop DPRK money laundering on their platform.

• Bankruptcy and resolution measures: Bankruptcy protections are one of the last lines of defense for fostering consumer trust in a product—building comfort for the customer that they will be able to get access to or redeem their assets held by the platform or issuer at any time on demand. The US Bankruptcy code, if applied to stablecoins in the wake of a failure, could be disastrous for token holders who would be treated equivalently to all other unsecured creditors. The McHenry-Waters bill outlined a potential alternative resolution process to help expedite recovery of assets for token holders that could work across federal and state levels and provide critical recourse for consumers.
  
• Fed master accounts and broader payments framework: There is no reference in the STABLE Act or GENIUS Act to the authority of the Federal Reserve to grant access for stablecoin issuers to a master account, something that likely will continue to be sought especially as stablecoins get more regulated and attain higher assurance of their safety and soundness. With this legislation aiming to serve as the comprehensive construct of guardrails and authorities to enable innovation and protect payments, it should include provisions like this to ensure the capability exists with the Federal Reserve for any issuer it deems to be appropriate to grant access.
  

More broadly, stablecoin legislation would optimally be pursued as part of a holistic approach to regulation and supervision of all payments platforms, which are growing enough in complexity and adoption. Many of the risks for stablecoins are similar to those for broader payments, and given the desire to ensure critical protections for consumers regardless of the denomination of their asset or which app they happen to be using, Congress should keep an eye toward how to evolve regulatory frameworks to capture any of these activities regardless on if it is blockchain-based or not.

Again, I applaud the committee’s work on this issue and the continued leadership on these issues by key leaders like Chair Hill and Ranking Member Waster. I encourage the Committee to consider working from the previously negotiated McHenry-Waters bill, which includes bipartisan-vetted provisions that address many of the outstanding issues for the desired comprehensive stablecoin framework. I hope that my views on key missing elements will be helpful to the Committee in its thoughtful efforts to build out and implement a competitive, comprehensive stablecoin framework that addresses risks while promoting responsible innovation.

Proposed CBDC legislation: Privacy as paramount in retail CBDC

The new proposed CBDC Anti-Surveillance State Act bans CBDC experimentation. Innovations in digital payments and across digital forms of both public and private money can also take many forms—whether wholesale or retail CBDCs, stablecoins, tokenized deposits, digital payment applications, etc.—each of which carry a spectrum of diverse implementations and associated risks. Ultimately, it is likely that a mix of modernizations of public and privately-administered rails, such as with the current financial system, will be needed to achieve a future of vision like global instantaneous reach and accessibility of the dollar.

This legislation is pointed specifically at addressing concerns around privacy specific to CBDCs, which is a greater point of concern around retail CBDC implementations rather than wholesale payments that are not associated with specific consumers and related sensitive personal data. The bill proposes to address the privacy concerns by banning even experimentation to even assess if there are technological and governance implementations that could achieve desired privacy outcomes, whether in the US or even just for templates that partner nations could implement. The bill also does not address privacy issues presented by private cryptocurrencies, such as privacy concerns exacerbated by public unobscured records of financial transactions and challenged cybersecurity practices across the sector.

An apparent improvement on this bill from earlier versions appears to be amending the prohibition to only retail CBDCs. Concerns around privacy for a retail CBDC are understandable and very important, especially in the United States given sentiments of Americans around making information available to the government and even challenges that have existed in trying to adopt digital identity infrastructure. Many feel that given such concerns in the United States, focus on wholesale CBDCs as an initial area for innovation in cross-border settlement could be ripe for nearer-term exploration.

The kinds of building blocks that could enable privacy preservation and security in technologies like CBDCs—innovative technologies like digital identity infrastructure and privacy enhancing technologies like homomorphic encryption, multiparty computation, and zero-knowledge proofs—are also building blocks that can enable privacy and security in private cryptocurrency implementations as well. Even if specific development of a US retail CBDC is not likely, broader research and development and experimentation across the more nascent and underlying technologies and components can be helpful to identify mechanisms to achieve desired objectives across a variety of future forms of public and private money innovations.

This bill could further exacerbate a growing gap for the United States in digital payments innovation, as over one hundred countries representing 98 percent of global GDP continue to explore CBDCs and conduct cross-border pilots. The United States remains the only member of the G20 to not be in advanced stages of CBDC exploration. CBDC experimentation is at the heart of significant research and development across the international community trying to shape what the future of the financial system looks like, experimentation that without a major US leadership presence is in some ways both a symptom and a driver towards interest of potential rails less reliant on the dollar, and something in which we cannot idly forsake leadership.

In the interests of safeguarding capabilities for experimentation and ensuring that the United States remains at the forefront of digital payments innovation, I outline here some areas for consideration for this proposed anti-CBDC legislation:

• Narrowing the prohibition to retail CBDCs: Recent updates to the proposed CBDC Anti-Surveillance State Act appears to narrow the prohibition of research and development, testing, or issuance to retail CBDCs only with the addition of the feature “widely available to the general public” into the definition of CBDC. If that is the intent, this avoids several significant challenges presented by the previous House-passed version of the bill, as well as that referenced in the recent executive order prohibition, that even the Congressional Budget Office (CBO) noted included such broad definitions that it was unclear if they could be interpreted to ban existing digital forms of central bank reserves and impact the ability to conduct monetary policy. However, if this bill is aimed at prohibiting wholesale digital payments innovation, or other forms of digital payments innovations like tiered or intermediated innovations like in certain implementations of stablecoins or tokenized deposits, additional concerns would remain related to stifling the ability to modernize the US financial system.
  
• Legal necessity unclear: The necessity of this legislation to prohibit any experimentation and research and development in CBDCs appears unnecessary if the ultimate concern is to ensure against the issuance of a retail CBDC without Congressional approval. The Federal Reserve already published its own analysis highlighting that the Federal Reserve Act does not authorize direct Federal Reserve accounts for individuals. Both the Fed and Treasury have also voiced that they would only move forward with issuance of a CBDC with clear support from both Congress and the executive branch. With Congressional approval already assessed as a precondition to issuance of at least retail CBDCs, and supported as necessary by the lead executive authorities, this prohibition appears unnecessary to achieve the policy outcome when Congress could just withhold authorization. If the refocus of this updated proposed legislation is only prohibiting retail CBDCs, research and development as well as operations to optimize and conduct of digital wholesale payments and settlement activities by central banks would hopefully not affected by this legislation as the Congressional Budget Office assessed could have been impacted by previously proposed versions.
  
• Adjusting framing: The US government fully supports privacy in any democratic CBDC: This bill’s title and corresponding messaging unfortunately present an inaccurate picture that CBDCs must inherently intimate an authoritarian “surveillance state.” CBDCs do not have to mean “Big Brother” just as cryptocurrencies do not have to mean anarchy. The implications for privacy are vastly different for wholesale versus retail CBDCs. Just as with privately administered cryptocurrencies, inherent features like privacy and discoverability are completely dependent upon the specific design of the systems. The Federal Reserve, the US Treasury and prior Administrations have been extremely consistent in messaging, including alongside the G7, that “rigorous standards of privacy” and accountability for that privacy are critical for any retail CBDC implementation. The CBDC discussion warrants nuance, just as the cryptocurrency discussion does.
  
• Refocusing on impactful privacy measures: Rather than this legislation barring pilots and experimentation of implementations and building blocks to preserve privacy for some future possible CBDCs likely at least a decade away (research that could also help provide building blocks for other digital assets like stablecoins), Congressional action could instead pivot to focus on long-existing challenges presented by the absence of comprehensive consumer data privacy legislation. Especially given the low likelihood and far-off reality of cross-US government and public interest in a US retail CBDC (which the Federal Reserve, US Treasury, and potentially Congress have all agreed would require Congressional approval to issue if there ever were such an interest), Congressional focus on privacy legislation would be a more impactful area for focus.
  
• Needed clarity on the protections meant for private stablecoins: It is unclear exactly what protections are being offered under section 4, which defends from prohibition only “any dollar-denominated currency that is open, permissionless, and private, and fully preserves the privacy protections of United States coins and physical currency.” This is oddly framed and could place significant prohibitions on industry cryptocurrency implementations, if this intimates that there are intended to be restrictions here placed on certain industry cryptocurrency implementation, such as private stablecoins that aim to get a master account with the Federal Reserve. It is unclear if this intimates that permissioned stablecoin implementations may be barred from direct or indirect relationship with the Fed. It is also unclear what fully preserved privacy protections means in this context, given that the privacy features of cash (e.g., can move value without a third party, is not posted to any ledgers) do not exactly equate to the privacy features of any existent cryptocurrency (e.g., value movements generally require certain types of third parties—even if unregulated intermediaries—such as miners and validators, and transactions post on public ledgers). It would be important to clarify which privacy features of cash they desire, or what the specific balance of discoverability versus obfuscation is desired in the cryptocurrency system, as part of broader clarity on what this section is intended to achieve.

In closing, I would like to again underscore my gratitude for the honor of the opportunity to speak with you all today. It is critical that the United States make timely progress on establishing and implementing a comprehensive stablecoin regulatory framework that leverages years of effort on defining critical holistic protections that also reinforce the central role in the financial system and as a leader in technological innovation.

Thank you.

Fellow

Carole House

Nonresident Senior Fellow

GeoEconomics Center

Cybersecurity Digital Currencies

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Carole House testifies to House Committee on Financial Services on regulation and security in stablecoins and digital payments appeared first on Atlantic Council.

Executive summary

Africa is increasingly asserting its participation in the advancement of emerging technologies by engaging in active dialogues and devising roadmaps for the development, deployment, and regulation of these technologies. However, strategies to employ emerging technologies vary widely both in levels of progress as well as regulatory mechanisms. This report explores how five African countries—South Africa, Kenya, Nigeria, Ghana, and Zambia—are strategically navigating the governance of new technologies to enrich their citizens’ lives while mitigating potential risks. It focuses on three key emerging technology domains, namely: connectivity, digital public infrastructure, and artificial intelligence (AI).

Beginning with an analysis of the foundational digital technology policies around data protection and governance and cybersecurity, the country reviews highlight the current landscape of laws, and strategies governing each of the emerging technologies of interest. By exploring the strengths and weaknesses of each country’s policy landscape across these technology domains, the report offers insights into prospects and challenges in harnessing emerging technologies for societal good.

The report finds that governments are generally optimistic about the potential impact of emerging technologies on economic development in their respective countries. This is reflected in the large public investment in technology infrastructure, promotion of innovative ecosystems, and the integration of information and communication technologies (ICTs) into e-governance and e-services toward a holistic digitalized economy and society. The countries’ multistakeholder approaches highlight the need for responsible governance while promoting active private-sector engagement for the public good.

Nigeria, South Africa, Kenya, and Ghana were found to have comparatively robust policies for each emerging technology examined, or at least—as is the case with Kenya—documentation or drafts in the form of gazettes and public consultation documents. Government efforts are more prominent in the AI domain, given the increased attention it has garnered lately. However, these frameworks are hampered by limited implementation capacities, poor infrastructure, policy fragmentation and overlap, low digital literacy levels, and a growing digital divide. Zambia on the other hand, while having strong aspirations to become an ICT-enabled knowledge economy, lacks dedicated policies pertaining to emerging technologies. Although the country’s data-protection laws, intellectual property, cyber security, and consumer protection provide a foundational framework, more updated regulations are required to keep pace with the speed at which emerging technologies are playing an increasingly pivotal role in citizens’ daily lives.

A SWOT (i.e., strengths, weaknesses, opportunities, and threats) analysis of the broader digital-technologies sector across these countries reveals some universal themes. Strengthwise, governments are generally proactive and enthusiastic about engaging new technology issues, and ICT authorities tend to adapt quickly to new developments by publishing subsidiary laws, releasing draft statements, or convening multistakeholder workshops, where national policy frameworks are absent. An overarching rather than specific sectoral or technology-domain approach also drives national technology pursuits, where for example, all the five countries examined have a national ICT/digital economy strategy which predates and already makes foundational provisions for emerging technology policies. Policy-formulation processes were driven by stakeholder engagement and public consultations, as seen in regular calls for contributions and multistakeholder convenings leading up to policy enactment. Yet huge disparities were observed within countries, where rural and marginalized urban communities, as well as women, are left behind by governmental technology ambitions. This calls for updated policy frameworks and strategies that emphasize inclusion and other sociopolitical considerations to avoid deepening inequities.

For Africa to leverage emerging technologies for socioeconomic development while maintaining accountable and transparent systems, legislative frameworks must be streamlined alongside strong institutional integration to ensure effective enforcement. It is imperative that policymakers develop a strong understanding of emerging technologies to enhance their capacities for developing comprehensive policies to address them. Equally important is raising public awareness to protect the African people’s digital rights and foster safe digital environments.

Ayantola Alayande is a Researcher at the Global Center on AI Governance. There, Ayantola works on the African Union Continental AI Strategy and the African Observatory on Responsible AI. He is also a researcher at the Bennett Institute for Public Policy at the University of Cambridge, where he focuses on industrial policy and the future of work in the public sector.

Samuel Segun, PhD is a Senior Researcher at the Global Center on AI Governance. He is also an AI Innovation & Technology consultant for the United Nations Interregional Crime and Justice Research Institute (UNICRI), where he works on the project ‘Toolkit for Responsible AI Innovation in Law Enforcement’.

Leah Junck, PhD is a Senior Researcher at the Global Center on AI Governance. Her work explores human-technology experiences. She is the author of Cultivating Suspicion: An Ethnography and Like a Bridge Over Trouble: An Ethnography on Strategies of Bodily Navigation of Male Refugees in Cape Town.

The Atlantic Council’s Digital Forensic Research Lab (DFRLab) has operationalized the study of disinformation by exposing falsehoods and fake news, documenting human rights abuses, and building digital resilience worldwide.

learn more

The post Emerging technology policies and democracy in Africa: South Africa, Kenya, Nigeria, Ghana, and Zambia in focus appeared first on Atlantic Council.

While Ukrainian President Volodymyr Zelenskyy has sought to maintain strong ties with the United States, the current shift away from aid-based diplomacy signals that Ukraine must further demonstrate its economic value. In this context, the thriving Ukrainian IT industry is a key asset. This sector not only drives domestic economic resilience, but also offers tangible benefits to American businesses through investment, technological innovation, and cybersecurity expertise.

Since the onset of Russia’s full-scale invasion three years ago, Ukraine’s IT industry has proven to be a resilient and dynamic force. Despite the ongoing war with Russia, the sector has demonstrated remarkable adaptability. In 2024, Ukraine’s IT services exports reached $6.45 billion, contributing 4.4 percent of the country’s GDP and accounting for approximately 38 percent of Ukraine’s total service exports. This strong performance has been possible despite the challenges posed by the largest European invasion since World War II, underscoring the Ukrainian IT sector’s ability to operate under extreme conditions.

Beyond its financial contribution, the Ukrainian IT industry also plays a crucial role in employment. By 2024, Ukraine’s IT workforce had grown to more than 300,000 specialists, solidifying its position as a major employer and a pillar of Ukrainian economic stability in today’s wartime environment.

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

The United States is already an important partner for Ukraine’s IT industry. In 2023, the US was the largest importer of Ukrainian IT services, accounting for $2.39 billion or 37.2 percent of the industry’s total exports. This presents opportunities for intensified bilateral collaboration in both the private and public sectors that have the potential to transcend the kind of aid-based relations found elsewhere in the region.

Ukrainian IT companies are not seeking handouts but are actively investing in the US market. Rather than displacing American jobs, they are creating new opportunities and fostering technological advancements. Importantly, these companies are not appropriating US technologies but are in many cases sharing their own advanced developments. This cooperative approach could strengthen both economies, reinforcing a business-driven relationship that aligns with the Trump administration’s strategic vision.

Eurasia Center events

Online Event Tue, June 17, 2025 • 1:00 pm ET

Drones, defense, and diplomacy: Negotiations and the battlefield in Ukraine

Conflict Defense Technologies Europe & Eurasia Politics & Diplomacy

The knowledge-based economy benefits immensely from such international partnerships. Unlike resource-dependent models, this framework ensures a two-way exchange of expertise. Ukraine’s IT professionals are already playing a significant role in cybersecurity, actively defending against digital threats and ensuring the integrity of critical infrastructure. From the early days of Russia’s full-scale invasion, they have consistently delivered in even the most difficult of circumstances and have enhanced Ukraine’s global reputation as a leading tech nation.

Moreover, the war has propelled Ukrainian engineers to the forefront of innovation in autonomous systems including aerial, maritime, and other drone technologies. Many of Ukraine’s most recent innovations in the drone sphere leverage AI. The depth of experience gained in developing and deploying these systems under real combat conditions is unparalleled worldwide. For the US defense industry, collaboration with Ukraine in this domain could be invaluable, offering access to battle-tested innovations that have the potential to redefine modern warfare.

The obvious synergies between the US and Ukrainian tech industries extends beyond the private sector. Cooperation in areas such as dual-use technologies should be prioritized by both governments to enhance security and drive innovation. Strengthening this partnership could contribute to a safer and more prosperous future for both nations.

By leveraging Ukraine’s IT expertise, the United States can improve its own technological capabilities while supporting a partner nation at a critical time. This partnership can bring further economic and strategic benefits to both parties. As the Trump administration moves toward a business-driven approach to US foreign policy, strengthening ties with Ukraine’s IT sector could boost innovation and security while also offering a range of business opportunities.

Anatoly Motkin is president of StrategEast, a non-profit organization with offices in the United States, Ukraine, Georgia, Kazakhstan, and Kyrgyzstan dedicated to developing knowledge-driven economies in the Eurasian region. Hanna Myshko is regional director for Ukraine, Moldova, and the Gulf at StrategEast.

Further reading

UkraineAlert Feb 25, 2025

Will a new Russia reset prove more successful than earlier attempts?

By Leah Nodvin

The Trump administration is seeking to reset relations with Russia as part of a comprehensive shift in US foreign policy, but successive past Russia resets have ended in failure, writes Leah Nodvin.

Conflict Economic Sanctions

UkraineAlert Dec 19, 2024

Five things Russia’s invasion has taught the world about Ukraine

By Peter Dickinson

Vladimir Putin’s brutal invasion of Ukraine has thrust the country into the global spotlight and transformed international perceptions of Ukraine in ways that will resonate for decades to come, writes Peter Dickinson.

Defense Technologies Disinformation

UkraineAlert Feb 27, 2025

The Finlandization fallacy: Ukrainian neutrality will not stop Putin’s Russia

By Brian Mefford

Donald Trump seeks to broker a peace deal with Vladimir Putin but any attempt to impose neutrality on Ukraine could set the stage for further Russian aggression, writes Brian Mefford.

Conflict European Union

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia and Central Asia in the East.

Learn more

The post Ukraine’s IT sector offers opportunities for pragmatic partnership with the US appeared first on Atlantic Council.

The post Samaan in Institut Montaigne: AI: United Arab Emirates, key partner of France or risk for its digital sovereignty? appeared first on Atlantic Council.

The post CBDC tracker and event with Fed Governor Waller cited in CoinGeek appeared first on Atlantic Council.

The post Tran cited in paper on Chinese technological influence published by the Carnegie Endowment for International Peace appeared first on Atlantic Council.

The post Event with Fed Governor Waller featured in Business Insider on how stablecoins can promote the dollar’s global use and status appeared first on Atlantic Council.

Few were surprised, therefore, when President Trump began his second term with an executive order that prioritizes stablecoins as the preferred mechanism for safeguarding both the global role of the US dollar and financial stability. The executive order also stated that CBDCs create financial stability threats. In contrast, the monetary policy minutes from the December 2024 European Central Bank rate-setting meeting took the opposite position and proposed that crypto assets could create financial stability threats for the eurozone.

The 2025 reserve currency policy landscape: Four key issues to watch

Legislation: Despite their policy differences, European Union (EU) and US policymakers all face the same hurdle. CBDCs can not be issued without legislation.  Lawmakers in Brussels, London, and Washington are each declining to move forward quickly.  The European Parliament to date has declined to schedule a vote on the digital euro package submitted by the European Commission—despite urging by the ECB.  Nor has the UK Parliament moved forward with a digital pound initiative. 

The Republican-led Congress and the White House oppose CBDCs, ensuring that no CBDC legislation will move forward in the United States in the foreseeable future.  The Federal Reserve agrees. Chairman Jerome Powell yesterday testified to Congress  that he will not propose or pursue a digital dollar during the balance of his tenure at the central bank.  Chairman Powell’s term expires in spring 2026.  All relevant policymakers in the United States (the White House, Congressional leaders, regulatory agencies, the central bank) are now united in their opposition to a domestic CBDC. Their focus now turns towards articulating a legislative and regulatory framework supporting stablecoins.

House Financial Services Committee Chairman Hill’s 2025 interview with CNBC confirms that leading US lawmakers believe expanded stablecoin adoption would help “extend the reserve currency status” of the US dollar globally. In addition, Federal Reserve Governor Christopher Waller now publicly supports stablecoins “because they are likely to propagate the dollar’s status as a reserve currency, though they need a clear set of rules and regulations.” Senate Banking Committee Chairman Tim Scott weighed in during January, pledging to craft a stablecoin “regulatory framework that…will promote consumer choice, education, and protection and ensure compliance with any appropriate Bank Secrecy Act requirements.” It remains to be seen if dollar-backed stablecoins could strengthen the dollar’s role in the global payment system.

The structure of legislation will materially impact growth trajectories for stablecoin markets domestically and internationally, with implications for US sovereign bond markets. For example, a regulatory framework could require stablecoin issuers to hold US Treasury securities to back their stablecoins, thus guaranteeing liquidity and demand for US dollar-denominated sovereign paper. Additional proposals to create a crypto asset reserve at the federal level could provide additional liquidity support to crypto markets. 

Geopolitics: President Trump campaigned on promises to safeguard the global role of the dollar. His promises included wielding tariffs as a mechanism to discipline foreign countries that undermine the global role of the dollar, presumably in addition to aggressive sanctions enforcement. The Trump administration is not alone in raising red flags regarding certain CBDC use cases. Growing concern exists internationally that non-US dollar CBDC networks could be used to evade Western sanctions. Against this backdrop, in October 2024, the Bank for International Settlements withdrew from the wholesale CBDC mBridge project, whose members include central banks from China, Hong Kong, Thailand, the United Arab Emirates, and Saudi Arabia. The BIS General Manager reiterated the policy that “…the BIS does not operate with any countries, nor can its products be used by any countries that are subject to sanctions…we need to be observant of sanctions and whatever products we put together should not be a conduit to violate sanctions.” In addition, Russia has called for a multipolar global financial system with a separate non-dollar clearing and settlement system.

Distributed free markets: Stablecoins currently occupy a tiny fraction of financial market activity. Crypto itself remains minor relative to US capital markets. Globally, the estimated stablecoin market size is $227 billion in market capitalization, as compared to $6.22 trillion for US capital markets and $3.39 trillion for global cryptocurrency markets. If current double-digit growth rates for stablecoins continue, they could constitute a considerable proportion of overall crypto market capitalization, if not capital markets themselves. More importantly, the vast majority of stablecoins are pegged to the US dollar.

Rapid adoption rates paired with speedy transaction volumes and velocity in stablecoin markets mean that today’s stablecoin and CBDC decisions may amplify ongoing shifts in reserve currency markets. Dramatic shifts in reserve currency status historically have been rare events. The more likely scenario for threats to dollar dominance involve a range of alternative currencies nibbling at the dollar’s role at the margins. While the US dollar is comfortably in the lead, accounting for 49.2 percent of international payment messaging through SWIFT, its share of global FX reserves has fallen from 71 percent in 2001 to 54.8 percent at present. Decreased demand for dollars has increased demand for non-traditional currencies, gold, and several pairs of local currencies, rather than traditional reserve currencies.

In this context, choices made by individual users can materially impact global reserve currency status. The broad adoption of US dollar-backed stablecoins could even reverse the de-dollarization trend.  Decisions made by policymakers during 2025 will thus materially impact how the stablecoin and dollar markets evolve. 

European crypto rules: EU officials promote the digital euro as a mechanism for delivering strategic and economic autonomy relative to the US dollar. At the retail level, they compete with local payments processes currently dominated by US credit card companies. Globally, they facilitate increased usage of the euro as an international transaction currency. Secondary use cases include using blockchain technology to create “ tokenized” (euro-denominated) deposits that would cement the role of commercial banks within the payment system. European policymakers have also begun experimenting with tokenized securities. Slovenia became the first eurozone sovereign country to issue a tokenized euro area sovereign bond. In December, the Bank of France became the first eurozone central bank to complete transactions in the secondary market for both sovereign fixed income and equity using an unnamed digital currency on a blockchain.

However, if a critical mass of individuals in a country holds wealth in a foreign currency stablecoin, the competitive landscape, if not the survival of other reserve currencies, requires that they provide a digital alternative. The scenario also creates incentives for other jurisdictions to make it difficult to achieve  interoperability with non-euro stablecoins, while creating economic hurdles for local users to choose US dollar-backed stablecoins—essentially preserving their economic and monetary sovereignty.

Some see the newly issued EU crypto regulatory framework—the Markets in Crypto Assets (MiCA); and specifically the 1:1 ratio of required liquid reserves for stablecoins —as a strategic tool to raise barriers to non-EU issuers of US dollar-denominated stablecoins. MiCA extends bank-like regulatory requirements to crypto asset issuers and intermediaries. We discussed that framework and its relationship to the US crypto asset policy landscape in our January 28, 2025 Econographics essay. The framework potentially provides European regulators with the time and tools to play defense by regulating local stablecoin markets to permit either a digital euro or euro-denominated stablecoins to gain market traction. Market data will provide the metric for policy effectiveness.

Barbara Matthews is a nonresident senior fellow at the Atlantic Council’s Geoeconomics Center. She is also Founder and CEO of BCMstrategy, inc., a company that generates AI training data and signals regarding public policy.

Hung Tran is a nonresident senior fellow at the Atlantic Council’s Geoeconomics Center and senior fellow at the Policy Center for the New South; a former senior official at the Institute of International Finance and International Monetary Fund.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Central bank digital currencies versus stablecoins: Divergent EU and US perspectives appeared first on Atlantic Council.

On February 7th, 2025, South China Morning Post published an article referencing Global China Hub nonresident fellow Hanna Dohmen’s testimony for the US-China Economic and Security Review Commission on the effectiveness of export controls in slowing China’s AI advances.

The post Global China Hub nonresident fellow Hanna Dohmen in South China Morning Post appeared first on Atlantic Council.

The post Event on the future of payments with Federal Reserve Governor Christopher Waller featured in Politico’s Morning Money newsletter appeared first on Atlantic Council.

The post Event on the future of payments with Federal Reserve Governor Christopher Waller restreamed by Yahoo Finance appeared first on Atlantic Council.

The bottom line is that DeepSeek has carved an alternative path to high-performance AI by employing a mixture-of-experts (MoE) model and optimizing data processing. Although these techniques are not completely novel, their successful application could have far-reaching implications for global investment trends, regulatory strategies, and the broader AI industry.

That said, questions remain about the true cost and nature of DeepSeek’s hardware and training runs. DeepSeek’s assertions should not be taken at face value, and further research is needed to assess the company’s claims, particularly given the number of examples of Chinese firms secretly working with the government and hiding state subsidies—particularly in industries the Chinese Communist Party considers strategically important.

The traditional AI development model

The prevailing AI paradigm has supported the development of ever-larger models trained on massive datasets using high-performance computing clusters. OpenAI, for example, has pursued increasingly expansive models, necessitating exponential growth in computational power and finances. OpenAI’s dense transformer models, such as GPT-4, are believed to activate all model parameters for every input token throughout training and inference, further compounding the computational burden.

However, this approach has diminishing returns: Increasing the model size does not always yield proportional improvements in performance. Additionally, with this traditional model, there are considerable resource constraints—access to high-end graphics processing units (GPUs) is limited due to supply chain bottlenecks and geopolitical restrictions. There are also high financial barriers. Large-scale training runs using OpenAI’s transformer architecture can require tens of millions of dollars in funding.

Rather than processing every input through a monolithic transformer, MoE routes queries to specialized sub-networks, enhancing efficiency. And by activating fewer parameters per computation, MoE models demand less power. This structure allows for easier expansion without requiring proportional increases in hardware investment.

Several research efforts have previously explored MoE architectures, but DeepSeek successfully deployed MoE in a way that optimized performance while minimizing computational cost.

DeepSeek also leveraged sophisticated techniques that reduced training time and cost. For example, its model was trained in stages, with each stage focused on achieving targeted improvements and the efficient use of resources. Additionally, its model employed self-supervised learning and reinforcement learning, leveraging the Group Relative Policy Optimization (GRPO) framework to rank and adjust responses (minimizing the use of labeled datasets and human feedback). And to compensate for potential data gaps, DeepSeek-V3 was fine-tuned on synthetic datasets to improve domain-specific expertise.

These techniques helped DeepSeek mitigate the inefficiencies associated with training on overly oversized, noisy datasets—a problem that has long plagued AI developers.

Implications

Important questions around the true cost of DeepSeek’s training and access to hardware notwithstanding, DeepSeek-R1 could mark a turning point in AI research. By leveraging MoE architectures and optimized training strategies, DeepSeek may have created a roadmap to achieve high performance without the prohibitive costs and inefficiencies of traditional dense models. Whether new capabilities and improvements can be unlocked by reconfiguring existing dense models like GPT-4 to take advantage of these techniques remains to be seen.

DeepSeek’s apparent success also raises crucial policy questions around the efficacy of export controls aimed at restricting Chinese access to high-performance hardware. If AI development becomes less reliant on cutting-edge GPUs and more focused on efficient architectures, these restrictions could lose their bite. It could also potentially disrupt major planned investments in data centers, many of which have been fueled by the OpenAI model of dense AI development. With DeepSeek’s resource-efficient paradigm as a new benchmark, organizations may need to reassess or restructure some of these investments to fit within that paradigm.

While further research is crucial to assess the significance of DeepSeek’s innovation, its emergence stands as a clear wake-up call to leading AI organizations, policymakers, and investors alike. Attention, perhaps, is not all you need.

Ryan Arant is the director of the N7 Research Institute at the Atlantic Council.

Newton Howard is founder and was the first chairman of C4ADS.

New Atlanticist Jan 23, 2025

Trump should keep, not cut, Biden’s last-minute offer of federal land for AI data centers

By Will LaRivee

In an executive order in the final days of his administration, US President Joe Biden put forward a promising idea to expand US data center capacity.

Artificial Intelligence Politics & Diplomacy

New Atlanticist Jan 19, 2025

On trade and technology, the US and EU need each other now more than ever

By Trevor Rudolph

Washington and Brussels must collaborate on telecommunications, semiconductors, and critical minerals to compete with nonmarket economies.

Economy & Business European Union

GeoTech Cues Aug 6, 2024

The Great IT Outage of 2024 is a wake-up call about digital public infrastructure

By Saba Weatherspoon and Zhenwei Gao

The July 19 outage serves as a symbolic outcry for solution-oriented policies and accountability to stave off future disruptions.

Cybersecurity Internet

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post Did DeepSeek just trigger a paradigm shift? appeared first on Atlantic Council.

The most impressive thing about DeepSeek-R1’s performance, several artificial intelligence (AI) researchers have pointed out, is that it purportedly did not achieve its results through access to massive amounts of computing power (i.e., compute) fueled by high-performing H100 chips, which are prohibited for use by Chinese companies under US export controls. Instead, it may have conducted the bulk of the training for this new model by optimizing inter-chip memory bandwidth of the less sophisticated H800s (allowing these less sophisticated chips to “share” the size of a very large model). This meant that training the model cost far less in comparison to similarly performing models trained on more expensive, higher-end chips. DeepSeek’s breakthrough has led some to question whether the US government’s export controls on China have failed. 

However, such a conclusion is premature. Other recent “breakthroughs” in Chinese chip technologies were the result not of indigenous innovation but developments that were already underway before export controls seriously impacted the supply of chips and semiconductor equipment available to Chinese firms. In late 2023, for example, US foreign policy observers experienced a shock when Huawei announced that it had produced a smartphone with a seven nanometer chip, despite export restrictions that should have made it impossible to do so. But rather than showcasing China’s ability to either innovate such capabilities domestically or procure equipment illegally, the breakthrough was more a result of Chinese firms stockpiling the necessary lithography machines from Dutch company ASML before export restrictions came into force. The influx of machines bought China time before the impact of export controls would be seen in the domestic market. 

There is evidence to suggest that DeepSeek is benefiting from a similar dynamic. China AI researchers have pointed out that there are still data centers operating in China running on tens of thousands of pre-restriction chips. They also note that the real impact of the restrictions on China’s ability to develop frontier models will show up in a couple of years, when it comes time for upgrading. Or, it may show up after Nvidia’s next-generation Blackwell architecture has been more fully integrated into the US AI ecosystem.

While DeepSeek’s achievement has not exactly undermined the United States’ export control strategy, it does bring up important questions about the broader US strategy on AI. Much of the conversation in US policymaking circles focuses on the need to limit China’s capabilities—specifically by restricting its ability to access compute. While not wrong on its face, this framing around compute and access to it takes on the veneer of being a “silver bullet” approach to win the “AI race.” This kind of framing creates narrative leeway for bad faith arguments that regulating the industry undermines national security—including disingenuous arguments that governing AI at home will hobble the ability of the United States to outcompete China. 

Such arguments emphasize the need for the United States to outpace China in scaling up the compute capabilities necessary to develop artificial general intelligence (AGI) at all costs, before China “catches up.” This has led some AI companies to convincingly argue, for example, that the negative externalities of speed-building massive data centers at scale are worth the longer-term benefit of developing AGI. Such an argument has significant business upside for AI companies, as they amass greater numbers of chips to gain a competitive advantage. What the DeepSeek example illustrates is that this overwhelming focus on national security—and on compute—limits the space for a real discussion on the tradeoffs of certain governance strategies and the impacts these have in spaces beyond national security.

To plug this gap, the United States needs a better articulation at the policy level of what good governance looks like. This should include a proactive vision for how AI is designed, funded, and governed at home, alongside more government transparency around the national security risks of adversary access to certain technologies. It also requires the US government to be clear about what capabilities, technologies, and applications related to AI it is specifically aiming to regulate. This would help to elevate conversations on risk and enable communities of practice to come together to establish adaptive governance strategies across technological, economic, political, and social domains—as well as for national security.

How to best develop, deploy, and govern AI-enabled technologies is not a question that can be answered with “silver bullet” solutions. Rather, it is a process, one that requires consistent, thoughtful engagement from practitioners and experts across a wide variety of issue sets and backgrounds. No one strategy will win the “AI race” with China—and as new capabilities emerge, the United States needs a more adaptive framework to meet the challenges these technologies and applications will bring. 

Kenton Thibaut is a senior resident China fellow at the Atlantic Council’s Digital Forensic Research Lab (DFRLab), where she leads China programming for the Democracy + Tech Initiative.

The post What DeepSeek’s breakthrough says (and doesn’t say) about the ‘AI race’ with China appeared first on Atlantic Council.

The post Lipsky quoted in Reuters on Trump’s impact on CBDC development in the US appeared first on Atlantic Council.

The post CBDC tracker cited in Reuters on digital euro progress appeared first on Atlantic Council.

With legislators favorable to the industry—including Representative French Hill as the chair of the House Financial Services Committee (watch his Atlantic Council event on stablecoins here), Senator Cynthia Lummis as the newly formed chair of the Senate Banking Committee’s subcommittee on digital assets, SEC chair pick Paul Atkins, and advisors like Elon Musk and commerce secretary nominee Howard Lutnick—confidence is growing that crypto-forward agenda is on its way. But what does success on the regulatory front actually look like? What does it mean for the rest of the world? We dive into the dozen bills under consideration in Congress and zoom in on the three big themes for crypto regulation in 2025.

The SEC vs CFTC: Finally, a truce?

One of the major disagreements between the industry and legislators has been whether the SEC or the Commodity Futures Trading Commission (CFTC) is the right regulator for crypto. As is often debated in Washington, is crypto a security or a commodity? Under the former SEC chair, Gary Gensler, the agency regularly fined crypto companies when it found them in breach of securities laws. This led to some legislators and industry favoring the CFTC as the regulator. Several bills under consideration, including the Financial Innovation and Technology for the 21st Century Act, the Digital Asset Market Structure and Investor Protection Act, the Responsible Financial Innovation Act, and the BRIDGE Digital Assets Act, address the jurisdiction of SEC and the CFTC regarding crypto.

One of the Trump campaign’s biggest promises to the industry is an end to this era of regulation by enforcement. Paul Atkins, Trump’s pick to replace Gary Gensler as SEC chair, is seen as friendly to the crypto industry. His appointment follows a wave of legal decisions over the past two years that have ruled in favor of the companies against the SEC. Atkins’ job, once he’s sworn in, will be two-fold: He will need to clarify the SEC’s jurisdiction over the crypto market and then actually enforce regulations on crypto-assets—their issuance, use, and role in the US economy. Congress will augment these efforts, and you can expect several bills rebalancing the SEC and CFTC’s jurisdiction and enforcement powers. See below for the full breakdown.

Stablecoins, ahoy! 

Stablecoins have now passed $190 billion in global circulation. They can provide much needed liquidity for the crypto market and act as conduits between crypto and non-crypto-assets. Stablecoins increasingly aim to address humanitarian aid and cross-border payments such as remittances, including in Ukraine.

While 98 percent of stablecoins are pegged to the dollar, over 80 percent of stablecoin transactions happen abroad. This makes these “digital dollars” subject to regulatory frameworks set in Europe, Asia, and Africa. Europe’s stablecoin framework, known as Markets in Crypto-Assets, came into full effect in January 2025. Implementing the framework should result in some introspection across the Atlantic over the pending stablecoin legislation in Congress. The Clarity for Payment Stablecoins Act and the Lummis-Gillibrand Payment Stablecoins Act are the two bills under consideration. The Clarity Act has been under consideration by the House Financial Services Committee for the last year, coming close to bipartisan consensus a few times. It has evolved into a discussion draft proposed by Senator Bill Hagerty. The Lummis-Gillibrand Act was introduced to the Senate in May 2024. 

The bottom line, as our cryptocurrency regulatory tracker shows, is that regulations in the United States play a key role in the future of crypto around the world. While other countries have been developing their own regulatory frameworks, the United States has lagged behind—that may finally change in the months to come. 

A trailblazing national bitcoin reserve  

With the appointment of Lummis as the chair of the digital assets subcommittee at the Senate Banking Committee, it’s likely that talks of a bitcoin reserve will continue on the Hill. The logic behind the bill is to purchase bitcoin to be able to pay back the national debt. There are some open questions about the Lummis bitcoin reserve proposal—including the convoluted funding model, which revalues gold certificates from their 1993 price to their current value. 

There are also proposals for a US Central Bank Digital Currency (CBDC). The Trump administration and Republican lawmakers have made it clear that a retail CBDC, or the digital dollar, is not going to happen in the United States. This puts the United States at odds with its peers like Europe, which is rolling out a pilot of the digital euro in 2025, and the United Kingdom, which set up a CBDC lab just last week. The executive order directs all agencies to stop any ongoing work on a CBDC.

The breakdown of all the major pieces of legislation currently being considered is below.

Ananya Kumar is the deputy director, future of money at the Atlantic Council’s GeoEconomics Center.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post What is next for crypto regulation in the US? appeared first on Atlantic Council.

For more context and to make sense of all the competing arguments, we turned to our experts on China and technology. 

Click to jump to an expert analysis:

Graham Brookie: The Supreme Court’s decision will shape global tech competition

Shelly Hahn: To China, algorithms are a national interest 

Kenton Thibaut: The US data security problem is bigger than TikTok

Caroline Costello: If you’re interested in protecting civil society, you should be concerned about TikTok

Mark Scott: Worries around TikTok’s data collection and security apply to all social media giants

Matt Geraci: US data privacy laws are not up to the task 

Emerson T. Brooking: If TikTok was a tool of Chinese foreign interference, someone forgot to tell China

Samantha Wong: The national security risks will remain whether TikTok is banned or not

Konstantinos Komaitis: A TikTok ban would be a direct attack on the open and global internet

Kitsch Liao: ByteDance’s First Amendment argument is a distraction from its refusal to divest

The Supreme Court’s decision will shape global tech competition 

The United States Supreme Court is set to start 2025 with a blockbuster case on a tight timeline with significant domestic tech and geopolitical ramifications.  

The law in question in the case of TikTok v. Garland—the Protecting Americans from Foreign Adversary Controlled Applications Act—was passed by Congress in April 2024 with widespread bipartisan support: a 352–65 vote in the House and 79–18 in the Senate. US President Joe Biden signed the bill into law, giving him the authority to force TikTok’s divestiture from its Chinese parent company or be banned from the United States. The Department of Justice set a deadline of January 19—forcing this dramatic showdown. The Supreme Court will proceed in hearing the case on January 10 despite Trump’s request to delay until after his inauguration and the fact that the high court typically defers to its two co-equal branches of government on matters of national security.  

The Atlantic Council previously published an in-depth technical analysis of whether the threats of legal control, data access, algorithmic tampering, or broad influence efforts by the Chinese government are unique or singularly focused on TikTok. The threat of legal control proved to be real and ongoing. The other potential risks remain considerable with loopholes not specific to TikTok, such as the sheer amount of Americans’ data for sale on the open market or the litany of US-owned platforms the Chinese Communist Party (CCP) has used to perpetrate influence efforts. Chinese ownership of TikTok is undoubtedly a core strength in its global approach to “discourse power.” The key questions remain whether a Chinese company’s ownership of such a popular social media platform poses unique national security risks to the United States, whether banning such a popular app violates the rights of the company or the app’s US users, and how China may react or force ByteDance to react. Beyond TikTok v. Garland, any outcome will shape global tech competition from the global reach of digital platforms to broader tech governance. If new evidence is surfaced, it will shape both. 

—Graham Brookie is the vice president of technology programs and founding director of the Digital Forensic Research Lab at the Atlantic Council. 

To China, algorithms are a national interest

The TikTok saga highlights Beijing’s strategy of using private companies to exert influence globally, while restricting foreign companies’ operations within China. 

Beijing views algorithms as critical tools to exert national power, with Chinese leader Xi Jinping emphasizing the importance of artificial intelligence in military and economic power competition. As TikTok has gained market clout, the Chinese government has taken a more assertive stance on its technologies, especially content recommendation algorithms. Since 2020, China has implemented measures to protect its technological assets, including adding algorithms to the restricted list  of technologies from export in August 2020, and passing the “Export Control Law” in October 2020, which governs the sale of these technologies to foreign buyers. China now strongly opposes any forced sale of TikTok, asserting its legal authority to veto such transactions. 

Beijing has railed against the United States’ enforcement actions against TikTok, using abusive and inflammatory rhetoric to paint those actions as a violation of international norms. Chinese officials have called these actions “an act of bullying” (Xinhua editorial), “an abuse of national power” (Ministry of Foreign Affairs Spokeswoman Mao Ning), and “hypocritical and double standards” (Xinhua editorial). They have warned of potential consequences for the global economic order. 

That is interesting rhetoric given that Beijing would not allow a US or other foreign company to operate similarly in China. China maintains a restrictive environment for foreign media and technology companies, blocking most foreign social media platforms, search engines, and news outlets. When probed about this disparity, a Ministry of Foreign Affairs spokesperson claimed that “China’s policy on overseas social media is completely incomparable to the US’ attitude towards TikTok . . . as long as foreign media companies comply with the requirements of Chinese laws and regulations, all foreign media platforms and news agencies are welcomed.” In reality, these laws give the CCP firm control over data flows and information within its borders. 

Beijing’s robust defense of TikTok and its underlying technology underscores China’s growing confidence in its tech sector and its willingness to challenge what it perceives as unfair treatment in the global marketplace. 

—Shelly Hahn is the deputy director of the Atlantic Council’s Global China Hub. 

The US data security problem is bigger than TikTok 

There is no doubt that People’s Republic of China (PRC) state entities see the value in collecting data on Americans for intelligence purposes. However, the proposed actions on TikTok leave open serious questions on how effectively a ban or divestment would protect Americans’ data from exfiltration.

The Atlantic Council’s Digital Forensic Research Lab previously conducted a technical, policy, and legal analysis of the stated national security risks posed by TikTok. Our research found that TikTok can be said to present a unique risk in terms of its Chinese ownership, in that the PRC’s National Intelligence Law does give the government broad leeway to potentially compel the company to grant it access to TikTok’s data, including on Americans. In addition, even under the circumstances of outside control of TikTok’s data storage, it would be almost impossible to know if Chinese intelligence authorities somehow maintained a backdoor into these data streams.

At the same time, however, we found that TikTok’s data collection practices on Americans are not outside what is commonly practiced by social media companies, including Meta, X, and others. More importantly, the data that TikTok can provide on Americans pales in comparison to what the Chinese government has accessed through both its illegal hacking activities and what is available legally on the open market through US-based third-party data brokers.  

In fact, a report from Duke University’s Sanford School of Public Policy found that via data brokers, it is “not difficult to obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices,” noting that location data was also available for purchase. A narrow, national-security oriented focus on TikTok to address potential threats to the US data ecosystem risks overlooking much broader security vulnerabilities and thus undermines more effective policy solutions. That is to say, while there is much about TikTok’s data gathering and privacy policy to side-eye, the challenge is far wider than TikTok alone and requires a more wide-ranging policy solution to address. 

—Kenton Thibaut is a senior resident China fellow at the Digital Forensic Research Lab of the Atlantic Council’s Technology Programs. 

If you’re interested in protecting civil society, you should be concerned about TikTok 

The debate surrounding TikTok is about a tool that empowers China to extend its high-tech surveillance state beyond its own borders. While it’s true that other social media platforms engage in similar surveillance, other platforms are not beholden to the government of a foreign adversary. 

TikTok’s owner, ByteDance, is a Chinese company. In China, the CCP has absolute control over companies. In China’s authoritarian system, the party is always above the law, but the CCP took the extraordinary step of enshrining this capability into law, likely to make very clear to Chinese companies exactly what they should expect. Article 7 of the National Intelligence Law of 2017 states that “all organizations and citizens shall support, assist, and cooperate with national intelligence efforts,” meaning the government has the right to secretly demand TikTok user data, and the company must share it. 

When defending against these allegations, TikTok has insisted that it stores all US user data in the United States, but the company has also acknowledged that nevertheless, China-based employees can still access US user data, and those same employees must obey any and all edicts from the CCP. In fact, thanks to leaked audio from internal meetings, we now know that China-based employees have repeatedly done so. This includes two cases in which a China-based team at TikTok planned to use the app to monitor the location of specific US citizens.  

Chinese intelligence services have a well-documented history of harassing and intimidating human rights activists and journalists on US soil. Even if you don’t mind the PRC surveilling you, and even if you don’t care about US-China competition, if you’re interested in protecting civil society, you should be concerned about TikTok. 

There is one important caveat, though. As demonstrated in a report from the Atlantic Council’s Digital Forensic Research Lab, foreign adversaries can also buy this data from brokers that rely on US-based companies surveilling their users. In fact, US-based companies have been accused of using targeted surveillance against civil society, as in the cases of Uber and Meta reportedly tracking the location of journalists reporting on their apps. TikTok is just one piece of a broader data security vulnerability perpetuated by US platforms. 

—Caroline Costello is a program assistant at the Global China Hub. 

Worries around TikTok’s data collection and security apply to all social media giants

Central to concerns around TikTok is how the app collects, stores, and uses information it gathers on users. The fear, according to US officials, is that such data may be weaponized by Beijing, though no evidence of such activity has yet to be proven. Based on a review of TikTok’s privacy policy and external analysis, the social media platform does collect a lot of information on users if they give the company permission. That includes information on individuals’ exact location, their phone numbers and those of their contacts, people’s other social media accounts, and detailed information about individuals’ devices (often used by marketers to target specific demographics). 

That may sound creepy. But TikTok’s data collection practices are no different than those of US social media giants, which similarly gather as much information as possible on their users to tailor these firms’ advertising offerings. That also includes in-app web browsers built into the likes of Instagram and X that allow these companies to collect just as much information on people’s web habits—so long as they are surfing the internet from within these social media networks. 

So would forcing TikTok off of US app stores make Americans’ data more private and secure? The short answer is no. While US officials have raised concerns about how Americans’ data may be accessed by Chinese government officials via TikTok, such personal information—from people’s phone numbers and home addresses to internet activity to consumer purchasing history—is already available commercially, via so-called domestic data brokers. The outgoing Biden administration tried to tackle that problem with the Protecting Americans’ Data from Foreign Adversaries Act and prohibitions placed on these data brokers from transferring such sensitive data to foreign adversaries like China. 

Yet, in reality, the lack of comprehensive federal privacy legislation means that Americans’ data—no matter what eventually happens with the potential TikTok ban or sale—remains significantly more at risk compared to their counterparts in other Western countries. State-based laws, particularly those in California and Virginia, have provided a modest degree of greater control for people in how companies gather and use their personal information. But the removal of TikTok from US app stores, which have similarly set baseline levels of privacy protections for users, will not make Americans’ overall data either more private or more secure. 

 —Mark Scott is senior resident fellow at the Democracy + Tech Initiative within the Atlantic Council Technology Programs. 

US data privacy laws are not up to the task 

The absence of common-sense data privacy laws in the United States created an environment that allowed TikTok to become a security risk. Removing TikTok from app stores will not change this. As a 2022 Consumer Reports investigation revealed, TikTok uses many of the same data harvesting techniques employed by companies like Meta and Google for targeting ads. They also concluded that claims by TikTok and others that data is used solely for advertising cannot be verified by consumers or privacy researchers. 

The Cambridge Analytica scandal, which involved unauthorized data collection from millions of Facebook users for targeted political ads, remains fresh in the minds of Americans who are skeptical about the stated reasons for removing TikTok. Although the Federal Trade Commission forced new privacy restrictions on Facebook, the scandal has not led to national legislation like the European Union’s General Data Protection Regulation (GDPR) that could be applied to all companies, including TikTok. Despite this, various US states have endeavored to draft their own laws since the scandal. Yet, companies like Meta, Google, and Amazon often attempt to thwart these efforts through lobbying.  

Regulatory changes are essential to mitigate data security threats from Beijing. However, US tech companies seem to lack enthusiasm for supporting new data protections, and Congress has struggled to make progress. Nearly all the major US tech companies have been fined for violating the European Union’s GDPR (including Amazon, Google, Meta, and Twitter/X), so clearly this is an area that needs improvement. Companies are not ideal self-regulators. TikTok adds another layer given that it must answer to an authoritarian regime and thus poses even larger risks when allowed to operate in an unregulated environment. 

TikTok’s popularity, data collection practices, and Chinese ownership create a unique national security challenge requiring careful consideration. Tech companies should work with the US government to improve data privacy protections, rather than targeting TikTok under the guise of national security while simultaneously perpetuating a harmful regulatory status quo. 

—Matt Geraci is an associate director at the Global China Hub. 

If TikTok was a tool of Chinese foreign interference, someone forgot to tell China 

It’s true that the push for TikTok’s divestment from ByteDance is deeply rooted in fears of Chinese information manipulation. In a March 2024 House Committee on Energy and Commerce report on the forced divestment measure, the committee cited China’s potential use of TikTok to “push misinformation, disinformation, and propaganda on the American public.”  

It’s also true that these fears were never substantiated. The CCP’s propaganda strategy—its quest for “discourse power”—has always been premised on the incremental manipulation of information across many different platforms at the same time. The idea that Beijing built a shiny red button to turn TikTok into a tool of mass brainwashing never accorded with reality.  

Indeed, so far it appears that only a single fake CCP-adjacent TikTok account sought to influence the 2024 US election. Ironically, far more CCP accounts on other platforms sought to stir resentment about a potential TikTok ban. By contrast, Russia—which has had no unique claim to TikTok—extensively used the service for the purposes of information manipulation. In December 2023, the Digital Forensic Research Lab and the BBC uncovered a massive Russian campaign that used artificial intelligence to instrumentalize more than 12,800 accounts to undermine Ukraine.  

Perhaps the CCP was just subtly tweaking the TikTok algorithm to achieve its goals? But this is also unlikely. One of the few available independent studies of TikTok content policy suggests that the platform may have actually reduced the salience of certain hashtags in line with the wishes of US lawmakers. The bizarre nature of some of the material that goes viral on TikTok is explained by the tastes of TikTok’s Millennial- and Gen Z-majority user base, not a global conspiracy. TikTok has repeatedly failed the American people in the realm of transparency and public accountability. So has every US-based social media platform.  

—Emerson T. Brooking is director of strategy and resident senior fellow at the Digital Forensic Research Lab. 

The national security risks will remain whether TikTok is banned or not 

Last February, Biden issued a much-needed executive order limiting the sale of sensitive personal US data or US government-related data to “countries of concern,” including China, to prevent them from “engag[ing] in espionage, influence, kinetic or cyber operations or to identify other potential strategic advantage over the United States.” This is supported by additional legislation, such as the Protecting Americans’ Data from Foreign Adversaries Act of 2024 and the Protecting Americans from Foreign Adversary Controlled Applications Act, both aimed at protecting sensitive US data from being accessed by “foreign adversary nations.” 

However, these new measures are not foolproof. The executive order only targets data brokers from “countries of concern,” and the bill doesn’t address data. One way China can easily circumvent these laws is by purchasing data from companies in third-party countries that obtained it through domestic data brokers that sold the data without knowledge of the final recipient or its intended use. Essentially, if TikTok was a US company, China would still be able to purchase personal US data from TikTok through third-country entities.  

Furthermore, China could easily access any sensitive, critical data through hacking US infrastructure. China is constantly investing and building up its offensive cyber ecosystem to train Chinese hackers to target and acquire critical US intelligence. Although the ban on TikTok would prevent Chinese firms from easily accessing US data, China has the resources to access this sensitive information illegally and is not afraid to implement these illicit operations if it feels the need to do so.  

Ultimately, the TikTok ban addresses only a small aspect of a much larger issue. Even if TikTok were banned or became a US-owned company, the core national security risks would remain. The United States should instead implement broader legislation aimed at strengthening domestic cybersecurity infrastructure and closing any third-party loopholes that could undermine existing protective laws. 

—Samantha Wong is a program assistant with the Global China Hub. 

A TikTok ban would be a direct attack on the open and global internet

In the conversation about whether the United States should or should not ban TikTok, there is one parameter that no one is mentioning: what will this mean for the internet? The answer is straightforward. If the United States proceeds with banning TikTok, such a move will be nothing short of a direct attack on the open and global internet.  

The internet is based on a decentralized architecture, which means that there is no center of control. The value of the open internet is that networks should be able to connect without any restrictions. The internet was not designed so that only specific networks could connect; rather, any network should be able to connect as long as it is willing to abide by certain rules—the internet’s open standards and protocols. Banning TikTok will affect how networks get to interconnect. 

 At the same time, a potential ban will also affect the internet’s global reach and integrity. The whole idea of the internet is that no entity should inspect or modify packets carried through different networks beyond what might be necessary to route the packet as advertised. This is an expectation that users have no matter where they are in the world, and it will not be met should the ban take effect.  

The United States has historically and unequivocally been a strong supporter of the open and global internet. In fact, for more than two decades, the United States has been at the forefront of pushing back at attempts by authoritarian governments to centralize internet control. A TikTok ban will be a setback to all these years of effort and will legitimize the narrative by other authoritarian states that the internet should be subject to government control and management. It will also weaken the United States’ position globally, especially at the United Nations, where conversations about the future of internet governance are currently taking place. 

 —Konstantinos Komaitis is a resident senior fellow and Global Democracy and Technology lead with the Democracy + Tech Initiative. 

ByteDance’s First Amendment argument is a distraction from its refusal to divest

ByteDance has yet to provide a rationale commensurate with freedom of speech or national security regarding why TikTok cannot be a US company without ties to the Chinese Communist party-state. Yet, on January 10, the nation will focus on the US Supreme Court’s hearing for the “TikTok ban,” highlighting First Amendment concerns. 

This is a distraction. The government has already successfully argued in court against TikTok on both national security and data collection grounds. ByteDance has sidestepped the national security argument by pointing to the lack of public evidence and argued that TikTok’s data collection practices are the same as those of other platforms. TikTok, however, failed to argue against its intent to endanger US national security, and it’s a point that bears reiterating.  

A series of reports from 2019 to 2021 detailed TikTok’s extreme security risks, including that the app allowed remote downloading and execution of binary files, essentially acting like a pre-installed backdoor ready for payload delivery. This sets it apart from other social media platforms and established its intent to harm. A “black hat” hacker would usually have to compromise a target’s devices through phishing or other means before it can achieve what TikTok pre-installed for its users. A Washington, DC court ruling also stressed TikTok’s continued malicious intent to abuse data collected from US citizens, even after the establishment of TikTok US Data Security.   

Until TikTok’s cord with the PRC is cut, it will continue to test the waters and find legal and illegal means to endanger US national security, as it clearly possesses both the intent and capability to do so.  

The essence of security is to make it harder for an adversary to do you harm. Just because China can obtain US user data through other ways doesn’t mean we should let them do so through TikTok. Deterrence through cost imposition is a foundational concept in international security, and the “cost,” be it through financial means or legal risks should China decide to furnish data through other social media giants operating within the United States, is very real. 

—Kitsch Liao is an associate director at the Global China Hub. 

The post Your expert guide to the debate over banning TikTok  appeared first on Atlantic Council.

On January 3rd, 2025, Global China Hub nonresident fellow Dakota Cary spoke to the Washington Post about Beijing Integrity Tech, the cybersecurity company linked to the Flax Typhoon attacks.

The post Global China Hub nonresident fellow Dakota Cary in the Washington Post appeared first on Atlantic Council.

In May, US President Joe Biden announced a 100 percent tariff on all electric vehicles (EVs) imported from China. The administration had two main objectives: 1) Protect and stimulate US clean energy industries and supply chains, and 2) counter a flood of Chinese goods as Beijing turns to exports to compensate for its weak internal demand. For the United States, these tariffs are largely preventative and symbolic, as Chinese EVs make up only around 2 percent of total EV imports. For other Group of Seven (G7) countries, it’s too late for prevention, as Chinese EVs already dominate.

The Biden administration coordinated with concerned allies and, in August, Canada also announced it would levy a 100 percent tariff on EV imports from China. The European Union (EU) later imposed up to 45.3 percent tariffs on Chinese EVs. Economic stress due to Chinese dumping increasingly reaches beyond the United States––and even beyond the G7. Since 2023, Argentina, Brazil, India, and Vietnam have all begun anti-dumping or anti-subsidy investigations into Beijing’s practices. 

The incoming Trump administration will now have a choice. It can revert to President-elect Donald Trump’s previous preference for bilateral negotiations, or it can continue to restrict China’s access in step with allies and partners, possibly by creating a “buyers club” to regulate standards and open markets to a select few.

—Sophia Busch is an assistant director at the Atlantic Council’s GeoEconomics Center. 

In October 2024, the US Department of the Treasury issued final regulations implementing the Executive Order on Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern. Once it comes into effect on January 2, 2025, the Outbound Investment Security Program (OISP) regulations will prohibit or subject to notification requirements certain transactions involving Americans and persons affiliated with designated countries of concern (presently, China, including Hong Kong and Macau) operating in the semiconductor and microelectronics, quantum information technology, or artificial intelligence (AI) sectors (“covered foreign persons”). 

With respect to AI, the OISP will generally prohibit US persons from investing in a covered foreign person that develops any AI system trained using a quantity of computing power greater than ten septillion (10^25) computational operations (integer or floating-point operations). In addition, the OISP sets forth other computational thresholds implicating investment prohibitions (i.e., greater than 10^24 computational operations using primarily biological sequence data) or notification requirements (i.e., greater than 10^23 computational operations). Notably, regardless of computing power, covered transactions involving AI systems designed or intended for military, government intelligence, mass surveillance, cybersecurity, digital forensics, penetration testing tools, or the control of robotic systems end uses are also subject to prohibitions or notification requirements.

Absent practical guidance or enforcement history, exactly what these computing power thresholds mean in practice, as well as how they reasonably can be determined, remain to be seen. However, given its breadth, complexity, and enforceability, the OISP seems likely to have a significant effect—most notably with respect to US persons, but also in connection with the activities of certain foreign persons controlled by US persons or for which US persons serve in key roles. Such persons have until the new year to start making sense of what may be about 10^25 questions regarding their exposure under the OISP.

—Annie Froehlich is a nonresident senior fellow at the GeoEconomics Center and partner at Cooley LLP.

The 2024 meeting of the BRICS+ gathered the representatives of forty countries on October 22-24 in Kazan, Russia. This number is about four times the size of the BRICS+ (named for members Brazil, Russia, India, China, and South Africa), which expanded in 2023 to include Argentina, Egypt, Ethiopia, Iran, the United Arab Emirates, and Saudi Arabia.

While the creation of a BRICS currency still appears unlikely, the bloc announced a substitute for Western payment systems called BRICS Clear. Circumventing sanctions or the extraterritoriality of US banks and, more generally, becoming less dependent on the US dollar are clear motivations behind such endeavors, as well as a growing interest in making bilateral arrangements to use China’s e-yuan.

Some notable leaders, such as Argentine President Javier Milei and Brazilian President Luiz Inácio Lula da Silva, were absent. But the attendees were a large and heterogeneous group, including both Turkey and North Korea. But without being officially opposed to the United States, the US dollar, or even the G7, the summit in Kazan visibly illustrated increasing global fragmentation. True, it took two world wars for the British pound to be dethroned by the dollar, and the latter remains dominant, representing about 60 percent of central banks’ official reserves, international debt, and credit. But in a multipolar world, could too much hegemony be its own undoing?

—Marc-Olivier Strauss Kahn is a nonresident senior fellow at the Atlantic Council and honorary director general at Banque de France.

Russia’s invasion of Ukraine laid bare a vulnerability in Europe’s energy strategy: an overreliance on a single supplier for critical resources. The EU is determined to avoid repeating the same mistake with lithium, a critical mineral often referred to as “white gold” for its indispensable role in the decarbonization race. However, the EU faces an uphill battle to reduce its near-total dependence on China, which currently supplies 97 percent of the bloc’s raw lithium.

With its ability to produce lithium at low cost thanks to cheaper labor, state-controlled financing, and energy subsidies, Beijing has flooded global markets and produced much more lithium “than the world needs today, by far,” according to Jose Fernandez, under secretary for economic growth, energy, and the environment at the US Treasury Department. To mitigate this monopoly, the EU has set ambitious targets, including producing at least 10 percent of its annual lithium consumption within the bloc by 2030. However, the region’s lithium mining projects are not expected to begin production until the end of 2026, leaving a significant gap in the interim.

As the world transitions to green technologies, lithium will remain a cornerstone of the global energy transition. For the EU, building a resilient, diversified supply chain is a strategic necessity.

—Grace Kim is a young global professional with the GeoEconomics Center.

Almost half of the world held elections in 2024. In Western democracies, opposition parties have won six out of fifteen decisive elections. Globally, more than half of incumbents or ruling coalitions managed to stay in power. However, unstable coalitions prompted multiple collapsed governments in Europe, including Germany and France.

Meanwhile, Russia’s efforts to interfere in Eastern European and Eurasian countries’ elections were a prominent but not unexpected problem. Russia’s direct and indirect interference in the Georgian parliamentary elections has been thoroughly researched and documented. Like in Georgia, the Moldovan elections were fraught with Russian disinformation and meddling, although pro-Western incumbent President Maia Sandu emerged victorious. Meanwhile, Romanian intelligence services declassified documents showing that the country’s elections have become the target of “aggressive hybrid Russian action,” including 85,000 cyberattacks on Romanian election websites. 

These instances of interference throughout 2024 demonstrated that Russia and other adversaries are invested in undermining elections as a fundamental principle of democracy. This is an opportunity for the United States and the EU to leverage positive economic statecraft tools to equip countries in Eastern Europe and Eurasia with secure election technologies and provide financial assistance to educate populations in identifying and thwarting Russian propaganda and disinformation. 

—Kimberly Donovan is the director of the Economic Statecraft Initiative within the Atlantic Council’s GeoEconomics Center. Follow her at @KDonovan_AC.

—Maia Nikoladze is the associate director at the Economic Statecraft Initiative within the Atlantic Council’s GeoEconomics Center. Follow her at @Mai_Nikoladze.

—Mikael Pir-Budagyan is a young global professional at the Economic Statecraft Initiative within the Atlantic Council’s GeoEconomics Center.

Since the start of the year, the cryptocurrency market capitalization nearly doubled from $1.65 trillion to $3.65 trillion. This year, the digital asset industry made significant inroads into the global economy, especially bitcoin and stablecoins. 

Bitcoin continues to dominate the digital asset market, accounting for more than 50 percent of the total market capitalization as the asset crossed $100,000 on December 4. On January 10, the US Securities and Exchange Commission approved the bitcoin spot exchange-traded funds, giving retail and institutional investors greater access to the asset—in November, a group of US bitcoin exchange-traded funds recorded $6.2 billion of inflow. Stablecoins also saw significant, use accounting for trillions of dollars of transaction volume every month. In October, Stripe acquired stablecoin platform Bridge for $1.1 billion, demonstrating what may be fintech firms’ bigger push into digital assets. 

Digital assets should be expected to see more mainstream adoption under the Trump administration and a Republican-led House and Senate, which have expressed a pro-crypto stance. This will likely result in more open-source developers in the United States and greater exploration by financial institutions. 

—Nikhil Raghuveera is a nonresident senior fellow at the GeoEconomics Center and co-founder of Predicate.

As interest rates hit twenty-year highs, developing countries paid out a staggering sum of $1.4 trillion to service their foreign debts. The details behind that headline are equally stark and troublesome. Interest payments alone amounted to more than $400 billion as rates surged. And, as with most shocks, the poorest countries and most economically insecure people have been hit the hardest as governments are forced to make tradeoffs between development and growth, and as spending is diverted from critical health, education, and infrastructure investments. Low-income economies eligible for the International Development Association (IDA) paid $96 billion in debt service; and their interest payments now amount to nearly 6 percent of the export earnings of IDA-eligible countries—a level that hasn’t been seen in more than twenty-five years. For some countries, the payments run as high as 38 percent of export earnings. And more money is flowing out than in. Since 2022, foreign private creditors took in almost $13 billion more in debt-service payments from public sector borrowers in IDA-eligible economies than they doled out in new financing. Multilateral banks have been playing a larger role, even as service payments, interest rates, fees, charges, and surcharges have come under scrutiny. 

For its part, the World Bank announced in advance of the Annual Meetings in October that it was lowering the minimum equity-to-loan ratio from 19 percent to 18 percent, freeing up $30 billion more in financing, removing certain fees, and lowering the price of loans for smaller economies. Meanwhile, the International Monetary Fund (IMF) announced a package of reforms to its General Resources Account lending that will significantly reduce the cost of IMF borrowing, which has compounded the crisis for many countries. The principal changes include a reduction of the margin over the Special Drawing Rights interest rate, an increase in the threshold at which surcharges apply, a lower rate for time-based surcharges, and a higher threshold for commitment fees. More than a third of General Resources Account (GRA) borrowers are currently subject to surcharges. By fiscal year 2026, the number of nations subject to surcharges is projected to drop from twenty to thirteen. Hefty savings for GRA borrowers are expected––$1.2 billion annually, or 36 percent.

––Nicole Goldin, PhD, is a nonresident senior fellow at the Atlantic Council’s Geoeconomics Center.

Nothing encapsulates China’s economic crisis better than the steep fall in government revenue from “land use” sales. Since peaking in 2021, the country’s booming real estate sector has fallen into a deep depression, with construction grinding to a halt in many cities and falling prices adding to deflationary pressures in the Chinese economy. That has proven devastating to China’s heavily indebted local governments, which have relied on the sale of “land use” rights for much of their operating income. The IMF estimated in 2023 that the debt of local governments and financing vehicles they’ve set up over the years to raise (and spend) money totaled more than 100 trillion yuan ($13.7 trillion). With an estimated fifty million residences sitting empty nationwide, many property developers having defaulted on debts, and local governments unable to pay their bills, Beijing is struggling to sustain economic growth.

—Jeremy Mark is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center.

In 2024, the US Department of the Treasury took the final steps to implement Biden’s Executive Order 14105 to create a targeted Outbound Investment Security Program. During the rulemaking process, Treasury initially estimated that 212 transactions per year could fall within the program’s jurisdiction. The public comment period apparently caused Treasury to raise their estimates to 318 to “account for the likely underrepresentation of potentially relevant transactions,” but the private markets are famously opaque and Treasury went on to concede that “precise data that matches the scope of potential covered transactions is not available.” Treasury’s revised estimate should still only implicate less than 1 percent of deal activity (by deal count, vice value). The question for 2025 is whether this small percentage is an accurate reflection of the program’s impact on US outbound investments and the costs of compliance.

—Jesse Sucher is a nonresident senior fellow at the Atlantic Council’s Economic Statecraft Initiative in the GeoEconomics Center. 

There is nothing like large, unilateral, and across-the-board tariff proposals from the United States to get tongues wagging and economic models churning. The latest tariff proposals from the president-elect are no exception. But maybe more important than the impact of such tariffs is the question of whether the EU should view these tariff proposals as weapons and threats directed against trading partners, or as tools of US domestic policy that result in collateral damage to the EU. Each characterization is credible, but the difference is huge in terms of the direction of transatlantic relations.  And once EU policymakers start to publicly own one narrative or the other, it is hard to go back. 

If the tariff proposals are viewed as weapons and threats, a reasonable EU response—and maybe the only one—is retaliatory tariffs, and to refuse to negotiate “with a gun to our heads” (in well-worn EU parlance). This would likely lead to tit-for-tat retaliation or even a trade war. If, by contrast, the EU views the tariff proposals as tools of US domestic policy that inflict collateral damage on the EU, then a reasonable response is an early bilateral discussion on other ways to achieve US domestic policy objectives, but with less or no collateral damage to the EU. 

Among the policy objectives for these and previous proposed tariffs are: addressing persistent goods trade imbalances, encouraging domestic manufacturing, raising revenue, and protecting against and disincentivizing nonmarket excess capacity. These are policy goals that the EU and other trading partners can understand (and even arguably share), even if they disagree that tariffs are always a good way to achieve them. Indeed, some of these goals—like addressing the challenges posed by nonmarket economies—are better achieved in coordination with like-minded allies, which provides a clear opening and opportunity for collaboration.  

The current moment is ripe for early US-EU engagement on achieving the United States’ policy objectives while minimizing collateral tariff damage (including to the US economy itself). Engagement could, indeed, drive the percentage numbers in the header above closer to zero, at least for the EU.

––L. Dan Mullaney is a nonresident senior fellow with the Atlantic Council’s Europe Center and GeoEconomics Center.

That’s the amount of money generated by pulling forward future interest earnings on Russia’s blocked sovereign assets. For nearly three years, the G7 debated how to handle the $300 billion in Russian foreign exchange reserves being held in Western central banks. While some advocated for a total seizure of the full amount, others worried about the legality of such a move and the backlash it would create across the Global South. 

So the G7 reached a game-changing compromise. Creatively, and drawing in part on Atlantic Council GeoEconomics Center research (see our simple annuity formula below), the G7 calculated the interest these assets would earn over the next twenty years and deliver that total—$50 billion—to Ukraine in this calendar year. When you consider that Ukraine’s total budget in 2023 was around $80 billion, you understand that this solution is more than just a temporary fix—it’s a surge of resources delivered at a critical moment. And the number also represents what can happen when allies work together and think outside the box during an unprecedented situation.

––Josh Lipsky is the senior director of the Atlantic Council’s GeoEconomics Center.

Digital ID presents massive opportunities for governments and the private sector to interact with people more efficiently; well-known examples include India’s Aadhar system and Estonia’s e-ID. As governments digitize services and interfaces with constituents, digital ID is expected to play a significant role in resource allocation, access control, and data collection. At the same time, digital ID poses a number of challenges. Prior research (including from me and my colleagues at Carnegie Mellon University) has shown that ID requirements can pose significant barriers—particularly to marginalized populations—due to procedural challenges and/or limited resources for onboarding, identity-proofing, and authenticating individuals. Another prominent challenge is privacy and security. Digital ID systems typically collect and process sensitive data such as biometrics; ensuring proper privacy and security protections for this data is far from trivial. Moreover, not all countries with digital ID systems even have data protection laws in place—or the means to enforce them. 

As governments around the world increasingly embrace digitization and adopt digital ID, they will face a challenging balancing act between providing useful, usable services while also providing safeguards against many potential pitfalls that can have disastrous outcomes for constituents.

—Giulia Fanti is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center and an Angel Jordan associate professor of electrical and computer engineering at Carnegie Mellon University.

Through May of 2024, Russia supplied approximately 35 percent of US imports for nuclear fuel. Biden imposed a ban on the importation of uranium products from Russia, which went into effect in August. This was a significant move for the US energy sector transitioning away from resources that had been a critical part of the US nuclear energy regime. It’s important to note that a waiver process exists to allow some importation of enriched uranium to continue for a limited time. 

This very narrow resource that continued to be purchased from Russia by a country that had imposed crippling sanctions on the Russian economy is an important reminder that Russia was still very much part of global supply chains this year. 

—Daniel Tannebaum is a partner at Oliver Wyman, where he leads the Global Anti-Financial Crime Practice, and a nonresident senior fellow within the Atlantic Council’s GeoEconomics Center.

In October, the Associated Press reported that Microsoft and Google would invest in small nuclear reactors to support “surging demand [for carbon-free electricity] from data centers and artificial intelligence.” Amazon also announced plans to invest in small nuclear reactors as dedicated sources of zero-carbon energy to support its data centers and server infrastructure.

These investments occur as technological innovation sparks sharp increases in demand for electricity, as seen in data released by the US Energy Information Administration.

Goldman Sachs research this year estimates that AI alone will generate a more than 160 percent surge in demand by 2030 for electric power to cool data centers and maintain operational integrity for the physical servers that support cloud-based AI computing.  

The share of demand for electricity by US data centers is expected to double by 2030, although it will still remain in the single digits relative to other sources of demand.

For decades, energy and national security have had a high degree of overlap with geopolitics due to the unique role that fossil fuels play in the global economy. One consequence of Russia’s aggression in Ukraine since 2014 has been to incentivize the rapid adoption of clean energy in order to minimize geoeconomic vulnerabilities associated with imported fossil fuel energy. 

Many will celebrate the proactive shift toward renewable and nuclear energy by the three largest technology companies on Earth. But the shift will also create national security issues among three critical infrastructures: the electricity grid, nuclear energy, and AI/data centers. Local, renewable, zero-emission energy will transform and potentially complicate the interplay between national security policy, energy policy, and AI policy.

—Barbara C. Matthews is the CEO of BCMstrategy, Inc., a company that generates AI training data from the language of public policy. When in government, she was the first US Treasury Department attaché to the EU and, prior to that, senior counsel to the House Financial Services Committee. She is a nonresident senior fellow with the Atlantic Council’s GeoEconomics Center.

The post By the numbers: The global economy in 2024 appeared first on Atlantic Council.

Recognizing this rapid progress as well as the tremendous potential, policymakers in the three countries are rightly betting on the promise of their technology sectors to play key roles in economic growth, job creation, and overall social good. As policymakers are aware, developing vibrant and innovative technology sectors is even more urgent given the ongoing transition worldwide from labor-intensive economies to more knowledge-intensive ones. This trend is accelerating because of recent technological breakthroughs, including in automation and robotics, big data, and generative artificial intelligence (AI).

Policymakers are also rightly prioritizing greater data regulation, for reasons that range from combating misinformation to safeguarding national security and sovereignty. These priorities—including economic, social, and security—involve complex trade-offs.

To be sure, none of these trade-offs and complexities are unique to these three South Asian countries. Governments across the world are navigating similar issues, made even more challenging by the rapid pace of technological progress.

Recognizing the importance and complexity of this topic, the Atlantic Council’s South Asia Center embarked in 2023 on a study of the state of data protection regulations in Bangladesh, India, and Pakistan. The project resulted in three issue briefs—one each for the three countries—that were published from March through May 2023 and provided an overview of the regulatory landscape, the underlying politics, and watchpoints. This paper represents the capstone of the project.

The subsequent sections of this paper provide summaries of the three issue briefs. A snapshot of the main reasons why data protection regulation matters is presented below.

1. Economic: A broad range of sectors and companies stand to gain substantially from well-designed data protection regulations, and to thereby enable countries’ economic objectives that include growth, job creation, foreign direct investment, and foreign exchange reserves. Small and medium-size enterprises stand to gain substantially from opportunities in e-commerce and gig economies. Conversely, they are more likely than large firms to be hurt by digital trade restrictions. Good data protection regulations support the growth of innovative sectors such as those in AI, blockchain, biotech, robotics, 3D printing, electric vehicles, and other technologies of the 21st century. Digital trade regulations can enable or curtail the growth of services such as IT, financial, and business consulting.
2. Social: Data protection regulations affect social development objectives, such as privacy, the growth and effectiveness of democracies, and the efficient delivery of essential social services, such as health care, education, and benefits. Achieving these social objectives involves careful navigation of trade-offs in data regulations, for instance, between the goal of protecting free speech and the goal of minimizing hate speech and misinformation.

Join the South Asia Center mailing list

The South Asia Center serves as the Atlantic Council’s focal point for work on greater South Asia as well as its relations between these countries, the neighboring regions, Europe, and the United States.

• Name
  First Last
• Email
• 
  
  
• Comments
  This field is for validation purposes and should be left unchanged.

Bangladesh

The South Asia Center’s issue brief on Bangladesh, “Bangladesh’s Draft Data Protection Act,” authored by Stephen Weymouth in March 2023, focused on the potential implications of new restrictions on cross-border data flows and data localization requirements. The brief tracked the recent history of efforts by the Bangladesh government to promote digitalization of the economy while seeking to curb threats to data privacy and to protect personal data. 

The Digital Bangladesh initiative, launched in 2009, sought to build a national digital infrastructure that could connect Bangladesh to the larger global economy, position it as a regional commercial hub, and spur more access for its citizens to digital services. The initiative was generally seen as successful in providing the digital underpinnings for an economy that saw enormous growth in the decade that followed. The Digital Security Act of 2018 and its successor, the Cyber Security Act, however, raised questions about the increased role of Bangladesh enforcement bodies in governing the digital activities of its citizens.

The draft Data Protection Act of 2022 caused concerns among many stakeholders over the risk of some of the proposed provisions undermining the vision and ambitions of the Digital Bangladesh initiative. Some of the proposed measures were seen as being counterproductive by constraining the required range of digital services and increasing regulatory uncertainties and costs. The concerns of stakeholders included aspects such as the draft act’s requirement that sensitive data, user-generated data, and classified data be stored on servers located in Bangladesh and the draft act’s proposed restrictions on the transfer of personal data outside Bangladesh. 

More recently, there have been encouraging signs that the Bangladesh government is noting some of the inputs received about the Data Protection Act. The latest version, issued in January 2024, took an important step forward in narrowing the scope to “personal data” rather than the more general “data.” Stakeholders in the United States and elsewhere have welcomed this improvement and expressed hope that this trend toward less restrictive treatment of data flows will continue as Bangladesh finalizes and enacts the legislation.

Concerns remain, however, about some aspects of the latest draft act. For instance, the three-year transition period that was included in a March 2023 draft has been deleted, even though it would have enabled stakeholders to fully understand and properly implement new data flow restrictions. Additionally, the conditions for transfer of data that is not “classified” outside Bangladesh are not clear in the draft and could create new legal uncertainties for data fiduciaries. The draft could also benefit from greater discussion and clarity about proposed measures involving extraterritorial application, disclosure of protected data to government authorities, and the practicality of parental consent and age verification.

Bangladesh is at a turning point, with significant potential to build on its remarkable socioeconomic progress and diversifying beyond dependence on the garments sector. If Bangladesh strikes a productive balance between policies that would bolster its vibrant growth and those that enable government oversight, the country will be on a fast track to unlocking its immense potential.

To note, the ongoing political crisis in Bangladesh has added new uncertainties to policy making, including the digital landscape.

India

Stephen Weymouth also authored the South Asia Center’s issue brief on India, “India’s Personal Data Protection Act and the Politics of Digital Governance,” in May 2023. The brief highlighted the role of digital trade in India’s continuing economic growth and the recent efforts of the Indian government under the Narendra Modi administration to bring some regulatory order to the country’s burgeoning digital marketplace. The brief provided a summary of the wide-ranging legislation in the works at that time, including the Digital Personal Data Protection Bill, the Digital India Bill, and the Telecommunications Bill. 

Since then, the government succeeded in passing two pieces of legislation: the Digital Personal Data Protection Act (DPDP Act) and the Telecommunications Act. The government’s vision going forward involves a comprehensive regulatory framework to govern digital commerce and trade. Its legislative agenda therefore includes other rules and draft bills such as the Information Technology Rules, the draft Digital Competition Bill, and the draft National E-Commerce Policy. It remains to be seen how this agenda is advanced through the many relevant ministries. 

Reactions to all this activity have been mixed. For example, on the US-India bilateral front, the joint statement on the Trade Policy Forum, convened by Minister of Commerce and Industry Piyush Goyal and US Trade Representative Katherine Tai on January 12, 2024, noted that Ambassador Tai “appreciated India’s extensive consultations and noted that India’s approach of enhancing data protection, privacy and security while enabling connectivity will support further expansion of the bilateral digital trade.” To this point, an important and welcome amendment to the final DPDP Act was a shift from data localization—a prospect in earlier drafts that had caused widespread concern—toward permitting data flows from trusted geographies. However, while the DPDP Act signals a moving away from express data localization mandates, it does not specify to which countries data may be transferred nor does it list the criteria for trusted geographies.

The Modi administration is preparing for a third term in power following India’s national elections, conducted from April 19 to June 4. Despite Prime Minister Modi’s party falling short of a majority in parliament and now leading a coalition government, the administration’s likely focus will remain on preparing India to be the third-largest economy in the world by the end of the decade and to be a compelling pole in an increasingly multipolar world. The global marketing of data public infrastructure, as witnessed during India’s G20 presidency, is a manifestation of this.

To enable the administration’s vision for India’s growth and global stature, the government needs to promote foreign investment in both goods and services production. At the same time, the government is sensitive to concerns in key electoral constituencies about the threat of foreign competition. The government has also sought to regulate social media content with measures that have been criticized by some as authoritarian and intended to control the political narrative but supported by others as necessary to prevent the spread of misinformation and to ensure public order.

The Modi administration has demonstrated admirable ability to advance a socioeconomic agenda by navigating these trade-offs and to take into account inputs from a range of stakeholders. The administration should continue to show its readiness to listen to many different voices through opportunities for consultation and stakeholder engagement. Doing so will help continue putting in place a regulatory environment that balances complex trade-offs and lays the groundwork for India’s continued rise in the coming decades.

Pakistan

In his April 2023 issue brief, “Pakistan’s Data-Protection Landscape in 2023,” Uzair Younus highlighted that the Pakistan government risks curtailing the development of its digital economy if its legislation on data protection increases regulatory uncertainties and costs. Such legislation may discourage foreign investment and impede development of a facilitative ecosystem for local start-ups as well as other domestic and multinational investors. Per Younus,¹ this would be a self-inflicted wound, given the impressive growth of Pakistan’s technology sector from USD 1 billion in fiscal year 2018 to around USD 2.6 billion in 2023.

The Prevention of Electronic Crimes Act (PECA) of 2016 was among the first pieces of data regulation in Pakistan. The act involves many measures that are stated as being intended for public order and to prevent misinformation, which are important goals. However, the act is also counterproductive to building a strong, globally competitive digital economy. PECA increases uncertainties and costs of doing business, for instance, providing unclear levels of authority to the Pakistan Telecommunication Authority to control content on social media. Although a range of private sector and civil society stakeholders within and outside Pakistan have advocated against continuing this approach, the measures remain in place and appear likely to be reinforced with new legislation on data protection. 

Since 2020, the Ministry of Information Technology and Telecommunication has been working on data protection legislation that involves potential features that could negatively affect growth and homegrown innovation in digital services. These features include data localization requirements, many controls on data flows, low autonomy of data regulatory authorities, and insufficient opportunities for checks and feedback on enforcement. These concerns were discussed in bilateral US-Pakistan trade dialogues, as reflected in the joint statement on the ninth meeting of the Trade and Investment Framework Agreement Council in February 2023. 

While admittedly operating in challenging circumstances, Pakistan’s government—newly formed after elections in February—could consider slowing the pace of new data regulations and prioritizing additional rounds of inputs and consultations on existing and proposed legislation. The government could even seize the opportunity to reset and refresh the regulatory agenda by considering changes to the Data Protection Act approved by the cabinet. Additional engagements with key stakeholders both in the private sector and civil society groups would enable the new government to revise the act to better balance the goals of protecting data privacy, preventing misinformation, and promoting a robust digital economy.

Pakistan’s technology sector holds tremendous promise for the country’s future, even more so amid the ongoing economic stasis. The sector can play a key role in Pakistan’s economic recovery and in fully realizing the country’s economic potential. The Pakistan government should safeguard and catalyze the sector through any means in its tool kit. A well-designed regulatory framework could be a core component of that tool kit.

Conclusion

With their large, youthful, and highly digitized and connected populations, Bangladesh, India, and Pakistan have immense potential as emerging economies, vibrant demographies, and key players in a multipolar world. Admittedly, each country is in a different state of development in terms of economic growth, economic diversification, digitization, integration into global trade and value chains, democratic parameters, and social services, among others.

The differences in context notwithstanding, all three countries stand to benefit economically and socially from well-designed data protection regulations. For instance, suitable regulatory frameworks could enable each country to supercharge growth of its technology sector and enable it to capitalize on opportunities through greater digital linkages and trade with large markets such as the United States and the European Union. Conversely, each country’s immense potential risks being negatively affected by limitations in its regulatory frameworks in areas such as extraterritorial scope and governance of personal data sharing with governments.

In this context, the Atlantic Council’s project resulted in the following main observations and recommendations to policymakers and other stakeholders in the three countries.

• Bangladesh: Bangladesh’s most recent draft of the Personal Data Protection Act, 2024, contained measures that were welcomed by stakeholders, such as the narrowing of the act’s scope to personal data. The government could continue to refine the draft based on consultations, including, for instance, to permit an appropriate transition period. The government could also continue to remain open to inputs from key stakeholders for future data protection legislation. However, recent developments in Bangladesh’s political climate have brought new uncertainties to the trajectory of policy making in the country.
• India: India’s consultative and iterative approach with the DPDP Act was welcomed by many, as were some of the main updates incorporated into the final act. Industry, civil society, and other stakeholders would welcome a similarly consultative and iterative approach toward ongoing and future data regulations, including the work-in-progress draft E-Commerce Policy.
• Pakistan: Pakistan’s new government could consider slowing down the pace of data protection legislation and could prioritize inputs and consultations with key stakeholders from the private sector and civil society. In addition, the government could seize the opportunity to review and refresh the latest version of the Personal Data Protection Act and welcome inputs from stakeholders to that end.

More broadly, all three governments—and governments across the world—could choose to adopt more nimble and flexible approaches to policymaking in this complex and rapidly evolving context. A “regulatory sandbox” approach, while undoubtedly complex politically and administratively, could enable policymakers to learn, adapt, and customize regulations over time.

Mark Linscott is a nonresident senior fellow with the Atlantic Council’s South Asia Center. Prior to joining the Atlantic Council, Linscott was the assistant US trade representative (USTR) for South and Central Asian Affairs.

Gopal Nadadur is a nonresident senior fellow at the Atlantic Council’s South Asia Center and is also vice president for South Asia at The Asia Group.

Issue Brief Mar 8, 2023

Inside Bangladesh’s new data protection laws

By Stephen Weymouth

The 2022 Draft Data Protection Act (DPA), which establishes new restrictions related to the processing, storage, and transfer of data, appears to move Bangladesh’s digital governance in a different direction.

Bangladesh Digital Policy

Issue Brief Apr 17, 2023

Pakistan’s rapidly digitizing society requires clear policymaking

By Uzair Younus

This issue brief provides recommended steps that policymakers in Pakistan ought to take to address key concerns around free expression on the internet, and to generate momentum to catalyze higher levels of growth in Pakistan’s technology ecosystem.

Digital Policy Economy & Business

The South Asia Center is the hub for the Atlantic Council’s analysis of the political, social, geographical, and cultural diversity of the region. ​At the intersection of South Asia and its geopolitics, SAC cultivates dialogue to shape policy and forge ties between the region and the global community.

Learn more

The post Mapping South Asia’s digital landscape appeared first on Atlantic Council.

The post Kumar cited in “Smart Money: How digital currencies will win the new Cold War – and why the West needs to act now” appeared first on Atlantic Council.

The post Kumar and Lipsky cited in”The Geoeconomics of Money in the Digital Age” appeared first on Atlantic Council.

In contrast, low- and middle-income countries of the Global South have built novel indigenous systems with new technologies and best practices, leapfrogging the Global North’s digital government systems. Models such as India’s highlight DPI’s potential as a tool for financial inclusion and economic development. Because of its initial success, DPI has gained traction as other Global South countries embark on their own DPI projects or adopt technology from counterparts such as India and Brazil, which offer open-architecture access. In contrast to some legacy systems, these new digital goods aim to employ open standards and protocols, be interoperable and non-excludable, use federated architecture, engage privacy by design, and offer the digital equivalent of physical infrastructure in providing access to each country’s overall digital economy. In building these sui generis digital systems, Global South countries are rethinking how to balance public and private-sector involvement, regulations for interoperability, the appropriate role and limits of markets, how to create trust in institutions, and how to build consequentially inclusive digital government goods and services.

Two key recent events have accelerated the interest in digital public infrastructure: the COVID-19 pandemic and India’s presidency of the Group of Twenty (G20) Summit. The COVID-19 pandemic exposed vulnerabilities and the urgent need for scalable, digital services, accelerating countries’ investments in offering goods and services digitally.
¹ India’s leadership at the G20 further galvanized this movement, positioning DPI as a crucial global conversation. International and multilateral groups from the Group of Seven (G7), the Quad, and now the United Nations (UN) Global Digital Compact have all been working to address and define DPI.
² The European Parliament is now holding conferences on a “Euro Stack” as it explores new ways to assert digital sovereignty and create equitable access to the digital economy.³

In the context of these developments, the Atlantic Council’s South Asia Center assembled working groups to research and discuss the definition of digital public infrastructure, what makes it “new,” learnings from historical examples, and key questions going forward. These working groups comprised digital government, trade, innovation, payments, foreign policy, industrial policy, and internet experts. They kindly shared their time and insights in a series of meetings and panels. The working groups also conducted structured interviews with DPI experts around the world. We graciously thank all participants and commentators for their openness and time given to the project. 

This issue brief establishes the background of DPI development, discusses existing examples of DPI, and provides the policy recommendations essential for the next stage of DPI exploration, implementation and deployment. This brief is followed by two papers on cybersecurity and financial inclusion, addressing the fundamental issues affecting the development of DPI.

DPI: Scope and definition    

The nomenclature “digital public infrastructure” is a new entrant in the government technology literature, but projects bearing elements of what we now consider DPI have existed for decades.⁴ As technologies have changed, so have the definitions of what is public and what is infrastructure.⁵ Although often credited to the Nobel Prize-winning economist Paul Samuelson, the concept of public goods extends back to John Stuart Mill, Italian writer Ugo Mazzola, and Swedish economist Knut Wicksell.⁶ Samuelson extended this definition to include non-rivalry (i.e., one person’s use of a good does not diminish another person’s use) and non-excludability (i.e., everyone has equal access to that good, such as air).⁷ Digital public goods (DPGs) are open-source software packages meant for governments to build digital tools that broadly fit these two criteria. ⁸ Not all DPI projects use DPGs, and using open-source software is neither necessary nor sufficient for a government DPI project to be truly open protocol, transparent, interoperable, and reusable, as many definitions of DPI require. The definition of DPI remains a topic of a vibrant and ongoing debate. For the purposes of this paper, we use the Global DPI Repository definition: “interoperable, open, and inclusive systems supported by technology to provide essential, society-wide public and private services.”

What is new about DPI?

DPI assumes that citizens have a right to access basic features of a country’s digital economy. These features typically include identification, civil registration and vital statistics, payments, and data exchange. Proponents of DPI argue that markets have not, or have not properly, provided these products and services to all members of the digital economy. Therefore, they argue, the government should step in to provide these basic goods and services in ways that allow societal reach.

The DPI movement asks what the role of the state should be in the digital economy. Has the private sector failed in delivering goods and services to the world’s poorest and most underserved?

Government involvement in payments systems provides the clearest example of digital domains historically run by the private sector, but there are also emerging attempts to deploy DPI models for open commerce, ride hailing, and even decentralized compute.

India stack

India’s leadership of the 2023 G20 catapulted the conversation about these digital government offerings to the international stage. The New Delhi Leaders’ Declaration defined DPI as “a set of shared digital systems that are secure and interoperable, built on open technologies, to deliver equitable access to public and/or private services at a societal scale.”⁹ Over the past decade, India has digitally and financially included millions of people and built a system of digital goods around a core group of IDs, payments, and data exchange. This set of government-led digital products, known as India Stack, enables access to the Indian domestic digital economy.¹⁰

As a result, India is often seen as the model for DPI implementation due to the successful launches of its Aadhaar digital identity platform, Unified Payments Interface (UPI) instant payments system, and civil registration services. Its ability to scale DPI is attributed to its large population, technological expertise, low mobile data costs, and supportive political and economic conditions.

For New Delhi, the development of the stack has been a project for more than a decade. In 2010, the Indian government launched Aadhaar, a biometric digital identity system. Enrollment centers across the country collected face and retina scans, fingerprints, and demographic data. The government of India has tied a variety of government benefits and account setups to Aadhaar, such as setting up a bank account. Although legally optional, having an Aadhaar card remains imperative for access to the digital economy in India.¹¹ In less than a decade, more than 1.3 billion people, nearly 90 percent of the population, have joined Aadhaar.

Digital payments form the second layer in the stack. The Central Bank’s Pradhan Mantri Jan Dhan Yojana (PMJDY), a project to bring a bank account to all Indian households, opened accounts for 166 million people in its first year. This grew to 510 million by the end of 2023, according to India’s Ministry of Finance. This allowed the introduction of the UPI, a new layer of the retail payments systems that allowed banks to exchange messages with each other and with non-bank firms, capitalizing on the financial technology (fintech) innovators that had developed tools to cheaply and easily store and transfer funds.¹²

Anyone with access to the system—including consumers and small merchants who previously found it difficult to make and receive payments—could now send or receive payments for goods and services through a digital app. A crucial feature of this system was its intra-system interoperability; users were able to transact with all actors on the UPI rails. The government accomplished this interoperability by establishing a single application programming interface (API)-based rail along which all payments providers had to transact.

Data verification and consented exchange represent the third layer of the stack. The Data Empowerment and Protection Architecture, launched in 2020, aims to facilitate the seamless and consent-based exchange of personal data. An Account Aggregator framework aims to enable atomized control over one’s personal data, whereby each individual user can track and consent to different digital actors accessing said data.¹³

India Stack has experienced several challenges and controversies since its rollout. The growth of account ownership hit a lull with the pandemic, even declining slightly from 80 to 78 percent by 2021. Some doubts have also been raised regarding the universal utility of the accounts, as India has one of the world’s highest percentages of inactive accounts. Additionally, several high-profile data breaches have raised concerns about the security of the Aadhaar system.¹⁴ Experts have flagged the potential security risks of centralizing such large quantities of identity information and the possibility that saved fingerprints could be used improperly.¹⁵ Others have worried that governments could use such large databases as tools to track and surveil citizens.¹⁶

Brazil’s digital payments system

Brazil’s new payment system, Pix, is another example of a DPI. Launched in November 2020 by the Central Bank of Brazil (BCB), the Pix electronic payment system aimed to reduce reliance on cash, increase financial inclusion, strengthen competition, and reduce the cost and ease the acceptance for merchants. Several features have ensured the success of Pix. First, the BCB made participation by banks and payments providers mandatory, allowing peer-to-peer usage to increase over time. Second, Pix payments settle in three seconds on average, faster than credit or debit cards.¹⁷ Third, the BCB set zero-fee transaction costs for individuals, with a cost to the merchant of 0.33 percent of the transaction amount. These dynamics led the largest banks operating in Brazil to work together to develop the network in a way that mandated interoperability. The BCB also established a Pix Forum, in which users and stakeholders can have a dialogue through its implementation cycle.¹⁸

Pix has had impressive results since its rollout. In its first two years, 140 million Brazilians—nearly 80 percent of the adult population—used Pix. By the end of 2022, more than 3 billion transactions took place on Pix per month, five times more than credit and debit cards. The head of Brazil’s central bank, Roberto Campos Neto, famously declared that the Pix system would result in “credit cards ceasing to exist at some point soon.”¹⁹ Pix has led to the growth of non-bank payments fintechs and a decrease in the price of payments.²⁰

In terms of its governance, Pix is more centralized than India Stack. The BCB both owns and operates the payment scheme, as well as the user address database that contains user identification. The BCB is also the regulator for the overall payments system and, thus, the regulator for Pix. The central bank has added several features to Pix since its inception, including payment scheduling, access to third-party payment providers, and the ability to withdraw cash from automated teller machines. Pix has also been the subject of controversy. As volumes and online account ownership have increased, so have instances of cybercrime and fraud.²¹

Estonia’s digital highway: The X-Road

More than half of the Estonian population voted in the 2023 election from their home computers. Estonia’s digitized government system—which allows access to government services, e-health records, and secure digital identity—made this feat possible.

Estonia’s DPI project began in the 1990s with a decision to rebuild the country’s economy on a digital basis. Through the so-called “Tiigerhüpe,” or tiger leap program, the government used public-private partnerships to invest in network infrastructure to modernize Estonia’s post-Soviet infrastructure, including providing internet to all Estonian schools and government agencies. An electronic identification (e-ID) program followed suit. The electronic governance platform also includes digital voting, an e-file system for access to the judicial system, and the government cloud, which, through partnerships with private companies, has put 99 percent of public services online.

The X-Road system represents the key infrastructure behind Estonia’s digital government. A secure data-exchange platform that connects more than 450 public and private-sector organizations, X-Road enables more than three thousand digital services. The Nordic Institute for Interoperability Solutions—a nonprofit organization created by the governments of Estonia, Iceland, and Finland—now manages the X-Road platform and its international adoption projects. More than twenty countries have adapted or plan to adapt the X-Road program through open-source access. 

Working with the private sector proved essential for the success of the Estonian experiment. While the government ideated the digital ID card early in the 1990s, the first digital IDs were “only good for scratching the ice off the windshield of a car,” according to one of their developers.²² Working with banks to improve the user experience and creating incentives to use the cards proved essential to the system’s ultimate success.²³

In contrast to the payment systems in Brazil or India, X-Road has no single point of failure. X-Road’s peer-to-peer architecture is focused primarily on resiliency.²⁴ Because X-Road allows Estonia’s public agencies to share data securely with each other, every ministry manages access to its own database, which ensures data are not stored in a common pool that could become a single point of failure.

As with India and Brazil, Estonia has faced cyber threats to its DPI system. In 2007, the country faced a weeks-long attack by cyber criminals in which all government services were taken down. This led Estonia to develop a data embassy, which created a backup of critical data and services stored in a remote location.²⁵

The role of payment systems in DPI

India, Brazil, and Estonia offer distinct yet instructive models for implementing DPI. Their unique experiences reflect the different regulatory, technological, and governance choices that countries can make. India’s society-level approach, Brazil’s emphasis on speed and accessibility, and Estonia’s integration of security and privacy into digital services each provide lessons for how digital infrastructure can be developed to meet local needs. The recurring challenges of cybersecurity and privacy standards across these examples illustrate the need for secure and resilient digital architecture. These examples set the stage for a deeper exploration of a key component of DPI: payment systems.

Why study payments?

The term “payments” means moving value between actors across businesses, consumers, and governments. It is the process or service of exchanging units of value and was historically led by the private sector (e.g., by banks or merchants). Money is a discrete unit of value and governments historically play the role of enforcing that it has been spent only once at a time. Moving value digitally incurs transaction costs.²⁶ Someone must facilitate, clear, settle, and assume risk in the movement of that value from one account to another. Running a cash-based system also incurs costs to both the operator and the users of cash.²⁷ The advent of government-offered payment rails, such as India’s UPI and Brazil’s PIX, has raised new questions about the lines between the state and its citizens, the definition of “public” in public goods, and the long-term direction of financial exchange in the digital economy.²⁸

Types of DPI payments systems

For the purposes of this brief, we identified four major types of DPI payments systems. These different forms come from the different payment instruments they support and the participants among which they can transact payment instruments.

All the below DPI payments systems involve actors moving value between them and either charging to do so (via interchange) or being funded by some other mechanism (e.g., government funding/subsidies or value-add services such as telecommunications subscription services). Each of these methods is either:

• a low-cost system linking a handful of banks or other institutions to do account-to-account (A2A) payments;
• government-led facilitation like public rails (e.g., UPI or a central bank digital currency (CBDC)); or
• involving entities that do not directly monetize the payment flow itself because they monetize another aspect of customer interaction (e.g., M-PESA).

In each of these examples, either government funding plays a role in facilitating the transaction or retail banks cover the cost and the issuing bank charges for the service. In all, some alternate source of funding (whether government subsidy or cross-subsidy) maintains the rails.

Cross-domain payment systems

The first payments system is the interoperable, or cross-domain, system. Cross-domain systems allow all accredited financial actors to transact payment instruments in near real time and on equal or progressive cost footing. They ideally allow for all-to-all switching, clearing, and exchange of instruments within one system between banks, microfinance institutions (MFIs), mobile money operators (MMOs), savings and credit cooperatives, and a government’s central bank. Cross-domain payment systems represent the aspirational goal of many DPI programs because they allow the most payments interoperability in an economy.

Bank instant payment systems

A bank instant payment system (IPS) allows for the instant messaging and transaction of payments instruments between member banks. Thus, this system only allows for transactions involving instruments associated with bank accounts (e.g., debit or credit electronic funds transfers). To facilitate instant payments between other parties, those parties would need to partner with a bank that is a member of the bank IPS.

Interoperable mobile money payments systems

Interoperable mobile money operator (I-MMO) payment systems allow for the messaging and transaction of payments instruments between or within mobile operators. These systems typically work in e-money instruments and are often run by the private sector. In contrast to centralized DPI payment systems, these I-MMO payments rely on a series of multilateral and bilateral agreements between MMOs to facilitate the transfer of funds between them. Sometimes the MMOs act as indirect participants in the instant payments system via a bank that is a direct participant in the settlement infrastructure (e.g., PesaLink in Kenya). Note that this type of interoperable payment system contrasts with closed-loop payment systems such as Venmo, in which a customer can only transact with other in-network participants. The ability of MMOs to move these e-money instruments depends on the legal architecture of the country in which they operate and whether it facilitates such private-to-private exchanges between non-banks.²⁹

Central bank digital currencies

Retail CBDCs are a way for governments to issue fiat as digital legal tender. The advent of blockchain and cryptocurrencies has increased interest in CBDCs as this kind of ledgered cryptography can increase the security of storing fiat digitally. CBDCs can be seen as a type of instant payments DPI. Both retail CBDCs and traditional DPI payments software systems can use cryptography and APIs to ensure security and accessibility. Because they both reduce transaction costs, they can enable the creation of private-sector entrants and increased competition. In contrast to other digital payments systems, CBDCs represent a claim on the central bank, not on the intermediaries.

Cross-border DPI systems

In a regional DPI system, various countries group together to allow for instant payments transactions across borders and, sometimes, between different currencies. In the case of regional DPI payments, clearing either occurs through an agreed-upon central bank or through a third-party hub. Each participant (MMOs, MFIs, commercial banks) connects to the hub either directly or through a national switch.

For example, two of the three regional IPS in Africa—Pan-African Payment and Settlement System (PAPSS) and Groupement Interbancaire Monétique de l’Afrique Centrale (GIMACPAY)—use hub arrangements, while Transactions Cleared on an Immediate Basis (TCIB) follows a hub-switch arrangement.

The public-private divide

As some countries look to use open-source software to build indigenous payments systems, they must make sure to use the correct tools to scale, meet their goals, and continue to innovate as consumer needs change. However, the political systems and civil society underpinning software design and implementation arguably play a larger role in determining that DPI system’s success than the technology itself. This working group emphasizes that a diversity of institutions and balanced trade-offs can create long-term sustainable payments systems that both include and serve their end customers.

Working group policy recommendations

Governance

While financial inclusion remains important, sound internal governance and oversight of DPI projects are paramount for their long-term success.³⁰ Governance will determine the success of DPI projects in serving all communities and replicating success globally. The working group members with experience studying industrial policy and trade protection raised questions about the role of the central bank and its mandate in a particular jurisdiction, and how to resolve potential conflicts of interest when governments act as both regulator and operator. The group felt that governance should be designed to enhance public-private collaboration to encourage competition and innovation, as well as to safeguard against government favoring specific technologies (that is, technology neutrality) and to prevent crowding out of private-sector solutions.

Cost

As excellent research from the World Bank’s Project FASTT group shows, cash-based systems also incur costs (on cash providers as well as users). It is, therefore, essential that governments and private-sector players are aware of the costs of upgrading and digitization, as well as the costs of opting out of these efforts. Research on pricing, interchange, and consumer elasticity in financial products can help illuminate the conversation on free or low-cost, instant, push-payments systems.

To ensure the success of DPI, particularly in the realm of financial inclusion, it is essential to enable digital readiness by investing in key infrastructure like internet access and cellular networks while also rigorously evaluating a country’s preparedness for digital transformation. This digital readiness should be complemented by strong privacy and cybersecurity frameworks that ensure user trust, safety, and resilience. By implementing internationally recognized standards for data privacy and cybersecurity (such as the National Institute of Standards and Technology or International Organization for Standardization frameworks), countries can safeguard user data, promote transparency, and ensure that financial inclusion efforts are secure, inclusive, and sustainable for the long term.

Design for users

DPI should be inclusive, affordable, and able to address digital divides. It should prioritize users and their needs like literacy, accessibility, and fraud protection.³¹ Consumer preferences and design should be at the center of DPI improvement, which will require continuous monitoring and evaluation even as these technologies are deployed.

Share data and learnings

Transparency, citizen involvement, and accountability are keys to a successful implementation. Sharing scheme rules and uptake data builds trust and establishes independent progress evaluation. Much of the leading research on DPI and instant payment systems comes from stakeholder interviews and not from public-access websites.³²

In conclusion, the exploration of digital public infrastructure (DPI) across various national models highlights the transformative potential of these systems in addressing key societal needs such as financial inclusion and service delivery. Countries from both the Global North and South are shaping DPI to suit their respective context, with developing nations often trying innovative indigenous systems. As India’s leadership at the G20 and Brazil’s Pix system show, DPI offers a critical tool for digital governance, enabling broad and public and private access to essential services. This working group’s findings underscore the need for continued international collaboration, robust governance, and strong privacy-oriented cybersecurity frameworks to ensure longevity and inclusivity in DPI. Policymakers and stakeholders ought to focus on building resilient, and interoperable systems to fully harness the benefits of DPI.

Authors & working group co-chairs  

• Barbara Kotschwar, Georgetown University  
• Colin Colter, Atlantic Council  

Working group members

• Rob Atkinson, ITIF
• Ravi Shankar Chaturvedi, Tufts University
• Dan Chenok, IBM Center for The Business of Government
• David Eaves, University College London
• Arya Goel, ASG
• Jeff Lande,  The Lande Group & Atlantic Council
• Mark Linscott, Atlantic Council
• Srujan Palkar, Atlantic Council
• Aparna Pande, Hudson Institute
• Anand Raghuraman, Mastercard
• Susan Ritchie
• Kati Suominen, Nextrade Group
• Atman M Trivedi, ASG & Atlantic Council
• Tiffany Wong, ASG

Issue Brief Oct 21, 2024

How digital public infrastructure can support financial inclusion

By Katherine Hadda and Anit Mukherjee

As digital transformation accelerates, Digital Public Infrastructure (DPI) is at the forefront of the global push for financial inclusion. This paper examines how DPI frameworks, particularly those pioneered in India, are bringing financial services to previously underserved populations.

Digital Policy Financial Regulation

Issue Brief Oct 21, 2024

Finding security in digital public infrastructure

By Justin Sherman

As governments worldwide adopt Digital Public Infrastructure (DPI), the need for robust cybersecurity and privacy protections has never been greater. This paper delves into the critical risks and opportunities associated with securing DPI systems. With examples from India, Ukraine, and other nations, it explores how governments are managing data privacy, addressing cyber threats, and building trust in digital services. The paper highlights key considerations for policymakers, including the balance between openness and security, the role of encryption, and the importance of resilience in digital systems. As more nations turn to DPI, ensuring the safety and privacy of citizens’ data is essential to creating sustainable, trustworthy digital infrastructures.

Cybersecurity India

The post Global DPI models: Lessons from India, Brazil, and beyond  appeared first on Atlantic Council.

With digital transformation of economies and societies progressing at an increasingly rapid pace, the global community has recognized the need for clear policies, increased financing, creative innovation, and effective regulation of digital technologies to serve the public good and enhance financial inclusion of underserved populations. Digital public infrastructure, or DPI, brings together these priorities in a holistic framework for countries to adopt and adapt per their own developmental objectives. The Group of Twenty (G20) New Delhi Leaders’ Declaration defines DPI as “a set of shared digital systems that are secure and interoperable, built on open technologies, to deliver equitable access to public and/or private services at a societal scale.”¹ As in the case of India, successful DPI requires a symbiotic and mutually reinforcing relationship between the public and private sectors on public policy, digital assets, and market innovation (Figure 1).

Operationalizing DPI and financial inclusion

DPI spurs innovation for financial inclusion in myriad ways. Most notably, if implemented well, it expands access to digital services for even the most remote consumers and businesses who might otherwise be underserved by incumbent financial-services offerings. New products and services built on top of DPI targeting previously uncovered populations significantly expand the potential consumer base.

For the financial-inclusion benefits of the new digital infrastructure to be fully realized, entrepreneurs and other private-sector innovators must be able to identify large enough market opportunities for various last-mile use cases and be rewarded for the risk they undertake in solving such user challenges. By adopting the right mix of incentives and regulations, countries should be able to attract private-sector investment to fund their exponential growth and reach sustainable scale.

The India model and its global relevance

How India has used DPI to foster financial inclusion    

DPI has been at the heart of India’s digital transformation, and financial inclusion has been at the heart of India’s DPI. While other countries, such as Brazil, have also taken a similar approach, India’s experience stands out for both its scale and scope. By enabling a policy framework that fosters data privacy and empowerment, mandates interoperability, and promotes market participation accompanied by public investment in digital assets, India’s DPI has expanded the market for goods and services. Over the last decade, this approach has transformed and dramatically increased the country’s financial inclusion, also helping India meet its SDG goals.²

India’s DPI framework

Access to financial services has increased globally over the last decade. According to the Global Findex Database 2022, 71 percent of adults in developing economies now have a formal financial account, compared to 42 percent in 2011. The gap in access between men and women in developing economies has fallen from nine percentage points to six percentage points, indicating a closing of the gender gap in financial inclusion.³

Even given this improvement, India’s experience stands out from those of other developing countries largely thanks to its innovative DPI. Nearly 80 percent of all Indian adults (age fifteen and up) had a bank account in 2021, compared to 35 percent in 2011. Two-thirds of the new bank accounts were opened to receive government transfers targeted at the bottom 40 percent of the population, including the rural poor, mainly through the Pradhan Mantri Jan-Dhan Yojana (PM-JDY)—the national mission to provide financial access—from 2014 onward     .

This was followed by the creation of the Unified Payments Interface (UPI), which leveraged Aadhaar, electronic know your customer guidelines, and smartphones—the so-called Jan Dhan– Aadhaar– Mobile (JAM) trinity. India’s UPI is currently the world’s largest instant digital- payments system with a 46- percent share in global transactions volume.⁴ While available to all Indians, UPI-based payment applications are being utilized by previously cash-dependent and vulnerable populations, such as the urban and rural poor.

Beyond the technology stack itself, India’s DPI has benefitted from the country’s enabling environment for digital inclusion. India has one of the lowest costs of mobile access and data transmission globally, at  16 cents on average, largely due to low telecommunications tariffs for mobile internet access as well as widespread fourth-generation (4G) coverage.⁵ India has also implemented policies and programs to promote bank account ownership, such as the PM-JDY and the licensing of payment banks as a special category of banking institutions. While questions remain about the regulation of payments banks, as shown by the Reserve Bank of India’s recent actions against Paytm, the move to license these banks set the precedent for a banking institution focused on both digital and financial inclusion. These factors, among others, have enabled India’s DPI readiness by fostering digital inclusion that could serve as a model for other countries to follow. Of course, for all of its strengths, India’s model of financial inclusion is not necessarily a one-size-fits-all solution and might need to be adapted to better suit countries that do not have both a large population and technological capacity.

Lessons learned from India’s stack    

India’s DPI model has the potential to help other countries in the Global South leapfrog previously necessary steps and systems to create inclusive government services and financial systems. Because these countries lack legacy systems, they can also— to some extent—avoid impediments to technological innovation associated with creating their own DPIs. By leveraging technology and a network approach, efficiency, accuracy, and effectiveness of financial-inclusion programs can be vastly improved, and India can help this process by sharing its DPI technology and expertise.

There are also some lessons to keep in mind about the Indian model. The first is that its degree of centralization is both a positive aspect and an area for caution and improvement. The centralization introduced by Aadhaar and leveraged by other layers of India’s DPI contributed to its efficacy and reach, increasing financial inclusion for many underserved individuals and communities. However, centralization raises questions about data security and the government’s intention with centralizing that much personal data, which may in turn introduce doubts among potential users and inhibit their participation.

Second, ensuring constructive and equitable cooperation between the government and private sector will help promote a healthy competitive ecosystem for DPI. India has experienced challenges in this regard. For instance, on the UPI, the National Payments Corporation of India has sometimes been at odds with foreign investors seen as proponents of privatizing DPI. Given the scale at which India is operating, there is significant space for the private sector, both domestic and foreign, to be included in the DPI ecosystem. For optimum outcomes, the “public” in digital public infrastructure should not mean government dominance or control of infrastructure      but, rather, public ownership and prioritization of the public interest. Developing robust cooperation methods and mechanisms for the public and private sectors will help maximize innovation, regulation, and collective ownership and accountability, enabling high-quality and high-impact DPI.

To enable this ecosystem flywheel, successful DPI should neither prevent nor discourage commercialization in financial services, including in payments, digital savings and credit, fintech infrastructure, and insurance. A healthy DPI ecosystem must encourage both private and public innovation with appropriate fee structures, funding mechanisms, data guardrails, and stable, predictable regulatory frameworks. DPI can accelerate every aspect of financial innovation for local inclusion, especially in markets with less mature financial services industries. Examples can include new neobanks for mobile money, monthly subscriptions for insurance and other key products, supplemental data to encourage better and more affordable underwriting for under-banked populations, and merchant solutions for small businesses with limited digital footprints to grow their businesses. A robust mechanism for ongoing collaboration with the private sector, civil society groups, and technology innovators is also critical for successful, sustainable, and inclusive DPI. Enacted thoughtfully, DPI has the potential to spur an entire new Silicon Valley of financial-services innovation in new geographies to expand what’s possible for financial inclusion.

Balancing regulation and innovation in the DPI ecosystem

There are two additional lessons of India’s financial-inclusion experience that can be built upon as the idea of a DPI-based financial inclusion diffuses globally. The first is that financial inclusion is not the same thing as financial access. Inclusion in this context entails financial stability, security, and trust in the system, which requires specific attention. Second, components of the DPI stack, such as the use of biometric ID for authentication and a digital-first approach to payments, might leave certain vulnerable groups behind, especially the elderly and the rural poor. Efforts to mitigate these adverse effects should be part of the DPI design, not an afterthought.

Policy recommendations    

Financial health and well-being are integral to thriving individuals, communities, institutions, and economies. The current discourse on DPI and financial inclusion has focused on access and usage while disregarding other factors that lead to a financially healthy life, especially in a digital-first environment. These include capacity to interact with the digital ecosystem, building trust and ensuring security, and creating an innovation ecosystem that supports inclusion and well-being. Taking a holistic, outcome-based approach vis-à-vis the role of DPI in the financial ecosystem will enable policymakers to set objectives, provide financing, track outcomes, and monitor progress toward the achievement of the Sustainable Development Goals (SDGs). 

I. Enable and rigorously evaluate digital readiness.  

Countries seeking to develop DPI should invest in enabling factors for digital readiness, including internet access, cellular network coverage, technology governance, and other infrastructure to build a robust foundation for DPI. These are essential to build applications that run on DPI rails, especially financial inclusion and digital payments.

II. Adopt a holistic approach to digital financial inclusion.    

Policymakers should follow an outcome-based and people-first approach to digital financial inclusion. This approach should advance financial inclusion by working toward      measurable outcomes that demonstrate progress and impact— for example, by tracking Global Findex indicators for financial account ownership and usage and linking it to the DPI stacks.

III. Prioritize user centricity and trust.    

Countries following the DPI approach should center the interests and well-being of individual users and their communities to ensure adoption and promote trust in digital financial services, broadly defined. Countries should seek to balance innovation and regulation so that they reinforce each other (Figure 2). A robust mechanism for ongoing collaboration with the private sector, civil society groups, and technology innovators is also critical for a successful, sustainable, inclusive, and trustworthy DPI. Governments can also support and empower innovation hubs to pilot new financial technologies in controlled environments with regulatory support—for example, through sandboxes.

IV. Align public and private-sector incentives.    

Stakeholders should work to align public and private-sector incentives to achieve an optimal balance of innovation and regulation in DPI. Private-sector innovation should be sought, and space should be created for the private sector to experiment. Governments and regulators should focus on the objectives of public interest and data safety by directing the private sector rather than being a lead, solo actor on DPI.  

V. Prioritize sustainability, durability, and literacy.    

Countries should invest in the long-term durability of DPI through investments in digital literacy and capacity. Sustaining DPI in the long run requires a skilled workforce of developers, including fostering of an open-source technology community, to maintain existing and build new infrastructure as countries seek to expand their technology stacks. By developing their own human and technical capacity, countries can ensure ongoing DPI innovation and make it a sovereign pursuit that utilizes their citizens’ expertise and creativity. Moreover, for the end users—particularly in developing countries—many citizens are getting their hands on technology, particularly the internet, for the first time. Digital literacy  is, therefore, a key area for governments to focus on. Digital etiquette and know-how—from simple aspects like how and where to securely store passwords and information to utilizing DPI for day-to-day activities such as bill payments—are best initiated by governments to ensure maximum reach and create a digitally responsible populace.

Working group leaders

• Katherine Hadda, CSIS
• Anit Mukherjee, ORF America

Working Group Members

• Ajay Chhibber, Atlantic Council & George Washington University
• Melissa Frakman, Emphasis Ventures
• Ananya Kumar, Atlantic Council
• Jeff Lande, The Lande Group & Atlantic Council
• Aran Mehta, ASG
• Srujan Palkar, Atlantic Council
• Rakhi Sahay, Access Assist and UNCDF
• Heba Shams , Mastercard
• Atman M Trivedi, ASG & Atlantic Council

This report was made possible in part by the generous support of Mastercard. 

This report is written and published in accordance with the Atlantic Council Policy on Intellectual Independence. The authors are solely responsible for its analysis and recommendations. The Atlantic Council and its donors do not determine, nor do they necessarily endorse or advocate for, any of this report’s conclusions.

Issue Brief Oct 21, 2024

Finding security in digital public infrastructure

By Justin Sherman

As governments worldwide adopt Digital Public Infrastructure (DPI), the need for robust cybersecurity and privacy protections has never been greater. This paper delves into the critical risks and opportunities associated with securing DPI systems. With examples from India, Ukraine, and other nations, it explores how governments are managing data privacy, addressing cyber threats, and building trust in digital services. The paper highlights key considerations for policymakers, including the balance between openness and security, the role of encryption, and the importance of resilience in digital systems. As more nations turn to DPI, ensuring the safety and privacy of citizens’ data is essential to creating sustainable, trustworthy digital infrastructures.

Cybersecurity India

Issue Brief Oct 25, 2024

Global DPI models: Lessons from India, Brazil, and beyond 

By Barbara Kotschwar and Colin Colter

The concept of Digital Public Infrastructure (DPI) is gaining momentum globally, as countries seek to digitize essential services like identification, payments, and civil registration.

Brazil Digital Currencies

The post How digital public infrastructure can support financial inclusion appeared first on Atlantic Council.

Foreword

Can China’s economic system be compared to the world’s largest and most open advanced economies? Four years ago, when we began the China Pathfinder Project, the teams from Rhodium Group and the Atlantic Council GeoEconomics Center set out to answer that question.

In the intervening years, the global economy navigated a pandemic, supply chain shocks, the highest inflation in forty years in the United States, and the return of industrial policy across the Group of Seven and beyond.

That means today’s economic landscape is far different from the one we set out to explore. What began as an effort to create a shared language for understanding China’s economic trajectory—and benchmark its movement toward or away from open market economy norms—has evolved into a project that is trying to understand what it means to be an open market economy in the 2020s.

At the beginning of the project, policymakers and financial leaders in the West still viewed the Chinese economy with cautious optimism. Despite growing tensions between Beijing and Washington during the trade wars of the last decade, China had made modest progress toward market economy norms.

It was an open question whether China would continue that progress. Four years later, we all know the answer. The Chinese economy has shifted away from market norms. But how the movement happened is just as important as the top line.

In nearly every area we have tracked—financial system development, market competition, innovation, trade, and direct and portfolio investment—China’s progress has stalled or, in some cases, backslid. The initial hope that China would adopt more transparent and market-oriented policies has given way to a reality in which systemic state intervention and opaque decision-making continue to dominate.

The lack of clarity around China’s decision-making is now seen as a source of global economic risk. The Chinese Communist Party’s growing role in the economy stifles the private sector’s dynamism and fosters a dangerous environment of uncertainty for investors. The decline of the property sector and the correlated focus on manufacturing have raised alarm bells worldwide about a second China trade shock.

Look more closely at China Pathfinder, and you’ll uncover another layer of the story. Like a scientist who begins with one experiment but discovers in the lab that her antibiotic actually treats another disease, the China Pathfinder Project has revealed unexpected outcomes.

China’s prioritization of national security over economic growth has frozen most reform efforts. But what about the world’s advanced economies? Many have begun pursuing a range of policies based on the concept of economic statecraft, which, in our rankings, move their scores further away from open market norms.

This is the value of a data-driven approach to China’s economy. Instead of trying to calibrate policy based on officials’ statements, or one-off events, our method was to be comprehensive, objective, and focused on long-term trends.

All eyes will be on the US presidential election in the coming weeks. The next administration will develop a range of policies to grapple with China on trade, technology, Taiwan, and more. What kind of economic system will they be dealing with? As you will see in the following pages, China Pathfinder helps tell that story.

What has surprised us the most in this process is how universally translatable the story is. These reports have been used by economists from West Point to Warsaw. Whether in London, Paris, Tokyo, or Beijing, you will find China Pathfinder now referenced in your government’s own economic assessments.

And, so, the answer to the question we set out to explore is clear. Is it possible to compare China’s system to the world’s advanced economies? Yes. And it is necessary work.

We are grateful to the teams at the Atlantic Council and Rhodium Group, whose tireless work and dedication made this project possible. We extend our thanks to the policymakers, business leaders, and academics who engaged with and provided feedback on this research. As we close this chapter of China Pathfinder and look forward to the next evolution of the project, we hope that the lessons from China Pathfinder will continue to help policymakers navigate a rapidly changing global economy.

Josh Lipsky
Senior Director, Atlantic Council GeoEconomics Center

Executive summary

The current cycle of China Pathfinder is coming to a close at a critical time for China’s economy. After delaying major policy moves in 2023, China announced a major slate of reforms at the long-awaited Third Plenum of the Chinese Communist Party in July 2024. It faces enormous challenges: 2023 saw lackluster growth, continued property sector woes, and growing foreign pushback against manufacturing overcapacity and the treatment of foreign firms. China’s reform experience in 2023 and its successes and failures set the stage for the new reforms.

To track Beijing’s reform efforts to date, China Pathfinder compares China’s economic system to those of market economies. Using six components of the market model financial system development, market competition, modern innovation system, trade openness, direct investment openness, and portfolio investment openness—we established a quantitative framework for understanding China’s progress or regression on reform. China’s outsized role in the global economy and the necessity of reform to maintain the country’s growth make this work key to understanding China’s future trajectory.

Key findings

• Compared to its own 2010 baseline, China has improved. In all of the clusters analyzed by China Pathfinder, China has narrowed the gap with the Organisation for Economic Co-operation and Development (OECD). However, further progress has been elusive, and our indicators suggest China has hit limits on convergence with the OECD. This gap will likely remain in the coming years.
• In market competition—especially seen in the presence of state-owned enterprises in the economy, but also more broadly—China is unwilling to make the concessions to the traditional role of the state in its economy necessary to achieve more durable structural reform.
• China’s progress stalled in several areas tracked by China Pathfinder. These include innovation, as China’s fiscal constraints began to have a meaningful impact on its technological and development capacity by some metrics. They also include trade, where security concerns and geopolitics (including uncertainty over data and security rules) weigh on China’s trade openness. Even as China exported more and more in 2023 and became increasingly important for marginal economic growth, services trade has been affected.
• In a narrow sense, China saw some progress in dealing with financial challenges in 2023. Beijing prevented debt emergencies in the property sector and local government financing space from triggering a general financial crisis; the resulting slowdown in credit (and cleanup) was reflected in an improvement of China’s financial system reform score. Its composite cluster score surpassed that of several OECD countries for the first time since 2020. However, such achievements are modest compared to ongoing problems: poor- quality financial intermediation, declining capital productivity, and deviations from market financial regulatory principles.
• Developed market scores continued to decline on average in several categories, including innovation and market competition (marginally). This shows some reform backsliding and a resurgence of industrial policy (and geoeconomic security policy) in the OECD, even as most countries remain well ahead of where they were in 2010.
• There are more data obstacles now to analyzing China’s economy than in 2019, including data lags and delays that hamper study and have a chilling effect on open discussion of economic problems in China. But alternative data—and a rise in frank domestic and international economic commentary—are improving these conditions.

Figure 1: 2023 annual economic benchmarks

Chapter 1: A decade of tracking China’s economic structure

How it started, how it’s going

Years of tracking China’s economic policy evolution make clear that its appetite to converge with liberal market economic norms has reached its limit in several areas. This slowing of progress is a major factor behind the developing bifurcation in global economic systems. It is directly reflected in the rise of de-risking and decoupling efforts in developed economies. Such a shift in systemic direction has deep ramifications for the world, creating challenges for liberal economic hopes and a serious macroeconomic slowdown for the citizens of China. Tracking these systemic dynamics is what China Pathfinder was created to do.

China Pathfinder was undertaken as an Atlantic Council- Rhodium Group partnership in 2021 and will complete its four-year funding cycle in the fall of 2024. China Pathfinder built on a prior program, China Dashboard, produced from 2016 to 2020 by Rhodium Group and Asia Society, tracking China’s progress toward its self-stated economic reform goals. We defined those goals in China’s own terms, as laid out at the Chinese Communist Party’s (CCP’s) Third Plenum meeting of November 2013, and analyzed in great detail in the report Avoiding the Blind Alley: China’s Economic Overhaul and Its Global Implications in 2014.¹ China Dashboard measured China’s policy footprint benchmarked against where it was in 2013 to document whether Beijing was successful at “making the market decisive,” as it had pledged. While reforms were made in earnest from 2013 to 2015, by 2016, we observed a stall. Since 2021, the emphasis on politics over market signals in guiding the economy has been manifest, and not just as a response to the COVID-19 pandemic.

Our goal in benchmarking China against those market   economies—exemplified   by    the    members of the Organisation for Economic Co-operation and Development (OECD)—has always been to take Beijing’s stated policy ambitions at face value and provide an independent voice to validate evidence of marketization and convergence with the norms of market economy status. In addition to its stated commitment to marketization, China’s leaders unambiguously pledged to continually improve the quality of national economic statistics for the benefit of policymaking at home and transparency for researchers, businesses, and the public in China and abroad.

The ability of China Pathfinder to forge consensus on policy adjustment in China was, by design, contingent on accurate and timely official data. Days after Chinese President Xi Jinping issued his Third Plenum reform blueprint in November 2013, his government committed to upgrading China’s statistical accounting system. Since 2021, we have continued to record assurances that that statistical system would be modernized. Official reports are common.² And yet, as of this writing, China is still using a statistical system based on the United Nations System of National Accounts 1993 framework. That is, Beijing is measuring a 2024 economy with a thirty-year-old methodology; OECD nations use the SNA2008 or equivalent and are preparing to upgrade to SNA2025. As research has shown, this has long led to a distorted estimate of economic activity in China, for instance, understating the size of the property bubble and underestimating the value of private sector service activity.³ More recently, unexplained changes to China’s method of counting trade imbalances hid hundreds of billions of dollars of growth in external surpluses during the middle year of our China Pathfinder program. These have often been buried in the appendices of the International Monetary Fund’s (IMF’s) consultations with Chinese officials.⁴

While we hoped for statistical upgrading, we built China Pathfinder to make do with existing data standards. Unfortunately, that turned out to be overly optimistic. Four problems have arisen to frustrate our methodological game plan. First, over the past four years, several data series we’ve relied on have ceased to be available or have undergone significant changes. These include several published by the OECD and the IMF. Second, the time lags of many of the data series have gotten longer. Third, many data that remain available have shown increasing inconsistencies with other evidence or have been revised without explanation. Fourth, as a result of the preceding realities, rather than setting our methodology at the start of this four-year project and applying it consistently throughout (which best practice requires), we have had to scramble for want of basic data, often late in production cycles, to come up with workarounds for missing information. The risk of distortion has risen as we have had to be increasingly creative to fill these data gaps.

Yet, despite challenges, our goal of objective analysis of China’s economy has not wavered. Each year we have noted workarounds and corrections in footnotes and methodological notes. We discuss 2023 updates later in this chapter. We also discuss the next evolution of China Pathfinder in the conclusions of this report.

Four-year conclusions and 2024 annual findings

On net, we believe the insights gleaned through the China Pathfinder Project have justified our methodological approach. Indeed, limitations of our research design as we reach the end of the project’s lifespan are themselves an important takeaway, and the difficulty of accurately assessing China’s progress is, in part, an indication of its status. The developed markets grouping, by definition, can be evaluated on a common statistical basis, and data quality concerns are not generally an issue. The emerging markets world—a much larger set—is frequently characterized by less reliable data and questions about the reliability of statistics. There are wider margins of error around EM performance estimates, and higher risk is attached to dealing with these economies accordingly.

At the start of the China Pathfinder Project just four years ago, there was a broad consensus that China was on the cusp of inclusion in the developed market cohort. Global portfolio indices recommended a growing allocation to China, and most businesspeople believed significant diversification from China—let alone more draconian “decoupling”—was impossible given the logic of continued engagement. In the brief period since then, the world’s largest money managers have asked whether China is “uninvestable.”⁵ Over the life of China Pathfinder, the value of China plus Hong Kong equities has fallen by $5.1 trillion, and the value of property assets has fallen by about $7 trillion. The sum of these losses constitutes almost 70 percent of China’s gross domestic product (GDP).

For our four-year assessment of China’s economic trajectory, we observe that all (six out of six) dimensions of market economy policy norms have seen narrowing gaps with our OECD benchmark since 2010, using our combination of original and replacement indicators. In at least two of these clusters, the change has as much to do with the OECD’s movement downward as China’s improvement. This reflects how the role of the state is now in flux in high-income economies, too, as appetites for industrial policy grow. These score outcomes based on changes in our indicators largely accord with a common-sense diagnosis of what has happened in the world economy, where post-COVID-19-pandemic policies have given way to increasing economic and geoeconomic competition.

The foremost conclusion we take from these results is that the gulf between China’s economic system and those of open market economies, while narrower than in 2010 and 2020, will remain for years to come. Four years of tracking China’s progress has made it clear that its reform trajectory has plateaued in several areas, adding to mounting evidence of the developing bifurcation in global economic systems. Growing partial decoupling efforts by liberal market economies in recent years are a recognition of this state of affairs. These developments have deep ramifications for nations built on liberal economic foundations.

Not all economic interactions with China are harmful to the interests of developed market economies. A systemic bifurcation does not necessarily mean countries cannot engage in mutually beneficial interactions. However, open market economies need to comprehensively review how to manage this partial decoupling. Such efforts may be contingent upon changes in China’s economy, but the burden of adjustment is on Beijing.

Our final annual net assessment on the six market economy dimensions is detailed in Chapter 2. Three cross-cutting takeaways for the year (the 2023 data year) stand out. First, China saw backsliding away from open economy norms on balance across our benchmarks. Since 2010, there has been marked improvement across most of our indicators to China’s credit. However, these gains appear to have wavered in 2023, with half of our benchmark indicators witnessing slight regression in 2023 compared to the previous year. There are some bright spots in 2023, but the few optimistic trends are overshadowed by the far larger number of benchmarks that have reversed course. In some areas, such as market competition, China remains a stark outlier, especially with respect to state-owned enterprise (SOE) presence in the economy. In other areas, such as innovation, China looked to be converging but was met with stalled progress.

Part of these trends are attributable to global macroeconomic dynamics. Our open economy samples all experienced mild backsliding in 2023—for example, with respect to trade intensity. However, the major source for many of these developments remains China’s policy choices themselves. As our policy year in review sections demonstrate, Beijing has doubled down on a policy direction that steers China, on net, away from open economy norms.

We would also be remiss if we did not reflect on the role COVID-19 played in outcomes over the 2021–24 period. The pandemic triggered state activism in all economies. In all six clusters in our framework, we can easily tell a story about the appropriate insertion of the state in lieu of normal market economy activity. One example can be seen in the market competition cluster, where SOE presence in several OECD economies increased after 2020 partly due to a surge of government rescue funding. Yet, we have also carefully evaluated the stated intentions of Chinese policy in the system in our qualitative quarterly China Pathfinder reviews. These have made clear that while the pandemic offered a textbook opportunity for Beijing to rebalance the growth model toward household consumption and away from systemic bias toward the supply side and more capacity creation, leaders did the opposite. This has clearly widened the gap with OECD notions of compatibility.

The China Pathfinder indicators also illustrate how the flows of goods, services, and capital are becoming increasingly strained. China’s portfolio and direct investment benchmark indicators both declined in 2023 after making moderate progress since 2010. Services trade intensity declined, and the services trade restrictiveness index for China worsened slightly. Intellectual property (IP) protection remains a large issue for firms operating in China, reducing incentives for direct investment. Unequal treatment of foreign firms and other problematic market competition dynamics compound these concerns. Overall, the only flow left redeeming the Chinese economy is trade in goods intensity, which saw another increase, consistent with its long-term trend. This is emblematic of an economy that is overly reliant on exports as the last remaining source of reliable growth. At the same time, Germany and Japan within our comparison group have also variously leaned on exports during their economic history; neither has concurrently faced comparable pressures across other financial and trade flows.

Lastly, the outsized role played by the CCP in the economy continues to be a major obstacle to China’s convergence with open market norms. In Chapter 2, we point out in several sections how the CCP continues to influence the economy unduly. Some of these dynamics are intangible or unquantifiable in our framework. The CCP’s reach into the private sector continues apace, with few signs of slowing down, affecting corporate governance and distorting what would otherwise be market-driven innovation and competition dynamics. Many of our benchmarks, however, do underscore these points. On SOE presence in the economy, China is a far outlier amongst the countries under study. Until the state retreats from its influential, structural position, it will be difficult for China to fully converge with open market economy norms in many of our cluster areas.

In Chapter 3, we return to these and other broader conclusions drawn from across the China Pathfinder Project’s lifespan.

China Pathfinder data and analytic methodology: Updates for 2024

As stated in our inaugural 2021 report, the goal of China Pathfinder is to objectively assess China’s structural economic reform progress in order to promote consensus on where China stands in relation to advanced market economies. We do this with an evaluation framework reliant on data collection, synthesis, and analysis. We draw from many sources and series published by governments, international organizations, and nongovernmental organizations, as well as our own proprietary efforts. The quantitative findings in our reports have tracked the qualitative policy scene closely each year.

Our framework evaluates China’s convergence with market economy norms across six clusters covering both domestic and foreign-facing features of China’s economic system (Table 11). The domestic dimensions include China’s financial system development, market competition policies, and innovation system, while the external clusters include trade, direct investment, and portfolio investment openness. Each cluster is tracked with annual benchmark indicators—readily available data series with cross-country coverage that capture the essence of that dimension. A composite score for each cluster is also calculated by taking the simple average of each benchmark indicator to produce an overview of China’s annual trends.

There are aspects of China’s economy that are not easy to compare with other countries. We recognize the importance of addressing these characteristics and thus include supplemental indicators, which inform our conclusions but do not contribute to the annual composite scores. The final component of our framework is a qualitative review of policy changes in each cluster. Throughout the year, China Pathfinder publishes quarterly updates highlighting major developments and making qualitative judgments on movements closer or further from market economy norms. This annual report synthesizes these updates in Chapter 2, adding nuance to our benchmarks and helping clarify how scoring changes manifest in China’s politics and economics.

We have sought to establish a rigorous and consistent methodology with the China Pathfinder framework. By maintaining a similar approach year after year, we have been able to identify trends in China’s economic reform. Over the project’s lifespan, however, we have had to accept some methodological updates. With each successive report, we have made adjustments while preserving the basic approach. For example, in 2022, we began including 2010 baselines not only for China but also for each OECD country in our sample. The largest change to our methodology came in 2023 when we adopted a new min-max methodology that calculated relative scores for countries drawing from all data in the scope of our analysis. For the 2024 edition, we have elected to carry forward our methodology with no major revisions. Additional improvements would add marginally to precision but at the cost of increased complexity and decreased accessibility. One of the primary goals of our research design was to provide quantitative measures that are rigorous but also accessible to non-economic experts.

While our analytic methodology has seen no change this year, there have been significant changes in data availability, which has become increasingly challenging for the framework. At the outset of this project, we attempted to hedge against this issue by making data availability and consistency key criteria for inclusion in our annual benchmark indicators (the most important data series that feed into our composite scores). Indicators were selected based on whether they correlate with and are essential for openness and market orientation, are consistently available for both China and comparators, have a limited time lag of six months maximum, and are straightforward enough for a broad audience to understand. Many indicators now fail the timeliness and consistency criteria. In the 2024 edition, we encountered availability issues in almost a third (ten out of twenty-nine) of our foundational data series, a marked uptick from previous years. For example, the OECD’s FDI Openness Index, IMF’s Financial Institutions Depth Index and Financial Markets Access Index, and World Integrated Trade Solution (WITS) tariff rates, all key indicators used in our cross- country comparison, are missing current-year data for 2023 as of the time of publication.

Moreover, gaps are unevenly distributed across the clusters, magnifying the problem. Portfolio investment and direct investment openness both lack data in 2023 for half of their constituent benchmark indicators, requiring us to seek alternatives. While some indicators are no longer published, others have faced increasing time delays in their publication that make their inclusion unfeasible with the cadence of our annual analysis. This is not to mention data quality concerns, such as those noted in the trade balance statistics above.

To be sure, data drop-off is an issue with any long- running research initiative. To its credit, the immense number of hours devoted to stress testing and the evaluation of our expertise and analytic procedure early on in this project’s life cycle has paid large dividends. For example, pandemic-related disruptions to our data retrieval were minimal. However, as more data series have become unavailable, we are left with difficult choices. We must balance methodological consistency against using alternative data that speaks to the questions at hand. In the latest cycle, the gulf between these two priorities has widened. Assessing China’s progression has forced us to veer further from our original data sources. This is acceptable for an intra- year comparison and benchmark, but it adds greater unreliability to cross-year comparisons. Because the focus of the project is first and foremost on tracking China’s evolution, this presents, in our view, severe obstacles.

The options for addressing all this are imperfect. The choices for gap-filling include:

1. Carry forward the prior year’s data. This reduces or discounts the potential magnitude of change in the cluster.
2. Impute or splice the data by applying some form of average growth rates, across countries within a year or across countries across years. This risks missing surprising forward or backward movements.
3. Draw from alternative data sources that speak to the same underlying issue. This introduces comparability issues across years.
4. Reconstruct missing data indicators. This requires the availability of methodological documentation and additional data series relied upon to construct the indicator, neither of which are always readily available.

For our analysis in this report, we combine these solutions to address data gaps. A consistent principle adopted in China Pathfinder is transparency. To that end, we make clear in each subsection of Chapter 2 the data complications we had and what procedure we adopted as a remedy. Additionally, we put great effort into caveating our conclusions as appropriate. In some instances, the quantitative results present contradictory or surprising findings. We offer a qualified interpretation of these results based on our domain expertise.

As China Pathfinder comes to a close, the data issues outlined here are to be expected. Many would be obviated if China adopted the same data transparency and publication standards as OECD nations. Absent this, however, we believe that our efforts at objectivity, consistency, and rigor provide the next-best solution. The analytic methodology has proven robust, if imperfect, and offers lessons for future research on competing economic systems—lessons that will be carried forward, hopefully, in future China Pathfinder phases.

Remainder of the report

In the next chapter, we address each of our cluster issue areas. Following that, in Chapter 3, we summarize significant takeaways drawn from specific clusters and build on them to offer cross-cutting conclusions about the past year based on the evidence we collected. Since this is the final edition of this series, we also share lessons learned and principles for success based on our experience analyzing China’s economic system today and over the past four years. Finally, we preview our ideas for a next-generation China Pathfinder 2.0 design and refresh our mission statement for the kind of public policy research we believe will serve the interests of people and policymakers in the advanced economies, China, and the wider emerging world alike.

Table 1: Summary of China Pathfinder clusters and indicators, 2024

Chapter 2: Historical baseline and 2023 stocktaking

In this chapter, we review each of our six clusters in detail. We define each cluster and its relevance to a market-oriented economy. This provides a framework for how we selected indicators and why they are a fair proxy of that particular area of economic performance. The next section outlines each indicator and its corresponding methodology, followed by an analysis of the 2023 data findings for China and open market economies. The individual indicator stocktaking leads to our overall composite score results, where we assess countries’ relative performance and interesting trends for 2010, 2020, 2021, 2022, and 2023. The six sections of this chapter each conclude with a review of the major policies enacted and other relevant developments that occurred in China in 2023.

2.1 Financial system development

Figure 2.1: Composite index: Financial system development, 2023

Definition and relevance

Open market economies rely on modern financial systems to efficiently price risk and allocate capital.⁶ Key pillars of modern financial systems are generally market-driven credit pricing, the availability of a broad range of financial instruments, the absence of distortive administrative controls on credit price and quantity, and access for foreign firms to financial services and foreign exchange markets.

2023 stocktaking: How does China stack up?

In 2023, China’s financial system development score improved over both its 2022 score and its 2010 baseline. However, it continued to lag behind the OECD average in 2023. There were improvements in several indicators, including the efficiency of credit pricing and financial market access. China’s stock market capitalization as a share of GDP also saw improvements, though it was distorted by the slowdown in GDP growth between 2022 and 2023. China continues to maintain a high degree of state ownership in the financial sector compared to OECD economies.

In calculating this score, we chose the following annual indicators to benchmark China’s financial system development against that of open market economies.

Efficient pricing of credit

We use the absolute value difference between the average borrowing rates for nonfinancial corporations and projected GDP growth as a proxy for efficient pricing of credit. In an efficient financial system, the cost of capital (the average interest rate) should roughly mirror the expected return (for which we use the projected GDP growth rate). Countries with efficient credit pricing will be close to zero in our chart.

In 2010, China’s projected growth rate far exceeded the real interest rate for corporate borrowers, effectively subsidizing producers and punishing savers.⁷ In 2023, a combination of tightening credit markets, a sharp slowdown in growth, and China’s slowing economic growth—which have both affected new credit and reduced inflation-adjusted interest rates—has seen the gap narrow in our sample. China’s score for credit pricing has thus significantly improved and now exceeds both the OECD average and the United States’, reaching over 9.0 points in 2023.

As we noted in 2022, in many open economies, high inflation rates outpaced produced a negative real cost of borrowing. Lower growth (with the exception of the United States) and high interest rates in developed markets saw the gap between the two converge across the OECD scores in 2023.

Direct financing

The extent of direct financing in an economy reflects firms’ ability to borrow directly from the market instead of going through banks and other intermediaries. We include two measures of direct financing: stock market capitalization as a share of GDP and outstanding non- government debt securities as a share of GDP.

China’s stock market capitalization-to-GDP ratio does exceed that of Italy, Germany, and Spain, though it trails behind the OECD average and far behind the United States. Denominator effects are partially at play, given China’s growth slowdown in 2022 and 2023. However, even though credit growth was sluggish last year, growing debt finance helped China surpass all countries in our sample except for South Korea and the United States. Equity finance via the stock market continued to increase as a share of GDP, though China remains well behind most of the OECD.

State ownership in top ten financial institutions

We again deploy our own composite indicator, looking at the degree of state ownership in the country’s top ten financial institutions by market capitalization. For each country, we look at the proportion of each institution’s public stock owned by the government. We then weigh the results according to each institution’s market capitalization.

The high degree of state participation in China’s financial institutions remains a core systemic difference between China’s financial system and that of open economies. China’s weighted average of government ownership of financial institutions has improved in comparison to when it stood at 47 percent in 2010. However, it has stagnated at 39 to 40 percent from 2021 to 2023. Simultaneously, the OECD weighted average has remained around 3 to 4 percent over the same period. South Korea’s government ownership share is the only other rate exceeding 10 percent. South Korea’s share has not significantly improved from 2010 levels, standing at 18 percent in 2023, yet remains markedly ahead of China.

Financial institutions depth

Previous reports deployed a financial institutions depth indicator compiled by the IMF as a proxy for overall financial system sophistication. However, that indicator ceased updates in 2021. To compensate, we deploy our own composite indicator using the IMF’s methodology and alternative data series with more recent data available for 2023.⁸ We use this index to generate updated baseline scores for 2010 and 2023. Because they draw on alternative data streams, they are not directly comparable with the previous IMF scores. However, the new index shows similar country ranks and direction of change since 2010.

China’s performance on the composite depth index still lagged behind the OECD average in 2023. However, China’s score markedly improved from 2010 (by 0.9). While it previously ranked just behind Spain and Italy in financial institutional depth, China surpassed those countries last year. This is due (in part) to declining private credit and insurance premium volumes in those countries in 2023.

Financial markets access

As with the above, the IMF’s financial markets access indicator is no longer published, requiring us to deploy our own composite indicator based on existing methodology. While the old IMF indicator utilized data on the number of bond issuers per capita, our indicator deploys data on overall corporate debt volume per one hundred thousand adults. It preserves the use of a second input series, the percentage of market capitalization outside of the top ten largest companies, to proxy access to stock markets.

As with the financial system depth indicator, in 2023, China performed better than the lower-performing OECD economies of Italy and Spain. China has also shown substantial improvement since 2010. China’s score reflects the rapid expansion of its bond markets since 2010. China’s score would likely decrease if our indicator utilized data on issuers rather than the value of issued bonds.

Composite score

Blending our annual indicators, our Financial System Development Composite Index puts China at 4.4 in 2023, a notable improvement over its score of 3.5 in 2022.⁹ All OECD countries improved from the previous year except for Japan, which saw a very small technical decrease (less than 0.1 points). Thus, China’s score surpassed Italy and Spain for the first time; until 2022, China consistently scored the lowest among all in- country samples. This reflects nascent improvement in China’s credit allocation, under deleveraging policies and amidst the collapse of its property sector, which caused lenders to pull back on new credit.

Our composite scoring captures major movements in China’s performance using indicators comparable across economies. In addition to these benchmark indicators, we also track relevant policy signals germane to financial system development and monitor several additional higher-frequency or China- specific indicators. These policies are detailed below, and Figure 23 presents a selected number of these supplemental data points, including the pace of credit growth in the Chinese economy; the distribution of credit to consumers, the private sector, and SOEs; the distribution of Chinese bond ratings; interest rates for savers; and exchange rate dynamics.

A year in review: China’s 2023 financial system policies and developments

In 2023, the Chinese government focused on mitigating the outcomes of domestic financial system stress— including a loss of domestic and foreign business confidence—rather than core structural issues.

Mounting local government debt continued to weigh on financial stability. Calling on a playbook of measures to deal with the property sector, weaker growth, and local government financing vehicle (LGFV) debt in 2014–15, the central government initiated a debt refinancing policy package that would offer extensions and rate cuts on LGFV debt.¹⁰ The midyear budget revision increased central government bond issuance by RMB 1 trillion, with RMB 500 billion to be disbursed in 2023.¹¹ The People’s Bank of China (PBOC) also increased the pledged supplementary lending quota by RMB 500 billion at the end of 2023 to support policy loans for housing projects, urban revitalization, and public infrastructure. Of that, RMB 99.4 billion in lending was extended by year-end.¹² These measures provide LGFVs a solvency reprieve without addressing the underlying causes of liquidity constraints, perpetuating systemic moral hazard by allowing LGFVs to maintain unsustainable debt positions and increasing the risk of zombie enterprises. These measures also burden financial institutions with fulfilling state policy priorities at the expense of profit maximization.

On the other hand, several market-oriented measures eased local government access to listing SOEs on the stock market. These developments included the rollout of a new registration-based system for initial public offerings (IPOs), which replaced a system that required approval from the securities regulator, and the relaxing of some hard requirements on profitability and other financial ratios, making it easier for SOEs to qualify for listings.¹³ SOEs are valuable local government assets. Sales can assist in the repayment of local debt.

Throughout the year, the Central Commission for Discipline Inspection’s ongoing anti-corruption campaign in the financial sector and crackdowns on financial sector wages were a continued constraint on market forces. The heightened insecurity caused by crackdowns is likely to make loan officers more conservative and perpetuate pressures to lend to SOEs over private sector actors. There was also little progress on implementing government promises to improve market conditions for the private sector, including improvements to private enterprises’ credit conditions and increased investment in the private sector.

Market reforms for foreign players were slightly more promising. In June, the State Council rolled out new pilot measures for six of China’s twenty-one free trade zones (FTZs) and free trade ports, which included several actions opening the financial sector.¹⁴ However, the impacts of the new regulations on the business operating environment will likely take time to manifest. Revisions were made to speed up the processing of investment remittances (e.g., dividends, capital gains, etc.) and to allow individuals and companies to use overseas financial services. The new measures also promise that the government will not be permitted to ask for the source code of any software imported and distributed within the six FTZs.

Figure 2.2: Annual indicators: Financial system development (2023*)

2.2 Market competition

Figure 2.4: Composite index: Market competition, 2023

Definition and relevance

Market economies rely on a pro-competitive environment where firms face low entry and exit barriers, market power abuses are disciplined, consumer interests are prioritized, and government participation in the marketplace is limited and governed by clear principles. These dynamics are important to the overall development of an economy because firms with healthy competitors have a greater incentive to innovate and improve productivity. This adds diversity to the market and promotes higher-quality growth.

2023 stocktaking: How does China stack up?

In 2023, China’s market competition score remained mostly unchanged compared to 2022. Persistent problems continue to hinder fair competition in the Chinese economy. The rule of law is still exceedingly weak, and SOEs and other government-controlled or influenced firms continue to have an outsized presence amongst the largest listed firms by market capitalization. While China does have a lower market concentration score than OECD economies, it is excessively low and indicative of other problems in the Chinese economy, such as interprovincial barriers to commercial activity. To its credit, China has not backslid as far as open economies have on several measures in recent years, but it remains far behind those economies on average.

We chose the following annual indicators to benchmark China’s market competition against open market economies.

Market concentration

We measure overall market concentration across all industries using the top five listed companies’ revenue as a share of total industry revenue. The higher the proportion of total revenue the five firms constitute, the more concentrated the industry. The indicator is a simple average of the calculated proportions from eleven industries: communications, consumer discretionary, consumer staples, energy, financials, healthcare, industrials, materials, real estate, technology, and utilities. The industry categorization is consistent across all countries in the sample. For countries with industries comprising less than fifty listed companies, we use the top 10 percent of the total firms in the industry instead of the top five. The indicator was constructed using data from Bloomberg.

Similar to our scoring for China in 2022, China’s economy remained relatively less concentrated than economies in our OECD sample. Our benchmark indicator of concentration decreased marginally from 38.4 percent to 38.2 percent between 2022 and 2023. This is a substantial decrease from China’s baseline measure of 55.7 percent in 2010. By contrast, the open market economy average became slightly more concentrated this year, increasing from 61 percent to 61.6 percent. Canada and France had the largest increases, adding about 5 percent industry concentration, while Germany and Canada decreased by about 5 percent.

Lower market concentration in China should be interpreted carefully, however, as excessively high and abnormally low levels of market concentration may be indicative of problems in the economy. China’s low score on market concentration is mostly the result of structural issues, whereby interprovincial barriers and local government support artificially suppress rates of firms’ market exit. Indeed, the percentage of loss-making firms continues to rise across numerous industries. Where we might expect to see some industries become increasingly concentrated, state intervention is instead enabling fragmentation in the economy. Conversely, a smaller number of industries, such as transportation and energy, are highly concentrated as the state exercises monopoly rights.

SOE presence in the top ten firms

One important determinant of market competition is the role of SOEs in the economy. Our indicator for this area is calculated by summing the market capitalization of SOEs in the top ten firms within each industry and dividing it by the total market capitalization of the top ten firms by market capitalization within each industry. This ratio is then averaged across industries to arrive at our measure of SOE presence. This procedure remedies an issue in earlier editions of China Pathfinder, where the massive assets held by Chinese SOEs compared to their counterparts in OECD economies were insufficiently reflected in the benchmark. The process is repeated for the eleven industries listed in the market concentration indicator description.

Government ownership disclosures reported by companies in market economies capture the extent of state ownership more reliably. For these countries, a company was considered an SOE if the government owned 50 percent or more of its shares. However, many Chinese SOEs’ largest shareholders are not clear-cut government entities such as the State-owned Assets Supervision and Administration Commission (SASAC) of the State Council or Ministry of Finance. The team used firm-reported ownership information from WIND supplemented with Chinese-language reporting to conduct outside research on Chinese companies, determining whether a company counted any of the following governmental entities as a key shareholder:

1. other SOEs
2. the Central Huijin Investment Co. (a state-owned investment company); or
3. The Hong Kong Securities Clearing Company (of which the Hong Kong government is the largest shareholder).

This supplemented the results offered in firm disclosures accessed via Bloomberg. As with prior years, the role of SOEs in China’s economy continues to be a key differentiating factor. In 2023, SOEs comprised 65.4 percent of the top ten firms’ market capitalization across industries. This represents a 14.5 percent increase over 2022’s measure, which was a 30 percent increase over 2021’s. It also increased over the 2010 benchmark, which stood at 53.6 percent. In contrast, open economies SOEs’ presence has been consistently smaller in open economies, with only Italy, France, and South Korea showing more than a couple of percentage points of state presence over the entire study period (and France, as of 2024, scored <0.5 percent). Even Italy, the economy with the largest SOE presence in the top ten firms at 12.6 percent in 2024, does not even remotely approach China’s score.

Overall, rather than show convergence with OECD market norms on the role of the state in the economy, China continues to trend in the opposite direction. As the private sector becomes increasingly marginalized, SOEs will continue to play an outsized role in China’s economy, at least in the near to medium term.

Foreign direct investment restrictiveness

Openness to competition from foreign companies is a characteristic of open market economies. To benchmark this characteristic, China Pathfinder has to date relied upon the OECD’s FDI Regulatory Restrictiveness Index, an established indicator that measures how open an economy is to foreign competition.¹⁵ However, this data series is no longer maintained, with the last update made in 2022 (covering policies and practices of countries in 2021). For our calculations, we carry forward the latest entry in this data series. China scores 0.73 on this index, which ranges from zero (most restrictive) to one (least restrictive). The open market economy average is, by comparison, 0.92. While China has improved notably over its 2010 baseline of 0.53, the latest update to this series leaves it far below its market economy counterparts. Indeed, discrimination against foreign firms remains a large problem in China, with continuing complaints from foreign companies regarding forced technology transfers, unequal access to procurement, and little progress on easing the Negative List for foreign investment.

Rule of law

Another key ingredient for a competitive marketplace is the fair and impartial enforcement of rules. The World Bank’s Rule of Law Index captures the extent to which actors have confidence in the law, including elements such as the quality of contract enforcement, property rights, and the courts. Our adjusted index ranges from zero to five, with lower values representing less rule- of-law-based governance. On this indicator, China lags far behind its open economy peers. The update to this year’s metric saw China remain around 2.5. The open economy average regressed very slightly from 3.8 to 3.7. China has made little progress on this indicator over its 2010 benchmark, especially compared to its progress on many other indicators.

Composite score

On balance, China experienced mild backsliding in our Market Competition Composite Index from 4.3 in 2022 to 4.2 in 2023. In comparison, the score for our sample of open market economies also declined marginally from 7.31 to 7.22 over the same period (Figure 25).

While China’s score has improved greatly since 2010 (where it scored a 1.7), it appears that further progress on market competition has stalled. Excluding the data with no new updates for 2023, China backslid on every other benchmark indicator this year (market concentration, SOE presence, and rule of law). While there are segments of the economy that exhibit true competitiveness and have robust market dynamics, overall, China’s economy falls far short of open economy norms. The primary issue is the role of the state in reducing market competitive dynamics. SOEs have monopolies in numerous sectors, government subsidies and interprovincial barriers sustain firms that would otherwise fail, and the reach of the CCP into corporate affairs subverts the rule of law.

While the magnitude of decline on average in our market economy sample was roughly equivalent to that of China’s, these economies have, overall, sustained a much higher level of market competitive dynamics year over year; the average for open economies in 2010 was 7.5, close to their 2023 score. Overall, our quantitative indicators show that China is not on track to close the gap with OECD countries. Moreover, these quantitative indicators only capture market competition in part. Dynamics such as informal barriers to market participation (discrimination in procurement against foreign and private companies), uneven access to industrial policies amongst firms, and the influence of the CCP in corporate governance via grassroots party organization and administrative guidance can’t be adequately quantified by the currently available data, but complement the picture painted by our benchmarks.

To help address these gaps, we track policy developments in 2023 below and present a number of alternative indicators. These include more granular measures of state ownership in the Chinese economy.¹⁶

A year in review: China’s 2023 market competition policies and developments

Overall, policy trends in 2023 reinforced the backsliding found in our quantitative indicator. In 2013, Chinese President Xi Jinping emphasized the importance of market mechanisms in guiding resource allocation. Over a decade later, such aspirations have yet to achieve their full potential, and the role of the state in the economy is resurgent. Combined with arbitrary, stringent regulations and a pervasive focus on national security, this left a pessimistic outlook for both the domestic and foreign business communities.

Several pieces of legislation posed heightened challenges for business operations in China in 2023, especially for foreign firms. For example, the Cyberspace Administration of China (CAC) finalized the Cross-border Transfer of Personal Information Standard Contract, which included many provisions that were ultimately stricter than what had been proposed in working drafts. It introduced additional measures enforcing stricter alignment of any cross- border transfer agreement with that of the Standard Contract and heightened the requirement of monitoring by Chinese authorities of foreign recipients of personal information. For foreign companies, especially those in financial services and technology, these rules pose steep barriers to their operations and cause essentially discriminatory treatment in the domestic market.

Similarly, China’s Anti-Espionage Law received an amendment and went into effect in the middle of 2023. It was widely noted to be ambiguous in its formulation, with new language added broadening the scope of potential espionage targets to include “all documents, data, materials, and articles” related to national security interests.¹⁷ Because “national security interests” as a term is ill defined and potentially expansive, foreign companies have feared that these rules could be applied arbitrarily. Such worries built off a series of raids on foreign consulting groups, including Mintz Group, Capvision, and Bain & Company, where staff were detained for questioning.¹⁸ A large fine was additionally levied on Deloitte for allegedly failing to perform its duties adequately in auditing China Huarong Asset Management Company.¹⁹ Lastly, Chinese regulators directed SOEs and publicly traded domestic firms to heighten scrutiny when hiring foreign accounting firms, which has further restricted the ability of auditors to independently assess Chinese company data. These events highlight the tighter supervision of data, especially sensitive economic data, by Beijing and have disproportionately affected foreign firms.

There were some improvements in the policy environment in the latter half of 2023. The State Council sought public comments on several issues concerning private sector investment, such as market entry barriers, unfair competition, and arbitrary fines. There was a recognition by officials that further guidance and potential easing of cross-border data transfers would be forthcoming, but that has yet to materialize. The CAC hinted that some personal information involved in routine commercial activities, such as cross-border shopping, may be exempt from security assessments.

Ultimately, however, optimism for improvements faded as meaningful changes failed to materialize. Firms, especially foreign ones, have been left facing more uncertainty. Clarifying regulations and standards and ensuring the equal treatment of foreign versus domestic and state versus private firms would do much to repair the loss of confidence in the business community in 2023.

Figure 2.5: Annual indicators: Market competition (2023*)

2.3 Modern innovation system

Figure 2.7: Composite index: Modern innovation system, 2023

Definition and relevance

Market economies rely on innovation to drive competition, increase productivity, and create wealth. Innovation system designs vary across countries. However, market economies generally employ systems that rely on government funding for basic research but emphasize private sector investment, encourage the commercial application of knowledge   through the strong protection of IP rights, and encourage collaboration with and participation of foreign firms and researchers, except in defense-relevant technologies.

2023 stocktaking: How does China stack up?

China’s innovation system reform efforts in 2023 were similar to those in the previous year, lagging many of the developed economies in the sample. China’s IP was less attractive globally and fewer high-quality patents were filed by Chinese entities. Increases in OECD spending on research and development (R&D) outpaced that of China’s, as well, though China performed marginally better in securing venture capital (VC) spending than comparable economies. In general, we evaluate that progress in reforming the innovation system has stagnated.

We chose the following annual indicators (also used in previous China Pathfinder reports) to benchmark China’s track record against open market economies in terms of a modern innovation system.

National spending on research and development

R&D expenditures as a percentage share of GDP measure R&D spending relative to comprehensive economic activity across the economies in our sample.

China’s R&D expenditure as a share of GDP has steadily increased from 1.7 in 2010 to 2.55 in 2022, as expected of countries moving toward innovation- driven economic growth. At 2.55 percent, China’s share significantly converged toward the OECD average of 2.64 in 2022. However, in 2023, China’s funding ratio stagnated at its 2022 level, while the OECD average marginally increased to 2.67. While spending on R&D and innovation is likely to remain a high priority for China’s central and local governments, as articulated in high-level policy documents, the need for increased spending for social welfare—for example, on pensions and health care—due to an aging population, alongside stagnating growth prospects and local government fiscal debt burdens, is straining the fiscal space available to continue increasing funding for R&D.

Venture capital attractiveness

While recognizing the limitations of using R&D spending as a measure of innovation, we also look at VC investment as a share of GDP. VC plays a key role in innovation-driven entrepreneurship and shows the confidence of private sector investors in an economy’s ability to catalyze disruptive new technologies.²⁰

In 2023, all sampled countries experienced a decline in VC investment as a share of GDP as the global venture market took a steep downturn. According to PitchBook data, global capital invested fell to 2018–20 levels, and exit value fell to 2017 levels.²¹ The United Kingdom and the United States experienced the greatest decrease in their shares (sixty-three and thirty-eight percentage points, respectively). The OECD average fell from 50 percent in 2022 to 30 percent in 2023. While China was no exception, it fared relatively better, losing only five percentage points and dropping its share from around 40 percent to 35 percent in the same period, demonstrating significant convergence toward the OECD average. This is not as strong as China’s performance in 2021, when it stood at 67 percent, compared to an OECD average of 63 percent, but marks a significant improvement from 2022, when China’s share fell ten percentage points below the OECD average. Along with heightened geopolitical risk, a reassessment in the prioritization of investing domestically, and high federal fund rates in the United States, China’s increasingly challenging business environment for foreign capital in tech and other popular VC destinations still poses barriers for foreign firms. State investment continues to be a significant driver of VC in China through government guidance funds and other vehicles as an alternative to traditional grant funding.

Triadic patent families

As an indicator for the quality of innovation output, we use the number of triadic patent families filed, controlled for GDP. Triadic patent families are corresponding patents filed at the European Patent Office, the United States Patent and Trademark Office, and the Japan Patent Office. They are generally considered higher- quality patents and, thus, offer a better perspective than purely looking at the number of patents.

China’s total number of filed triadic patents decreased by roughly 100 in the analysis year. The number of filings by other countries either decreased (Japan, the United States, France, Germany) or increased marginally by an average of eleven patent families. Increased costs and disruptions due to the COVID-19 pandemic may have affected new patent filings in the period; China’s drop in our 2023 indicator was not as sharp as that of the United States or Japan.

International attractiveness of a nation’s intellectual property

Another proxy for a country’s innovation output quality and global relevance is the receipts for payments from abroad for the use of IP. Controlled for GDP, this indicator offers a perspective on the relative attractiveness of national IP to other nations.²² China’s improvement on this indicator in 2022 proved temporary. In 2023, IP receipts as a share of GDP decreased by more than 50 percent to 0.06 percent of GDP, while the open economy average remained roughly the same (0.6 percent of GDP).

Strength of IP protection regime

To measure the protection of IP, we use the International Intellectual Property Index provided by the US Chamber of Commerce’s Global Innovation Policy Center. The index is composed of fifty individual indicator scores that look at existing regulations and standards and their enforcement. Because the index was not launched until 2012, we use that year as our baseline. China’s performance on IP remains unchanged from the previous year, as do almost all rankings for the OECD countries in our sample.

Composite score

Our analysis has some limitations. For example, it does not include certain unique aspects of China’s economy, like the presence of SOEs in leading sectors relevant to innovation, including telecommunications, airspace, biotech, and semiconductors. Data constraints also restrict our insight into specific components of China’s innovation ecosystem, such as subsidies or government guidance funds.

In 2023, China’s score on the Modern Innovation System Composite Index remained similar to 2022 levels, at 2.5, short of the OECD average of 4. The United States, the UK, and Germany saw the largest score decreases of 0.3, 0.4, and 0.6, respectively. Poor performance on VC, patenting, and IP attractiveness depressed the OECD average score to its 2020 level of 5.6.

A year in review: China’s 2023 innovation policies and developments

The major development in innovation policy in 2023 was bureaucratic shuffling that indicates Xi and the CCP will drive the direction of China’s innovation for the foreseeable future. For one, the Ministry of Science and Technology was given a lead role in coordinating China’s R&D ecosystem. Moving forward, it will play a key part in determining the allocation of science and research-related funding. Additionally, the Central Science and Technology Commission, a CCP committee, was elevated to a policymaking role in China’s R&D ecosystem. This centralizes control of China’s innovation infrastructure even further in the hands of the CCP rather than with private actors.

Although some positive indications began   to emerge on artificial intelligence (AI) policy, they were ultimately overshadowed by state interference in market dynamics. Overly restrictive regulations on AI research and commercial activity were toned down in 2023, and four large generative AI models passed government assessments. But the state continues to anoint winners, and government-sponsored language models dominate the industry. More strident guidance on data use targets for industries and local authorities also leaves less and less room for the market to play a role, let alone a decisive one.

In 2024, the mood at innovative firms is somber. State sector damage to dynamism has been severe and will be difficult to reverse. Credible policy signals would need to convince anxious private companies, foreign businesses, and venture investors that market-driven innovation will not only be tolerated but promoted. Clear definitions and practical examples of what “important data” means in the CAC’s “toned-down” cross-border data flow regulations would encourage investment. Ongoing Chinese de-risking efforts driven by rising security pressures are also reducing room for technology transfers, hurting the innovation outlook. There are conciliatory steps Beijing could take to arrest that trend, such as tempering brash foreign policy postures, but few expect such a pivot.

Figure 2.8: Annual indicators: Modern innovation system (2023*)

2.4 Trade openness

Figure 2.10: Composite index: Trade openness, 2023

Definition and relevance

Free trade is a key feature of open market economies to facilitate specialization based on comparative advantage. We define trade openness as the cross- border flow of market-priced goods and services free from discriminatory, excessively burdensome, or restrictive measures.²³

2023 stocktaking: How does China stack up?

In 2023, China backslid heavily in its overall trade openness. China does perform well on metrics concerning trade in goods, but this is unsurprising given the economy’s reliance on exports to drive growth. Conversely, restrictions on trade in services continue to hold back China’s overall progress. To assess this, we apply the following annual indicators to benchmark China against open market economies.

Goods and services trade intensity

Our primary de facto trade openness indicators are gross two-way goods trade as a share of global two- way goods trade and gross two-way services trade as a share of global two-way services trade. This metric is often referred to as the trade openness ratio. However, a low ratio doesn’t necessarily imply restrictive policies— it can also derive from the size of a country’s economy or a non-trade-friendly geographic location.

Both indicators show that China is heavily integrated into global trade flows. Of the countries under study, China has the highest trade in goods intensity, at 11.9 percent in 2023. This is a slight increase of 3.5 percent over the previous year (11.5 percent intensity), and a 33.7 percent increase over 2010 (8.9 percent intensity).²⁴ Open market economies typically sustained lower scores and were more consistent year over year, with the exceptions of Germany and France, which had slight increases in their trade in goods intensity scores in 2023. The United States held the highest trade in goods intensity amongst our OECD sample at 10.6 percent.

Regarding services, China had a trade intensity of 5.2 percent in 2023. This is a decline over its 2022 score of 6.4 percent, though it remains an improvement over its 2010 baseline of 4.2 percent. Services trade intensity declined on average amongst our open economy sample as well, falling from an average of 4.2 percent in 2022 to 3.8 percent in 2023. The United States leads this group with a score of 10.7 percent, while most other open economies scored in the lower single-digit percentages.

Trade Barriers: Tariff Rates

We utilize official tariff rates to judge the formal barriers to trade. Our methodology employs the simple mean of most favored nation (MFN) tariff rates across all product categories. We use a simple mean instead of a weighted average because the latter is often skewed downward (goods facing high tariffs are imported less, lowering their weight in the calculation).²⁵ The MFN rate is used instead of the applied rate for data availability and comparability across countries.

As of mid-2024, the tariff rate data from the WITS have not been updated. We thus carry forward the latest available data covering 2021. China maintained a tariff rate of 5.3 percent, which is higher than our comparison market economies, though lower than in previous years. However, it is important to note that all sampled countries reduced their tariff rates over the study period. China has reduced its MFN rate to around 3 percent since 2010, down from 8.1 percent.

Restrictions on services trade

For a de jure measure for services trade openness, we rely on the OECD’s Services Trade Restrictiveness Index (STRI), which measures policy restrictions on traded services across four major sectoral categories.²⁶ These are physical, digital, and professional services and logistics, all weighted equally. Each sectoral category also contains several specific industry subindices. A lower score on the index indicates a less open policy to services trade, with scores ranging from zero to one. This index only started to provide data in 2014, so this is the earliest year for benchmark comparison.

In 2023, China’s STRI score was 0.36, slightly higher than its 2022 score of 0.35. This indicates that the services trade became more restrictive both within China (even though it has improved notably since 2010) and in comparison to our open economy sample, which averaged 0.20 in 2022 and 0.21 in 2023. The open economy scores have consistently maintained better services trade openness scores since 2014.

Restrictions on digital services trade

In previous years, China was an even greater outlier in digital services trade, a crucial subcategory of global services trade. Our research adapts the OECD’s Digital Services Trade Restrictiveness Index (DSTRI), which measures barriers that affect trade in digitally enabled services across fifty countries.²⁷ This includes infrastructure, connectivity, electronic transactions, payment systems, and IP rights. The index ranges from zero to one, with higher scores indicating a greater degree of restrictiveness. This index only started to provide data in 2014, so this is the earliest year for all countries in our sample.

In 2023, China’s DSTRI score was 0.35. This is an increase (more restrictive) over 2022’s score of 0.31. Throughout the study, China has scored higher on this benchmark than its open economy peers and has, in fact, backslid significantly from 2014. This is likely reflective of the increasing securitization and control of the digital sphere under Xi. On the other hand, OECD economies have moved little from their 2014 benchmark.

Composite score

China’s Trade Openness Composite Index score in 2023 was 4.36, a notable decline from the previous year’s score of 5.11, though still an improvement over the 2010 baseline score of 3.50 (Figure 211). The primary source of this decline was the enhanced restrictions on digital services trade. China’s DSTRI index for 2023 marked the lowest score of any country in the sample over the study period. This, combined with additional decreases in trade in services intensity and reduced service trade flows, resulted in a much lower score for China’s trade benchmark. While Canada and the United States saw decreased trade scores this year, every other open market economy in the study improved.

While we have good access to basic trade-related data, our coverage faces several shortcomings. China’s trade intensity measures are a yardstick for fairness and openness. The services trade data have flaws, including significant distortions through tourism spending and hot money flows. Also, measuring services trade, including tourism, during the pandemic years can produce skewed results. Finally, some of China’s most problematic practices—for example, nontariff barriers, informal discrimination, and exchange rate interventions—are difficult to capture through internationally comparable datasets.

To help address these shortcomings, we outline below policy developments relative to trade openness and present several supplemental indicators of China’s progress in Figure 2-12.

A year in review: China’s 2023 trade policies and developments

China’s trade openness contracted in the second half of last year, marked by increased controls. Trade dragged on GDP growth in the second half of 2023 despite surging exports in some sectors that are fueling foreign concerns about dumping and spillovers from Chinese overcapacity.

China maintains domestic subsidies and supply-side policies while decrying policy support for consumer demand as welfarism. This asymmetry leads to overcapacity, aggravating trade imbalances. Rather than acknowledge the unfair implications for producers in other nations and propose some sort of voluntary export restraints, Beijing emphasizes the decarbonization potential of its products and appeals to anxieties about global warming. Exports of electric vehicles (EVs), lithium-ion batteries, and solar products to the European Union (EU) took off in 2022 and remained high through 2023. China has also argued that its exports have a disinflationary effect on the global economy, and that countries struggling to rein in inflation should welcome China’s subsidization of its exports.²⁸

Parallel to these exports, China imposed export controls on key intermediate inputs for EV batteries, semiconductors, wind turbines, and other technologies. The curbs on graphite, germanium, gallium, and the technology used for making permanent rare earth magnets—China is the top producer globally of all of these—would make it more challenging for other countries to diversify their supply chains. The Ministry of Commerce (MOFCOM) and the Ministry of Science and Technology jointly invoked national security concerns in rolling out export controls on drones, laser radars, and technology used for making optical sensors, among other items. These measures are ostensibly in reaction to US controls on equipment exports and chips related to China’s high-end semiconductor sector.

At the end of 2023, China announced the end of tariff cuts on twelve chemical imports from Taiwan and accused Taipei of violating World Trade Organization (WTO) rules, ratcheting up restrictions on Taiwan trade just prior to Taiwan’s elections. At the same time, Chinese officials extended an olive branch on other goods, rescinding tariffs on Taiwanese grouper and Australian meat and barley.

China’s use of economic statecraft and political influence over trade policy is not likely to change soon. There is ample room for Beijing to change this impression by stepping up reporting of subsidies to the WTO or eliminating existing trade coercion measures. Specific actions that would indicate greater trade openness include moving away from the practice of raising or lowering the value-added tax, which distorts global crop markets; revising China’s decrees on food imports, which were implemented in 2022 and required the registration of all foreign food manufacturers; and publishing data on how Intellectual Property Action Plans have been enforced. This would demonstrate meaningful efforts to achieve fair and transparent trade practices outside of the more common trade opening measures that China has adopted, like adding free trade zones.

Figure 2.11: Annual indicators: Trade openness (2023*)

2.5 Direct investment openness

Figure 2.13: Composite index: Direct investment openness, 2023

Definition and relevance

Direct investment openness refers to fair, nondiscriminatory access for foreign firms to domestic markets and freedom for local companies to invest abroad without restrictions or political mandates. Direct investment openness is a key feature of open market economies that encourages   competitive   markets and facilitates the global division of labor based on comparative advantage.

2023 stocktaking: How does China stack up?

In 2023, China made little progress in improving its direct investment openness and it remains far behind open market economies. Inbound and outbound FDI continued to decline as a share of GDP. Developed economies, on the other hand, have become more open and have increased their relative inward and outward FDI in recent years. Direct investment openness is the area where China remains furthest behind its peers. We use the following annual indicators to benchmark China against open market economies in terms of direct investment openness.

FDI intensity

Our main de facto indicator for inbound direct investment is the inbound FDI intensity of the economy, which is calculated by dividing the total inbound FDI stock of an economy by its GDP. In recent years, China’s ratio of inbound FDI stock to GDP has declined from its 2010 level of 26 percent, plateauing at around 20 percent from 2021 to 2023. By contrast, the OECD average has risen more than ten percentage points, from 30 percent in 2010 to a steady 40 percent. In 2023, the United States and Canada’s inbound FDI intensity scores recovered from drops reported in 2022, increasing by eight and ten points, respectively.

Outflows are measured by outbound FDI intensity, which is calculated by dividing outward FDI stock by GDP. China’s outbound investment intensity has experienced an even greater decline than inbound investment. In 2010, China’s level of outbound investment intensity was 35 percent, which declined to around 15 percent by 2021 and remained there in 2022. In 2023, China saw a slight increase in its outbound investment intensity to 17 percent. The OECD average was at a comparable level to China’s in 2010, at 35 percent, but has steadily risen to 52 percent as of 2023, with a two percent age point increase in the past year. The UK’s rate was an exception to the OECD average increase over the past year, declining from 70 percent to 64 percent.

Direct investment restrictiveness

We built our own indicator for direct investment restrictiveness to measure de jure restrictiveness for FDI. While there is a robust body of academic work on cross-border capital controls, existing research was unsuitable for our purposes due to the lack of a magnitude metric,²⁹ coverage gaps, and significant time lags.³⁰ Our indicator is compiled for outflows and inflows and covers three types of restrictions: national security reviews, sectoral and operational restrictions, and repatriation requirements and other foreign exchange restrictions. The scoring is based on a proprietary framework derived from information contained in the IMF’s Annual Report on Exchange Arrangements and Exchange Restrictions (AREAER) as well as proprietary research on national security review mechanisms and sectoral restrictions.³¹ At the time of publication, IMF AREAER data for 2023 was unavailable, and 2022 values were used in scoring.

From 2010 to 2022, every country sampled, except China, increased restrictions on inbound investment, as measured by the restrictiveness indicator. Likewise, all countries’ scores on outbound investment restrictions showed no change or increased restrictiveness since 2010, with China the only improvement. China’s heavily regulated capital controls set it far behind the OECD average as a baseline, and domestic and foreign firms are still operating in a much smaller market access window than in open economies, with reforms remaining targeted and incremental.

Composite score

In 2023, China’s score on the Direct Investment Openness Composite Index continued to improve slowly, rising from 2.1 in 2022 to 2.2, driven by growth in both inward and outward FDI stock in 2023, as well as a slight improvement in outbound restrictiveness in 2022 (carried forward to the current scoring period). Over the past four years, regulatory uncertainty and slowing economic growth prospects have changed prospects for investors who rushed in to capitalize on cheaper costs of capital and labor to build manufacturing capacity in the 2010s. China’s attempts to attract foreign investment through investment incentives and the easing of restrictions on certain sectors and special economic zones (reflected in the improvement of China’s inbound restrictions score since 2010) contributed to the slight increase in China’s inward FDI stock as a share of GDP in 2023. Despite recent discussions characterizing China’s outbound FDI in recent years as accelerating, China’s strict capital controls maintain a level of outbound investment flows that are modest for its economic size. China’s score has improved from 0 in 2010 to 0.9 in 2023, but China remains the lowest performer in the group.

However, compared to the other indices covered in China Pathfinder, there is less volatility in the change in open economies’ scores on the Direct Investment Openness Composite Index from 2010 to 2023. China’s 1.6-point score increase from 2010 to 2023 represents the strongest growth out of the sample countries. Canada comes in a close second with a 1.4-point score growth. While the average OECD score stands distinctly ahead of China’s, its improvement has been more modest, from 6.1 in 2010 to only 6.3 in 2023. The scores of several countries, including Australia, Germany, Italy, and South Korea, have declined in 2010, which has largely been driven by worsening scores on inbound and outbound investment restrictiveness.

As with other indicators, our de facto measures for direct investment openness are imperfect because they are influenced by a host of non-policy variables, such as market size, economic growth, and business cycles. Our measures for de jure restrictiveness reflect scoring judgments that are subject to a certain degree of subjectivity. We address these shortcomings below by providing a summary of major policy developments in 2023 pertaining to direct investment openness. Supplemental indicators are presented in Figure 2.15 to help provide additional context.

A year in review: China’s 2023 direct investment policies and developments

According to official data, in 2023, inbound FDI flows hit new lows. MOFCOM data recorded a 19 percent and SAFE a 78 percent year-over-year decrease in inbound FDI, with unprecedented net FDI outflows in quarterly data.³² Regulatory uncertainty under Xi, China’s changing growth prospects, and the rise of investment screening regimes and other restrictions have resulted in a slowdown in new inbound FDI flows to China since 2021. On the other hand, China’s outbound FDI intensity grew marginally, increasing by one percentage point in 2023 as outbound FDI flows increased, according to MOFCOM data. Diversification pressures and enhanced inbound investment screening regimes in Western countries and Japan have contributed to shifting Chinese outbound investment. Investments are becoming more concentrated in certain sectors while also targeting new destinations. Expanded export controls on Chinese industry are also motivating some targeted industries to expand or move production abroad. Rhodium Group research finds that China’s investment in Europe and the UK dropped to its lowest levels since 2010 and became even more heavily concentrated in the EV supply chain.³³

Over the second half of 2023, China developed several initiatives to bring back foreign investment. At the end of June, new pilot programs for six of China’s 21 free trade zones and ports were announced, with the goal of reducing trade barriers and streamlining customs procedures.³⁴ In August of 2023, the State Council released a 24-point plan to help boost inbound FDI. These measures were largely devised to restore foreign business confidence, which, after three years of the zero-COVID policy and deteriorating macroeconomic and geopolitical conditions, had reached a new low.³⁵ In November 2023, the State Council separately released a “23 Tasks” plan to boost Beijing’s services sectors, followed in December by pledges at the Central Economic Work Conference to boost foreign investment in sectors including telecommunications and medical services in 2024. Promises include several pro-market reforms such as reducing the scope of the Negative List that outlines restrictions on foreign investment in some sectors,³⁶ lifting ownership caps, and increasing opportunities for foreign private companies to participate in government procurement processes. However, the proposed reforms only apply to certain sectors, and their implementation has been limited so far. In addition, other factors, like evolving data security regulations and the lack of substantive financial system reform, continued to dampen investor sentiment toward the Chinese market.

While these reforms will increase opportunities for foreign firms, China’s application of the Anti-Espionage Law became increasingly unpredictable in 2023. State- directed raids, threats, and intimidation of foreign businesses—particularly consulting and due diligence companies—undermine efforts to preference market forces and level the playing field for foreign investors. Under the new law, bureaucratic processing times and red tape for investment approval and market research have also increased.

In 2024, foreign-invested enterprises in China are waiting to see action on promised reforms outlined at the Central   Economic   Work   Conference   and the implementation of a new data security policy. However, reforms directed toward fundamental issues contributing to heightened costs for foreign investors would be a more significant step toward opening direct investment.

Figure 2.14: Annual indicators: Direct investment openness (2023*)

2.6 Portfolio investment openness

Figure 2.16: Composite index: Portfolio investment openness, 2023

Definition and relevance

Portfolio investment openness refers to limited controls on two-way cross-border investment in equities, debt, and other financial instruments. It is a key ingredient for financial market efficiency and market-driven exchange rate adjustments in open market economies.

2023 stocktaking: How does China stack up?

China’s portfolio investment openness saw little change between 2022 and 2023. While there has been moderate improvement since 2010, China lags far behind OECD economies in liberalizing cross-border financial flows. We apply the following annual indicators to benchmark China against open market economies in terms of portfolio investment openness.

Internationalization of debt and equity markets

To measure de facto openness to portfolio investment, we calculate the sum of cross-border debt (government and corporate bonds) assets and liabilities relative to the size of the economy, as well as the sum of cross- border equity (stocks) assets and liabilities relative to the size of the economy. Assets are holdings of foreign securities by residents, and liabilities represent foreign holdings of securities issued by residents. China lags significantly behind the open-economy average in both categories.

Since 2010, China’s cross-border debt assets and liabilities as a share of GDP have increased from 3 percent to a steady 6 to 7 percent since 2020, far behind the OECD average of 83 percent. China’s equity assets and liabilities as a share of GDP have grown even slower. Standing at 8 percent in 2010, China’s share reached 13 percent in 2020 before declining over the past three years to 9 percent in 2023. In 2023, the OECD average rate of equity assets to GDP recovered from a drop in 2022, rising from 86 percent to 93 percent in 2023.

Portfolio investment restrictiveness

For a de jure perspective, we created our own Portfolio Investment Restrictiveness Indicator that captures regulatory restrictions on portfolio investment flows based on the IMF’s AREAER database and our own research. We calculate separate indices for portfolio outflow and inflow restrictiveness, assigning numerical scores based on the implementation of opening or closing measures during a given year. At the time of publication, IMF AREAER data for 2023 is unavailable and 2022 values were used in scoring.

The inward portfolio restrictiveness indicator captures rules that prevent nonresidents from purchasing bonds and equity securities locally and rules that stop residents from selling and issuing bonds and equity securities abroad. The outward portfolio restrictiveness indicator captures rules that prevent residents from purchasing foreign securities and restrictions on nonresidents selling and issuing bonds and equity securities.

Historically, China has tightly restricted short-term foreign capital inflows, allowing a select number of transactions through narrow programs such as the Qualified Foreign Institutional Investor (QFII) scheme.

Since 2010, China’s inbound restrictiveness score has improved from 0 to 2.9 in 2022. However, it trails far behind the OECD average score, which has remained around 9.3 to 9.4 since 2010. Over the past decade, several schemes such as the 2014 and 2016 Shanghai- and Shenzhen-Hong Kong Stock Connects, the 2017 Bond Connect, and the 2020 China Interbank Bond Market Direct, as well as the loosening of certain restrictions, have opened greater access to China’s markets. Yet, investment quotas and inadequate cross- border settlement infrastructure still pose major barriers for foreign investors.

Concerns about the destabilizing effect of large- scale capital outflows guide China’s caution toward liberalizing outward portfolio restrictiveness. In recent years, China has expanded connections with several international exchanges, including the UK, Swiss, and German markets, with the ongoing development of the Shenzhen-London Connect in 2023. However, households remain generally unable to invest in overseas securities, and institutional investors are constrained by special programs, such as the Qualified Domestic Investor Initiative, which is capped by SAFE. As a result, China’s outbound restriction score has only improved from 0 in 2010 to 1.7 in 2022, while the OECD score has remained around 9.5 to 9.6 since 2010.

Composite score

With limited fluctuation in China’s debt and equity assets as a share of GDP and values for investment restrictiveness carried forward from 2022, China’s Portfolio Investment Openness Composite Index score remained at 1.2 in 2023. China’s score in 2010 was zero, representing the lowest level of openness among all sampled countries across all years. The China Pathfinder normalization method captures countries’ progress or regression compared to their performance in prior years. As such, China remains far behind all other countries, with the OECD average standing at seven in 2023, but has shown a very modest improvement over the past decade.

China exercises a level of control over its capital account that is distinct from open market economies. We have seen large improvements in the ability of foreigners to access and participate in China’s markets relative to 2010 through investment programs such as the QFII, stock and bond connects, and through the raising of quotas for several programs and easing of restrictions (such as reducing the number of industries restricted from listing stocks on the Negative List for foreign investment). However, the de facto indicators of debt and equity asset and liability levels also capture fluctuations with discrete impacts from policy changes, such as market sentiment, macroeconomic dynamics, and other business environment factors, such as tax optimization and financial system designs.

We noted in 2022 how these factors impacted portfolio volume as a share of GDP data, with sizable declines for both China and OECD economies compared to 2021. In 2023, all open economies sampled showed an improvement in their scores. The average OECD score showed a slight recovery, rising from 6.9 to 7, but has  still  not  reached  2020–21  levels.  Since  2010,  the scores of all economies sampled, except the UK, have improved. The UK’s score decline is primarily driven by a dropping ratio of debt securities to GDP. On the other hand, Canada and Japan have improved market access the most, both showing significant growth in shares of debt and equity positions to GDP since 2010.

While our benchmark indicators capture major movements in China’s reform progress and allow for a standardized comparison with open market economies, we undergo a qualitative assessment of China’s policy reforms in the section below to provide greater context to China’s progress in 2023. Supplemental indicators relevant to portfolio investment openness are presented in Figure 2.18.

A year in review: China’s 2023 portfolio investment policies and developments

As part of efforts to boost economic growth in 2023, Beijing rolled out several measures that marginally opened capital markets at the beginning of the year. These steps were followed by substantial government intervention to artificially shape supply, demand, and prices in the second half of the year. State interventions sought to regulate the effects of heavy portfolio capital outflow pressures brought about by a yawning interest rate gap with the United States and other market economies and the abysmal performance of China’s stock market in 2023, the worst of major stock markets globally.

In the earlier half of the year, prior to the stock market downturn, there was marginal progress in opening portfolio investment markets in some areas. The Shenzhen and London exchanges took additional steps toward establishing the Shenzhen-London Connect, which will improve capital market connectivity. The China Securities Regulatory Commission (CSRC) also softened restrictions on the offshore listing of Chinese companies with variable interest entity structures, and a new registration-based IPO system will allow investors opportunities to invest in a wider range of companies.³⁷

In the second half of the year, government-guided security   purchases   aimed   to   stabilize   markets and assuage investor confidence as stock market performance took a steep downturn. China’s Central Huijin Investment fund purchased exchange-traded funds in October, and the China Reform Holdings Corp (another state-owned strategic investor) purchased tech-focused index funds in December. Meanwhile, the government allowed social platforms such as WeChat to direct retail investors to the stock market. Government-backed funding vehicles also acquired “golden share” stakes in Alibaba and Tencent’s local operations, allowing more government oversight of company decisions. In January, CAC was reported to have taken a 1 percent stake in an Alibaba digital media subsidiary in Guangzhou.³⁸

To regulate supply, the government raised barriers for new public offerings and introduced restrictions on trading, aiming to reduce supply volatility. The CSRC slowed the pace of IPOs and tightened restrictions on refinancing activities for underperforming listed firms. The CSRC also tightened rules on share sales by large shareholders of listed firms and increased scrutiny of program trading, later banning mutual fund managers from selling more shares than they bought daily.

China’s response to portfolio investment troubles also contained some marginal market opening. To reduce transaction costs, China halved the stamp duty on stock trading and reduced transaction handling fees submitted by brokers to the exchanges. Chinese stock exchanges also lowered margin requirements to boost investor financing.

Figure 2.17: Annual indicators: Portfolio investment openness (2023*)

Chapter 3: Conclusions and implications

The challenge to reform in China has always been its real and perceived costs. China’s policymakers and economic experts have long understood the need for economic reforms; the key question has been whether policymakers and leaders would accept and incur the consequences of short-term growth, unproductive state-owned firms, and other interests. Whether in the marquee 2013 Third Plenum reform program, the supply side capacity reduction push in 2015–16, or the financial de-risking program that peaked in 2018,³⁹ previous reform pushes aimed to alter economic principles in China. All involved facts of ceding economic leadership to the private sector, embracing foreign investment and competition, and resolving longstanding questions of fiscal capacity and domestic demand, accepting short- term disruption for long-term viability. Instead, in 2023— as since 2013—policymakers retreated when faced with costs and constraints. Increasing geostrategic competition with the United States and Europe, increasing state direction of investment, and surging support for priority sectors instead took priority. These dynamics presaged what emerged in July 2024—in an overdue meeting from 2013—during the Third Plenum of the CCP.

Stalled reform, however, does not imply that China made no progress, whether in 2023 or since 2020 when the China Pathfinder Project was launched. But these small improvements come with major caveats, and the China Pathfinder results thus point to ongoing friction between the OECD and China in the coming years.

Main findings from China Pathfinder 2024

In 2023, China’s policy reforms stalled, while OECD scores came under pressure. On net and pulling together the findings from our detailed benchmark assessment of six clusters, we make the following observations.

Beijing continued to emphasize SOEs, even as it demanded more from the private sector to meet industrial policy goals: The dominance of state firms in China’s economy continued to grow in 2023. Given China’s ambitious technological goals and urgent fiscal crisis, analysts might have predicted policy to reduce SOEs’ throw weight and empower private sector innovation. Even some targeted asset privatization might have been reasonable, generating much-needed revenue at the cost of local protectionism. Instead, the weighted average of state ownership among top firms across sectors continued to grow, reaching 65 percent; it continues to surpass 2010 levels. State ownership in China’s top financial institutions also remained above 60 percent. Several policies increased state support for SOEs in 2023. Beijing granted new tranches of LGFV stimulus in 2023 and relaxed regulations on public offerings for listing SOEs. At the same time, there were few signs of action on promised private sector reform in 2023. High-level policy directives to stimulate domestic investment in innovation, manufacturing sectors, and industrial development are calling on the private sector to take on more funding responsibility. The private sector has responded; in 2023, its stated share of R&D spending in China reached its highest rate since 2020. But it is unclear what else the government can practically, and effectively, do to fund additional innovation. Government funding is constrained, and inbound VC and FDI are deteriorating. Increasing funding for SOEs without meaningful structural reform to address existing debt troubles will expand moral hazard and pose risks to capital productivity.

Surging goods trade numbers highlight overcapacity, while services trade suffers from the impact of geostrategic and security policies: China’s exports from certain sectors increased dramatically in 2023 as overcapacity industries offloaded products elsewhere to compensate for low domestic demand. These overcapacity issues are likely to get worse. But as concerning as overcapacity is for the OECD, security and geostrategic policies in 2023 had a more dramatic impact on China’s trade openness, especially in services.

China’s 2023 exports of commercial and transport services declined by $43 billion and $59 billion, respectively, and heightened regulatory barriers restricted market access. The drop reflects the extended crackdown on technology firms, as well as data and cybersecurity restrictions that worried foreign companies. Consequently, China’s digital services trade openness score dropped below its 2010 level. That Beijing chose to reinforce security over increased services trade highlights how economic policymakers were unable to convince high-level leaders of the need (and benefits of) services engagement. Lingering effects from COVID-19 lockdowns in 2023 explain some of the decline in China’s services trade, but Beijing’s focus on security—and unwillingness to accept trade- offs between digital growth and digital control—resulted in intervention in other areas of the economy.

Innovation ratings declined in the OECD: In 2023, innovation scores across most of the OECD decreased, while China’s score showed little change from 2022. Both developments reflect financial constraints: all countries suffered from the global VC slowdown in 2023, as seen in decreased indicator scores, and high interest rates hampered access to debt financing. Funding for innovation remained a top priority for the Chinese government in 2023, and government funding did attempt to spur development during the year. However, fiscal constraints in 2023 and increased spending on areas key to social stability threaten China’s ability to subsidize and finance innovative industries and strategic sectors. Local governments are tasked with greater funding responsibilities amid a lack of substantive financial system reform to improve debt positions. Yet China was not alone, and many OECD countries also saw declines in patent output and IP attractiveness. Rising barriers to investment and trade constrain access to critical inputs, market scale, and international research collaborations, which are necessary for both Chinese and OCED economies to grow or maintain a robust innovation ecosystem.

Looking back at four years of systemic change

After four years of analysis, we can see that 2023 was not exceptional. While both China and OECD progress during the four-year period was mixed, China’s challenges during the China Pathfinder period were consistent, and structural, as certain reforms remained off the table. Based on this report and previous China Pathfinder editions, we make the following observations about China’s progress, and the challenges of interpreting data during the period.

China has shown improvement in several areas since 2020: China’s financial system reforms have expanded market depth and access along several dimensions, even as shortcomings remain. In 2022, China scored the lowest out of all sampled economies on the Financial System Development Composite Index indicator. In 2023, however, China stands ahead of Italy and Spain. Most of this movement is due to the Chinese government’s deleveraging policies in the wake of the property sector collapse, which have improved China’s credit efficiency. But significant problems remain. Despite government efforts to support stock exchange through the creation of bond and stock connect programs and the easing of restrictions on stock market access, China’s stock market continues to falter, incurring losses upwards of $6 trillion since 2021.⁴⁰ State ownership in China’s financial system, and the absence of more significant structural reforms to improve local government debt, hold China back from closing the gap with our broader sample of OECD markets. China has also improved the prioritization of innovation funding and diversity of funding sources in its economy. Since 2020, China’s score for R&D spending as a share of GDP has risen to almost meet the OECD average, bolstered by strong prioritization of R&D for central and local government funding. Diverse government funding vehicles outside of traditional grants and tax incentives provide alternative avenues to finance China’s innovation ecosystem. Private funding for innovation has also remained well above the OECD average since 2010, and China’s score has grown at a faster rate than the OECD’s through 2023. Reinvestment of profits is the largest source of R&D funding for commercial actors by value, and as China’s fiscal space becomes more constrained, commercial actors are being called on to take a greater role in R&D funding. These actors are subject to state influence as Beijing attempts to ensure that spending is directed toward government priorities. China’s performance on the Direct Investment Openness Composite Index has also shown slow but consistent improvement, though it still trails the OECD average. A gradual easing of China’s heavily restricted FDI inflows and outflows in certain sectors has improved China’s scores on FDI restrictiveness indicators.

But a lack of system-wide structural financial system reform constrains China’s ability and willingness to reform in other areas: China’s financial system has opened since 2010, and its composite benchmark score increased moderately in 2023 as credit allocation improved. Yet even China’s improved score is still lower than it was in 2020 and remains lower than all countries in our sample other than Italy and Spain. These subcomponents of China’s scores since 2020 tell the story. While their scores are higher than in 2010, financial market access and our direct financing ratio benchmarks have all decreased since 2020, reflecting deep-seated constraints on depth and efficiency of the financial system. This has impacts well beyond the financial system. A distorted financial system will continue to struggle to stimulate domestic consumption, and preferential credit will make it harder for private and foreign firms to compete. Despite its side effects, domestic credit will continue to power investment in China’s economy. Innovation goals will be more difficult to accomplish if R&D and start-up activity cannot be effectively financed. Portfolio and direct investment could fill some of this gap. But while our scoring of, for example, China’s portfolio investment openness has improved marginally since 2020, it remains far below that of all other countries in the sample (at 1.2 points compared to the next-lowest scorer, South Korea, at 5.9 points). China’s VC investment score (in the innovation cluster) did not improve significantly during the China Pathfinder study period. The absence of deep and liquid financial markets and constraints on government funding will be bottlenecks to funding a rich innovation ecosystem that allows Chinese firms to remain at the forefront of technological innovation.

The COVID-19 pandemic affected our benchmarking between 2020 and 2024 and continues to affect economic analysis today: The scores we track reflect the challenge of interpreting economic data in the wake of the COVID-19 pandemic. The first China Pathfinder report was launched in 2020, at the height of the pandemic, as markets and government policy scrambled to respond. While 2010 data provides a comparative baseline for our market sample, COVID-19 dynamics mean that the changes in scores we have observed since 2020 may be temporary adjustments enduring movements toward or away from market norms, making it harder to conclusively determine reform patterns in China and the OECD. One-off COVID effects have impacted several scores in these reports; for example, supply chain disruptions may have suppressed China’s FDI stock performance in 2021–22 and affected services trade in countries with large tourism and transport sectors. There are special challenges in disaggregating the impact of COVID-19 on China’s performance. In the years prior to the pandemic, China’s economic growth began to slow, the expansion of domestic credit began to cool, and China entered a trade war with the United States. Shortly after the onset of the pandemic, China’s property market downturn sent shockwaves through a destabilized system. Retrenchment toward familiar tools of state intervention in response to these sources of economic instability can thus be difficult to attribute to discrete pandemic effects. It may instead represent the strengthening of a persistent structural feature. However, policies such as zero-COVID are examples where China’s pandemic response may obscure longer- term trends in the prioritization of state versus market forces.

Geo-fragmentation and backsliding impact OECD scores: China isn’t the only economy backsliding on reform. OECD countries are also relapsing as trade barriers, nearshoring, and the securitization of economic interactions grow. The OECD average for both inbound and outbound investment restrictiveness has dropped below 2010 levels as of 2022, the most recent year surveyed, and digital services trade restrictiveness has remained below the 2010 benchmark for several years despite slow improvement. Restrictions on flows of investment and people, alongside supply chain fragility under geopolitical tensions, create challenges for international research exchange and access to inputs needed for cutting-edge science and technology development. In 2023, the OECD’s patent score dropped back to 2010 levels.

Beyond the framework

Beyond its quantitative results, the China Pathfinder Project has important implications for how analysts should approach China’s economy and system. In light of our past four years of work, three principles bear special mention:

First, as noted in Chapter 1, the way the world looks at China has changed radically since China Pathfinder began. Rather than assuming that China has joined (or is soon to join) the club of developed markets, global investors in 2024 now analyze China with the same principles and caution they deploy for analyzing other emerging market countries. Between equity and property assets, China has lost $15 trillion in value since 2021; for global investors, such losses require them to question whether China is even baseline investable. Answering that question requires sufficient quantitative data, as does a broader analysis of China’s economic performance, like the China Pathfinder Project. The challenges we faced with data availability, reliability, and continuity illustrate the challenges faced by any analyst of China’s economy at the aggregate level. We are not alone in our quest for reliable metrics, whether from China—where data series have been retired, rebased, or arbitrarily suppressed—or from international organizations, which face publication delays and their own priority shifts that may orphan critical data streams without notice. International investors have many reasons to worry about China’s markets, including period crackdowns on private firms, increasing geopolitical tension, and reform promise fatigue. Data unreliability is yet another plausible justification for pulling back on investment in China. Just as some analysts have turned to anecdata or qualitative approaches, in the future, any attempt to quantitatively engage with China will require muddling through.

Second, statistical data access is not the only constraint on independent researchers conducting studies like this one. Since 2020, the ability to do firsthand research and meetings has been dampened by a perfect storm of factors, including pandemic travel restrictions, pressure on Chinese officials not to interact with foreigners, and a chilling effect on economists and due diligence professionals who might otherwise publicly criticize authorities. This has damaged the overall degree of transparency and free flow of information that serves as a critical input to our framework and hampers interpretation.

Third, the China Pathfinder Project takes a targeted— but potentially too narrow—view of economic outcomes. The framework evaluates a broad set of indicators covering many facets of market economic systems. However, it does not directly compare the outputs of these systems: growth outcomes and productivity. The latter includes the concept of total factor productivity (TFP), the proportion of potential economic output that cannot be accounted for by factors like a growing labor force or more capital investment. China’s productivity has been declining for several years,⁴¹ and our evidence of partial, stagnating reforms reinforces how policy is prolonging that slowdown. Our evidence would also predict a continued decline. If these dynamics persist in coming years, whatever China’s progress in specific metrics, a wider view of China’s system as compared to other economies might need to integrate analysis of outcomes to fully address the effects of piecemeal reform.

These takeaways present a challenge for future research, but conditions are changing. For starters, despite the severe problems with the quantity and quality of Chinese data, we believe new analytic strategies can deliver answers. Alternative credit data, satellite imagery, and efforts to integrate (and rectify) mirror and partner country data offer creative researchers increasingly valuable tools. There remains a lot of value in quantitative analysis, even with a higher margin of error than we expected, and even if approaches must adapt to new data streams.

A larger takeaway, though, is that serious Chinese economists share these concerns about data, information, and productivity. As hopes of an easy post-COVID recovery have faded, these economists have become more pointed in their critique of current conditions. Academics like Zhang Bin, Huang Yiping, Yu Yongding, and others have correctly asserted the need for credible economic statistics and a clear-eyed assessment of China’s economic conditions. With time and facing as substantial an economic challenge as China currently confronts, there is some reason to hope that objective data from within China and frank discussion of that data will once again be possible in the coming years.

Looking ahead

What does the future hold, based on what we have learned in the China Pathfinder Project? We conclude with a few conjectures about that for business and policymaking. We also offer a look ahead to our research team’s next-generation ambitions, with some lessons learned for analysts.

We predict that today’s observed structural slowdown will be persistent because it is clearly rooted in divergence from market-oriented policy reorientation. In theory, market systems are more efficient than politically controlled economies, enabling them to reach a higher production possibility frontier and potential growth rate. This is also what we observe in practice. China turned toward marketization, and its growth outperformed. It is now steering toward statism, and its growth is underperforming. This trend predates the COVID-19 pandemic and survived it.

Slower macro expansion means businesses will need to fight over market share rather than count on a fast- growing pie to feed all firms. In theory, this should compel competitors to work harder to attract customers, which could drive innovation and productivity. If the government suppresses competition to avoid structural adjustment and instability, this will deplete productivity. The “lie flat” movement—a widespread disinclination to strive due to a sense of low probability of success— can be seen as a reflection of this tendency. Slower domestic growth also increases the marginal pressure to export, invest abroad, and compete for customers overseas in higher-growth opportunity markets. This is a major theme presently and one our framework suggests will become even more salient.

Shifting business expectations for the quantity and quality of China’s macroeconomic growth will also impact the political economy of business-government relations in the West. Less concerned with shielding their China operations from home government policies, firms will shift their lobbying focus from moderating strategic and commercial de-risking to advocating for trade protection, relocation subsidies, innovation incentives, and other benefits.

Political and national security policymakers in market democracies will lift their ambitions in response to this change in business sector positioning. Economic security as a subfield of economic policymaking, including industrial policy, will continue its nascent rise in importance as a result of the competitive risks and opportunities of a bifurcating global supply chain landscape. Financial officials will be greatly concerned about the risks of crises and financial spillovers due to shifting economic flows, stranded assets, and changing assumptions about supply and demand.

This is just a rough initial sketch of some of the likely repercussions of an extended slowdown of China’s economy. Whether China’s “socialist market economy” model ceases to be emulated around the world is another huge question, as is whether the liberal market approach is the default to which attention returns. The seal has been broken on industrial policy in the West, and this is likely to persist.

Another policy-level question is at the international organization level. Institutions including the IMF, the WTO, the World Bank, and even the industrialized- democracies-centered OECD largely accepted China’s variant of the economy and lauded it for its developmental achievements over the past two decades. Even today, these organizations are over- cautious about critizing China’s official economic performance narrative. Institutionally, they view their remit as challenging member data, even if staff views often differ from leadership. How these organizations function in a world focused on bifurcation and de- risking is unclear.

China Pathfinder: The next generation

Our annual and quarterly China Pathfinder reports have been read worldwide: the website is most used by users from the United States, but the second-most users are from China itself, followed by Germany, France, and the UK. As discussed at length above, a methodology dependent on official Chinese data has grown harder to employ, but the demand for an integrated perspective on China’s economy has never been higher. Thus, we intend to continue our research partnership with modifications.

As of this writing, a variety of next-generation strategies are under discussion. The principles we will carry forward are clear, though: 1) policymakers and business decision- makers are the primary audience; 2) readers find the most value in assessment of specific, real economy outcomes; 3) our decade of quantitative databasing is foundational; 4) we must maintain a systemic analysis which takes stock of political and security factors; and 5) our outputs should speak to the most pressing, current topics, rather than perennial debates. On what is topical, discussions about overcapacity, diversification, growth slowdown, and barriers to cross-border capital, information, and technology flows are illustrative.

We intend to focus less on cataloging China’s policy aspirations and more on performance outcomes. We intend to evaluate performance less with official data at the core and more based on alternative proxies that are less prone to delay and politicization. We intend to maintain objectivity and quantification while putting more weight on independent measures of economic activity at risk outside China as a function of non- market norms and interventions in China. Finally, we will continue to critique excessively protectionist policies unreasonably justified as necessary to respond to China.

Parting words

The China Pathfinder Project illustrates China’s relative progress on reform: China’s economic system looks much different than it did in 2010, even as it continues to diverge from market norms. Despite China’s stagnation or backsliding in several of the areas China Pathfinder evaluates, there is still room—and need—for managed, constructive economic engagement between China and the rest of the world. While market economies seek to de-risk from China where necessary, trade and investment in other sectors still offer mutual benefits. The global commons also presents China and the OECD with challenges that we must manage together as effectively as possible. If nothing else, China Pathfinder shows the importance of economic and policy choices. China’s past reform choices do not prevent its leaders from making different ones that can further benefit China’s growth and its people. We encourage fellow researchers in China and elsewhere to take a broad, long-term view of economic reform and all readers of China Pathfinder to engage with us on how our work can be more valuable and impactful.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

About China Pathfinder

Mission

China Pathfinder is a joint initiative from the Atlantic Council’s GeoEconomics Center and Rhodium Group that measures China’s economic system relative to advanced market economy systems. Few people, even within the circle of China experts, seem to agree about the country’s economic system, where it is headed, or what that means for the world. This initiative aims to shed light on whether the Chinese economic system is converging with or diverging from open market economies. Over the course of two decades, China has risen from the world’s sixth-largest economy, with a gross domestic product (GDP) of $1.2 trillion in 2000, to the second largest, boasting a GDP of $17.95 trillion in 2022. China now intersects with the interests of all nations, businesses, and individuals. With China’s past and future systemic choices impacting the world in both positive and negative ways, it is essential to understand its global footprint. The hope is that China Pathfinder’s approach and findings can fill in some of the missing puzzle pieces in this ongoing debate—and, in turn, inform policymakers and business leaders seeking to understand China.

Partners

The Atlantic Council is a nonpartisan organization that galvanizes US leadership and engagement worldwide, in partnership with allies and partners, to shape solutions to global challenges. By informing its network of global leaders, the Atlantic Council provides an essential forum for navigating the economic and political changes defining the twenty-first century. The Atlantic Council shapes policy choices and strategies to create a more free, secure, and prosperous world through the papers it publishes and the ideas it generates.

Rhodium Group is a leading independent research provider. Rhodium Group has one of the largest China research teams in the private sector, with a consistent track record of producing insightful and path-breaking analysis. Rhodium China provides research, data, and analytics to the private and public sectors that help clients understand and anticipate changes in China’s macroeconomy, politics, financial and investment environment, and international interactions.

Authors

This report was produced by Rhodium Group’s China team in collaboration with the Atlantic Council’s GeoEconomics Center. The principal contributors on Rhodium’s team were Daniel H. Rosen, Matthew Mingey, Charles Austin Jordan, and Laura Gormley. The principal contributors from the Atlantic Council’s GeoEconomics Center were Josh Lipsky, Jeremy Mark, Sophia Busch, and Benjamin Lenain.

Acknowledgments

The authors wish   to   acknowledge   a   superb   set of colleagues and fellow analysts who helped us strengthen the study in group review sessions and individual consultations. These individuals took the time, in their private capacity, to critique the indicators and analysis in draft form; offer suggestions, warnings, and advice; and help us to ensure that this initiative makes a meaningful contribution to public debate.

The authors also wish to acknowledge the members of the China Pathfinder Advisory Council: Steven Denning, Gary Rieschel, and Jack Wadsworth, whose partnership has made this project possible.

This report is written and published in accordance with the Atlantic Council’s intellectual independence policy. The authors are solely responsible for its analysis and recommendations. The Atlantic Council, Rhodium Group, and its donors do not determine, nor do they necessarily endorse or advocate for, any of this report’s conclusions. This report is published in conjunction with an interactive data visualization toolkit, at http://chinapathfinder.org/. Future quarterly and annual updates to the China Pathfinder Project will be published on the website listed.

The post End of the line: The cost of faltering reforms appeared first on Atlantic Council.

This report offers an agenda for common US-EU action to meet today’s challenges and set a productive vision for transatlantic relations for years to come. It identifies the issues policymakers must tackle and presents actionable recommendations for the next US administration and European Commission. The topics are varied, highlighting the breadth and depth of the US-EU relationship.

The analysis and recommendations are nonpartisan, but they are driven by the Atlantic Council’s conviction that we are stronger together. From technology policy to the green energy transition and support for Ukraine, Washington and Brussels both benefit when they collaborate.

James Batchik served as the rapporteur and editor of this report. Stuart Jones and Jacopo Pastorelli also contributed to the report.

The Europe Center promotes leadership, strategies, and analysis to ensure a strong, ambitious, and forward-looking transatlantic relationship.

Learn more

The post Transatlantic horizons: A collaborative US-EU policy agenda for 2025 and beyond appeared first on Atlantic Council.

The bottom line

Ever since Edward Snowden revealed details on the US National Security Agency (NSA) covertly collecting Europeans’ electronic communications, companies have contended with deep uncertainty over whether they may continue to transfer personal data from Europe to the United States. Washington and Brussels, in their efforts to resolve a long-running dispute with major commercial consequences, have vacillated between data war and peace. A true settlement should be the focus of the next administrations in the United States and the European Union (EU), or the conflict could flare again. For the time being, a fragile truce prevails.

Commercial data transfers from the EU to the United States

State of play

As a direct result of the Snowden revelations, the Luxembourg-based Court of Justice of the EU (CJEU) twice invalidated EU-US international arrangements designed to ensure transatlantic data transfers consistent with EU privacy law. In 2015, the EU-US Safe Harbor Framework was struck down by the court, and in 2020, a successor arrangement, the Privacy Shield, met the same fate.

A third transfer arrangement, the EU-US Data Privacy Framework (DPF), concluded in 2023, put significant additional safeguards in place for Europeans’ personal data. Another legal challenge was immediately filed at the CJEU, this one by Philippe Latombe, a French parliamentarian. The court quickly denied Latombe’s request for a temporary injunction to suspend the application of the DPF. Final disposition of the case remains pending, though many commentators believe it ultimately will fail for procedural reasons.

A greater litigation threat looms, however. The European privacy advocacy organization NOYB —short for None of Your Business—headed by Austrian privacy activist Max Schrems, issued a statement last year suggesting that it also was considering a judicial challenge. There are recent signs that it could be close to doing so. Austria has just implemented a new EU directive enabling consumer protection organizations to file suits for collective redress—a European equivalent to US-style class action lawsuits. NOYB may avail itself of this new remedy in an Austrian court in an effort to block the DPF. A referral to the CJEU could follow quickly, setting the stage for a decisive legal determination by the judges in Luxembourg in the next year or two.

Looking ahead

For the time being, there is little for European Commission and US officials to do other than to jointly ensure that the DPF’s safeguards are being rigorously applied and to sharpen their arguments for the EU legal challenge. The DPF’s prospects before the CJEU are mixed. US observers tend to be impressed by the creativity and seriousness of the reforms that the US government has put in place. However, some European counterparts are more skeptical, pointing out remaining areas where the US steps still may fall short of strict CJEU fundamental rights requirements.

If the DPF, like its predecessors, were to be struck down, a new US administration—Democratic or Republican—might well hesitate whether to go back to the negotiating table with the European Commission for a fourth time. Adding even more US legal safeguards to protect Europeans’ personal data would likely require enactment of a US statute—a doubtful proposition in a new Congress—and could run up against US constitutional constraints.

A Trump administration could well conclude that enough is enough—that instead, it is time to fight back against endless European threats to transatlantic data flows. The Heritage Foundation‘s Project 2025 report, which was written by the former president’s allies though he has distanced himself from it, already has called for a skeptical review of the DPF safeguards and has mooted the possibility of curtailing US intelligence sharing with European governments if commercial data sharing is interrupted. Such an approach would once again vault data transfers into the first rank of transatlantic economic conflict.

Law enforcement data transfers

State of play

The NSA is not the only US challenge the EU sees to its digital sovereignty. Running a close second is the CLOUD Act, a 2018 US law. It empowers US law enforcement to demand that US cloud service providers turn over personal data companies host on foreign servers, including those located in Europe. Although several EU countries, including Belgium, give their prosecutors similar extraterritorial criminal evidentiary powers, the CLOUD Act has been heavily criticized in Europe.

However, the CLOUD Act also offers foreign governments an olive branch to accompany its unilateral offensive provisions. It authorizes the US Department of Justice (DOJ) to negotiate binding international agreements establishing the terms and limits under which each may directly seek electronic evidence from communications service providers. The United States has already reached such agreements with the United Kingdom and Australia, and negotiations with other Five Eyes nations are underway.

For the past five years, the DOJ and the European Commission also have been negotiating a CLOUD Act agreement. The talks paused for several years while the EU finalized its own counterpart legislation, the E-Evidence Regulation, but resumed actively last year. Progress has been slow and difficult. But in June, senior EU and US home affairs and justice officials issued an optimistic joint statement welcoming “further progress” in the negotiations and looking forward to “advancing and completing” them.

Policy recommendations

Now that an agreement appears to be within reach, negotiators should redouble their efforts to finalize the text—or at least come to a political agreement in principle— by the end of this year, before changes in leadership on both sides. Although transatlantic law enforcement negotiations historically have been largely nonpartisan in nature, a Trump administration DOJ might nonetheless question whether to continue negotiations with the EU.

Completing the CLOUD Act agreement would neutralize EU sensitivities over judicial sovereignty in a way comparable to how the DPF has quieted concerns over US foreign surveillance activities in Europe. The two, taken together, would bring an important measure of data peace to transatlantic digital relations.

National security limits to data transfers

State of play

After four decades of propounding unrestricted international commercial data flows, in late 2023, the United States made a course correction—opting to control certain data exports to China, Russia, and other “foreign adversaries” for national security reasons. The new approach is reflected in both legislation and an executive order. The measures will subject a range of data flows to these countries to either outright bans or export controls through a regime akin to what is in place for goods.

The United States similarly reversed course in a World Trade Organization (WTO) negotiation intended to liberalize services trade, the Joint Statement Initiative on Electronic Commerce (JSI). Last fall, the Office of the US Trade Representative unexpectedly withdrew its proposal that the prospective agreement guarantee the free flow of data across borders. The final text of the JSI, announced in July, not only lacks such an obligation, it also allows parties essentially unlimited scope to restrict data flows for data protection reasons, as the EU had sought.

Most notably, the United States singled out its view that the essential security exception is inadequate as a reason for deciding not to join the JSI agreement. That provision simply refers to the essential security exception in the existing General Agreement on Trade and Tariffs (GATT) and the General Agreement on Trade in Services (GATS). Although the United States traditionally had taken a broad view of the GATT/GATS provisions, it now appears to believe that its new national security data controls might not pass WTO muster. Thus, the United States has come full circle on digital trade—from being a principal proponent of free data flows to an opponent of a traditional multilateral limitation on its ability to restrict them for security reasons.

The new US multilateral posture on data transfers reflects a degree of convergence between Washington and Brussels on the proper extent to which data protection may be invoked as a limitation, no doubt to Brussels’ satisfaction. The European Commission has acknowledged some puzzlement, however, over why the United States is no longer content with the WTO’s historic national security exception.

Looking ahead

Neither a Democratic nor a Republican US administration is likely to alter the new approach emphasizing national security considerations in data flows to certain adversary countries.

Although Europe is not, of course, the home of “foreign adversary” countries, the new US policy could eventually pose problems there if Washington were to pressure European governments to adopt similar measures. Alternatively, the United States could seek to directly shut down data transfers from European companies to China and Russia analogous to how it has employed secondary sanctions in the financial realm.

Such steps could pose dilemmas in Europe. The EU, as an institution, largely lacks meaningful authority over export controls, which are reserved to member states, as are national security measures. Individual member states would struggle to develop coherent responses to such potential US pressure.

The United States and the EU have come far toward settling on safeguards accompanying access to personal data by their national security and law enforcement authorities, but definitive resolution in both areas still awaits. In the meantime, new concerns over foreign adversaries’ access to data have emerged, also calling for transatlantic coordination.

Kenneth Propp is a nonresident senior fellow at the Atlantic Council’s Europe Center. He teaches EU law at Georgetown University Law Center and is a former legal counselor to the US Mission to the European Union in Brussels.

Report Oct 7, 2024

Looking ahead to the next chapter of US-EU digital collaboration

By Frances Burwell

There are opportunities for further transatlantic collaboration, especially in addressing emerging technologies and the risks both sides face from bad actors in the digital sphere.

Digital Policy Economy & Business

Report Oct 7, 2024

Reenergizing transatlantic trade dynamics over the coming years

By Erik Brattberg

Instead of bickering over tariffs or pursuing protectionist regulations, policymakers should take practical steps to upgrade the US-EU economic relationship for a more geopolitically challenging era.

Economy & Business European Union

Report Oct 7, 2024

Closing the gap between Mars and Venus on trade

By L. Daniel Mullaney

It will be more critical than ever that the United States and the European Union coordinate their approaches to international trade across a wide range of issues.

Economy & Business European Union

The Europe Center promotes leadership, strategies, and analysis to ensure a strong, ambitious, and forward-looking transatlantic relationship.

Learn more

The post Navigating between data war and peace appeared first on Atlantic Council.

The bottom line

In the past four years, during Ursula von der Leyen’s first term as European Commission president and Joe Biden’s time as US president, there has been a strong convergence across the Atlantic in the governmental approach to digital and technology-related issues. However, the transatlantic agenda for the coming years remains unclear and will depend on the impact of the debate over competitiveness now emerging in Europe and the outcome of the US election in November. There are opportunities for further collaboration, especially in addressing emerging technologies and the risks both sides face from bad actors in the digital sphere. Whether this will be an effort driven by the European Union (EU) or one in which the United States is an equal partner is not yet certain.

State of play

Von der Leyen entered office in late 2019 with a strong focus on digital policy. Despite the pressures of the COVID-19 pandemic and Russia’s full-scale invasion of Ukraine, the European Commission put forward a tsunami of legislation, most of which has now passed, including the Digital Markets Act, Digital Services Act (DSA), Data Governance Act, Data Act, Cyber Resilience Act, and the Artificial Intelligence Act. While there is a growing debate about the impact of such extensive regulation on European innovation, as discussed in former President of the European Central Bank Mario Draghi’s recent report on competitiveness, there are few indications of any back-tracking on these new laws.

In contrast, the Biden administration entered office without strong ambitions in this area, although the president had expressed some concerns about the impact of social media on the electorate. However, there was a big shift in the administration’s attitude toward artificial intelligence (AI) as that technology developed. Through a series of “blueprints,” voluntary guidelines, and executive orders, the Biden administration has largely adopted the EU’s risk-based approach to AI, at least in its assessment of the dangers and its objectives.

This convergence in tech policy cannot be divorced from the growing transatlantic alignment on China. The Biden administration has emphasized the need for greater oversight and restrictions on transfers of technology and data to that country. The 2023 suspension of US participation in the World Trade Organization’s digital trade efforts and the citing of national security considerations in limiting data flows to “countries of concern,” including China, seem to mark a turning away from the long-held US commitment to open data flows. Moreover, the Protecting Americans’ Data from Foreign Adversaries Act passed as part of a foreign aid package for Ukraine and Israel puts restrictions on data brokers that receive US personal data based on their foreign ownership.

In Europe, there has been a growing caution about Chinese equipment and investments in the communications and high-tech sectors, although the policy is often described as differentiating between trusted and untrusted vendors. Most recently, the EU has opened investigations into China’s subsidization of its electric vehicle (EV) battery and wind turbine industries. Although there are still differences, the last four years have seen a growing transatlantic consensus on the risks posed by China’s anti-competitive behavior and its impact on US and EU autonomy in key technologies.

The strategic imperative

The US-EU digital relationship is one of the strongest and most lucrative in the world—US tech companies earn more in Europe than anywhere else in the world. At the same time, EU rules affect those companies’ operations not only in the European market but often far beyond. The question for US and EU policymakers is how to create a more coherent transatlantic—and perhaps even global—digital marketplace, one where regulation and innovation incentives can be balanced. Can the United States and the EU find enough common ground to achieve that ambition? If they do not cooperate—and perhaps even adopt opposing policy approaches—will companies then face two distinct markets? In that circumstance, will the EU become even more focused on digital sovereignty and restrictive regulations while the United States becomes a relatively less-regulated space? Will companies be forced to choose whether to adhere to strict European regulations or forgo the profitable European market?

Looking ahead

Whether the United States and the EU will succeed in building greater cooperation on digital and tech issues will depend in large part on two factors. First, the EU is engaged in an internal discussion on how to enhance the bloc’s economic competitiveness. A key element of that should be to provide a more business-friendly environment across the economy while encouraging citizens, governments, and businesses to participate in the digital transition and provide the protections they expect. Competitiveness does not mean no regulation, but rather that compliance with the rules does not create prohibitive burdens, especially for innovative start-ups. Europe also needs to boost its digital engagement and provide its people with the skills needed to flourish in the digital economy. In short, will it be Estonia or France that emerges as the model for how Europe balances regulation and innovation? If Europe comes to believe that the only way it can enhance its competitiveness is by restricting certain markets to European companies, transatlantic cooperation will inevitably become more challenging.

Second, the future of US-EU collaboration will also depend on the outcome of the US presidential election. Although digital and tech policy has figured little in the race to date, there are some clear differences. Vice President Kamala Harris has been deeply engaged in the Biden administration’s approach to AI, and measures such as those in the Biden administration’s executive order on AI are likely to be reinforced in a Harris administration.

The path forward is murkier if former President Donald Trump returns to the White House. He has already said that he would withdraw the Biden administration executive order on AI, a move that would distance the United States from the Group of Seven and others who seek to constrain some uses of AI. While messages from the Trump campaign have been mixed when it comes to the large tech companies, the conservative manifesto Project 2025 has called for the end of the Federal Trade Commission and its anti-trust role, as well as removing environmental and other rules that the project’s authors believe have constrained the growth of technology companies. This position will be received with much skepticism, if not alarm, in Europe. US tech companies are already viewed in Europe as under-regulated, and a relaxation of current US rules is likely to lead Europe to respond by stepping up enforcement of its new digital rules even further. Even if a Trump administration does not roll back existing regulation, all indications are that it will resist any further constraints on tech companies, including measures such as labeling AI-generated content or restricting the distribution of fake videos. Such a stance is unlikely to provide a foundation for greater US-EU cooperation.

For much of the last four years, the EU has been a world leader when it comes to tech regulation, while the United States, in some areas, has not even had a policy in place. Some would argue that the EU’s focus on regulation has hampered corporate innovation and the opportunity for European tech superstar companies to develop. That may be, but in the absence of comparable US regulation, the EU has become the default arbiter of rules that govern the digital economy, including the global behavior of US companies. Unless the United States engages more actively—including putting forward concrete legislative and regulatory proposals—Europe is likely to continue to set the pace, especially on regulating AI and disinformation. And if the United States fails to enact guardrails in the digital sector and instead decides that the digital economy should continue to be lightly regulated, the EU is likely to respond by strengthening enforcement of its own rules, especially against US companies. Consistent and constructive US-EU regulatory engagement, therefore, is an essential component of a transatlantic digital marketplace.

Policy recommendations

The United States and the EU should focus on a few key areas to create a more coherent transatlantic digital marketplace. These do not represent the entire universe of existing digital policy. (One area omitted here is competition policy, which is governed by distinct legal processes in the United States and the EU.) It should also be noted that during the coming years, entirely new areas of digital and tech are likely to emerge as crucial in the transatlantic partnership. Thus, it is important that a mechanism exists that allows for continuous conversations about these matters. During 2021–24, the US-EU Trade and Technology Council (TTC) provided valuable opportunities for consultation and for aligning US and EU approaches. During the next US administration, a revamped TTC or similar mechanism should be available to ensure continued close communication across the Atlantic on these fast-moving issues.

Cybersecurity: During the past few years, the United States and Europe have experienced an increasing number of cyberattacks, although specific numbers are difficult to secure, given that not every victim reports an attack. In 2023, the cost of cybercrime was estimated at $11.5 trillion and is expected to be almost $15 trillion in 2024. Both China and Russia have been identified as facilitating—if not ordering—some of these attacks, demonstrating cyber’s growing role as a key area of hostile state action, in addition to the longtime involvement of criminal enterprises. Coordinating policy toward cyberattacks and developing greater cyber resilience should be a top priority for policymakers. The US-EU Cyber Dialogue has been important in facilitating dialogue about specific attacks and strategies for countering those efforts. Recently, it has also started to address the different US and EU regulatory measures aimed at creating resilience, both in critical infrastructure and in connected devices. Coordination between the United States and the EU will be essential not only in ensuring that consumers are safe but also in building the collaboration required to keep societies secure in the face of a growing onslaught by hostile actors. Some important steps have been taken, but the threat will evolve, and so must the response.

AI and emerging technologies: One of the biggest successes of the TTC was the convergence it inspired on the issue of AI. While the EU led with the AI Act, the Biden administration gradually moved from inaction to establishing voluntary guidelines and then to issuing Executive Order 14110 imposing rules on those seeking to do AI-related business with the US government. The commercialization of ChatGPT happened just as the AI Act was nearing completion, and a few provisions were hastily added in response, especially to ensure that generative AI was treated as high risk. While the United States will probably struggle to pass comprehensive AI legislation, some US states have started to fill the domestic breach by passing their own AI laws. For example, the Colorado law passed in May imposes similar restrictions and responsibilities on AI developers as does the EU AI Act. But there is no denying that AI is a rapidly evolving technology that will require ongoing government review and regulation. Indeed, Microsoft president Brad Smith recently called for more government regulation to combat “abusive AI-generated content.” During the next five years, as AI is integrated into people’s daily lives and as more uses (good and bad) develop, US-EU cooperation in facilitating the productive use of AI while constraining its harmful uses will be essential. As a first step, transatlantic conversations about the implementation of rules for the EU AI Act will determine how compatible US and EU rules will be in practice.

Quantum computing: AI is not the only technology that requires cooperation across the Atlantic. Quantum computing has already been identified by the TTC as the next emerging technology worthy of focus. Given the enhanced power and computing speed that quantum would provide for researchers and AI developers and deployers, for example, there is definite value in the technology. But it also offers those same capabilities to those seeking to hack into critical infrastructure systems or financial or healthcare institutions. Thus, ensuring that quantum capabilities are securely held should be a top transatlantic priority for ongoing tech discussions. On September 5, the US Commerce Department issued rules establishing export controls on certain elements of quantum computing. Although some EU member states were identified as eligible for exemptions from these restrictions, the EU as a whole is not. Discussions on quantum computing are already underway in the TTC, but they are now more urgent so that the United States and the EU can maintain a united front.

Data governance: This topic should also be much higher on the list of US-EU priorities than it has been in the past. To date, this discussion has focused on ensuring the transfer of EU personal data to the United States in the commercial setting in a manner compatible with the EU General Data Protection Regulation. But the recent US decision to begin limiting how US data can be shared and the continuing US-EU negotiation on law enforcement access to electronic evidence make this issue one that is ripe for intensive US-EU discussions, especially as the new Commission will present a European Data Union Strategy. The United States and the EU urgently need to build more consensus in the movement and governance of data.

Online safety and combating disinformation: In the wake of the European Parliament elections—and with the US elections looming—increased attention should be paid to the threat of intentional disinformation, as well as the harms done by online targeting of individuals. AI has escalated this threat, as demonstrated by faked audio recordings released during the Slovak election campaign and the AI-generated fake video of Harris featured on X. While the EU has the DSA and other legislation to rein in illegal and harmful content, the United States has resisted such measures, citing free-speech protections. Once the US elections are over and the impact of online and offline disinformation can be assessed, this should become an important area of collaboration between the two democracies. But there is also great potential for transatlantic tensions in this area, especially since European and US ideas—and laws—on free and prohibited speech can vary. A Trump administration may well view EU attempts at content moderation under the DSA as efforts to censor free speech. Recent communications between then-European Commissioner Thierry Breton and X owner Elon Musk demonstrate the potential for misunderstanding, especially if the focus becomes harmful, rather than illegal, speech. In the future, close consultation will be essential if the US-EU partnership is to be effective in managing real disinformation.

Frances G. Burwell is a distinguished fellow at the Atlantic Council’s Europe Center and a senior director at McLarty Associates.

Report Oct 7, 2024

Leveraging Europe and the EU as a defense power

By Rob Murray

Defense cooperation between the United States and the European Union must solidify the backbone of a resilient transatlantic alliance capable of securing global stability and upholding democratic values.

Defense Industry European Union

Report Oct 7, 2024

Navigating between data war and peace

By Kenneth Propp

A true settlement on transatlantic data flows should be the focus of the next administrations in the United States and the European Union, or the conflict could flare again.

Digital Policy Economy & Business

Report Oct 7, 2024

Reenergizing transatlantic trade dynamics over the coming years

By Erik Brattberg

Instead of bickering over tariffs or pursuing protectionist regulations, policymakers should take practical steps to upgrade the US-EU economic relationship for a more geopolitically challenging era.

Economy & Business European Union

The Europe Center promotes leadership, strategies, and analysis to ensure a strong, ambitious, and forward-looking transatlantic relationship.

Learn more

The post Looking ahead to the next chapter of US-EU digital collaboration appeared first on Atlantic Council.

As Europe and the United States navigate leadership change and turnover on both sides of the Atlantic, the Europe Center’s new report Transatlantic horizons: A collaborative US-EU policy agenda for 2025 and beyond offers a productive vision for transatlantic relations with forward-looking policy recommendations for the next US administration and European Commission

On this special edition of the #AtlanticDebrief, Europe Center Nonresident Senior Fellow Kenneth Propp discusses his section of the report “Navigating between data war and peace” and recommendations for policymakers on both sides of the Atlantic.

Staff

James Batchik

Associate Director

Europe Center

Central Europe Digital Policy

The post #AtlanticDebrief – How can policymakers navigate between data war and peace? | A debrief from Kenneth Propp appeared first on Atlantic Council.

How Washington and Brussels differ

The United States and EU have approached this issue from very different starting points. Unlike the EU, the United States navigated this process more smoothly since the measures were preemptive. The United States had little prior exposure to Chinese BEV imports or US BEV exports to China, making its decisions easier.

In May, the Biden administration announced a swath of tariffs on Chinese products in strategic sectors, including an increase of the tariff rate on Chinese BEVs from 25 percent to 100 percent under Section 301 of the Trade Act of 1974. The administration argued that the Chinese government’s subsidies in that industry contribute to unfair, nonmarket practices that would threaten the US auto industry and American jobs. Canada followed suit a few months later, announcing an increase from a tariff rate of 6.1 percent to 100 percent on Chinese BEV imports. And more recently, in late September, the US Commerce Department proposed rules that would “prohibit the sale or import of connected vehicles that incorporate certain technology and the import of particular components themselves from countries of concern, specifically the People’s Republic of China (PRC) and Russia” due to national security concerns.

While the United States has already moved on from tariffs to the national security issues surrounding connected vehicles, the EU understandably moved at a slower pace. This is due to the differing priorities of its member states, many of which are already significantly exposed to China in this sector. European Commission President Ursula von der Leyen announced the launch of the official European Commission investigation a year ago, stating that the EU’s leadership and innovation in the BEV sector “are being impeded by market distortions and unfair competition” by China. However, the need for approval by member states made the EU’s decision on this issue more fraught, which led to the emergence of two main factions. One group, led by von der Leyen and French President Emmanuel Macron, advocated for strengthening the tariffs to address market distortions. The other, led primarily by German Chancellor Olaf Scholz and supported by the German auto industry, had been Beijing’s ally on the inside, opposing these measures, largely due to enormous overexposure to Chinese markets. Unlike the United States’ situation, the results of the October 4 vote should also not be taken to mean that EU countries supporting the tariffs, such as France and Italy, are entirely against growing their engagement with China on BEVs.

China’s campaign to divide the EU

In recent months, China carried out a campaign aimed at dividing the EU on this issue ahead of the October 4 vote. Beijing ramped up these efforts further after the bloc set its provisional tariff rates in July, which were slightly reduced in August following a comment period. China’s campaign included leader-level outreach from Xi Jinping, as well as talks led by Minister of Commerce Wang Wentao and Minister of Foreign Affairs Wang Yi. Wang Wentao’s EU-level negotiations, combined with efforts from Scholz, showed some initial progress with the postponement of the final vote from September 25 to October 4. This postponement followed Wang Wentao’s meeting with European Commission Executive Vice-President Valdis Dombrovskis on September 19, which gave China a final opportunity to provide an attractive enough deal for the EU to mitigate the tariffs or end the inquiry altogether before the vote. Although the new vote date moved forward as scheduled, the European Commission has left the door open for continued negotiations with China even after the tariffs go into effect at the end of this month.

The most public tactic Beijing wielded was threatening trade retaliation targeting specific EU member states in key EU export sectors, including pork, brandy, and dairy. France, a major exporter of all three, was clearly being targeted as the primary instigator of the tariff policy in Beijing’s eyes. Spain, the key target for pork, flipped its position right after Spanish Prime Minister Pedro Sánchez met with Xi in Beijing on September 9, and it ultimately voted to abstain today, a shift from its informal, nonbinding ‘yes’ vote on July 15. However, other key pork exporters, such as the Netherlands and Denmark, maintained their support for the tariffs. Ireland, a major dairy exporter to China, changed to vote in favor of the tariffs today*, according to a report from Reuters, after abstaining from the previous informal, nonbinding vote in July. Ten other EU countries remained on the fence as well during the nonbinding vote, while only four (Slovakia, Hungary, Cyprus, and Malta) voted against the tariffs. Although Germany initially abstained from the July vote due to domestic pressure and to allow the process to move forward, Scholz wielded executive power to force a no vote for Germany today.

China has also offered carrots in the form of investment opportunities, such as offering to establish electric vehicle manufacturing plants in parts of Europe or forging joint development agreements between European and Chinese automakers. For instance, Beijing offered to invest in Spain’s local manufacturing capacity. Although reportedly delayed until October 2025, Chinese BEV producer Chery Auto plans to establish a manufacturing plant in Barcelona, which could potentially allow the company to circumvent the roughly 21 percent tariff rate it is currently facing. Hungary, which voted against the tariffs, will reportedly have an operational BYD manufacturing plant in 2025. Italy, though it voted in favor of the tariffs, is in talks with Dongfeng and Chery Auto for a manufacturing plant. Poland, which also voted in favor, has likely helped China avoid the tariffs by allowing Leapmotor International, a joint venture between Stellantis and Leapmotor, to begin manufacturing in the country as of this past June. And perhaps most surprisingly, Polestar, which is owned by Geely Holding and Geely-owned Volvo Cars, launched a manufacturing plant in South Carolina this past August, which could allow it to avoid some (though not necessarily all) of the US and EU tariffs.

Looking forward

To the European Commission’s credit, the current tariff episode marks a notable shift in the EU’s readiness to push back against Chinese pressure, especially when compared to past antidumping and subsidy cases involving solar energy and 5G infrastructure. However, the passage of the tariffs does not mark the end of this saga, as Beijing’s push to scale the manufacturing capacity of BEVs in Europe will likely blunt their effectiveness over time and further entrench itself within European markets. Further, even with some Chinese BEV companies such as Geely feeling the full impact of the tariffs, evidence indicates that they are unlikely to be high enough to significantly slow China’s market share gains. Beijing’s efforts, compounded by German efforts to protect the short-term interests of its auto industry, have successfully reduced the severity of the tariffs, allowed for continued opportunities for greenfield investments that could bypass them entirely, and opened the door to a potential negotiated compromise even after the tariffs are imposed, possibly involving a minimum import price or volume cap.

The EU tariffs will not fully block Chinese-made BEVs, and Beijing will likely still have the opportunity to establish a solid foothold on the continent. This is a key distinction between the United States and EU on this issue. Whereas the imposition of tariffs was largely security-driven in the United States, the EU tariffs were fundamentally trade-driven. As a result, Europe will now have to increasingly grapple with the national security impacts of vehicles equipped with cameras and other connected surveillance and software under China’s control. Further, the United States will continue to weigh in by raising data security risks associated with the increasing presence of Chinese BEVs in the EU, underscoring this issue by restricting Chinese-developed software in connected vehicles. Discussions on the security risks associated with connected vehicles, led by the United States, alongside the EU and other allies, are still in their infancy. The first Multinational Meeting to Address Connected Vehicle Risks was only just held in late July.

The United States must remain focused on uniting allies and partners to address challenges posed by China while acknowledging their agency. While Washington should continue to stress that tariffs alone are insufficient to address the broader risks posed by BEVs in the EU, it needs to recognize that the EU has unique interests and must address internal divisions in its own way. The United States also cannot expect allies and partners to blindly follow when its own strategy for derisking its relationship with China remains unclear.

Matt Geraci is an associate director of the Atlantic Council’s Global China Hub.

Correction: A previous version of this article misstated Ireland’s position on the EV tariffs. It voted in favor, according to a report in Reuters.

The post China’s lobbying did not block the EU’s new EV tariffs. But it may yet weaken them. appeared first on Atlantic Council.

The post House and Cryptocurrency Regulation Tracker cited by the World Economic Forum on digital asset regulation appeared first on Atlantic Council.

The post Kumar quoted by Cointelegraph on CBDC legislation and development in the US appeared first on Atlantic Council.

The post Donovan and the Dollar Dominance Monitor cited by The Banker on growing alternatives to Swift and the dollar amid rising geopolitical tensions appeared first on Atlantic Council.

The post Chhangani quoted by Fast Company on the risks of a US strategic bitcoin reserve appeared first on Atlantic Council.

How did this happen? Russia, long opposed to the Council of Europe’s 2001 Budapest Convention on cybercrime, began this process in 2017. Then, in 2019, Russia, along with China, North Korea, Myanmar, Nicaragua, Syria, Cambodia, Venezuela, and Belarus, presented a resolution to develop a global treaty. Despite strong opposition from the United States and European states, the UN General Assembly adopted a resolution in December 2019, by a vote of seventy-nine in favor and sixty against (with thirty abstentions), that officially began the process. Already, it was clear that the member states did not share one vision. Indeed, they could not even agree on a name for the convention until last week. What they ended up with is a mouthful: “Draft United Nations convention against cybercrime: Strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and for the sharing of evidence in electronic form of serious crimes.”

This exceedingly long name reveals one of the biggest problems with this convention: its scope. At its heart, this convention is intended to allow law enforcement from different countries to cooperate to prevent, investigate, and prosecute cybercrime, which costs trillions of dollars globally each year. However, the convention covers much more than the typical cybercrimes that come to mind, such as ransomware, and includes crimes committed using technology, which reflects the different views as to what constitutes cybercrime. As if that were not broad enough, Russia, China, and other states succeeded in pushing for negotiations on an additional protocol that would expand the list of crimes even further. Additionally, under the convention, states parties are to cooperate on “collecting, obtaining, preserving, and sharing of evidence in electronic form of any serious crime”—which in the text is defined as a crime that is punishable by a maximum of four years or more in prison or a “more serious penalty,” such as the death penalty.

In Russia, for example, association with the “international LGBT movement” can lead to extremism charges, such as the crime of displaying “extremist group symbols,” like the rainbow flag. A first conviction carries a penalty of up to fifteen days in detention, but a repeat offense carries a penalty of up to four years. That means a repeat offense would qualify as a “serious crime” under the cybercrime convention and be eligible for assistance from law enforcement in other jurisdictions that may possess electronic evidence relevant to the investigation—including traffic, subscriber, and even content data. Considering how much of modern life is carried out digitally, there will be some kind of electronic evidence for almost every serious crime under any domestic legislation. Even the UN’s own human rights experts cautioned against this broad definition.

Further, under the convention, states parties are obligated to establish laws in their domestic system to “compel” service providers to “collect or record” real-time traffic or content data. Many of the states behind the original drive to establish this convention have long sought this power over private firms. At the same time, states parties are free to adopt laws that keep requests to compel traffic and content data confidential—cloaking these actions in secrecy. Meanwhile, grounds for a country to refuse a cooperation request are limited to instances such as where it would be against that country’s “sovereignty,” security, or other “essential” interest, or if it would be against that country’s own laws. The convention contains a vague caveat that nothing in it should be interpreted as an obligation to cooperate if a country “has substantial grounds” to believe the request is made to prosecute or punish someone for their “sex, race, language, religion, nationality, ethnic origin, or political opinions.”

Russia claimed that such basic safeguards, which do offer some protection in the example regarding LGBT activity as “extremist,” were merely an opportunity for some countries to “abuse” the opportunity to reject cooperation requests. Those safeguards, conversely, could also be abused by the very same states that opposed them. The Iranian delegation, for its part, proposed a vote to delete that provision, as well as all other human rights safeguards and references to gender, on the day the text was adopted. These provisions had already been weakened significantly throughout the negotiation process and only survived thanks to the firm stance taken by Australia, Canada, Colombia, Iceland, the European Union, Mexico, and others that drew a red line and refused to accept any more changes.

The possible negative consequences of this convention are not limited to human rights but can seriously threaten global cybersecurity and national security. The International Chamber of Commerce, a global business organization representing millions of companies, warned during negotiations that “people who have access to or otherwise possess the knowledge and skills necessary” could be forced “to break or circumvent security systems.” Worse, they could even be compelled to disclose “previously unknown vulnerabilities, private encryption keys, or proprietary information like source code.” Microsoft agreed. Its representative, Nemanja Malisevic, added that this treaty will allow “for unauthorized disclosure of sensitive data and classified information to third states” and for “malicious actors” to use a UN treaty to “force individuals with knowledge of how a system functions to reveal proprietary or sensitive information,” which could “expose the critical infrastructure of a state to cyberattacks or lead to the theft of state secrets. Malisevic concluded that this “should terrify us all.”

Similarly, independent media organizations called for states to reject the convention, which the International Press Institute has called a “surveillance treaty.” Civil society organizations including Electronic Frontier Foundation, Access Now, Human Rights Watch, and many others have also long been ringing the alarm bell. They continue to do so as the final version of the convention adopted by the committee has failed to adequately address their concerns.

Given the extent and cross-border nature of cybercrime, it is evident that a global treaty is both necessary and urgent—on that, the international community is in complete agreement. Unfortunately, this treaty, perhaps a product of sunk-cost fallacy thinking or agreed to under duress for fear of an even worse version, does not solve the problems the international community faces. If the UN General Assembly adopts the text and the required forty member states ratify it so that it comes into force, experts are right to warn that governments intent on engaging in surveillance will have the veneer of UN legitimacy stamped on their actions. Rights-respecting states should not allow themselves to be co-opted into assisting abusive practices under the guise of cooperation. Nor should they willingly open the door to weakening their own national security or global cybersecurity.

Lisandra Novo is a staff lawyer for the Strategic Litigation Project at the Atlantic Council specializing in law and technology.

The post The UN finally advances a convention on cybercrime . . . and no one is happy about it appeared first on Atlantic Council.

Kenya is a prime example: In 2007, a local telecommunications provider launched a form of mobile money called M-PESA, which enabled peer-to-peer money transfers between mobile phones and became wildly successful. Within five years, it grew to fifteen million users, with a deposit value approaching almost one billion dollars. To address rising security concerns, in 2013, the Kenyan government implemented a law requiring every citizen to officially register the SIM card (for their cell phone) using a government identification (ID). The measure was enforced swiftly, leading to the freezing of millions of SIM cards. Over ten years later, SIM card ID registration laws have become common across Africa, with over fifty countries adopting such regulations. 

But that is not the end of the story. In parallel, a practice called third-party SIM registration has become rampant, in which cell phone users register their SIM cards using someone else’s ID, such as a friend’s or a family member’s. 

Our recent research at Carnegie Mellon University, based on in-depth user studies in Kenya and Tanzania, found that this phenomenon of third-party SIM registration has both unexpected origins and unintended consequences. Many individuals in those countries face systemic challenges in obtaining a government ID. Moreover, some participants in our study reported having privacy concerns. They felt uncomfortable sharing their ID information with mobile money agents, who could repurpose that information for scams, harassment, or other unintended uses. Other participants felt “frustrated” by a process that was “cumbersome.” As a result, many users prefer to register a SIM card with another person’s ID rather than use or obtain their own ID.

Third-party SIM registration plainly undermines the effectiveness of the public policy and has additional, downstream effects. Telecommunications companies end up collecting “know your customer” information that is not reliable, which can impede law enforcement investigations in the case of misconduct. For example, one of our study subjects shared the story of a friend lending their ID for third-party registration, and later being arrested for the alleged crimes of the actual user of the SIM card. 

A core implication of our research is that the Kenyan government’s goals did not fully take into account the realities of the target population—or the feasibility of the measures that Kenya and Tanzania proposed. In response, people invented their own workarounds, thus potentially introducing new vulnerabilities and avenues for fraud.

Good policy, bad consequences 

Several other case studies demonstrate how even well-intentioned regulations can have unintended consequences and practical problems if they do not appropriately consider security, privacy and usability together. 

• Uganda: Much like our findings in Kenya and Tanzania, a biometric digital identity program in Uganda has considerable unintended consequences. Specifically, it risks excluding fifteen million Ugandans “from accessing essential public services and entitlements” because they do not have access to a national digital identity card there. While the digitization of IDs promises to offer certain security features, it also has potential downsides for data privacy and risks further marginalizing vulnerable groups who are most in need of government services.
  
• Europe: Across the European Union (EU), a landmark privacy law called General Data Protection Regulation (GDPR) has been critical for advancing data protection and has become a benchmark for regulatory standards worldwide. But GDPR’s implementation has had unforeseen effects such as some websites blocking EU users. Recent studies have also highlighted various usability issues that may thwart the desired goals. For example, opting out of data collection through app permissions and setting cookie preferences is an option for users. But this option is often exclusionary and inconvenient, resulting in people categorically waiving their privacy for the sake of convenience.
  
• United States (health law): Within the United States, the marquee federal health privacy law passed in 1996 (the Health Insurance Portability and Accountability Act, known as HIPAA) was designed to protect the privacy and security of individuals’ medical information. But it also serves as an example of laws that can present usability challenges for patients and healthcare providers alike. For example, to comply with HIPAA, many providers still require the use of ink signatures and fax machines. Not only are technologies somewhat antiquated and cumbersome (thereby slowing information sharing)—they also pose risks arising from unsecured fax machines and misdialed phone numbers, among other factors.
  
• Jamaica: Both Jamaica and Kenya have had to halt national plans to launch a digital ID in light of privacy and security issues. Kenya already lost over $72 million from a prior project that was launched in 2019, which failed because of serious concerns related to privacy and security. In the meantime, fraud continues to be a considerable problem for everyday citizens: Jamaica has incurred losses of more than $620 million from fraud since 2018.
  
• United States [tax system]: The situation in Kenya and Jamaica mirrors the difficulties encountered by other digital ID programs. In the United States, the Internal Revenue Service (IRS) has had to hold off plans for facial recognition based on concerns about the inadequate privacy measures, as well as usability concerns—like long verification wait times, low accuracy for certain groups, and the lack of offline options. The stalled program has resulted in missed opportunities for other technologies that could have allowed citizens greater convenience in accessing tax-related services and public benefits. Even after investing close to $187 million towards biometric identification, the IRS has not made much progress.
  

Collectively, a key takeaway from these international experiences is that when policymakers fail to simultaneously balance (or even consider) usability, privacy, and security, the progress of major government initiatives and the use of digitization to achieve important policy goals is hampered. In addition to regulatory and legislative challenges, delaying or canceling initiatives due to privacy and usability concerns can lead to erosion in public trust, increased costs and delays, and missed opportunities for other innovations.

Policy as product design

Going forward, one pivotal way for government decision makers to avoid pitfalls like the ones laid out above is to start thinking like product designers. Focusing on the most immediate policy goals is rarely enough to understand the practical and technological dimensions of how that policy will interact with the real world.

That does not mean, of course, that policymakers must all become experts in creating software products or designing user interfaces. But it does mean that some of the ways that product designers tend to think about big projects could inform effective public policy.

First, policymakers should embrace user studies to better understand the preferences and needs of citizens as they interact digitally with governmental programs and services. While there are multiple ways user studies can be executed, the first often includes upfront qualitative and quantitative research to understand the core behavioral drivers and systemic barriers to access. These could be complemented with focus groups, particularly with marginalized communities and populations who are likely to be disproportionately affected by any unintended outcomes of tech policy. 

Second, like early-stage technology products that are initially rolled out to an early group of users (known as “beta-testing”), policymakers could benefit from pilot testing to encourage early-stage feedback. 

Third, regulators—just like effective product designers—should consider an iterative process whereby they solicit feedback, implement changes to a policy or platform, and then repeat the process. This allows for validation of the regulation and makes room for adjustments and continuous improvements as part of an agency’s rulemaking process.

Lastly, legislators and regulators alike should conduct more regular tabletop exercises to see how new policies might play out in times of crisis. The executive branch regularly does such “tabletops” in the context of national security emergencies. But the same principles could apply to understanding cybersecurity vulnerabilities or user responses before implementing public policies or programs at scale.

In the end, a product design mindset will not completely eliminate the sorts of problems we have highlighted in Kenya, the United States, and beyond. However, it can help to identify the most pressing usability, security, and privacy problems before governments spend time and treasure to implement regulations or programs that may not fit the real world.

Karen Sowon is a user experience researcher and post doctoral research associate at Carnegie Mellon University.

JP Schnapper-Casteras is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center and the founder and managing partner at Schnapper-Casteras, PLLC.

Giulia Fanti is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center and an assistant professor of electrical and computer engineering at Carnegie Mellon University.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Tech regulation requires balancing security, privacy, and usability  appeared first on Atlantic Council.

An initiative led by the Atlantic Council’s Adrienne Arsht Latin America Center in partnership with the US Department of State continues to focus on facilitating greater constructive exchange among multisectoral thought leaders and government leaders as they work to implement commitments made at the ninth Summit of the Americas. This readout was informed by a private, information-gathering roundtable and several one-on-one conversations with leading experts in the digital space.

Executive summary

At the ninth Summit of the Americas, regional leaders agreed on the adoption of a Regional Agenda for Digital Transformation that reaffirmed the need for a dynamic and resilient digital ecosystem that promotes digital inclusion for all peoples. The COVID-19 pandemic exacerbated the digital divide globally, but these gaps were shown to be deeper in developing countries, disproportionately affecting women, children, persons with disabilities, and other vulnerable and/or marginalized individuals. Through this agenda, inclusive workforce development remains a key theme as an avenue to help bridge the digital divide and skills gap across the Americas.

As part of the Atlantic Council’s consultative process, thought leaders and practitioners evaluated progress made in the implementation of the Regional Agenda for Digital Transformation agreed on at the Summit of Americas, resulting in three concrete recommendations: (1) leverage regional alliances and intraregional cooperation mechanisms to accelerate implementation of the agenda; (2) strengthen public-private partnerships and multisectoral coordination to ensure adequate financing for tailored capacity-building programs, the expansion of digital infrastructure, and internet access; and (3) prioritize the involvement of local youth groups and civil society organizations, given their on-the-ground knowledge and role as critical indicators of implementation.

Recommendations for advancing digitalization and workforce development in the Americas:

Report

May 31, 2024

PACC 2030 objectives: The road to implementation

By Wazim Mowla, Charlene Aguilera

The Atlantic Council organized a PACC 2030 Working Group and worked closely with governments, the business community, and civil society organizations to support the implementation of PACC 2030’s objectives.

Caribbean Climate Change & Climate Action

Report

Apr 16, 2024

Advancing health and resilience policies in Latin America and the Caribbean

By Isabel Chiriboga, Martin Cassinelli, Diego Area

During an off-the-record private roundtable, thought leaders and practitioners from across the Americas discussed how to further enhance access to and finance for health services and products in the region.

Coronavirus Latin America

Summit of the Americas

An initiative led by the Adrienne Arsht Latin America Center of the Atlantic Council in partnership with the US Department of State focused on facilitating greater, constructive exchange among multi-sectoral thought leaders and government leaders as they work to implement Summit commitments.

Staff

Isabel Chiriboga

Assistant Director

Adrienne Arsht Latin America Center

Colombia Corruption

Staff

Maite Gonzalez Latorre

Program Assistant

Adrienne Arsht Latin America Center

Americas Education

Former staff

Diego Area

Former Director, Strategic Development Partnerships

Adrienne Arsht Latin America Center

Crisis Management Democratic Transitions

The Adrienne Arsht Latin America Center broadens understanding of regional transformations and delivers constructive, results-oriented solutions to inform how the public and private sectors can advance hemispheric prosperity.

Learn more

The post The future of digital transformation and workforce development in Latin America and the Caribbean appeared first on Atlantic Council.

China’s global influence operations have received increasing attention in the national security community. Numerous congressional hearings, media reports, and academic and industry findings have underscored China’s increased use and resourcing of foreign information manipulation and interference (FIMI) tactics in its covert operations both in the United States and abroad.

In response, US government offices the Foreign Malign Influence Center (FMIC), the Global Engagement Center (GEC), and the Cybersecurity and Infrastructure Security Agency (CISA), among others, have made strides in raising awareness of the issue and charting pathways to increase the resilience of the US information ecosystem to foreign influence. To date, however, the efforts to counter the influence of the People’s Republic of China (PRC) have been fragmented. That fragmentation is indicative of a lack of cohesion around the concept of influence operations itself.

Across the government and nongovernment sectors alike, there is considerable variation regarding the definition and scope of information manipulation. For example, the Department of State’s (DOS’s) GEC has an expansive definition, which includes “leveraging propaganda and censorship, promoting digital authoritarianism, exploiting international organizations and bilateral partnerships, pairing cooptation and pressure, and exercising control of Chinese-language media.” Others define it more narrowly as disinformation and propaganda spread by a foreign threat actor in a coordinated, inauthentic manner, and largely occurring on social media platforms.

This variation is a reflection of the holistic and multifaceted nature of Chinese influence. Coercive tactics and influence operations have long been a central part of China’s strategic tool kit and core to how it engages with the outside world. Because China conceives of the information domain as a space that must be controlled and dominated to ensure regime survival, information operations are part of a much bigger umbrella of influence that spans the economic, political, and social domains. It may be more useful to think of information manipulation as existing within the broader conceptual framework of China’s weaponization of the information domain in service of its goal to gain global influence.

As previous work by the Digital Forensic Lab (DFRLab) has shown, China’s approach to the information domain is coordinated and proactive, taking into account the mutually constitutive relationships between the economic, industrial, and geopolitical strategies of the Chinese Communist Party (CCP). The aim of its efforts is to gain influence—or “discourse power”—with the ultimate goal of decentering US power and leadership on the global stage. One of the main mechanisms through which the CCP seeks to achieve this objective is by focusing on the dominance of information ecosystems. This ecosystem encompasses not only narratives and content that appear in traditional and social media but also the digital infrastructure on which communication systems rely, the policies that govern those systems at the international level, and the diplomatic strategy deployed by Beijing’s operatives abroad to gain buy-in for the CCP’s vision of the global order.

The DFRLab’s previous two reports, which explored China’s strategy and the impacts of its operations abroad, found that the United States will not be successful in addressing the challenges of Chinese influence if it sees that influence as separate from the interconnected economic, political, and technical domains in which its strategy is embedded.

To this end, the DFRLab hosted a series of one-on-one expert interviews, conducted research and workshops, and held a virtual roundtable discussion with scholars and practitioners with expertise on or experience in addressing authoritarian influence and information operations, US government processes and policies around these issues, and Chinese foreign policy. This issue brief is part of a larger body of work that examines the Chinese government’s interests and capabilities and the impacts of party’s efforts to shape the global information ecosystem. The focus of this report is on how the US government can best respond to those challenges, including the architecture, tools, and strategies that exist for addressing PRC influence and information manipulation, as well as any potential gaps in the government tool kit.

This report finds that, to mount the most effective response to Chinese influence and the threat it poses to democratic interests at home and on the international stage, the United States should develop a global information strategy, one that reflects the interconnected nature of regulatory, industrial, and diplomatic policies with regard to the information domain. A core assumption undergirding this concept is that US policymaking space tends to over-index on the threat of information manipulation in particular while under-indexing on the core national interest of fostering a secure, interoperable information environment on a larger scale.

The limits of understanding Chinese influence as systemic and part of a broader strategy has sometimes led US response to be pigeonholed as an issue of strategic communications, rather than touching on the information and technology ecosystems, among others, where China focuses its information and influence efforts. Responding to Chinese influence with government messaging is not sufficient to address the complex nature of the challenge and places the United States in a position of reactivity.

In short, understanding that the CCP (1) integrates its tech industrial strategy, governance policy, and engagement strategy and (2) connects its approach at home to how it engages abroad, the United States needs to do the same, commensurate with its values. It should not respond tit-for-tat but rather have a collective strategy for a global competition for information that connects its tech strategy to its governance approach to its engagement around the world.

That is not to say that a US strategy on information resilience should mirror China’s, or that such a strategy should be developed in response to the PRC’s actions in the information domain. Nor is it to say that the United States should adopt a similar whole-of-government approach to the information domain. There are silos by design in the US system and important legal and normative foundations for the clear delineation of mission between them. What this issue brief argues for is a strategic breaking down of silos to facilitate proactive action versus a dangerous breaking down of legally required silos.

This report emphasizes that the United States should articulate how major initiatives like the CHIPS and Science Act, regulatory approaches like the recent executive orders on AI and data security, and the DOS’s recent cyberspace and digital policy strategy are part of a cohesive whole and should be understood and operationalized as such.

The strategy should outline what the United States stands for as much as what it is against. This requires that the United States frame its assessment of threat within a broader strategy of what its values are and how those values should be articulated in its regulatory, strategic, and diplomatic initiatives to promote open information environments and shore up information resilience. This includes working with allies and partners to ensure that a free, open, and interoperable internet is a global priority as well as a domestic one; developing common standards for understanding and thresholding foreign influence; and promoting connectivity at home and abroad. One finding of this report is that the United States is already leaning into its strengths and values, including championing policies that support openness and continuing support for civil society. This, along with the awareness of influence operations as the weaponization of the information domain, is a powerful response to authoritarian attacks on the integrity of both the domestic US and global information spaces.

The United States has a core national security interest in the existence of a rules-based, orderly, and open information environment. Such an environment facilitates the essential day-to-day tasks related to public diplomacy, the basic expression of rights, and investment in industries of strategic and economic value. Absent a coherent strategy on these core issues related to the integrity of the United States’ information environment that is grounded in an understanding of the interconnected nature of their constitutive parts, the challenges of foreign influence and interference will only continue to grow. This issue brief contains three sections. For sections one and two, experts in different aspects of the PRC’s information strategy addressed two to three main questions; during the course of research, further points were raised that are included in the findings. Each section represents a synthesis of the views expressed in response to these questions. The third section comprises recommendations for the US government based on the findings from the first two sections.

Staff

Kenton Thibaut

Senior Resident Fellow, China

Digital Forensic Research Lab Scowcroft Center for Strategy and Security

China Disinformation

In-Depth Research & Reports Aug 24, 2022

Chinese discourse power: Ambitions and reality in the digital domain

By Kenton Thibaut

The CCP has embarked on a concerted strategy to gain control over the global digital and information environment. Its goal: create an alternative global order with China at its heart.

China Digital Policy

Report Aug 2, 2023

Chinese discourse power: Capabilities and impact

By Kenton Thibaut

An examination of China’s online and offline channels for the dissemination of “discourse power” and the mechanisms of oversight on which such communications rely.

China Digital Policy

The Atlantic Council’s Digital Forensic Research Lab (DFRLab) has operationalized the study of disinformation by exposing falsehoods and fake news, documenting human rights abuses, and building digital resilience worldwide.

learn more

The post Effective US government strategies to address China’s information influence appeared first on Atlantic Council.

That was a topic of a recent roundtable hosted by the GeoTech Center and Syntropy, a platform that works with healthcare, government, and other groups to collaborate on data in a single ecosystem geared toward informing healthcare research.

At the roundtable, experts from the public and private sectors discussed the complex challenges that arise with the transformation of the healthcare sector, arguing that these challenges lie not only in the development of the technology but also in the implementation and use of it.

As AI becomes more and more integrated with healthcare, policymakers must lay the groundwork for a future in which AI augments, rather than replaces, human expertise in the pursuit of better health outcomes for all. Below are the roundtable participants’ recommendations for policymakers, focusing on building strong data foundations, setting guidelines for algorithm testing and maintenance, fostering trust and transparency, and supporting a strong workforce.

1. Building strong data foundations

Data sets in the healthcare sector can be messy, small in scale, and lacking in diversity, leading to inherent biases that can skew the outcomes of AI-driven analyses—and decisions made following such analyses. Moreover, these biases are not always apparent and often require extensive work to identify. Thus, it is important at the outset to ensure the integrity, quality, and diversity of the data with which AI systems are trained.

The ability to do so will in part depend on the strength of the workforce and the infrastructure that collects and manages data. For example, hospitals—from large, well-funded facilities to smaller community-based hospitals with fewer resources—play an important role in collecting data.

A strong foundation for data is one that protects data. In an ideal world, all individuals (regardless of socioeconomic status or geographic location) can benefit from AI-driven healthcare technologies. With that come concerns about the protection of health data, particularly in countries with fragile democracies and low regulatory standards. The potential misuse of health data by governments around the world poses significant risks to individual privacy and autonomy, highlighting the need for robust legal and ethical frameworks to safeguard against such abuses.

To address such challenges with data collection and management, policymakers can begin by implementing the following:

• Establishing a foundational data strategy for healthcare data that will improve patient equity by setting standards for inclusive data sets.
• Allocating more resources and support for community hospitals to ensure that the data collected in such facilities is high quality and diverse.
• Encouraging the development of robust data systems that allow for better data sharing, collaboration, and interoperability.
• Optimizing patient benefits by providing transparency about not only the healthcare providers but also about anyone else participating in data sharing.

2. Establishing guidelines for algorithm testing and maintenance by healthcare-technology companies

While building an algorithm may be a complex process, understanding and testing its performance over time is even more challenging. The dynamic nature of the healthcare industry demands ongoing adaptation and refinement of algorithms to account for evolving patient needs, technological advancements, and regulatory requirements.

In addition to continuous testing, it’s important to recognize that the same algorithms may exhibit different risk profiles when deployed in different contexts. Factors such as patient demographics, disease prevalence, and healthcare infrastructure can all influence the performance and safety of AI algorithms. A one-size-fits-all approach to AI deployment in healthcare is neither practical nor advisable.

To ensure that algorithms are constantly tested and maintained, policymakers should consider the following:

• Developing guidelines that inform developers, testers, data scientists, regulators, and clinicians about their shared responsibility of maintaining algorithms.
• Instituting an oversight authority to continuously monitor the risks associated with decisions that have been made based on AI to ensure the algorithms remain accurate, reliable, and safe for clinical settings.

3. Fostering patient trust and transparency

As technology continues to impact the healthcare industry, and as patients often find themselves unaware of the integration of AI technologies into their care processes, it becomes more difficult for those patients to give informed consent. This lack of transparency undermines patient autonomy and raises profound ethical questions about patients’ right to be informed and participate in health-related decisions. A lack of awareness about the integration of AI technologies is just one layer to the problem; even if a patient knows that AI is playing a role in their care, they may not know about who sponsors such technologies. Sponsors pay for the testing and maintenance of these systems, and they may also have access to the patient’s data.

When AI technologies are involved in care processes, it is still important to achieve the right balance between human interaction and AI-driven solutions. While AI technologies hold great promise for improving efficiency and accuracy in clinical decision-making, they must be integrated seamlessly into existing workflows and complement (rather than replace) human expertise and judgment.

The willingness to accept AI in healthcare varies significantly among patients and healthcare professionals. To bridge this gap in acceptance and address other challenges with trust and transparency, policymakers should consider the following:

• Providing transparent information about the capabilities, limitations, and ethical considerations of AI technologies.
• Encouraging companies to use particular design methods that ensure that tools and practices align with privacy values and protect patient autonomy.
• Producing guiding principles for hospitals to promote a deep understanding of the implications of AI and proactively addressing concerns related to workforce dynamics and patient care.
• Developing strategies to strengthen institutional trust to encourage patients to share data, avoiding algorithms that develop in silos.
• Awarding organizations with an integrity badge for transparency, responsible use, and testing.

4. Supporting a strong workforce

The integration of AI tools into healthcare workflows is challenging, particularly because of the changes in processes, job roles, patient-provider interactions, and organizational culture such implementation creates. It will be necessary to support the hospital workforce with strategies to manage this change and also with comprehensive education and training initiatives. While the focus here is on humans rather than technology, such support is just as integral to realizing the full potential of these innovations in improving patient outcomes and healthcare delivery.

Many hospitals lack the necessary capabilities to effectively leverage AI technologies to their fullest potential, but supporting technical assistance training and infrastructure could help in the successful deployment of AI technologies.

To navigate the changes that AI tools would bring to the workplace, policymakers should consider the following:

• Releasing guidance to healthcare companies to anticipate change management, education, training, and governance.
• Incentivizing private-sector technical assistance training and infrastructure to provide services to communities with fewer resources.
• Creating training programs tailored to the specific needs of healthcare organizations so that stakeholders can ensure AI implementations are both effective and sustainable in the long run.

The private sector is moving quickly with the development of AI tools. The public sector will need to keep up with new strategies, standards, and regulations around the deployment and use of such tools in the healthcare sector.

Coley Felt is a program assistant at the GeoTech Center.

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post A policymaker’s guide to ensuring that AI-powered health tech operates ethically appeared first on Atlantic Council.

On February 28, 2024, a blog post entitled “What is Sovereign AI?” appeared on the website of NVIDIA, a chip designer and one of the world’s most valuable companies. The post defined the term as a country’s ability to produce artificial intelligence (AI) using its own “infrastructure, data, workforce and business networks.” Later, in its May 2024 earnings report, NVIDIA outlined how sovereign AI has become one of its “multibillion dollar” verticals, as it seeks to deliver AI chips and software to countries around the world.

On its face, “sovereign AI” as a concept is focused on enabling states to mitigate potential downsides of relying on foreign-made large AI models. Sovereign AI is NVIDIA’s attempt to turn this growing demand from governments into a new market, as the company seeks to offer governments computational resources that can aid them in ensuring that AI systems are tailored to local conditions. By invoking sovereignty, however, NVIDIA is weighing into a complex existing geopolitical context. The broader push from governments for AI sovereignty will have important consequences for the digital ecosystem on the whole and could undermine internet freedom. NVIDIA is seeking to respond to demand from countries that are eager for more indigenous options for developing compute capacity and AI systems. However, sovereign AI can create “sovereignty traps” that unintentionally grant momentum to authoritarian governments’ efforts to undermine multistakeholder governance of digital technologies. This piece outlines the broader geopolitical context behind digital sovereignty and identifies several potential sovereignty traps associated with sovereign AI.¹

Background

Since its inception, the internet has been managed through a multistakeholder system that, while not without its flaws, sought to uphold a global, open, and interoperable internet. Maintaining this inherent interconnectedness is the foundation by which the multistakeholder community of technical experts, civil society organizations, and industry representatives have operated for years.

One of the early instantiations of digital sovereignty was introduced by China in its 2010 White Paper called “The State of China’s Internet.” In it, Beijing defined the internet as “key national infrastructure,” and as such it fell under the scope of the country’s sovereign jurisdiction. In the same breath, Chinese authorities also made explicit the centrality of internet security to digital sovereignty. In China’s case, the government aimed to address internet security risks related to the dissemination of information and data—including public opinion—that could pose a risk to the political security of the Chinese Communist Party (CCP). As a result, foreign social media platforms like X (formerly Twitter) and Facebook have been banned in China since around 2009. It is no coincidence that the remit of China’s main internet regulator, the Central Cyberspace Affairs Commission, has evolved from developing and enforcing censorship standards for online content to becoming a key policy body for regulating privacy, data security, and cybersecurity.

This emphasis on state control over the internet—now commonly referred to by China as “network sovereignty” or “cyber sovereignty” (网络主权), also characterizes China’s approach to the global digital ecosystem. Following the publication of its White Paper in 2010, in September of the following year, China, Russia, Tajikistan, and Uzbekistan jointly submitted an “International Code of Conduct for Information Security” to the United Nations General Assembly, which held that control over policies related to the governance of the internet is “the sovereign right of states”—and thus should reside squarely under the jurisdiction of the host country.

In line with this view, China has undertaken great efforts in recent years to move the center of gravity of internet governance from multistakeholder to multilateral fora. For example, Beijing has sought to leverage the platform of the Global Digital Compact under the United Nations to engage G-77 countries to support its vision. China has proposed language that would make the internet a more centralized, top-down network over which governments have sole authority, excluding the technical community and expert organizations that have helped shape community governance from the internet’s early days.

Adding to the confusion is the seeming interchangeability of the terms “cyber sovereignty,” used more frequently by China, and “digital sovereignty,” a term used most often by the European Union and its member states. While semantically similar, these terms have vastly different implications for digital policy due to the disparate social contexts in which they are embedded. For example, while the origin of the “cyber sovereignty” concept in China speaks to the CCP’s desire for internet security, some countries view cyber sovereignty as a potential pathway by which to gain more power over the development of their digital economies, thus enabling them to more efficiently deliver public goods to their citizens. There is real demand for this kind of autonomy, especially among Global Majority countries.

Democracies are now trying to find alternative concepts to capture the spirit of self-sufficiency in tech governance without lending credence to the more problematic implications of digital sovereignty. For example, in Denmark’s strategy for tech diplomacy, the government avoids reference to digital sovereignty, instead highlighting the importance of technology in promoting and preserving democratic values and human rights, while assisting in addressing global challenges. The United States’ analogous strategy invokes the concept of “digital solidarity” as a counterpoint, alluding to the importance of respecting fundamental rights in the digital world.

Thus, ideas of sovereignty, as applied to the digital, can have both a positive, rights-affirming connotation, as well as a negative one that leaves the definition of digital rights and duties to the state alone. This can lead to confusion and often obscures the legitimate concerns that Global Majority countries have about technological capacity-building and autonomy in digital governance.

NVIDIA’s addition of the concept of “sovereign AI” further complicates this terrain and may amplify the problems presented by authoritarian pushes for sovereignty in the digital domain. For example, national-level AI governance initiatives that emphasize sovereignty may undermine efforts for collective and collaborative governance of AI, reducing the efficacy of risk mitigations. Over-indexing on sovereignty in the context of technology often cedes important ground in ensuring that transformative technologies like AI are governed in an open, transparent, and rights-respecting manner. Without global governance, the full, uncritical embrace of sovereign AI may make the world less safe, prosperous, and democratic. Below we outline some of the “traps” that can be triggered when sovereignty is invoked in digital contexts without an understanding of the broader political contexts within which such terms are embedded.

Sovereignty trap 1: Sovereign systems are not collaborative

If there is one thing we have learned from the governance of the internet in the past twenty years, it is that collaboration sits at the core of how we should address the complexity and fast-paced nature of technology. AI is no different. It is an ecosystem that is both diverse and complex, which means that no single entity or person should be responsible for allocating its benefits and risks. Just like the internet, AI is full of “wicked problems,” whether regarding the ethics of autonomy or the effects that large language models could have on the climate, given the energy required to build large models. Wicked problems can only be solved through successful collaboration, not with each actor sticking its head in the sand.

Collaboration leads to more transparent governance, and transparency in how AI is governed is essential given the potential for AI systems to be weaponized and cause real-world harm. For example, many of the drones that are being used in the war in Ukraine have AI-enabled guidance or targeting systems, which has had a major impact on the war. Just as closed systems on the internet can be harmful for innovation and competition, as with operating systems or app stores built as “walled gardens,” AI systems that are created in silos and are not subject to a collaborative international governance framework will produce fewer benefits for society.

Legitimate concerns about the misappropriation of AI systems will only worsen if sovereign AI is achieved by imposing harsh restrictions on cross-border data flows. Just like in the case of the internet, data flows are crucial because they ensure access to information that is important for AI development. True collaboration can help level the playing field between stakeholders and address existing gaps, especially in regard to the need for human rights to underlie the creation, deployment, and use of AI systems.

Sovereignty trap 2: Sovereign systems make governments the sole guarantors of rights

Sovereign AI, like its antecedent “digital sovereignty,” means different things to different audiences. On one hand, it denotes reclaiming control of the future from dominant tech companies, usually based in the United States. It is important to note that rallying cries for digital sovereignty stem from real concerns about critical digital infrastructure, including AI infrastructure, being disrupted or shut down unilaterally by the United States. AI researchers have long said that actors in the Global Majority must avoid being relegated to the status of data suppliers and consumers of models, as AI systems that are built and tested in the contexts where they will actually be deployed will generate better outcomes for Global Majority users.

The other connotation of sovereign AI, however, is that the state has the sole authority to define, guarantee, or deny rights. This is particularly worrying in the context of generative AI, which is an inherently centralizing technology due to its lack of interpretability and the immense resources required to build large AI models. If governments choose to pursue sovereign AI by nationalizing data resources, such as by blocking cross-border transfer of datasets that could be used to train large AI models, this could have significant implications for human rights. For instance, governments might increase surveillance to better collect such data or to monitor cross-border transfers. At a more basic level, governments have a more essentialist understanding of national identity than civil society organizations, sociotechnical researchers, or other stakeholders who might curate national datasets, meaning government-backed data initiatives for sovereign AI are still likely to hurt marginalized populations.

Sovereignty trap 3: Sovereign systems can be weaponized

Assessing the risks of sovereign AI systems is critical, but governments lack the capacity and the incentives to do so. The bedrock of any AI system lies in the quality and quantity of the data used to build it. If the data is biased or incomplete, or if the values encoded in the data are nondemocratic or toxic, an AI system’s output will reflect these characteristics. This is akin to the old adage in computer science, “garbage in, garbage out,” emphasizing that the quality of output is determined by the quality of the input.

As countries increasingly rely on AI for digital sovereignty and national security, new challenges and potential risks emerge. Sovereign AI systems, designed to operate within a nation’s own infrastructure and data networks, might inadvertently or intentionally weaponize or exaggerate certain information based on their training data.

For instance, if a national AI system is trained on data that overwhelmingly endorses nondemocratic values or autocratic perspectives, the system may identify certain actions or entities as threats that would not be considered as such in a democratic context. These could include political opposition, civil society activism, or free press. This scenario echoes the concerns about China’s approach to “cyber sovereignty,” where the state exerts control over digital space in several ways to suppress information sources that may present views or information contradicting the official narrative of the Chinese government. This includes blocking access to foreign websites and social media platforms, filtering online content, and monitoring digital communications to prevent the dissemination of dissenting views or information deemed sensitive by the government. Such measures could potentially be reinforced through the use of sovereign AI systems.

Moreover, the legitimacy that comes with sovereign AI projects could be exploited by governments to ensure that state-backed language models endorse a specific ideology or narrative. This is already taking place in China, where the government has succeeded in censoring the outputs of homegrown large language models. This also aligns with China’s push to leverage the Global Digital Compact to reshape internet governance in favor of a more centralized approach. If sovereign AI is used to bolster the position of authoritarian governments, it could further undermine the multistakeholder model of internet and digital governance.

Conclusion

The history of digital sovereignty shows that sovereign AI comes with a number of pitfalls, even as its benefits remain largely untested. The push to wall off the development of AI and other emerging technologies with diminished external involvement and oversight is risky: lack of collaboration, governments as the sole guarantors of rights, and potential weaponization of AI systems are all major potential drawbacks of sovereign AI. The global community should focus on ensuring AI governance is open, collaborative, transparent, and aligned with core values of human rights and democracy. While sovereign AI will undoubtedly boost NVIDIA’s earnings, its impact on democracy is more ambiguous.

Addressing these potential threats is crucial for global stability and security. As AI’s impact on national security grows, it is essential to establish international norms and standards for the development and deployment of state-backed AI systems. This includes ensuring transparency in how these systems are built, maintained, released, and applied, as well as implementing measures to prevent misuse of AI applications. AI governance should seek to ensure that AI enhances security, fosters innovation, and promotes economic growth, rather than exacerbating national security threats or strengthening authoritarian governments. Our goal should be to advance the well-being of ordinary people, not sovereignty for sovereignty’s sake.

Konstantinos Komaitis is a nonresident fellow with the Democracy + Tech Initiative of the Atlantic Council’s Digital Forensic Research Lab.

Esteban Ponce de León is a research associate at the Atlantic Council’s Digital Forensic Research Lab based in Colombia.

Kenton Thibaut is a resident China fellow at the Atlantic Council’s Digital Forensic Research Lab.

Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center.

Kevin Klyman is a visiting fellow at the Atlantic Council’s Digital Forensic Research Lab.

New Atlanticist Jul 5, 2024

Advancing AI safety requires international collaboration. Here’s what should happen next.

By Courtney Lang

In May, ten countries and the European Union met in South Korea to establish an international network of AI safety institutes. Next, this network should focus on three specific objectives.

Artificial Intelligence Technology & Innovation

GeoTech Cues Apr 22, 2024

EU AI Act sets the stage for global AI governance: Implications for US companies and policymakers

By Mohamed Elbashir

The European Union (EU) has made a significant step forward in shaping the future of Artificial Intelligence (AI) with the recent approval of the EU Artificial Intelligence Act (EU AI Act) by the European Parliament. This historic legislation, passed by an overwhelming margin of 523-46 on March 13, 2024, creates the world’s first comprehensive framework […]

Artificial Intelligence Digital Policy

New Atlanticist Nov 9, 2023

Rival powers agree that AI poses new risks. Can they work together to address them?

By Dame Wendy Hall and Trisha Ray

The recent AI Safety Summit in the United Kingdom offered a glimpse into a possible future of international cooperation on tackling risks associated with artificial intelligence.

United Kingdom

The post The sovereignty trap appeared first on Atlantic Council.

This and similar incidents have highlighted the importance of the cyber front in the Russian invasion of Ukraine. Ukraine has invested significant funds in cybersecurity and can call upon an impressive array of international partners. However, the country currently lacks sufficient domestic cybersecurity system manufacturers.

Ukraine’s rapidly expanding drone manufacturing sector may offer the solution. The growth of Ukrainian domestic drone production over the past two and a half years is arguably the country’s most significant defense tech success story since the start of Russia’s full-scale invasion. If correctly implemented, it could serve as a model for the creation of a more robust domestic cybersecurity industry.

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

Speaking in summer 2023, Ukraine’s Minister of Digital Transformation Mykhailo Fedorov outlined the country’s drone strategy of bringing together drone manufacturers and military officials to address problems, approve designs, secure funding, and streamline collaboration. Thanks to this approach, he predicted a one hundred fold increase in output by the end of the year.

The Ukrainian drone production industry began as a volunteer project in the early days of the Russian invasion, and quickly became a nationwide movement. The initial goal was to provide the Ukrainian military with 10,000 FPV (first person view) drones along with ammunition. This was soon replaced by far more ambitious objectives. Since the start of Russia’s full-scale invasion, more the one billion US dollars has been collected by Ukrainians via fundraising efforts for the purchase of drones. According to online polls, Ukrainians are more inclined to donate money for drones than any other cause.

Today, Ukrainian drone production has evolved from volunteer effort to national strategic priority. According to Ukrainian President Volodymyr Zelenskyy, the country will produce more than one million drones in 2024. This includes various types of drone models, not just small FPV drones for targeting personnel and armored vehicles on the battlefield. By early 2024, Ukraine had reportedly caught up with Russia in the production of kamikaze drones similar in characteristics to the large Iranian Shahed drones used by Russia to attack Ukrainian energy infrastructure. This progress owes much to cooperation between state bodies and private manufacturers.

Marine drones are a separate Ukrainian success story. Since February 2022, Ukraine has used domestically developed marine drones to damage or sink around one third of the entire Russian Black Sea Fleet, forcing Putin to withdraw most of his remaining warships from occupied Crimea to the port of Novorossiysk in Russia. New Russian defensive measures are consistently met with upgraded Ukrainian marine drones.

Eurasia Center events

Online Event Tue, June 17, 2025 • 1:00 pm ET

Drones, defense, and diplomacy: Negotiations and the battlefield in Ukraine

Conflict Defense Technologies Europe & Eurasia Politics & Diplomacy

In May 2024, Ukraine became the first country in the world to create an entire branch of the armed forces dedicated to drone warfare. The commander of this new drone branch, Vadym Sukharevsky, has since identified the diversity of country’s drone production as a major asset. As end users, the Ukrainian military is interested in as wide a selection of manufacturers and products as possible. To date, contracts have been signed with more than 125 manufacturers.

The lessons learned from the successful development of Ukraine’s drone manufacturing ecosystem should now be applied to the country’s cybersecurity strategy. “Ukraine has the talent to develop cutting-edge cyber products, but lacks investment. Government support is crucial, as can be seen in the drone industry. Allocating budgets to buy local cybersecurity products will create a thriving market and attract investors. Importing technologies strengthens capabilities but this approach doesn’t build a robust national industry,” commented Oleh Derevianko, co-founder and chairman of Information Systems Security Partners.

The development of Ukraine’s domestic drone capabilities has been so striking because local manufacturers are able to test and refine their products in authentic combat conditions. This allows them to respond on a daily basis to new defensive measures employed by the Russians. The same principle is necessary in cybersecurity. Ukraine regularly faces fresh challenges from Russian cyber forces and hacker groups; the most effective approach would involve developing solutions on-site. Among other things, this would make it possible to conduct immediate tests in genuine wartime conditions, as is done with drones.

At present, Ukraine’s primary cybersecurity funding comes from the Ukrainian defense budget and international donors. These investments would be more effective if one of the conditions was the procurement of some solutions from local Ukrainian companies. Today, only a handful of Ukrainian IT companies supply the Ukrainian authorities with cybersecurity solutions. Increasing this number to at least dozens of companies would create a local industry capable of producing world-class products. As we have seen with the rapid growth of the Ukrainian drone industry, this strategy would likely strengthen Ukraine’s own cyber defenses while also boosting the cybersecurity of the wider Western world.

Anatoly Motkin is president of StrategEast, a non-profit organization with offices in the United States, Ukraine, Georgia, Kazakhstan, and Kyrgyzstan dedicated to developing knowledge-driven economies in the Eurasian region.

Further reading

UkraineAlert Jul 16, 2024

Russia’s retreat from Crimea makes a mockery of the West’s escalation fears

By Peter Dickinson

The Russian Navy’s quiet retreat from Crimea highlights the emptiness of Putin’s red lines and the self-defeating folly of Western escalation management, writes Peter Dickinson.

Conflict Defense Policy

UkraineAlert Jun 12, 2024

Ukraine is making the Russian occupation of Crimea untenable

By Olivia Yanchik

Ukraine’s growing air strike capabilities are decimating Russian air defenses in Crimea and making the occupation of the peninsula increasingly untenable, writes Olivia Yanchik.

Conflict Defense Technologies

UkraineAlert May 30, 2024

If the West wants a sustainable peace it must commit to Ukrainian victory

By Hanna Hopko, Andrius Kubilius

Since 2022, Western policies of escalation management have failed to appease Putin and have only emboldened the Kremlin. If the West wants peace, it must help Ukraine win, write Hanna Hopko and Andrius Kubilius.

Civil Society Conflict

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia and Central Asia in the East.

Learn more

The post Ukraine’s drone success offers a blueprint for cybersecurity strategy appeared first on Atlantic Council.

The post Cryptocurrency Regulation Tracker and Kumar cited by Axios on crypto regulation appeared first on Atlantic Council.

The post Cryptocurrency Regulation Tracker cited by Axios on global crypto regulation appeared first on Atlantic Council.

The post Cryptocurrency Regulation Tracker cited by Politico on crypto relevance in US election appeared first on Atlantic Council.

• Executive Summary
• Introduction
• The digitalization of the Global South has only begun 
• Corruption in public procurement 
• What is in the National Cybersecurity Strategies – And what isn’t
• Global South lessons learned: The Ukrainian response to corruption
• Policy recommendations drawn from Ukraine
• Addressing corruption in cybersecurity strategies
• Conclusion
• About the author

Executive summary

Recent government-wide shutdowns of information systems in a half-dozen developing countries ranging from Albania to Vanuatu suggest that ransomware and state-sponsored attacks are finding success in targeting critical infrastructure networks of the Global South. Over the first decade of their integration with the digital economy low-income and lower-middle-income countries faced relatively few cyberattacks, but that honeymoon appears to be over, with the Global South now ranking first in cyberattacks per institution and cyberattacks per capita. 

As mobile device e-commerce and ICT networks continue to expand across the Global South, this rise in cyberattacks is not surprising. Nevertheless, the level of digital integration in the region still trails the rest of the world, suggesting the record-setting levels of cyberattacks may be the result of vulnerabilities systemic to the region. The most corrosive of these problems is corruption. While few governments in the Global South have publicized the role of IT corruption in critical infrastructure enterprises, this analysis builds on donor and regional software association investigations to argue that IT departments in the Global South are vulnerable to corrupt procurement schemes catalyzed by the proliferation of pirated software.  

Until recently the prevalence of pirated or lapsed licensed software on government networks across the Global South may have led to little more than poor or unpredictable network performance. This is no longer the case today, as networks built around pirated software serve as easy targets for ransomware gangs and hacktivists that still find decades-old malware like the “WannaCry” worm to be effective in countries challenged by systemic corruption. 

In response to the growing cyber threat, governments in the region and foreign donors focused their response on the best practices found in the action plans and policy initiatives drawn from national cybersecurity strategies designed for the Global North. As a result, not one government’s national cybersecurity strategy in the Global South recognizes corruption as an important issue for critical infrastructure network security.  

This analysis underlines the effects of addressing corruption on cybersecurity by highlighting the positive impacts of Ukraine’s switch to an autonomous and transparent procurement platform by comparing the experience of cyberattacks in 2017 with those that accompanied the 2022 full-scale invasion of the country. Taking these lessons forward, cybersecurity officials across the Global South must consider identifying procurement corruption as a cybersecurity risk and develop initiatives to mitigate the impact of systemic corruption on cybersecurity.  

Introduction

The global revolution in information and communications technology (ICT) has expanded educational and economic opportunities across the Global South² even as it brings new threats of inequality and cyber vulnerability. Whether these countries are prepared, they now represent the fastest-growing population of new internet users. Moreover, malicious hackers have recognized this rise in networked users, with Latin America and the Caribbean now leading the globe in the rate of cyberattacks as a share of the networked population,³ while Africa leads in the rate of cyberattacks per institution.⁴   

The process of digital transformation started later in the Global South, which likely limited the vulnerability of these countries to ransomware attacks. This is no longer the case. Vanuatu served as a wake-up call in 2022 when most of the island’s public services shut down after hackers encrypted the government’s data networks.⁵  The ransomware gang’s commitment of time and resources to infiltrate Vanuatu’s government networks demonstrates that even the smallest nations in the Global South can no longer assume they will be overlooked by global hacker organizations.  

A critical lesson from the first decade of ubiquitous cyberattacks is the importance of patching an enterprise’s network software. Unfortunately, the vulnerabilities that IT professionals must track and patch each year have been growing, especially since the arrival of cryptocurrency in the mid-2010s offered the first practical means for hackers to receive payments after locking up or seizing data.⁶ Figure 1 shows MITRE’s recorded annual increase in registered vulnerabilities and exposures, which shows the growth has been rising at an exponential rate since 2018. As ransomware began to grow and criminal organizations sought to continue finding lucrative and vulnerable targets, hackers suddenly turned to institutional networks in countries they might never have heard of before researching potential targets.⁷ A growing horde of ransomware organizations appear to be choosing targets based first on vulnerability, which has resulted in more attacks on institutions in the Global South.⁸  

Although the need to patch software vulnerabilities has never been higher, corrupt practices in software procurement explain why many organizations do not regularly update their security. Functioning software that was not legitimately acquired rarely provides a connection to the software vendor.⁹  The presence of pirated software on a network reduces the likelihood that the network is regularly receiving updates that the software’s producer distributes to patch newly discovered vulnerabilities.¹⁰
 
An organization’s cybersecurity can also face vulnerabilities due to obsolete versions of software still running on its network. This can happen for multiple reasons, from vendors going out of business to developers choosing to no longer support a product line. In underfunded institutions across the globe, it is not rare to find the continued use of obsolete software. This vulnerability is further exacerbated by procurement managers prioritizing corrupt rents over issues of trusted vendors or sustainable support for software.  

Given the epidemic levels of corruption in public and private procurement across the Global South,¹¹  this study draws from recent cybersecurity experiences in European and Eurasian economies similarly challenged by corruption to argue that a digitally integrated Global South may be more susceptible to cyberattacks than those in the Global North. While the limited scale of the digital economy across most of the Global South continues to keep these countries out of top spots in terms of the total number of attacks, the Global South has suddenly become a disproportionately high malware target.¹² This new reality reflects unique challenges to cybersecurity in the Global South and also suggests that the solutions to this challenge may not be found in the traditional national cybersecurity strategies based on the playbooks of more developed countries.  

The digitalization of the Global South has only begun 

The International Telecommunication Union estimates that the Global South passed the milestone of more than half of its citizens gaining access to the internet in 2022. At this growth rate, more than 75 percent of the Global South will be connected by the end of 2025.¹³  Most of this access is represented by limited bandwidth connections to mobile phone subscribers, which allow for a range of services to citizens that, because of resource constraints or great distances, were previously impractical to offer at scale. For example, the tiny nation of Vanuatu provides its citizens residing across its far-flung islands the ability to use mobile phones to pay utility bills and taxes or initiate government document requests without a long trip between islands.¹⁴ The economic impact is enormous for citizens who are no longer required to spend 1-2 days of travel for administrative tasks. 

Figure 2

The private services offered by early mobile phone entrepreneurs in the Global South have been no less impressive. Widespread mobile phone use looks to be a pathway from poverty for millions of citizens once isolated from the global flow of information resources.¹⁵ ICT-based businesses may already be the leading force for economic growth in many of these countries. A study between 2007 and 2016 found mobile phone diffusion had a more significant impact on the rise in gross national product (GNP) in Sub-Saharan Africa than any other form of investment.¹⁶ Across Africa, rural residents who lack access to landline phones or banks benefit from nearly one billion mobile phones that allow them to tap into the internet sites (notably, banking and wholesale services) necessary to engage in entrepreneurial activity.¹⁷ Moreover, the nascent digital information space in these countries has allowed the emergence of internet-based businesses specifically supporting rural entrepreneurs with a range of supply chain and logistic services.¹⁸

Despite the rapid growth in mobile phone-led economic activity, most countries in the Global South are just now starting to develop the ICT infrastructure needed to support this demand. Many states in the Global South have only completed the “first mile” of broadband access–global connections to their capitals and large cities–and large parts of the population still lack access to reliable broadband internet.¹⁹ Like mobile phone connectivity, widely distributed broadband is positively associated with economic growth. Two findings have become measuring sticks in the digital development sphere: the World Bank estimates that a 10 percent increase in broadband leads to a 1.4% increase in GNP²⁰ and the McKinsey Global Institute found ICT economic activity over the first decade of internet connectivity may have accounted for more than 21% of the gross domestic product (GDP) growth in mature economies.²¹ 

The new wave of ICT development in the Global South is realizing this economic potential by bringing broadband infrastructure to smaller cities and rural communities. Improved connectivity is already affecting the quality of life in the Global South,²² allowing for national e-business, good governance solutions, and social services like healthcare and education to operate beyond the limited bandwidth offered by mobile phone data connections. 

The World Bank has provided more than $1.2 billion in ICT lending alone for broadband development in Africa, the South Pacific, and the Caribbean.²³ Moreover, Nigeria and Mozambique have led the way in Africa by licensing SpaceX’s Starlink service, which offers near broadband connections through low-orbit satellites for private users.²⁴ Certainly, Starlink’s fees and terminals are barriers to access for most citizens in the Global South, but it and future providers are the first competitors to largely state-owned services in the region that have not succeeded in providing economical and reliable high-speed service across large swaths of territory.  

Nevertheless, the growing benefits of the information age in the region come with risks–this same connectivity also attracts scores of cyber criminals who expect to profit from vulnerabilities in connected enterprise networks. 

Corruption in public procurement 

Corruption in procurement processes is a global problem, but the scale of systemic corruption in procurement tenders in the Global South has long been a major obstacle to developing effective governance and prosperity.²⁵ This issue does not go unrecognized by local leaders and external advisors, but they rarely account for this threat when drafting new regulatory or development initiatives.²⁶ The backroom decisions on what hardware and software is purchased for large enterprise information networks may be the archetype of systemic corruption but it is routinely missed by national cybersecurity strategists.  

As with most forms of corruption, there are few studies on corrupt practices in software procurement but countless anecdotes of rent-seeking found in public sector network management in developing countries.²⁷ In this author’s thirteen years of experience overseeing IT development projects in four post-Soviet countries in Europe and Eurasia, this was the common view of corruption held by those working for critical infrastructure enterprises and IT Departments inside and outside government. Control over IT procurement decisions in systemically corrupt countries is ideally suited for inflating costs and hiding kickbacks because networks are built around software that is neither visible nor readily measurable as authentic through the standard procurement oversight measures of quantity, delivery, and price.²⁸

Another barrier to changing the software procurement culture in the Global South is the social norms and expectations among senior management and network administrators who in their everyday lives use or interact with pirated software on personal devices.²⁹ In countries where the use of pirated software is not viewed as a significant ethical or technical issue, managers of critical infrastructure enterprises may be less hesitant to acquire cheaper, pirated software for their networks. In fact, this may even be perceived as a positive decision that reduces the organization’s IT budget.  

The Business Software Alliance (BSA) found that although globally one-third of software in the private sector is unlicensed, in countries in the Global South this proportion may be twice as high. In the last breakdown for the Middle East and Africa in 2019, for instance, the BSA found that fifty-six percent of software in use was pirated.³⁰ This short-sighted view of the risks of pirated software undermines the state’s ability over the long term to protect domestic networks from cyberattacks. While most government officials in the region were raised in a previous era of altruistic websites distributing unlicensed software with few downsides, this is no longer the case. One of the few studies examining pirated software samples from eleven developing countries found that 61 percent contained malware.³¹

The illicit rents found in legal software procurement, on the other hand, come in the form of bribes paid to one or more employees at the purchasing firm, an intermediary, or the supplier.  This can occur through the purchasing enterprise soliciting the bribe (extortion), the seller offering the bribe for colluding (kickback), or an intermediary receiving fees or commissions on the inflated price of the transaction.³² Interviews with investigators of private procurement fraud in the Global South find that most align with the dominant embezzlement practices found in the country’s wider economy.³³ As the seller can often procure pirated or unsupported software at a fraction of the market price, the rents gained by the supplier can approach 100 percent of the stated cost.  

An organization that continually uses pirated or unsupported software will likely develop a culture of avoiding–rather than actively pursuing–interactions with its software’s producers. Although some software companies claim to provide software patches to customers even after they stop paying for licenses, in practice those using pirated network software rarely receive updates from the vendors.Angela Moscaritolo, “Losses from software piracy leads $51 billion in 2009,” SC Media, May 13, 2010, https://ww³⁴ It is a source of debate as to where the blame lies. On the one hand, users complain of significant technical hurdles for updating unregistered software. On the other hand, vendors claim that few network administrators overseeing unlicensed copies ever seek them out, leaving them unaware of who is running pirated copies of their unpatched software. In either case, the presence of pirated software increases the likelihood that the organization’s network is susceptible to vulnerabilities.³⁵ Even if an unregistered organization seeks out and applies a patch, because the process is not timely or automatic, there will always be a window of time with unpatched vulnerabilities.  

In evaluating their country’s cybersecurity posture, governments in the Global South must measure the degree to which pirated and unpatched software is present on their information platforms and identify mechanisms that can decrease their rate of use. It may be wise for policymakers to look at culture and practice instead of simply increasing IT budgets. Comparative country research shows that the income of countries or individual enterprises was not a consistent predictor of choosing licensed or pirated software. Instead, the strongest predictors were a tolerance of open pirated software markets and the degree of systemic corruption in the country.³⁶ Moreover, a comparison of a half dozen policy measures in eleven African countries found that the strongest initiative reducing the presence of pirated software on networks was implementing corruption-control policies, not measures that raised incomes or procurement budgets.³⁷

Case study: IT procurement corruption in Pakistan 

Even donor-funded procurement can fall victim to IT procurement schemes. Drawing on a 2019 World Bank loan, the Pakistan Federal Board of Revenue (FBR) used $80 million to upgrade the Karachi data center as its hardware and software were no longer supported by vendors and had been assessed as “end-of-life equipment.”³⁸ Just a year after the procurement, the US Assistant Secretary of State Alice Wells publicly accused FBR of using pirated versions of US software in the data center.³⁹ A year later, a suspected Russian cybercriminal gang gained access to the center’s more than 1,500 computers and data; reportedly benefiting from the pirated and unsupported Microsoft Hyper-V software used for the virtual hard disks storing FBR data.⁴⁰The FBR has never identified the vendor involved in the World Bank procurement or whether they paid the ransom to unlock their data that was advertised for sale on a Russian dark web site.  

As countries struggling with public corruption or high levels of pirated software integrate further into the global digital economy, they are increasingly susceptible to cyberattacks on their critical infrastructure. Some observers already view 2022 as an inflection point in the rising number of successful hacks of smaller countries.⁴¹ In July 2022, for example, the government of Albania was forced to shut down its government computer and internet systems after a devastating cyberattack. The intrusion was a result of an unpatched version of the file-sharing software Microsoft SharePoint Server (versus the more common cloud-based Microsoft 365 SharePoint) that understaffed IT teams had maintained for years on their networks.⁴² Albania has not chosen to explain how its software did not get the patch for this vulnerability released automatically by Microsoft two years earlier. As mentioned previously, the island nation of Vanuatu was also hit by a ransomware attack in 2022 that froze nearly all government network servers, shutting down fire and rescue services, erasing five months of court data, and preventing 315,000 citizens from paying taxes or utilities.⁴³ That same year, two more ransomware attacks by the Russia-based Conti Group led the Costa Rican government to declare a national emergency,⁴⁴ and cybercrime groups also temporarily gained control of government networks in Montenegro and Chile. 

Regardless of the technical cause, the lessons from these examples are the same: Countries seeking to protect networks across their critical infrastructure must prioritize systematic communications with software developments and implement regular updates or face an army of hackers that target unpatched vulnerabilities to gain control of a network. 

The ascendancy of cyberattacks in the Global South buoyed by these successful breaches also suggests that cybercriminals are now targeting small or economically challenged countries because they may be viewed as “softer” hacking targets. Certainly, enterprises around the world continue to pay ransomware, as 2023 set a record for total and average payments of ransoms. The recent cybercriminal focus on the Global South, however, may partly reflect a perception that their networks represent lower-risk targets with a higher willingness to pay for returning access to their data.⁴⁵ The strong correlation between systemic corruption and a preference for pirated software may shape an approach to ransomware that is appealing to cyber criminals. If an organization’s management has been earning significant kickbacks on purchases of pirated software, for example, they are unlikely to pursue a strategy of resisting ransom requests, instead quietly choosing to pay and maintain the status quo. The focus on the Global South may also reflect a landscape of reduced opportunities in the Global North. Leading ransomware negotiator Coveware recently reported that the portion of victims in the U.S. paying the ransom has fallen by half over the last three years (See Figure 3); the same exact period that has seen a dramatic increase in attacks on enterprises in the Global South.⁴⁶  

Moving forward, more and more government institutions and critical infrastructure enterprises in the Global South will likely be targeted as they continue to integrate with global information and communication networks. What is less certain is whether the procurement culture in these countries can keep up by transforming from one of avoiding the attention of software developers to a strategy of maximizing communication and exchanges. This transition is unlikely to succeed if corrupt practices continue to incentivize avoiding transparent procurement and collaboration with vendors to support resilient network systems. Moreover, the transition will require a proactive government guided by a clear national cybersecurity strategy that addresses the unique cyber policy challenges in the Global South. 

What is in the National Cybersecurity Strategies – And what isn’t

As digital connectivity continues to expand, more than 100 countries have developed national cybersecurity strategies to serve as the framework for synchronized public-private cybersecurity development. A review of the twenty-three published national strategies from countries in Africa and the Asia-Pacific region found that, in general, the strategies’ objectives were grouped across a minimum of four pillars for strengthening cyber resilience.⁴⁷ 

The first common pillar consists of strategic objectives that often include developing new cybersecurity agencies and/or improving coordination between disparate ministries overseeing cybersecurity policy. This pillar also includes new policy initiatives based on gap analyses of the country’s cybersecurity architecture. The government’s structural reform steps are often intertwined with the second pillar of legislation and regulations. The Council of Europe has been the most influential donor in this space, assisting in the development of legislative frameworks and advising in the development of national cybersecurity strategies in at least nineteen countries in the Global South.  

The last two pillars focus on external initiatives. The third pillar is focused on public-private partnerships, including cooperation with multinational software producers and other governments pursuing cybersecurity. The fourth major pillar usually describes information campaigns and education initiatives that would strengthen cybersecurity in the workforce. While national strategies in the Global South have prescribed more limited activities in the fourth pillar, the EU has recently joined the US in developing cybersecurity workforce frameworks to bridge the gap between the planning and development of cybersecurity educational standards and the workplace requirements for the knowledge and skills needed to defend critical infrastructure networks.  

Across the national cybersecurity strategies in the Global South, not one of the twenty-three documents contained the terms “corruption” or “pirated software.” In some ways, this is not surprising. The leading roadmap to developing a national cybersecurity strategy, the UN’s International Telecommunication Union’s (ITU) Guide to Developing a National Cybersecurity Strategy, also does not reference corruption or pirated software. The 2018 guide was produced by a partnership between ITU, the World Bank, the Council of Europe, the Organization of American States (OAS), Interpol, Microsoft, Deloitte, and the NATO Cooperative Cyber Defense Center of Excellence, as well as several think tanks. The guide specifically states its objective is “to “provide direction and good practice on ‘what’ should be included in a National Cybersecurity Strategy, as well as on ‘how’ to build, implement and review it.”⁴⁸

Case study: International counter ransomware initiative 

The most significant US-sponsored global cybersecurity initiative is arguably the International Counter Ransomware Initiative (CRI). Now in its third year of existence, the group has established a platform for capacity building and developing best practices to reduce the success of ransomware, including via a joint statement that member countries should not pay ransoms.⁴⁹ Although more than a dozen of the fifty nation-state participants in the CRI are considered Global South countries that face significant challenges in addressing systemic corruption, the CRI’s policy and capacity-building efforts have so far followed the ITU and World Bank’s lead in not addressing procurement corruption as part of cybersecurity initiatives.⁵⁰

As representatives of government and civil society in the Global South look to further develop and reassess their national policies and infrastructure for cybersecurity, they are unlikely to find anti-corruption best practices in the prevailing guiding documents and best practices. The reality is that top cybersecurity officials in North America and the EU do not consider the role of corruption to be a major or even minor factor in their country’s cybersecurity resilience. Instead, countries in the Global South must consider the context of corruption and its impact on cybersecurity and critical infrastructure resilience when developing their strategies, as well as learn from the experiences of other states’ adoption of reform initiatives focused on procurement corruption.  

Global South lessons learned: The Ukrainian response to corruption

Ukraine offers a case study of how a country challenged by systemic corruption can reduce its impact on network security. In the years leading up to the start of open conflict with Russia in 2014, on more than one occasion senior officials in Ukrainian ministries iterated to the author that they would rather cancel a project than not receive their preference for an expensive network software solution. In at least one case this prevented a donor-supported project from moving ahead as the ministry refused to use a simpler, less expensive software product that was more aligned with their needs and local network. Across several ministries, the practice of procuring the highest-cost network solutions over this period would result in arrears owed to the vendor due to the inability to pay annual fees. At one point, the sales representative of a global network software company told the author that they would not sell new software to a US-funded project if the ministry did not agree to pay off years of outstanding annual license fees owed from past procurement.  

By late 2014, as the first wave of cyberattacks on Ukraine preceded the Russian military’s annexation of Crimea, most critical state infrastructure had been operating for years without licenses (and the associated updates and patches), even legally purchased software.⁵¹ Many institutions were instead paying a fraction of the retail price to obtain pirated versions of software, which conveniently left the bulk of the recorded procurement expenditures for corrupt rent-seeking. This explains how, prior to 2014, an estimated eighty percent of the network software used in Ukrainian private and public enterprises either never had been or no longer was supported by the software’s vendors.⁵² 

As hackers associated with Russia began cyberattacks in support of the new “special operation” in Ukraine, they targeted local software commonly used in the two countries by exploiting vulnerabilities for which patches had not been installed.⁵³ Most notably, in 2015 the Russian military hacker group Sandworm used Blackenergy-3 malware to temporarily knock out the information networks of three energy distribution companies, denying power to more than 200,000 homes in 2015. The next year, the Industroyer-1 malware was used to target the Kyiv region’s power grid.⁵⁴ Slovakian cybersecurity firm ESET found that the hackers benefited from knowledge of common post-Soviet electric grid networks and control system software. ESET reported that a major factor in the success of the power grid attacks was the failure of Ukrainian electrical distribution enterprises to change obsolete and unpatched operating system software. 

In arguably the most damaging cyberattack in history, in 2017 the Sandworm group unleashed the NotPetya wiper malware that specifically targeted a well-publicized vulnerability in Microsoft network software that the company had patched in updates a few months before the attack. At that time, most Ukrainian enterprises were using either pirated or older versions of Microsoft data management software and thus did not receive timely or automatic updates.⁵⁵ Although Microsoft and other vendors in principle permit operators of pirated software to request and apply updates, this is rarely accomplished and the exploitation of unprotected networks in Ukraine accounted for more than an estimated $10 billion in commercial losses.⁵⁶ The NotPetya malware is also an example of a software vendor advertising new software updates after an attack. A secondary effect of this disclosure, however, is that it provides hackers a roadmap for similar attacks on other unpatched systems in the Global South.  

Policy recommendations drawn from Ukraine

Since 2017, Ukraine has adopted, with mixed results, a range of internal and donor-supported anti-corruption initiatives ranging from the establishment of investigation bureaus to prosecuting state corruption and mounting ad campaigns that promote good governance.⁵⁷ One of the most well-known developments, which also had an outsized impact on software procurement corruption, is the launch of a national e-government tool for public procurement.⁵⁸ A public/private-administered electronic platform for government tenders, ProZorro, which means “through transparency” in Ukrainian, began operating with more than 300 private suppliers in 2016. ProZorro largely put an end to backroom procurement processes in Ukraine by making bidding and decision-making available to the public, which reduces opportunities for rent-seeking.⁵⁹

Over the next four years, additional legislative and operational improvements were made to ProZorro, including integrating the role of tax authorities directly onto the platform to provide additional oversight for fraudulent pricing and hidden kickback schemes. By gaining private sector support early in its development, ProZorro was able to move the government’s IT infrastructure purchases onto a platform by 2019, which by then was facilitating $22 billion worth of tenders across the government.⁶⁰ In a sign of trust in the transparency and efficiency of ProZorro, the World Bank has also began conducting its own Ukrainian procurement through the platform.⁶¹ 

In 2022, the Computer Emergency Response Team of Ukraine (CERT) reported a total of 2,194 investigated malware attacks, twenty-five percent of which targeted government systems, with at least a dozen cases in which the malware was detected on critical infrastructure information systems.⁶² Nonetheless, the work of the CERT, bolstered by robust private sector partnerships with software developers, led to quick responses to patch identified vulnerabilities before malware could spread and result in significant network outages. The result of this new capacity has been the prevention of cyber-induced infrastructure outages such as the electric grid collapses that plagued Ukraine in 2015-2016.⁶³  

In the years following the NotPetya attack, Ukrainian public and private organizations began addressing old debts to network software vendors while using the ProZorro platform for new IT procurement. As a result, the country’s state-owned critical infrastructure operators were forced to pursue open tenders on a public-private run platform while network software companies returned to selling licenses to the state enterprises. The author was told by senior officials at Ukraine’s State Special Communications Service (SSCS) that they estimated the share of pirated and unsupported software on the country’s networks had dropped from more than eighty percent at the start of the conflict with Russia in 2014 to only twenty percent in 2020. 

While state enterprises have been required to make transparent software purchases since 2020, anti-corruption progress in the private sector is less certain. As part of the 2022 Russian cyberattacks on Ukraine, the Mandiant cybersecurity firm found that Russian military intelligence hackers likely uploaded “trojanized” versions of Microsoft software on torrent sites popular with Ukrainians.⁶⁴The malware was part of the Ukrainian language packs that, if selected, would perform reconnaissance on a system and install further malware as needed.  

The commitment of state critical infrastructure in Ukraine to rapidly expand licensed software on their networks also drew the interest of large international software vendors that saw Ukraine as ground zero in identifying new malware.⁶⁵ Therefore, as Ukrainian public and private sector enterprises pursued legitimate purchases of licensed software, they also found that vendors were just as motivated to repair relationships with Ukraine’s large network operators. A benefit that few could have predicted in 2016 at the start of Ukraine’s anticorruption agenda is the role that the return of licensed software vendors would have in countering the much larger volume of cyberattacks that accompanied the 2022 Russian invasion. The major network software vendors, such as Microsoft and Cisco, established computer response and threat intelligence teams in Ukraine as part of their effort to identify and mitigate new threats to their licensed software before the malware targeting Ukraine could become a global problem.⁶⁶

The transformation of Ukrainian cybersecurity resilience over the five years between the last of the most harmful cyberattacks on the country (WannaCry and NotPetya) in 2017 and the resilience in the face of the relentless wave of malware attacks that accompanied Russia’s 2022 full-scale invasion suggests governments can proactively make progress against serious systemic vulnerabilities. Nonetheless, the anti-corruption approach must be relentless to succeed. For example, it was no surprise when in late 2023 national anti-corruption investigators uncovered a large IT software kickback where two senior SSCS officials had falsely categorized some procurement as classified, keeping it from being posted on the ProZorro site.⁶⁷  

Overall, the Ukrainian experience suggests that countries burdened with systemic corruption should integrate procurement reform into their cybersecurity measures to mitigate the impact of cultures across the Global South that have promoted or looked the other way at the use of pirated or unsupported software.  

Addressing corruption in cybersecurity strategies

The decision by a dozen of the world’s most influential institutions promoting international cybersecurity not to address the threat of systemic corruption in their 2018 Guide to Developing a National Cybersecurity Strategy continues to be echoed in advisory and technical assistance offered to countries in the Global South. A recent example is the removal of considerations for sectoral vulnerability to procurement corruption in the World Bank’s 2023 influential sectoral cyber capability maturity model (C2M2) assessment tool, which was originally present in the pioneering PRoGReSS sectoral C2M2 developed by Tel Aviv University that the assessment tool is based upon.⁶⁸ 

It is clear from the Ukrainian case study that neglecting issues of corruption in software procurement may result in overlooking an important lever for reducing overall cyber vulnerabilities. While officials in both the Global South and Global North tend to avoid public discussions of corruption, Ukraine’s IT procurement transparency reform offers cybersecurity policymakers a more targeted and politically acceptable policy goal. Certainly, the absence of guidance on IT procurement corruption is leaving cybersecurity strategists in countries challenged by systemic corruption without inspirational goals or advice on mitigating a key threat to their critical infrastructure networks.  

As profiled in this analysis, Pakistan offers a cogent example of a country seeking to address its vulnerability to IT procurement corruption. Just two years after a Russian ransomware organization gained complete access to the revenue service’s new data center riddled with unsupported software, the Ministry of Foreign Affairs official responsible for cybersecurity championed the need to adopt national policies in line with the 2018 Guide to Developing a National Cybersecurity.⁶⁹ The Guide offers a robust set of recommendations and certainly should influence Pakistan’s implementation of its 2021 national cybersecurity strategy, but a government that witnessed first-hand how procurement corruption undermines critical infrastructure cybersecurity would also have benefited from the inclusion of guidance and materials on targeted procurement anticorruption measures—advice not found in the 2018 Guide. 

The dramatic turnaround in the resilience of Ukrainian networks demonstrates the importance of cybersecurity strategies that include the adoption of external and transparent procurement platforms for critical infrastructure enterprise software and technology. As with any capacity-building measure, a cybersecurity anti-corruption initiative could start small as countries struggle to wrestle public procurement from rent-seeking interest groups. A national public tender system that covers all procurement, such as Ukraine’s ProZorro, is an ambitious goal that requires years to develop and operationalize. Nevertheless, national cybersecurity strategies could promote more limited platforms focused on critical infrastructure enterprise procurement from the handful of network software providers serving the market.  

IT procurement reform success depends on the degree to which sectoral or national institutions introduce public-private collaboration, transparency, and autonomy into decision-making processes that currently happen in the backrooms of state bureaucracies. A failed approach was demonstrated in Kenya when the centralization of IT procurement within a single ministry led to the doubling or tripling of prices for key technologies negotiated by newly empowered senior officials.⁷⁰ Kenya’s cybersecurity strategists should be credited with seeking to address the vulnerabilities linked to IT procurement processes. Moreover, they were proposing solutions in a sphere (IT procurement reform) that international donors and cybersecurity consultants continue to avoid.  

The most durable solution is for national cybersecurity strategies to begin to address procurement processes to remove the role of illicit rent-seekers in transactions. Kenya’s failed 2019 centralization of state IT procurement is an example of how many countries in the Global South have only adopted narrow measures limiting the impact of reform to just IT procurement. The next step would be to further limit that procurement to transparent and external electronic tender platforms modeled on Ukraine’s ProZorro system. The e-tender process would serve to transform the country’s critical infrastructure networks by shifting procurement to licensed and updated network software while attracting increased software vendor competition because sales revenues are no longer flowing back to rent-seeking IT administrators.  

A shift in national cybersecurity strategies toward the adoption of e-tender platforms can be facilitated by the rapid growth in e-governance across the Global South. The first generation of e-tender platforms, like ProZorro, were “semi-distributed” to the degree that public and private entities supervise their analytical dashboards across the platform.⁷¹ The growing role of blockchain technology in creating transparent contracts across peer-to-peer networks will certainly transform the next generation of transparent procurement platforms.  

Addressing IT procurement vulnerabilities can also build on existing resilience measures in national cybersecurity strategies. For example, cybersecurity awareness campaigns championed in existing national strategies can be leveraged to have a potential anti-corruption role. Their messaging could target not only individuals but also enterprises while highlighting the vulnerabilities that follow the choice to adopt pirated or other unsupported software. A generation of IT managers, who spent decades downloading pirated software for their personal use, must understand that those practices are no longer safe in the era of the ransomware gang and their recent turn toward targeting the Global South.  

Another strategy that often is proposed as a cybersecurity solution for budget-constrained institutions in the Global South is open-source software (OSS). Paying for commercial software is not the only means to reduce the portion of pirated software on an enterprise’s network. OSS software has long been the building blocks of the world’s dominant network software sold by private vendors, and for more than two decades governments in the Global North have been adopting requirements mandating that officials first seek OSS alternatives before purchasing commercial software for their critical infrastructure networks.⁷² Nonetheless, malware has increasingly been targeting open-source solutions and a policy shift toward OSS in the Global South must be part of a wider government-led effort to recognize the need to support OSS as another element of critical infrastructure.⁷³

As countries continue to innovate in measures to raise transparency in the procurement of IT software and hardware, donors should reconsider their past hesitancy to advocate for anti-corruption measures as part of the cybersecurity strategies they support. The absence of even indirect references to the role of corruption in national cybersecurity strategies across the Global South is inexplicable given the serious cybersecurity risks that are present for countries standing up large information networks founded on pirated or unsupported software. Given the significant challenges developing countries face in responding to cyber threats, they cannot afford to simultaneously overlook the vulnerability associated with corrupt procurement practices.  

Conclusion

Developing countries are continuing to make progress in digitizing governance and trade while simultaneously raising transparency in their public expenditures. Nevertheless, 2022’s country-wide network outages across the Global South suggest this capacity has been built on networks left vulnerable by unlicensed and unsupported software. As governments and critical infrastructure in the Global South prepare for the next stage in ICT development, they must prioritize policies that can reduce corruption in the critical procurement of the network software responsible for protecting their country’s nascent cyberspace. As Adam and Fazekos argue, reform-minded governments and donors throughout the Global South have adopted ICT practices in the fight against national corruption but have developed a blind spot to the role corruption plays in undermining the security of this rapid digitization.⁷⁴  

Cybersecurity strategists working in the Global South must reevaluate a decade of national strategies that largely replicated those from the Global North. It is no longer safe to assume that cyber best practices are divorced from the harsh reality of addressing systemic corruption. At a minimum, national cybersecurity strategies must, for the first time, identify procurement corruption as a cybersecurity risk. Moreover, countries challenged by systemic corruption and under-resourced governance should consider more limited initiatives, such as creating transparent and autonomous IT tender processes for the most critical state sectors. The digital integration of the Global South offers its citizens greater prosperity and transparency in governance, but as decades of past economic development have demonstrated, the equity and reliability of this new revenue stream will depend on leaders not overlooking the adverse impact corruption can play in the social outcomes of their digital development. 

About the author

Robert Peacock is a nonresident senior fellow at the Cyber Statecraft Initiative of the Atlantic Council’s Digital Forensic Research Lab, where his work builds on his past role supporting the highly correlated goals of reducing corruption in critical infrastructure procurement and developing cybersecurity resilience in the Global South. Peacock is Senior Strategic Technical Advisor at DAI Global advising on cybersecurity development programs, funded by the US Agency for International Development (USAID), across a half dozen countries in Eastern Europe and Eurasia. Peacock’s past advisory roles have included developing assistance programs in Armenia, Mozambique, Morocco, while more recently serving as a co-creator for USAID’s first bilateral cybersecurity program (Ukraine) and first regional cyber pathway for women program (Balkans).

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The impact of corruption on cybersecurity: Rethinking national strategies across the Global South   appeared first on Atlantic Council.

The post Transatlantic Economic Statecraft Report cited in the International Cybersecurity Law Review on semiconductor supply chains appeared first on Atlantic Council.

The post Kumar cited by Axios on wholesale central bank digital currency development appeared first on Atlantic Council.

The post CBDC Tracker cited by Coingeek on wholesale central bank digital currency development appeared first on Atlantic Council.

The post Zaaimi in Leadership Connect: Tribal Spotlight Interview appeared first on Atlantic Council.

The post Tran, Matthews, and CBDC Tracker cited by YouTube video on Saudi Arabia mBridge membership appeared first on Atlantic Council.

The post Kumar and CBDC Tracker cited by Axios on global central bank digital currency development appeared first on Atlantic Council.