Cybersecurity in China: The Next Wave

© The Author(s) 2018

Greg AustinCybersecurity in ChinaSpringerBriefs in Cybersecurityhttps://doi.org/10.1007/978-3-319-68436-9_1

1. The Cybersecurity Ecosystem

Greg Austin¹  

(1)

Australian Centre for Cyber Security, University of New South Wales, Canberra, ACT, Australia

Greg Austin

Email: G.Austin@adfa.edu.au

Abstract

China conducts more cyber espionage on itself than any other country does. The ecosystem for security in cyberspace is distorted by the country’s political system. The chapter lays out China’s definition of the problem set, and describes key features of the 2016 National Cyber Security Strategy. It then gives some background on the national policy shift in 2014 represented by Xi’s declaration of the ambition for China to become a cyber power.

Keywords

DefinitionNational strategyMilitary powerNational securityAuthoritarianismCensorshipSovereigntyCommunist partyCyber powerGreat firewallGreat wallPublic securityOrganizational structureLegislationStandards

1.1 Introduction: Weak and Strong

China’s political leaders feel insecure in cyberspace. Its corporate leaders lament the absence of a strong domestic cybersecurity industry. Its citizens are engaged in high risk online behaviors for political or personal reasons, and often out of ignorance of the dangers. Foreign corporations dominated the delivery of cybersecurity in China until quite recently. Some foreign governments work hard to undermine it. The People’s Liberation Army (PLA) is struggling to come to terms with cyber war concepts and technologies beyond cyber espionage. On the other hand, the internal security agencies are among the world leaders in domestic cyber surveillance, often relying on the services and equipment of foreign corporations. China appears to do better than almost any other country in catching its own cyber criminals. Yet it has an almost invisible, probably non-existent capability for protecting national critical infrastructure in cyberspace. The country’s domestic scientific base for security in cyberspace is in its infancy, and this judgment includes the scientific study of the country’s overall cybersecurity. This is the multi-tiered and developmentally-challenged reality of cybersecurity in China.

Cyberspace is an inherently insecure environment. Even the United States, the world’s wealthiest and most technologically advanced country, faces chronic cyber insecurities. But three factors combine to make Chinese users particularly insecure compared with those of other G20 countries, including India, a similarly large developing country. These three factors are: the numerically large number of users (including both humans and other machines, the former with little of the necessary security literacy), the higher prevalence of pirated software, and a very high intensity of consumption of ICT products (a rush to use).

At a deeper level of analysis, but one which has high cogency for daily security in cyberspace in China is what we might call the spy versus spy effect. China is the only country which is targeted every second across a wide spectrum of social and economic life by two of the most powerful cyber actors in the world. One of these two perpetrators is obvious. The United States has built and operates the largest cyberspace military and espionage alliance in human history and one of its primary targets is China—the country as whole, not just the government. The second perpetrator is less obvious. It is the government of China. It spies on itself. It has built and operates the largest cyber-enabled internal security surveillance system in human history and the primary target of this system is the country as a whole, including the government and its 80 million CCP members. Within two to three decades, advances in artificial intelligence may allow China to achieve a near-perfect replica of the Orwellian vision of Big Brother’s omniscient domestic social surveillance seen in the novel 1984.

If you are an adult inside China, regardless of your nationality, occupation or location, no matter what cyber system you operate and depend on, there is a very high chance that it is being surveilled or can be surveilled on short notice by both of the two cyber superpowers. There is also a high chance that they will have developed an option for attack on your cyber lifelines and foundations. To undertake this surveillance, the two countries have devised access technologies for the cyber systems you use. This is not the case for any other country in the world apart from China. While such surveillance and the cyber insecurity needed for it (endless intrusions) would be illegal in some countries, neither the U.S. government or Chinese government feels constrained by law in this activity inside China. The operating norms (one in international law and one in domestic law) are that cyber attacks for espionage purposes in this case are lawful, whether it U.S. espionage against China or Chinese political surveillance of its own citizens.

The weakness of China’s cybersecurity is one of the best kept secrets in Washington because of the latter’s interest in exploiting the vulnerability for intelligence and military purposes. For its part, the Chinese leadership faces competing priorities. On the one hand, China could reveal its own weaknesses fully in order to promote higher levels of awareness and begin to structure adequate responses. On the other hand, to do so would undercut both the political legitimacy of the government as defender of the country’s interests and undermine the government’s ability to exploit the weaknesses for its own internal political intelligence collection. In fact, the country’s leadership has a vested interest in convincing the Chinese public that it is omnipotent in cyberspace and that it can, in the fullness of time, protect CCP interests in the infosphere.

There is another general condition that undermines security in cyberspace that is worthy of note. Companies that provide services in this field in one country become a prime target for its intelligence adversaries, a fact recognized at least in the case of the U.S. agencies (Bing 2017). The reason is that the companies have direct, continuous access into their clients’ networks and collect large quantities of data about them.

1.2 Cyber Insecurity: Snapshot

By way of introduction to the story of cybersecurity in China, here are five reports of activity in January 2017 that capture many of the challenges faced by stakeholders in the country, both at the time and on a continuing basis. Some aspects of these stories are unique to China, while others are not.

Personal Cyber Dependency and Government Intervention: A Chinese agency announced a draft regulation that would require the providers of online games to enforce a curfew (from midnight to 8.00 am) in a bid to restrict addictive use by minors (China Daily 2017a).

Legal Obligations of Service Providers: The Guangdong Province branch of the Cyberspace Administration of China (CAC) reported that it had taken down over 5000 illegal apps, of which more than 1200 had carried pornography (Xinhua 2017a). A number of Chinese corporations were named with the implication that they were not being vigilant enough (Tencent, China Mobile, Huawei, ZTE, Coolpad, Meizu, Oppo and Vivo).

Cyber Crime Statistics: With the start of the new year in 2017, cyber crime fighters reported the scale of the problem over the previous year, citing the arrest of 19,345 suspects of cyber or telecommunications fraud throughout China (Xinhua 2017b). This was small share of total cyber crime in China, with Guangdong province alone reporting its 2016 situation in the following terms: 4125 cyber crimes and … 15,000 criminal suspects from 892 criminal gangs (Mi 2017). Guangdong, adjacent to Hong Kong, is one of the richest and most connected provinces in the country. (China has 31 provinces, including municipalities and autonomous regions with similar status as provinces. It also has two Special Administrative Regions or SARs, Hong Kong and Macao.)

Censorship and Leadership Security: A monitoring organization based in Hong Kong, China Digital Times (2017), reported that the relevant Ministry had ordered a crackdown on virtual private networks (VPNs) which users rely on to access international internet content that is banned or blocked by the government. Chinese regulators were moving to prohibit the setting up or renting of a communication channel, such as a VPN, to undertake cross-border communications unless the channel is approved by the government. One of the primary reasons why the authorities are so keen to shut down this access is to prevent the spreading of stories about the wealth and alleged corruption of political leaders which have been reported on several times in detail by foreign media since 2012.

U.S. Military Superiority in Cyberspace: The chinamil.com website carried a story from the People’s Liberation Army Daily, which reported cyber warfare capability as one of the main success stories of the Obama Administration (Feng 2017). The report left unspoken what the implications for China of this evolution might be, but it replays subtly the long-standing Chinese view that the country lags badly behind the United States in cyber military power because of what the article calls that country’s IT advantages.

1.3 Toward a More Secure Cyberspace: Snapshot

To complement the above snapshot of cyber insecurity in the month of January 2017, here is a similar snapshot of events in the following month suggestive of enhanced cybersecurity in China.

Cybersecurity Review Committee: One of the more significant developments was the announcement on 8 February 2017 that the government would set up a cybersecurity review committee with a wide-ranging supervisory role for products and services affecting national security or public interest (to deliberate important policies on cybersecurity and organize reviews) (China Daily 2017b). In releasing the news, the CAC said other issues for review would include risks of criminal use to illegally gather, store, process or make use of consumer information and unfair competition practices. The result would be blacklisting of services or products that do not pass the review, resulting in a ban on their use by government agencies, the CCP, or strategic industries. CAC promised that the review process would treat foreign and domestic suppliers equally, touching on a major concern of the former that the country is discriminating in favour of domestic companies.

Fencing China Off: On 17 February, President Xi Jinping used a seminar convened under the auspices of the National Security Commission, also then a relatively new body which he chairs, to call for attention to cybersecurity as part of a new global perspective on protection of the country. Advocating greater attention to prevention of risks, Xi promoted consolidation of the cybersecurity fence and improved efforts to secure information infrastructure (China.org 2017).

Domestic Cyber Industry: On the technology front, as a sign of things to come, a Chinese-owned company based in Hong Kong, Nexusguard, took advantage of the release of the latest Top 500 global ranking of cybersecurity companies in February 2017 to take pride in its consistent placement in the top 25, ahead even of Russia’s better known Kaspersky Lab (AsiaOne 2017). Nexusguard, which specialises in protection against distributed denial of service (DDOS) attacks, is wholly owned by Legend Venture Holdings, which is the largest shareholder in Lenovo, the Chinese company that became the world’s largest manufacturer of desktop computers after buying out IBM’s PC business.

1.4 China’s Definition of Cybersecurity

China as a whole has come late to a comprehensive view of cybersecurity as a socio-technical phenomenon. A useful reference point is the three stage distinction devised by Hathaway and Klimburg (2012: 29–31), that is between a whole-of-government approach, to a whole-of-nation approach, to a whole-of-systems. China flagged its intention to pursue a whole-of-nation approach in its first regulations on cybersecurity in Decree No. 147 of the State Council on 18 February 1994 (State Council 1994). The regulations contained therein were rudimentary (expressed in some places in terms of computer worms or viruses), and could largely have been considered enterprise-level methodologies. Over the subsequent decade, the government eventually became much more focused and began to frame up over-arching concepts, producing in 2007, as Marro (2016) observed, a five-tier classification system for impacts on information security developed by the Ministry of Public Security (MPS) (www.​gov.​cn 2007).

This system, known by the English rubric MLPS, applies nationality and corporate governance tests to firms operating at level three or higher in this classification system:

1.

damage to the legitimate rights and interests of citizens, legal persons and other organizations, without prejudice to national security, social order and public interest

2.

serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or damage to the social order and public interests, without prejudice to national security

3.

it will cause serious damage to social order and public interest, or damage to national security

4.

particularly serious damage to social order and public interest, or cause serious damage to national security

5.

particularly serious damage to national security.

The regulations also allow for MPS supervision of any information activity inside China regardless of nationality if level 2, or higher, of the five-tier system is in play. The regulations foreshadow a comprehensive approach but for most of the time since the 1994 regulations, China’s agencies and industries involved in cyber security had been operating under a whole-of-nation approach.

By 2016, China moved to a very modern concept of cybersecurity that conformed to the whole-of-system approach. It was laid out in a speech by Xi (2016) to the National Meeting on Cybersecurity and Informatization. The key points of this concept have been reproduced in Box 1.1. It should be noted that if 2016 is the departure date for articulation of a whole-of-system approach, then effective implementation in many areas of policy will be a process that takes decades from now rather than a few