The information revolution has been a mixed blessing for China and the world. On one hand, computer networks enhance economic productivity, national security, and social interaction. On the other, valuable information infrastructure provides lucrative targets for thieves, spies, and soldiers. Nearly every type of government agency, commercial firm, and social organization benefits from information technology, but they can also be harmed through cyberspace. Not a week goes by without a major hack being reported in the media or countries chastising each other for cyberespionage.
In the absence of shared norms or even concepts, cybersecurity discourse becomes mired in competing morality tales. Chinese hackers are pillaging intellectual property and creating asymmetric threats. The National Security Agency (NSA) is jeopardizing civil liberties and weakening the Internet. Communist censorship is undermining the democratic promise of information technology, even as American firms unfairly dominate its development. Cybercrime is costing everyone trillions of dollars.
There is a grain of truth in all of these claims, which means that the phenomenon as a whole must be more complicated than any one suggests. China both generates and experiences serious cyber threats, shaped by a combination of bureaucratic politics and economic policy, domestic security imperatives, military modernization, and ambitions for international influence. Nevertheless, the United States and China both have far more to gain than lose through their digital interdependence.
Competing Threat Narratives
The United States and China regularly accuse each other of abuse. Disputes over espionage and internet governance are creating tensions that need active management to limit their effects on diplomatic relations.
Cybersecurity pessimists increasingly dominate American thinking on this subject. President Barack Obama wrote that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.” This growing worry about the vulnerability of cyberspace to espionage or disruption is motivated to no small extent by concerns about China’s economic and military development. As FBI Director James B. Comey noted, “For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries.”
The concern extends to America’s closest allies. The director-general of MI5 sent a confidential letter to three hundred corporate executives expressing “concerns about the possible damage to U.K. business resulting from electronic attack sponsored by Chinese state organizations, and the fact that the attacks are designed to defeat best-practice IT security systems.” Australia barred Chinese telecommunications giant Huawei from bidding on its national broadband network out of concerns that covert “back doors” might be installed.
Yet, Western accounts of this threat tell only one side of the story. Chinese leaders are also quite concerned about cyber insecurity. President Xi Jinping stresses “the importance and urgency of internet security and informatization” and describes the dual goals of security and development as “two wings of a bird and two wheels of an engine. . . . No internet safety means no national security. No informatization means no modernization.” Xi’s predecessor, Hu Jintao, likewise observed, “We should attach great importance to maritime, space, and cyberspace security.”
Chinese authors frequently note that China is also a victim of foreign cyberattacks, predominantly from the United States, citing staggering statistics of tens or hundreds of thousands of attacks and compromised machines per month. The director of China’s National Computer Network Emergency Response Technical Team and Coordination Center (CNCERT/CC) asserted, “We have mountains of data, if we wanted to accuse the U.S., but it’s not helpful in solving the problem.” Another researcher at the China Foreign Affairs University broadened this view: “For months, Washington has been accusing China of cyber espionage, but it turns out that the biggest threat to the pursuit of individual freedom and privacy in the U.S. is the unbridled power of the government.”
American attempts to articulate the difference between the political-military targets of U.S. cyber espionage and the economic targets of Chinese espionage, or between Internet control as practiced by China and metadata collection as practiced by the NSA, have tended to fall on deaf ears.
China’s Troubled Cybersecurity Apparatus
China’s domestic political economy differs considerably from that of Western countries, with important implications for cybersecurity. Although China is an authoritarian party state, administrative governance is bureaucratically fragmented and hyper-competitive by nature.
Cybersecurity coordination across military, law enforcement, diplomats, and industrial regulators is challenging under the best conditions, but it is particularly difficult in the top-down yet compartmentalized Chinese system. The pervasive role of the state leaves little room for the advocacy or protection of civil society or corporate interests.
One particularly distinguishing characteristic of the Chinese concept of information security (xinxi anquan) is that it emphasizes Internet content as much as, if not more than, technical network security (wangluo anquan). In the United States, by contrast, malware and hackers rather than data and ideas are perceived as the principal dangers in cyberspace.
China thus tends to put a more coherent effort into defense against the perils of “terrorism, separatism, extremism” than defense against economic cybercrime and technical exploitation by foreign intelligence services. One unfortunate result is that China tends to export its domestic security paranoia abroad through digital harassment of expatriate minorities and Western media and civil society activist organizations.
Ironically, China’s prioritization of ideological information security creates serious defensive gaps in China’s national networks. A booming domestic online underground economy thrives in China, enabled by lax enforcement and widespread neglect of best practices. The national cybersecurity enterprise is run by a tangled web of Party, State, and military organizations that do not cooperate effectively. It is hard to ascertain whether periodic attempts to ban foreign (American) information technologies result from legitimate security concerns or protectionism. In any case, Chinese information security products are poor substitutes.
The State Council is candid about the challenges facing China, even as this supports a narrative of victimization by the more powerful United States: “the broadband information infrastructure development gap with developed countries has widened; the level of government information sharing and business collaboration is not high; the core technology is controlled by others; . . . insufficient strategy coordination; weak critical infrastructure protection capability; mobile Internet and other technologies pose serious challenges.”
After several years of relative neglect, bureaucratic deadlock, and increasing international controversy about cyberspace, Chinese leaders have recently begun to pay attention to cybersecurity.
In early 2014, Xi Jinping created and chaired a new leading small group focusing on cybersecurity and informatization. A previous incarnation of the cybersecurity committee was run by a lower-ranking official and headquartered in the Ministry of Industry and Information Technology. The new working offices are in the Cyberspace Administration of China, also known as the State Internet Information Office, which is in charge of online censorship. Its director, Lu Wei, is also the Deputy Director of the Central Propaganda Department of the Communist Party.
Although this new development doubles down on ideological purity and is in keeping with Xi’s anti-corruption drive, its efficacy for cyber defense remains to be seen. Previous experience does not bode well: following a foundational opinion issued in 2003 (“Document 27”) and updated in 2012, the leadership became distracted while an emerging cybersecurity industrial complex chased ever more lucrative rents.
Divergent Visions of Internet Governance
American-Chinese cooperation on cybersecurity is a shared goal, but there are many obstacles. Any notion of a cyber arms control treaty or the establishment of cyber norms must be reconciled with actual covert cyber activities and government interests in promoting or tolerating them.
Cyber exploitation of ethnic minorities and Internet censorship by the Chinese state stand in stark contrast to cosmopolitan visions of an open Internet with strong normative protections for human rights. The U.S. Department of State’s “Internet freedom” agenda “works to advance Internet freedom as an aspect of the universal rights of freedom of expression and the free flow of information.” As part of this initiative, the U.S. government and activists from nongovernmental organizations develop and deploy technologies that dissidents can use to subvert controls on Internet content. With regard to China, this essentially means hacking the “Great Firewall.”
China, together with Russia, would prefer to shift governance of the Internet to the United Nations with stronger norms of Internet sovereignty and noninterference. Europe and the United States prefer to maintain the current “multistakeholder” arrangement while strengthening norms of openness and human rights. The Obama administration’s decision to transfer the Internet Assigned Name Authority (IANA) function from the Department of Commerce to the Internet Corporation for Assigned Names and Numbers (ICANN) is a sign that the United States recognizes it must internationalize cyber policy, but even this step is unlikely to mollify Chinese critics.
The challenge of international policy coordination is exacerbated by intrastate disorganization and disconnects between public and private actors in both countries. National cyber policy in any country must balance the competing goals of national security, law enforcement, and industrial regulation in an international market context of rapid technological change.
Yet innovation in the commercial information technology sector moves far more rapidly than the pace of policymaking in any state. The opportunities for making mischief online emerge faster than government regulators can adjust to counter them, even if they were somehow able to achieve normative agreement on the desirability of doing so.
To date, both states have attempted to find common ground against transnational criminal organizations and have made modest progress on reconciling views on intellectual property. However, as cyber capabilities develop and deepen inside the national security establishments of both countries, it is difficult to ignore tensions created through the cyber activities of all parties.
Likewise, it is futile to hope to eliminate cyber exploitation across national boundaries. It is simply too essential a tool for China’s economic development and political stability strategy and for the national security strategy of the United States, although neither state likes to admit it publicly.
Learn to Stop Worrying and Love the Cyber Bomb
Understanding cyber threats to and from China requires more attention to domestic and international institutions and the incentives they create. Paradigms matter, and the political economy of trade and industrial regulation might be as or more important than deterrence or warfighting for analyzing cybersecurity.
Cyberspace is ultimately a human creation and its potential for abuse will be shaped through a long and complex process of institutional bargaining in the context of ongoing architectural redesign. Misunderstanding not only leads to oversimplification in analysis but also to potential miscalculation in strategic interaction.
While it might not be possible to completely eliminate cyberthreats through norms or formal agreements, we should be able to avoid making them worse through ignorance. Both the U.S. military and the Chinese PLA assume that cyberspace is a highly offensive, asymmetric, and unstable domain of conflict, yet the history of minor irritants and tolerable abuses experienced thus far suggests that restraint and limited effectiveness are the norm.
Bad assumptions are dangerous in international relations, so both states should work to dispel illusions about catastrophic cyber attacks. “More transparency will strengthen China-U.S. relations,” former U.S. Secretary of Defense Charles Hagel observed, adding: “Greater openness about cyber reduces the risk that misunderstanding and misperception could lead to miscalculation.”
The worries over cybersecurity should not risk the mutual value both countries derive from an open and innovative cyberspace.
Jon R. Lindsay is an assistant research scientist with the University of California Institute on Global Conflict and Cooperation and assistant adjunct professor at the UC San Diego School of International Relations and Pacific Studies. Tai Ming Cheung is the director of the University of California Institute on Global Conflict and Cooperation. Derek S. Reveron is a professor of national security affairs and the EMC Informationist Chair at the U.S. Naval War College. They are the co-editors of the book China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain (Oxford University Press, 2015).