Technology

Exporting the Great Firewall: The CCP’s Exposed Efforts to Spread Digital Authoritarianism

A massive September 2025 leak of data from the People’s Republic of China’s (PRC) ‘Great Firewall’ offers the first verifiable technical evidence of how the Chinese Communist Party (CCP) develops its infrastructure of internet control. This unprecedented disclosure also reveals how the CCP exports the mechanisms of digital censorship. Amid intensifying U.S.-PRC technology competition and global democratic backsliding, the leak presents Washington with a rare opportunity to counter ‘digital authoritarianism’ through technical analysis, economic measures, and coordinated diplomacy. 

Authoritarian regimes monitor the internet to suppress dissent, control information access, and surveil citizens. The CCP stands at the forefront of this practice, continually refining the “Great Firewall” into what is now “the most sophisticated content-filtering internet regime in the world.” 

In the early years of the internet, Western democracies believed it would enable free global access to information and spread democratic principles. The CCP’s domestic efforts quickly proved otherwise, and experts have long feared the party would export its systems of internet censorship to like-minded authoritarian regimes. The recent leak of Great Firewall data affirms these fears. 

The Leak: Context and Contents

On September 11, 2025, a collection of approximately 600 GB of Great Firewall files appeared online. Researchers called it “the largest leak of internal documents in [the Great Firewall’s] history.” Independent investigations traced the leak to two entities involved in the Great Firewall’s research and development: Geedge Networks, a nominally private company that manufactures internet censorship and monitoring tools, and MESA Lab, a research unit in the PRC’s Academy of Sciences’ Institute of Information Engineering. 

The leak provides groundbreaking insights into the CCP’s domestic internet censorship efforts. Inside the PRC, Geedge Networks provides services in Xinjiang, Jiangsu, and Fujian provinces. These province-specific deployments represent a departure from the party’s assumed centralized censorship model. Decentralized censorship allows local authorities greater control and enables heavier surveillance in politically sensitive provinces like Xinjiang. Significant collaboration between the company and local authorities allows for tailored surveillance and experimentation with new capabilities. 

The CCP’s increasingly sophisticated censorship system, supported by Geedge Networks, reflects its ambition to monitor and control citizens’ online behavior precisely. By decentralizing censorship, the party is enabling adaptive digital surveillance and repression. Moreover, the technical experimentation occurring in various provinces serves as a proving ground for replication nationwide. Together, these advancing capabilities enable the CCP to effectively shape public opinion and suppress opposition, safeguarding regime stability. 

The leak also reveals new technical details about the international proliferation of the CCP’s internet censorship systems. Geedge Networks exports services to Myanmar, Pakistan, Ethiopia, Kazakhstan, and another unnamed Belt and Road Initiative partner. These governments use the company’s systems for surveillance, content filtering, VPN blocking, and targeted shutdowns. In Myanmar, operators reportedly monitor as many as 81 million simultaneous TCP connections through Geedge Networks equipment at core internet exchange points (IXPs), using it for mass blocking and selective filtering. In Pakistan, Geedge Networks equipment integrates with remnants of older monitoring systems and operates alongside other lawful intercept platforms, demonstrating significant interoperability. 

Experts have long assumed the CCP aims to export its digital authoritarianism model. However, previous evidence was either circumstantial or uncertain. This leak entirely changes that, confirming export recipients, timelines, and deployment details. Beyond confirming the CCP’s export activity, the leak demonstrates a rising willingness among foreign governments to adopt its approach. Adoption may accelerate as other regimes emulate the CCP’s perceived success. The leak may even intensify proliferation, as regimes attempt to replicate the exposed software. Wider adoption would threaten U.S. interests in promoting an open internet and constrain civil-society engagement. 

Technical Breakdown of PRC Censorship Capabilities

Beyond deployment information, the leaked files contain considerable technical data on censorship capabilities, including work logs, internal communications from both Geedge Networks and the MESA Lab, and extensive source code from Great Firewall censorship systems. 

The technical contents of the leak present unprecedented information on Geedge Networks’ primary internet censorship offering, Tiangou Secure Gateway (TSG). The system operates inline (directly in the data path of network traffic) at major data centers and can scale to handle all national traffic. Sitting between users and the wider internet gives operators real-time visibility into, and the ability to intervene in, every flow they carry. They can apply per-user rules, monitor all activity, and capture plaintext content, including web pages, credentials, and attachments. Inline positioning also enables packet manipulation, letting operators infect users with malware through in-path injection. For encrypted traffic, TSG uses deep packet inspection (DPI) and machine learning (ML) techniques to identify VPNs and other censorship circumvention tools, flag suspect sessions, and block them on a case-by-case basis.
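To make the DPI step concrete, here is an added illustration of the kind of static protocol fingerprinting an inline gateway applies to the first packet of a flow. It is example code written for this article, not Geedge Networks or TSG code, and it does not claim to reproduce their classifiers; the heuristics come from the public WireGuard, OpenVPN, and TLS specifications, the `BLOCKED_SNI` policy list is hypothetical, and every packet is constructed inline for the demo.

```python
"""
Illustrative DPI fingerprints of the kind an inline gateway uses to spot tunnel
protocols and issue per-flow verdicts. Added example for this article, not
Geedge/TSG code; heuristics come from the public WireGuard, OpenVPN and TLS
specifications. All packets are constructed below for the demo.
"""
import struct
from typing import List, Optional, Tuple

# Hypothetical operator policy (constructed): server names blocked outright.
BLOCKED_SNI = {"vpn.example.net"}


def classify_udp_payload(payload: bytes) -> str:
    """Match the first UDP datagram of a flow against static tunnel fingerprints."""
    # WireGuard handshake initiation: type 1 + 3 reserved zero bytes, always 148 bytes.
    if len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00":
        return "wireguard-handshake-init"
    # WireGuard handshake response: type 2, always 92 bytes.
    if len(payload) == 92 and payload[:4] == b"\x02\x00\x00\x00":
        return "wireguard-handshake-resp"
    # OpenVPN/UDP: first byte is (opcode << 3) | key_id. Opcode 7 is
    # P_CONTROL_HARD_RESET_CLIENT_V2 (10 is the V3 variant), the client's opener,
    # followed by an 8-byte session id, a packet-id array length and a packet id.
    if len(payload) >= 14 and (payload[0] >> 3) in (7, 10):
        return "openvpn-client-hard-reset"
    return "unknown"


def _u16(buf: bytes, off: int) -> Optional[int]:
    return struct.unpack("!H", buf[off:off + 2])[0] if off + 2 <= len(buf) else None


def tls_client_hello_sni(payload: bytes) -> Tuple[bool, Optional[str]]:
    """Return (is_client_hello, server_name) for a TCP segment starting a TLS record.
    Truncated or SNI-less hellos give (True, None); non-ClientHello data (False, None)."""
    # Record type 0x16 (handshake) and handshake type 0x01 (ClientHello).
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return False, None
    p = 43                      # record hdr (5) + hs hdr (4) + version (2) + random (32)
    p += 1 + payload[p]         # session_id
    cs_len = _u16(payload, p)
    if cs_len is None:
        return True, None
    p += 2 + cs_len             # cipher_suites
    if p >= len(payload):
        return True, None
    p += 1 + payload[p]         # compression_methods
    ext_total = _u16(payload, p)
    if ext_total is None:
        return True, None
    p += 2
    end = min(p + ext_total, len(payload))
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if ext_type == 0 and ext_len >= 5:   # server_name extension
            # server_name_list length (2), name_type (1), host_name length (2), host_name
            name_len = _u16(payload, p + 3)
            if name_len is None or p + 5 + name_len > end:
                return True, None
            return True, payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return True, None


def inspect_flow(proto: str, payload: bytes) -> str:
    """Per-flow verdict in the style of an inline gateway: allow, flag, or block."""
    if proto == "udp":
        return "block" if classify_udp_payload(payload) != "unknown" else "allow"
    if proto == "tcp":
        is_hello, sni = tls_client_hello_sni(payload)
        if is_hello and sni is None:
            return "flag"       # no domain rule applies; defer to stateful/ML inspection
        if is_hello and sni in BLOCKED_SNI:
            return "block"
    return "allow"


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello as sample input (constructed)."""
    exts = struct.pack("!HH", 0x0017, 0)   # empty extended_master_secret ext, exercises the loop
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def run_demo() -> List[Tuple[str, str]]:
    """First packets of five constructed flows and the verdict each receives."""
    flows = [
        ("wireguard", "udp", b"\x01\x00\x00\x00" + bytes(144)),
        ("openvpn", "udp", b"\x38" + bytes(8) + b"\x00" + bytes(4)),
        ("https-allowed", "tcp", build_client_hello("www.example.com")),
        ("https-blocked", "tcp", build_client_hello("vpn.example.net")),
        ("tls-no-sni", "tcp", build_client_hello(None)),
    ]
    return [(name, inspect_flow(proto, pkt)) for name, proto, pkt in flows]


if __name__ == "__main__":
    for name, verdict in run_demo():
        print(f"{name:14s} -> {verdict}")
```

Two points a practitioner should take from this. First, static fingerprints like these only catch protocols that announce themselves; circumvention tools built to look like random bytes or ordinary HTTPS carry no such opener, which is why the article describes ML classifiers on top of DPI rather than signatures alone. Second, the "flag" path shows the case-by-case handling the text mentions: a ClientHello with no SNI cannot be matched to a domain rule, so the gateway must either tolerate it (and miss traffic) or escalate it (and risk false positives on legitimate clients), a trade-off that is a policy choice, not a technical one.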

The leak also reveals Cyber Narrator, Geedge Networks’ proprietary Security Information and Event Management (SIEM) and Online Analytical Processing (OLAP) solution. Cyber Narrator is the interface operators use to analyze data collected by TSG. It draws on data stored in Geedge Networks’ data warehousing solution, TSG Galaxy, as well as WebSketch, a tool with intelligent search capabilities. Operators can use the Cyber Narrator system to see each mobile user’s geographic location and whether the user is connected via a VPN. They can also link cellular activity to track groups of users in specific areas. 

Internal communications show that clients can request new features. Geedge Networks prioritizes these software updates and offers them to all clients. These communications indicate that Geedge Networks is discussing and testing DDoS-for-hire services that would let clients target specific users with disruptive attacks. The company is also considering implementing techniques to create geofences for specific users. 

These capabilities pose immediate risks to U.S. citizens and their data. U.S. citizens using the internet in countries running Geedge Networks equipment risk exposing sensitive information. They are also vulnerable to surveillance and, by extension, possible threats to personal security. Additionally, U.S. citizens who connect with users on those networks from abroad make their data vulnerable not only to authoritarian regimes using Geedge Networks systems but also to the CCP itself. Because components of Geedge Networks’ systems, including TSG Galaxy, WebSketch, and update platforms, are housed in the PRC, company personnel retain access to data from foreign installations. This extends access to MESA Lab partners and to CCP officials, given the PRC’s sweeping national security and intelligence laws. Potential CCP access considerably amplifies the threat to U.S. communications into and out of the countries in question. 

Experts have warned that U.S. citizens might be vulnerable to these threats. However, like deployment reports, these warnings have been largely speculative or circumstantial. This leak confirms and details the dangers to U.S. citizens and their sensitive information. 

Opportunities for the United States

The leak confirms previously unsubstantiated threats to U.S. citizens’ security and offers opportunities for strategic action. 

Because the leak contains extensive source code, system logs, and deployment diagrams, it offers the first definitive evidence of how the PRC’s censorship tools function at the foundational level. This allows analysts to reverse-engineer the architecture and extract signatures linking foreign deployments to the CCP. Moreover, analysts can develop mitigation strategies to counter the CCP’s approach. The U.S. should direct CISA, the National Security Agency Cybersecurity Collaboration Center, and allied cyber agencies, such as Britain’s National Cyber Security Centre and the Australian Cyber Security Centre, to jointly accomplish these tasks. These groups should publish joint findings in coordinated advisories offering detection and mitigation guidance. 

The financial and operational records within the leak appear to identify Geedge Networks’ and MESA Lab’s networks of vendors and partners. This opening gives the U.S. and its allies a rare chance to trace and disrupt the commercial ecosystem behind the CCP’s efforts to export censorship technologies. U.S. agencies, including the Bureau of Industry and Security (BIS), the Office of Foreign Assets Control (OFAC), and CISA’s National Risk Management Center, should collaborate to map vendors and affiliates tied to Geedge Networks and MESA Lab. 

This work should leverage and expand the Department of Defense’s Section 1260H list of Chinese military companies, maintained under the FY2021 National Defense Authorization Act. These efforts would enable the U.S. government to construct a targeted sanctions framework to reduce the capabilities of that ecosystem. Within this framework, procurement restrictions should limit federal and state agencies, defense industrial base contractors, and critical infrastructure operators from acquiring products from designated entities. Export controls administered by BIS and sanctions administered by OFAC, together with import restrictions, should limit trade to and from those entities, restricting their access to crucial materials and keeping their products out of the U.S. 

The sanctions themselves should extend to Geedge Networks, MESA Lab, their affiliates, and key individuals, including executives, state officials, or systems engineers, freezing their assets and severing their access to international markets. Under authorities delegated by Congress through statutes such as the International Emergency Economic Powers Act (IEEPA), the president may unilaterally impose these sanctions by executive order. Washington should coordinate these measures with partners to implement a multilateral sanctions regime, ensuring collective enforcement. These recommendations are severe, but the leak offers a unique opportunity for Washington to act decisively before the CCP’s model becomes globally entrenched.

The leak provides a diplomatic opening for the U.S. to lead coalitions committed to an open internet. The U.S. should craft material that condemns authoritarian technology exports, highlighting the human rights impacts of surveillance and censorship. It should coordinate with allies to promote a multilateral response with sanctions and export controls. This effort should align democratic states around a transparent global internet and persuade neutral states that the benefits of domestic internet control do not outweigh its global costs. To further encourage cooperation, the U.S. should frame the issue as one of strategic independence, arguing that heavy dependence on an authoritarian PRC supplier for national security technologies is unwise. Finally, the U.S. should pair its condemnations with tangible alternatives, such as internet infrastructure and digital capacity-building initiatives offered by the U.S. International Development Finance Corporation, to give neutral states a credible path away from reliance on PRC systems. In short, the leak offers a unique opportunity to turn evidence of repression into multilateral support for digital freedom through diplomacy.


Views expressed are the author’s own and do not represent the views of GSSR, Georgetown University, or any other entity. Image Credit: CNAS