Will China and America Clash in Cyberspace?

"The worries over cybersecurity should not risk the mutual value both countries derive from an open and innovative cyberspace."

Chinese authors frequently note that China is also a victim of foreign cyberattacks, predominantly from the United States, citing staggering statistics of tens or hundreds of thousands of attacks and compromised machines per month. The director of China’s National Computer Network Emergency Response Technical Team and Coordination Center (CNCERT/CC) asserted, “We have mountains of data, if we wanted to accuse the U.S., but it’s not helpful in solving the problem.” Another researcher at the China Foreign Affairs University broadened this view: “For months, Washington has been accusing China of cyber espionage, but it turns out that the biggest threat to the pursuit of individual freedom and privacy in the U.S. is the unbridled power of the government.”

American attempts to articulate the difference between the political-military targets of U.S. cyber espionage and the economic targets of Chinese espionage, or between Internet control as practiced by China and metadata collection as practiced by the NSA, have tended to fall on deaf ears.

China’s Troubled Cybersecurity Apparatus

China’s domestic political economy differs considerably from that of Western countries, with important implications for cybersecurity. Although China is an authoritarian party state, administrative governance is bureaucratically fragmented and hyper-competitive by nature.

Cybersecurity coordination across military, law enforcement, diplomats, and industrial regulators is challenging under the best conditions, but it is particularly difficult in the top-down yet compartmentalized Chinese system. The pervasive role of the state leaves little room for the advocacy or protection of civil society or corporate interests.

One particularly distinguishing characteristic of the Chinese concept of information security (xinxi anquan) is that it emphasizes Internet content as much as, if not more than, technical network security (wangluo anquan). In the United States, by contrast, malware and hackers rather than data and ideas are perceived as the principal dangers in cyberspace.

China thus tends to put a more coherent effort into defense against the perils of “terrorism, separatism, extremism” than defense against economic cybercrime and technical exploitation by foreign intelligence services. One unfortunate result is that China tends to export its domestic security paranoia abroad through digital harassment of expatriate minorities and Western media and civil society activist organizations.

Ironically, China’s prioritization of ideological information security creates serious defensive gaps in China’s national networks. A booming domestic online underground economy thrives in China, enabled by lax enforcement and widespread neglect of best practices. The national cybersecurity enterprise is run by a tangled web of Party, State, and military organizations that do not cooperate effectively. It is hard to ascertain whether periodic attempts to ban foreign (American) information technologies result from legitimate security concerns or protectionism. In any case, Chinese information security products are poor substitutes.

The State Council is candid about the challenges facing China, even as this supports a narrative of victimization by the more powerful United States: “the broadband information infrastructure development gap with developed countries has widened; the level of government information sharing and business collaboration is not high; the core technology is controlled by others; . . . insufficient strategy coordination; weak critical infrastructure protection capability; mobile Internet and other technologies pose serious challenges.”

After several years of relative neglect, bureaucratic deadlock, and increasing international controversy about cyberspace, Chinese leaders have recently begun to pay attention to cybersecurity.

In early 2014, Xi Jinping created and chaired a new leading small group focusing on cybersecurity and informatization. A previous incarnation of the cybersecurity committee was run by a lower-ranking official and headquartered in the Ministry of Industry and Information Technology. The new working offices are in the Cyberspace Administration of China, also known as the State Internet Information Office, which is in charge of online censorship. Its director, Lu Wei, is also the Deputy Director of the Central Propaganda Department of the Communist Party.

Although this new development doubles down on ideological purity and is in keeping with Xi’s anti-corruption drive, its efficacy for cyber defense remains to be seen. Previous experience does not bode well: following a foundational opinion issued in 2003 (“Document 27”) and updated in 2012, the leadership became distracted while an emerging cybersecurity industrial complex chased ever more lucrative rents.

Divergent Visions of Internet Governance

American-Chinese cooperation on cybersecurity is a shared goal, but there are many obstacles. Any notion of a cyber arms control treaty or the establishment of cyber norms must be reconciled with actual covert cyber activities and government interests in promoting or tolerating them.