How do the United States and China move away from the mistrust that currently governs their relationship on cybersecurity issues? How can the US and China find common ground on challenges related to cyber sovereignty and Internet control? With fundamentally different political and social systems, how can both countries balance their national security interests to protect global cyber infrastructure? This article introduces new perspectives on the U.S.-China cyber environment with a focus on China’s growing hacking economy and government information security management practices. The author provides insights from the technology industry’s point of view and advocates empowering and expanding industry’s role in defining global cybersecurity policy, in order to restore trust and promote a secure cyber environment for the benefit of the long-term economic growth of both countries, and the world.
The security of global information systems is often a contentious issue in U.S.-China relations. Since 2012, a stream of reports from the U.S. government, security companies, and international media has cited China as a major source of the hacking of U.S. military and commercial secrets. These allegations have been consistently rejected by the Chinese government, which counters with its own data documenting an abundance of cyberattacks on China from parties operating in the United States and other Western countries. On February 27, 2014, Chinese President Mr. Xi Jinping acknowledged the role of cybersecurity as a strategic national priority and announced the formation of the Central Cybersecurity and Informatization Leading Small Group under his direct supervision. President Xi emphasized that “Without cybersecurity, there won’t be national security” for China. Other members of China’s Central Internet Security and Informatization Leading Group include Premier Li Keqiang and Mr. Liu Yunshan. The newly regrouped State Internet Information Office (SIIO) reports directly to the leading group with an expanded charter of managing China’s overall Internet governance and security strategy, as well as content-management related policies and regulations authorized by the State Council.
In 2013, revelations in confidential National Security Agency documents exposed the U.S. government’s worldwide surveillance program, which also observed China. In May 2014, U.S. prosecutors indicted five Chinese military officers for cyber theft. China was outraged and, in response, withdrew from the U.S.-China Cybersecurity Working Group dialogue and announced an official security review targeting major information and communications product and service providers operating within its borders. Intense public media campaigns were launched to criticize the U.S. government’s aggression in cyberspace. These campaigns also identified domestic R&D and innovation as a key to improving the country’s cybersecurity and reducing China’s dependence on foreign technologies.
In an ideal world, the global information and communications technology (ICT) industry, which contributed to the growth of the Internet and its resultant economic development, would be regarded as a partner and key stakeholder in efforts to promote cybersecurity. In the current environment, technology companies in the United States and China are under suspicion because of their country of origin and business affiliations. “De-Americanization” of ICT products in China’s critical sectors has been viewed as a long-term solution to improve critical infrastructure protection. If this stance is maintained, it will undermine global productivity, innovation, trade, and cybersecurity. The United States and China must find a way to address issues of cybersecurity programmatically, with a well-designed process to identify common concerns and, where possible, seek mutually beneficial solutions.
An important first step in this process is reaching a better understanding of the cybersecurity challenges and Internet environment in China. This article introduces an ICT security practitioner’s perspective on China’s current cyber environment and its dangers, including a growing hacking economy and the government’s approaches to managing information security, such as critical infrastructure protection. The article also advocates for expanding the role of the technology industry in partnering with government to develop the safe and secure cyber environment required for long-term global economic growth.
The Cybersecurity Landscape in China
For a vast number of Chinese citizens, staying connected is critically important. Besides using the Internet to communicate, play games, and trade stocks, Chinese users’ participation in e-commerce is growing swiftly. The Alibaba Group, owner of two very popular consumer online retailers, Taobao.com and Tmall.com, announced earlier that during the first 11 months of 2012, the total transactions of both shopping sites reached a whopping $162 billion, the equivalent of two percent of China’s total GDP.
However, the huge potential of Chinese e-commerce, with its rapid growth and the increased use of a wide range of devices, has also attracted cyber criminals.
- In August 2013, a Chinese online security service provider released a semi-annual report on China’s mobile device security. It stated that mobile attacks in China were primarily targeting Android-based devices. In March 2013 alone, a total of 69,470 types of new Trojan viruses and malware for mobile devices were detected. Nearly 50 million users on the Android platform were infected during the first six months of 2013.
- In 2012, the University of California Institute of Global Conflict and Cooperation issued a study estimating that the overall damage of cybersecurity attacks on e-commerce in China exceeded $852 million and affected 11.8 million users and 1.1 million websites.
- Theft of real assets: stealing money from stolen bank accounts or credit cards.
- Theft of virtual assets online: stealing virtual currency and equipment from online game accounts and selling them for real money.
- Abuse of Internet resources and services for profit: taking advantage of compromised Internet resources such as hacked hosts and servers and infected smartphones.
- Development and distribution of Internet crime tools and techniques: trading in vulnerabilities, Trojans, phishing techniques, and other attack tools, as well as training hackers.
- Cyber theft of IP and sensitive information: trading in stolen network access and in sensitive emails and documents containing trade secrets and IP.
- Strengthen and expand legislation that would require stronger data security measures on the Internet. This would also require clarifying the boundaries of responsibility of various government agencies that administer and manage the Internet.
- Conduct Internet ethics education for youth and the public in general.
- Provide guidance and job opportunities for security talent to give them incentives to work in legitimate business operations.
- Develop the capabilities of national network security agencies to discover the exploitation of software vulnerabilities and develop responses to them.
- Increase coordinated information sharing among government, security experts, and the private sector involved in Internet security.
- Strengthen laws against black market activity, increase monitoring of it, and provide information to law enforcement concerning such activity.
- Reduce black market activity by monitoring Internet transactions that convert virtual assets into real money, and track the movement of suspicious capital to identify money laundering and other illegal activities.
- Information security laws and regulations
- State sponsorship of strategies for indigenous innovation
- Domestic security standardization and enforcement
- Security assurance and certification (China Compulsory Compliance)
- Government security requirements for procurement
- In December 2012, MIIT released “Provisions and Supervisions for the Internet Information Service Market.”
- In February 2013, the China National Security Standards Committee released the “Public and Commercial Service Information System Personal Information Protection Guidance.”
- In March 2013, the National Administration for the Protection of State Secrets updated and released “Measures for PRC Computer Information System Security Protection.”
- And in July 2013, MIIT issued the regulation, “Telecommunication and Internet Personal Information Protection.”
Security Standards and Certifications
Security standardization is an important part of initiatives to accelerate the growth of China’s domestic ICT industry and enhance information security. The process, however, is not without its challenges. For example, while domestic enterprises, government-funded research institutions, and government researchers have dominated the development of state-sponsored security standards, the involvement of privately owned businesses, especially small and mid-size companies, has been limited. The Chinese government considers the process of developing ICT security standards to be sensitive. International technology experts’ participation in creating standards is often restricted, in some cases limited to observing in the standard workgroups. China does include a thirty-day public comment period for security standards as a measure of transparency, but only as a final step before the standards are released. These limitations make sufficient technical evaluation and assessment of the merits of proposed designs very difficult. It is also difficult to suggest improvements that would be widely adopted in commercial settings. Many global technology providers struggle with a lack of information on matters such as the detailed technical design and terms of adoption of these domestic standards. This makes implementation of the intended security measures by all technology suppliers, especially those outside China, difficult.
However, China’s participation and investment in major international standards organizations are noteworthy. China has taken leadership positions in global standards bodies including ISO (International Organization for Standardization), IEC (International Electrotechnical Commission), and ITU (International Telecommunication Union). These memberships have helped China obtain valuable technical information and benefited its domestic standards development. One challenge is that most international standards were not designed to comply with Chinese domestic security policies or regulations, which can result in incompatibilities between international and Chinese standards in the same technical domain. This, in turn, makes commercial implementation of the standards more costly. In addition, it is not uncommon for the Chinese government to issue security policies that mandate adoption of “recommended” industry security standards (GB/T, which are developed in less time than official GB national standards) for procurement, sales permits, and business licenses, with a relatively short enforcement deadline. This can become an obstacle to market access when commercial adoption poses technical difficulties and the short runway leaves technology suppliers little time to align with their commercial product development cycles.
In China’s 11th Five Year Plan, measures to improve government security included mandatory requirements for nationwide government systems and critical services to be certified against the Multi-Level Protection Scheme, which covered security controls, procurement, and operational requirements. The government also enforced a China Compulsory Certification program as a condition for any commercial security product sold in China’s public sector. Stand-alone security products must be certified in order to be listed in the official government procurement catalog. The certification is based on thirteen previously issued domestic security standards. Both security conformance and standards compliance are required for certification.
U.S.-China relations are facing a challenging period. How do the United States and China move away from the mistrust that currently governs the relationship? How can the U.S. and China find common ground when there are clear disagreements over cyber sovereignty and Internet use? With fundamentally different political and social systems, how would the U.S. and China align their national security interests with the global benefit of protecting cyber infrastructure and trade? What security policies and legal frameworks are needed to promote global collaboration and supply chain trust? The following recommendations are offered from an industry perspective as potential common areas for both sides to consider, while recognizing the different political and economic structures and cybersecurity goals of each country.
Establish a leadership and relationship model. A cybersecurity leadership and relationship model is needed to normalize the communication and conflict resolution between both countries. It should involve U.S. and Chinese stakeholders from both the public and private sectors, including policy makers, senior domain experts from technical, legal, trade and diplomatic fields with security expertise. The goal is to identify activities that are considered threatening for both countries and keep government-to-government and government-to-industry communication channels open. There are many existing international models for such working partnerships that could be used to create a structure for dialogue and to work through the complex challenges of cybersecurity.
Develop and adopt globally recognized best practices to address supply chain trust. These would help both Chinese and U.S. industries participate and innovate in the broader global ICT economy. Governments and industry could better secure their networks by establishing a proper security assurance model, operational procedures and protections. Further, the use of widely available security technologies such as public and well vetted commercial encryption and authentication management would make it harder for hackers to compromise confidential data, providing a higher level of security for governments, businesses and individuals alike.
Expand the role of industry in cyber norms and cybersecurity solutions. Expanding public-private partnerships and leveraging private sector expertise is critical to improving global cybersecurity. For the past decades, the global technology industry has been a major driving force and contributor to the Internet economy and to the development of security standards and best practices, regardless of country of origin. The technology industry should be trusted to carry out the future innovations that boost productivity, connect people, and improve quality of life worldwide. Most of all, the industry should become a partner in protecting global critical infrastructures.
Build international partnerships to combat cybercrime. Law enforcement collaboration across international borders is critical for addressing global cybercrime. Judicial exchanges and specialized legal training and partnerships with law enforcement would increase the effectiveness of prosecuting cybercrime based on national and international laws, and would identify gaps in the legal process of both countries that may hinder prosecution. Industry should also be encouraged to deliver services and innovation to reduce user risks and minimize the damages of cybercrime.
Raise public awareness of online safety and privacy to reduce the impact of the hacking economy. Many Internet users risk becoming victims of professional hackers who make a living by using victims’ devices as launching pads for cyberattacks, resulting in the loss of identity and theft of valuable information. A three-pronged strategy of education, enforcement, and economic incentives would increase public understanding of cybercrime, and increased investment in the cybersecurity industry would reduce the impact of a fast-growing hacking economy. Public awareness of online safety and privacy should be considered a national cybersecurity imperative for China and the United States alike.
All policy issues have their own unique origins and political imperatives. Reconciling the cybersecurity policies of the United States and China is particularly challenging due to the different views on national security, foreign policy, and social and economic interests, which are increasingly critical in terms of national cybersecurity policy and strategy.
If the cybersecurity confrontations between the United States and China are not resolved, this problem could damage the progress and friendly relationship that has been established between the citizens of China and the United States. It could also undermine the social and economic interdependencies between the two countries. It would also limit the ability to achieve the global collaboration required to combat large-scale cybercrime and the spread of terrorism.
The technology industry and the private sectors at large have an important role to play in this process. Given the increasing damages and complexity of cyber threats, the contribution of the global ICT industry should be considered essential for the protection of critical infrastructure, as well as the promotion of global trade relations, economic prosperity, and public safety.
Disclaimer: The views expressed in this article are solely those of the author and do not necessarily represent or reflect the position of Microsoft Corp.
Jing de Jong-Chen is Senior Director, Global Security Strategy and Diplomacy Group in the Corporate, External and Legal Affairs Division at Microsoft Corp. She has 20 years of industry experience and domain expertise in cybersecurity policy, technology and strategic partnership development.