In any discussion about the security of cyberspace, Chinese hackers are usually singled out as major threats. The most recent (and hardly unique) news involves an operation with Chinese origins, dubbed Byzantine Candor by government investigators, which has been stealing corporate and government secrets for years, to include emails from the president of the European Union Council last July.
A former executive assistant director of the FBI’s cyber division called it “the biggest vacuuming up of US proprietary data that we’ve ever seen.” Reports like this focus on emerging technical trends in cyber exploitation but tell us little about which parts of the Chinese state might or might not be responsible, and elide the fact that China—a vast and complicated country—also has to deal with novel challenges in cyberspace.
To better understand China’s approach to cybersecurtity, we convened two workshops involving scholars, scientists, and policy analysts. The findings are posted at the Institute for Global Conflict and Cooperation, but some of the highlights are summarized below.
First, both the US Department of Defense and the Chinese People’s Liberation Army (PLA) view cyberspace as a new domain of conflict, and they eye each other warily. Nationalist “hacktivism,” in the form of website defacements, service denials, and network exploitation, flows both ways across the Pacific. Chinese authorities can point to American first use of cyber weapons against Iran, and they perceive Western attempts to subvert controls on internet content as a provocation. This situation exacerbates mistrust and raises suspicions in both countries regarding the others’ motives and activities. Any notion of a cyber arms control treaty or the establishment of cyber norms must be reconciled with actual cyber activities and government interests in promoting or tolerating them. Given the role individuals and private groups play in these activities, governments will struggle to provide adequate reassurances.
Contrary to popular perceptions in the United States, China does not have a monolithic, coordinated policy approach to cybersecurity. Just as the United States struggles to reconcile its own cyber bureaucracy, so does China. Although political power is centralized in the Chinese Communist Party, Chinese governance is fragmented regionally and functionally. For civilian or industrial cybersecurity, China has to contend with a complicated tangle of regulatory institutions, inconsistent implementation of policy directives, and incompatible interests pursued by public and private actors. At the same time, there is a fractious network of military, intelligence, and other state entities involved in cyber policy and activity who are concerned about international as well as domestic security.
Like the United States, China is engaged in a period of experimentation with how best to conceive of and adapt new technical possibilities in cyberspace to support its national security interests. There has been vigorous debate in Chinese defense intellectual circles about the nature of information warfare; these are inspired by a number of different influences, sometimes similar to perspectives of other nations, and sometimes unique to China. As in the civilian cybersecurity sector, the implementation of these ideas by various military, intelligence, and civilian militia organizations is not systematically integrated.
China’s networks face a variety of idiosyncratic risks, such as ballooning levels of domestic cybercrime, widespread dependence on Western software, and uneven legal regimes and enforcement. While cybercrime has been on the rise around the world, it exhibits some interesting characteristics in China. There is a large underground market targeting virtual goods such as video game accounts and currencies in which both the criminals and the victims are Chinese; by contrast, cybercrime from Eastern Europe targets victims in Western Europe and the United States, avoiding domestic predation. Chinese cybercriminals exploit online forums to buy and sell their goods, which include stolen assets or hacker infrastructure, and lax law enforcement means they are often quite open about it.
As we think about the national security implications of cyberspace, it is important to note that the private sector actors who create the technology and vulnerabilities often lack incentives to mitigate them, or even to measure them coherently. Malicious activity exploits vulnerabilities in Windows and other software developed in the commercial sector, and even state activity eyes cyber infrastructure for both the means and targets for attack or exploitation. A lot of defensive activities in the private sector involves informal networks of cybersecurity professionals, but little is known about how effective and responsive these networks are (i.e., cries of “market failure” in the provision of cybersecurity deserve more rigorous scrutiny). Further, the public sector has been unable to coordinate policy responses across government agencies with differing priorities to mitigate different threats of quite variable levels of severity. Countries in the Americas, Europe, and Asia all face similar challenges, but with different domestic institutions, they go about addressing them in inconsistent ways, further complicating international coordination. Consequently, we need new ways to think about cybersecurity.
Policy discussion of cyber tends to focus on the technical dimensions of the threat or potential modifications to deterrence theory, but, insofar as vulnerabilities and their mitigation involve the balancing of various market and regulatory failures, political economy literature might point the way to a more grounded understanding of cybersecurity.
Derek S. Reveron is an Atlantic Council contributing editor, is a Professor of National Security Affairs and the EMC Informationist Chair at the U.S. Naval War College in Newport, Rhode Island. Jon Lindsay is a research fellow at the University of California Institute on Global Conflict and Cooperation where he is working on the Project on the Study of Innovation and Technology in China.