U.S.-China Cybersecurity Relations: Understanding China’s Current Environment

How do the United States and China move away from the mistrust that currently governs their relationship on cybersecurity issues? How can the U.S. and China find common ground on challenges related to cyber sovereignty and Internet control? With fundamentally different political and social systems, how can both countries balance their national security interests to protect global cyber infrastructure? This article introduces new perspectives on the U.S.-China cyber environment with a focus on China’s growing hacking economy and its government’s information security management practices. The author provides insights from the technology industry’s point of view and advocates empowering and expanding industry’s role in defining global cybersecurity policy in order to restore trust and promote a secure cyber environment, for the benefit of the long-term economic growth of both countries and the world.

The security of global information systems is often a contentious issue in U.S.-China relations. Since 2012, a stream of reports from the U.S. government, security companies, and international media have cited China as a major source of the hacking of U.S. military and commercial secrets. These allegations have been consistently rejected by the Chinese government, which counters with its own data documenting an abundance of cyberattacks against China from parties operating in the United States and other Western countries. On February 27, 2014, Chinese President Mr. Xi Jinping acknowledged the role of cybersecurity as a strategic national priority and announced the formation of the Central Cybersecurity and Informatization Leading Small Group under his direct supervision. President Xi emphasized that “Without cybersecurity, there won’t be national security” for China. Other members of China’s Central Internet Security and Informatization Leading Group include Premier Li Keqiang and Mr. Liu Yunshan. The newly regrouped State Internet Information Office (SIIO) reports directly to the leading group with an expanded charter covering China’s overall Internet governance and security strategy, as well as the content-management policies and regulations authorized by the State Council.

In 2013, revelations in confidential National Security Agency documents exposed the U.S. government’s worldwide surveillance program, which also targeted China. In May 2014, U.S. prosecutors indicted five Chinese military officers for cyber theft. China was outraged and, in response, withdrew from the U.S.-China Cybersecurity Working Group dialogue and announced an official security review targeting major information and communications product and service providers operating within its borders. Intense public media campaigns were launched to criticize the U.S. government’s aggression in cyberspace. These campaigns also identified domestic R&D and innovation as a key to improving the country’s cybersecurity and reducing China’s dependence on foreign technologies.

In an ideal world, the global information and communications technology (ICT) industry, which contributed to the growth of the Internet and its resultant economic development, would be regarded as a partner and key stakeholder in efforts to promote cybersecurity. Under the current environment, technology companies in the United States and China are under suspicion because of their country of origin and business affiliations. “De-Americanization” of ICT products in China’s critical sectors has been viewed as a long-term solution to improve critical infrastructure protection. If this stance is maintained, it will undermine global productivity, innovation, trade and cybersecurity. The United States and China must find a way to address issues of cybersecurity programmatically, with a well-designed process to identify common concerns and, where possible, seek mutually beneficial solutions.

An important first step in this process is reaching a better understanding of the cybersecurity challenges and Internet environment in China. This article introduces an ICT security practitioner’s perspective on China’s current cyber environment and its dangers, including a growing hacking economy, and on the government’s approaches to managing information security, including critical infrastructure protection. The article also advocates expanding the role of the technology industry in partnering with government to develop the safe and secure cyber environment required for long-term global economic growth.

The Cybersecurity Landscape in China

For a vast number of Chinese citizens, staying connected is critically important. Besides using the Internet to communicate, play games, and trade stocks, Chinese users’ participation in e-commerce is growing swiftly. The Alibaba Group, owner of two very popular consumer online retailers, Taobao.com and Tmall.com, announced earlier that during the first 11 months of 2012, the total transactions of both shopping sites reached a whopping $162 billion, the equivalent of two percent of China’s total GDP.

However, the huge potential of Chinese e-commerce, supported by its rapid growth and the increased usage of various devices, has also attracted cyber criminals.

  • In August 2013, a Chinese online security service provider released a semi-annual report on China’s mobile device security. It stated that mobile attacks in China primarily targeted Android-based devices. In March 2013 alone, a total of 69,470 new types of Trojans and malware for mobile devices were detected. Nearly 50 million users on the Android platform were infected during the first six months of 2013.
  • In 2012, the University of California Institute of Global Conflict and Cooperation issued a study estimating that the overall damage of cybersecurity attacks on e-commerce in China exceeded $852 million and affected 11.8 million users and 1.1 million websites.
While cybercrime is rising around the world, a unique form of evolving and organized hacking in China has grown into a well-defined underground economy in which a large percentage of both criminals and victims are Chinese.

The Chinese Underground Hacking Economy

A 2012 security research study, “The China Internet Information Security Underground Supply Chain Investigation,” written by three Chinese security researchers, reported that China “has a highly evolved underground hacking economy; its criminal networks comprise more than 90,000 people.” This economy thrives because of the distributed and hidden nature of cyber criminals, a lack of public awareness about piracy and online fraud, the difficulty of detecting and prosecuting cybercrime, and a lack of effective responses by law enforcement and the broader cybersecurity community to reverse these trends. Based on the report, the structure of China’s hacking economy can be classified into five distinct areas:
  • Theft of real assets: stealing money from stolen bank accounts or credit cards.
  • Theft of virtual assets online: stealing virtual currency and equipment from online game accounts and selling them for real money.
  • Abuse of Internet resources and services for profit: taking advantage of compromised Internet resources as hacked hosts and servers and infected smart phones.
  • Development and distribution of Internet crime tools and techniques: trading in vulnerabilities, Trojans, phishing techniques, and other attack tools, as well as training hackers.
  • Cyber theft of IP and sensitive information: trading in stolen network access and in sensitive emails and documents containing trade secrets and intellectual property.
Based on the same report, the underground economy includes hackers who design methods for cyberattacks, sell tools, and operate hacking training schools, and criminals who trade in software vulnerabilities, control botnet operations, plant Trojans on victims’ devices, and launch distributed denial of service (DDoS) and other forms of persistent attacks. Others specialize in fraud using social engineering techniques that trick users into disclosing account and payment information to phishing sites; the stolen data is then used to create fake credit cards for use both inside and outside of China. Most of these phishing site domains are registered outside of China, which makes legal prosecution by Chinese authorities very difficult. China’s hacking economy also poses huge risks globally because its hacking expertise and exploits can easily be exported to other countries.

In June 2013, China’s National Computer Network Emergency Response Team Coordination Center (CNCERT/CC), which is responsible for responding to Internet security incidents, publicly acknowledged the depth of domestic cyber hacking in China in an article posted on its official site. The article, “Urgency to Combat the Hacking Supply Chain,” called for a series of actions to combat this problem:
  • Strengthen and expand legislation that would require stronger data security measures on the Internet. This would also require clarifying the boundaries of responsibility of various government agencies that administer and manage the Internet.
  • Conduct Internet ethics education for youth and the public in general.
  • Provide guidance and job opportunities for security talent to give them incentives to work in legitimate business operations.
  • Develop the capabilities of national network security agencies to discover the exploitation of software vulnerabilities and develop responses to them.
  • Increase coordinated information sharing among government, security experts, and the private sector involved in Internet security.
  • Strengthen laws against black market activity, increase monitoring of it, and provide information to law enforcement concerning such activity.
  • Reduce black market activity by monitoring Internet transactions that convert virtual assets into real money, and track the movement of suspicious capital to identify money laundering and other illegal activities.
Two months later, the Ministry of Industry and Information Technology (MIIT) released a plan, “Prevent and Combat the Hacker Underground Supply Chain,” which advocated a comprehensive, integrated response to reduce the damage caused by the hacking economy and enhance information security.

China’s Approach to Information Security

The United States considers both government systems and the public Internet, including critical infrastructure mainly owned and managed by the private sector, to be part of an integrated cybersecurity environment. This approach is clear from a review of the U.S. government’s cybersecurity strategies and risk management approaches. Over the past two decades, the Chinese government has used the term “Informatization” to describe a policy of nationwide modernization through digitalization and the application of new ICT in all areas of government, industry, commerce, education, culture and so on. It has become a key component of China’s five-year planning process for central and local governments. The State Informatization National Development Strategy (2006–2020) includes goals for social progress and increased access to technology. It also includes goals for progress on China’s information security policies in the following areas:
  • Information security laws and regulations
  • State sponsorship of strategies for indigenous innovation
  • Domestic security standardization and enforcement
  • Security assurance and certification (China Compulsory Compliance)
  • Government security requirements for procurement
The 12th Five Year Plan for Informatization, published by MIIT on September 29, 2013, continued to list information security as a top priority. How policies in each of these information security areas are implemented is not always clear to those in the West. Even within China, public information on national security strategy is limited. While the government continues to provide oversight and measure the success of state-sponsored security initiatives, Chinese private businesses, in comparison with their U.S. counterparts, have seriously underinvested in proactively mapping out their own enterprise security strategies, at either the sector or the company level.

As a part of the 11th Five Year Plan (2006-2010), China began investing in the protection of government information systems. The government defined and implemented a Multilevel Protection Scheme (MLPS) with mandatory security controls for all government systems and Internet services considered critical to the economy. The MLPS uses a five-level, risk-based classification to identify and protect those systems that are critical to national security and the economy (Level 3 and above). The MLPS is enforced for all government systems nationwide, and in recent years large Internet service providers have been included in this enforcement effort. In contrast, the government’s top priority for the public Internet has been “information security,” with investment in both the public and private sectors to control the flow and distribution of online information. This effort to control content, including social media use, out of national security concerns often attracts debate about freedom of speech and the free flow of information on the Internet, principles promoted by the U.S. government.

What is less known in the West is the extent of the Chinese law enforcement effort to combat cybercrime and the tremendous need for timely global law enforcement collaboration, especially with the United States. Such collaboration would expedite the review of cross-border hacking cases in which attacks were associated with U.S.-based domains, a process that remains slow even with the U.S.-China Mutual Legal Assistance agreement in place. China regularly publishes the numbers of systems infected by malware, botnets and other cyberattacks. At the same time, however, technical security protection services for the public Internet have been left primarily to a limited number of private security companies that are often in direct competition with each other. One approach China adopted to control the Internet and reduce abuse and fraud was the enforcement of a Real Name Registration requirement for use of the public Internet. Shortly after this approach was announced, a major security incident occurred in December 2012, when hackers publicly exposed the login information (IDs and passwords) of hundreds of millions of Chinese web users. The Chinese government has since accelerated the issuance of information security regulations that require Internet service providers to enhance the protection of their services and of their users’ personal information:
  • In February 2013, the China National Security Standards Committee released the “Public and Commercial Service Information System Personal Information Protection Guidance.”

Security Standards and Certifications

Security standardization is an important part of the initiatives to accelerate the growth of China’s domestic ICT industry and enhance information security. The process, however, is not without its challenges. For example, while domestic enterprises, government-funded research institutions, and government researchers dominate the development of state-sponsored security standards, the involvement of privately owned businesses, especially small and mid-size companies, has been limited. The Chinese government considers the process of developing ICT security standards sensitive. Participation by international technology experts in creating standards is often restricted, in some cases limited to observing the standards workgroups. China does include a thirty-day public comment period for security standards as a measure of transparency, but only as a final step before the standards are released. These limitations make sufficient technical evaluation and assessment of the merits of proposed designs very difficult. It is also difficult to suggest improvements that would be widely adopted in commercial settings. Many global technology providers struggle with a lack of information on such matters as the detailed technical design and terms of adoption of these domestic standards. This makes implementation of the intended security measures by all technology suppliers, especially those outside China, somewhat difficult.

However, China’s participation and investment in major international standards organizations are noteworthy. China has taken on leadership positions in global standards bodies including ISO (International Organization for Standardization), IEC (International Electrotechnical Commission) and ITU (International Telecommunication Union). These memberships have helped China obtain valuable technical information that benefits its domestic standards development. One challenge is that most international standards were not designed to comply with Chinese domestic security policies or regulations, which can result in incompatibilities between international and Chinese standards in the same technical domain. This, in turn, makes commercial implementation of the standards more costly. In addition, it is not uncommon for the Chinese government to issue security policies that mandate adoption of “recommended” industry security standards (GB/T, which are developed in less time than official GB national standards) for procurement, sales permits, and business licenses, with a relatively short enforcement deadline. This can become an obstacle to market access when commercial adoption poses technical difficulties and the short runway leaves technology suppliers little room to align with their commercial product development cycles.

In China’s 11th Five Year Plan, measures to improve government security included mandatory requirements for nationwide government systems and critical services to be certified against the Multi-Level Protection Scheme, which covers security controls, procurement, and operational requirements. The government also enforced a China Compulsory Certification program as a condition for any commercial security product sold in China’s public sector. Stand-alone security products must be certified in order to be listed in the official government procurement catalog. The certification is based on thirteen previously issued domestic security standards. Both security conformance and standards compliance are required for certification.

Recommendations

U.S.-China relations are facing a challenging period. How do the United States and China move away from the mistrust that currently governs the relationship? How could the U.S. and China find common ground when there are clearly disagreements over cyber sovereignty and Internet use? With fundamentally different political and social systems, how would the U.S. and China align their national security interests with global benefits to protect cyber infrastructure and trade? What security policies and legal frameworks are needed to promote global collaboration and supply chain trust? The following recommendations are provided from an industry perspective as potential common areas for both sides to consider, while recognizing the different political and economic structures and cybersecurity goals of each country.

Establish a leadership and relationship model. A cybersecurity leadership and relationship model is needed to normalize communication and conflict resolution between the two countries. It should involve U.S. and Chinese stakeholders from both the public and private sectors, including policy makers and senior domain experts with security expertise from the technical, legal, trade and diplomatic fields. The goal is to identify activities that both countries consider threatening and to keep government-to-government and government-to-industry communication channels open. There are many existing international models for such working partnerships that could be used to create a structure for dialogue and to work through the complex challenges of cybersecurity.

Develop and adopt globally recognized best practices to address supply chain trust. These would help both Chinese and U.S. industries participate and innovate in the broader global ICT economy. Governments and industry could better secure their networks by establishing a proper security assurance model, operational procedures and protections. Further, the use of widely available security technologies such as public and well vetted commercial encryption and authentication management would make it harder for hackers to compromise confidential data, providing a higher level of security for governments, businesses and individuals alike.

Expand the role of industry in cyber norms and cybersecurity solutions. Expanding public-private partnerships and leveraging private sector expertise is critical to improving global cybersecurity. For the past decades, the global technology industry has been a major driving force and contributor to the Internet economy and to the development of security standards and best practices, regardless of country of origin. The technology industry should be trusted to carry out the future innovations that boost productivity, connect people and improve quality of life worldwide. Most of all, the industry should become a partner in protecting global critical infrastructure.

Build international partnerships to combat cybercrime. Law enforcement collaboration across international borders is critical for addressing global cybercrime. Judicial exchanges and specialized legal training and partnerships with law enforcement would increase the effectiveness of prosecuting cybercrime based on national and international laws, and would identify gaps in the legal process of both countries that may hinder prosecution. Industry should also be encouraged to deliver services and innovation to reduce user risks and minimize the damages of cybercrime.

Raise public awareness of online safety and privacy to reduce the impact of the hacking economy. Many Internet users risk becoming victims of professional hackers who make a living by turning victims’ devices into launching pads for cyberattacks, resulting in identity loss and the theft of valuable information. A three-pronged strategy of education, enforcement, and economic incentives would increase public understanding of cybercrime, and increased investment in the cybersecurity industry would reduce the impact of a fast-growing hacking economy. Public awareness of online safety and privacy should be considered a national cybersecurity imperative for China and the United States alike.

All policy issues have their own unique origins and political imperatives. Reconciling the cybersecurity policies of the United States and China is particularly challenging due to the different views on national security, foreign policy, and social and economic interests, which are increasingly critical in terms of national cybersecurity policy and strategy.

If the cybersecurity confrontations between the United States and China are not resolved, they could damage the progress and friendly relationship that has been established between the citizens of China and the United States. They could also undermine the social and economic interdependencies between the two countries, and they will limit the ability to achieve the global collaboration required to combat large-scale cybercrime and the spread of terrorism.

The technology industry and the private sector at large have an important role to play in this process. Given the increasing damage and complexity of cyber threats, the contribution of the global ICT industry should be considered essential for the protection of critical infrastructure, as well as for the promotion of global trade relations, economic prosperity, and public safety.


Disclaimer: The views expressed in this article are solely those of the author and do not necessarily represent or reflect the position of Microsoft Corp.

Jing de Jong-Chen is Senior Director, Global Security Strategy and Diplomacy Group in the Corporate, External and Legal Affairs Division at Microsoft Corp. She has 20 years of industry experience and domain expertise in cybersecurity policy, technology and strategic partnership development.