Cybersecurity in China: The Next Wave
By Greg Austin
© The Author(s) 2018
Greg Austin, Cybersecurity in China, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-319-68436-9_1
1. The Cybersecurity Ecosystem
Greg Austin¹
(1) Australian Centre for Cyber Security, University of New South Wales, Canberra, ACT, Australia
Email: G.Austin@adfa.edu.au
Abstract
China conducts more cyber espionage on itself than any other country does. The ecosystem for security in cyberspace is distorted by the country’s political system. The chapter lays out China’s definition of the problem set, and describes key features of the 2016 National Cyber Security Strategy. It then gives some background on the national policy shift in 2014 represented by Xi’s declaration of the ambition for China to become a cyber power.
Keywords
Definition, National strategy, Military power, National security, Authoritarianism, Censorship, Sovereignty, Communist party, Cyber power, Great firewall, Great wall, Public security, Organizational structure, Legislation, Standards
1.1 Introduction: Weak and Strong
China’s political leaders feel insecure in cyberspace. Its corporate leaders lament the absence of a strong domestic cybersecurity industry. Its citizens are engaged in high risk online behaviors for political or personal reasons, and often out of ignorance of the dangers. Foreign corporations dominated the delivery of cybersecurity in China until quite recently. Some foreign governments work hard to undermine it. The People’s Liberation Army (PLA) is struggling to come to terms with cyber war concepts and technologies beyond cyber espionage. On the other hand, the internal security agencies are among the world leaders in domestic cyber surveillance, often relying on the services and equipment of foreign corporations. China appears to do better than almost any other country in catching its own cyber criminals. Yet it has an almost invisible, probably non-existent capability for protecting national critical infrastructure in cyberspace. The country’s domestic scientific base for security in cyberspace is in its infancy, and this judgment includes the scientific study of the country’s overall cybersecurity. This is the multi-tiered and developmentally-challenged reality of cybersecurity in China.
Cyberspace is an inherently insecure environment. Even the United States, the world’s wealthiest and most technologically advanced country, faces chronic cyber insecurities. But three factors combine to make Chinese users particularly insecure compared with those of other G20 countries, including India, a similarly large developing country. These three factors are: the numerically large number of users (including both humans and other machines, the former with little of the necessary security literacy), the higher prevalence of pirated software, and a very high intensity of consumption of ICT products (a “rush to use”).
At a deeper level of analysis, but one which has high cogency for daily security in cyberspace in China, is what we might call the “spy versus spy” effect. China is the only country which is targeted every second across a wide spectrum of social and economic life by two of the most powerful cyber actors in the world. One of these two perpetrators is obvious. The United States has built and operates the largest cyberspace military and espionage alliance in human history and one of its primary targets is China—the country as a whole, not just the government. The second perpetrator is less obvious. It is the government of China. It spies on itself. It has built and operates the largest cyber-enabled internal security surveillance system in human history and the primary target of this system is the country as a whole, including the government and its 80 million CCP members. Within two to three decades, advances in artificial intelligence may allow China to achieve a near-perfect replica of the Orwellian vision of Big Brother’s omniscient domestic social surveillance seen in the novel 1984.
If you are an adult inside China, regardless of your nationality, occupation or location, no matter what cyber system you operate and depend on, there is a very high chance that it is being surveilled or can be surveilled on short notice by both of the two cyber superpowers. There is also a high chance that they will have developed an option for attack on your cyber lifelines and foundations. To undertake this surveillance, the two countries have devised access technologies for the cyber systems you use. This is not the case for any other country in the world apart from China. While such surveillance and the cyber insecurity needed for it (endless intrusions) would be illegal in some countries, neither the U.S. government nor the Chinese government feels constrained by law in this activity inside China. The operating norms (one in international law and one in domestic law) are that cyber attacks for espionage purposes in this case are lawful, whether it is U.S. espionage against China or Chinese political surveillance of its own citizens.
The weakness of China’s cybersecurity is one of the best kept secrets in Washington because of the latter’s interest in exploiting the vulnerability for intelligence and military purposes. For its part, the Chinese leadership faces competing priorities. On the one hand, China could reveal its own weaknesses fully in order to promote higher levels of awareness and begin to structure adequate responses. On the other hand, to do so would undercut both the political legitimacy of the government as defender of the country’s interests and undermine the government’s ability to exploit the weaknesses for its own internal political intelligence collection. In fact, the country’s leadership has a vested interest in convincing the Chinese public that it is omnipotent in cyberspace and that it can, in the fullness of time, protect CCP interests in the infosphere.
There is another general condition that undermines security in cyberspace that is worthy of note. Companies that provide services in this field in one country become a prime target for its intelligence adversaries, a fact recognized at least in the case of the U.S. agencies (Bing 2017). The reason is that the companies have direct, continuous access into their clients’ networks and collect large quantities of data about them.
1.2 Cyber Insecurity: Snapshot
By way of introduction to the story of cybersecurity in China, here are five reports of activity in January 2017 that capture many of the challenges faced by stakeholders in the country, both at the time and on a continuing basis. Some aspects of these stories are unique to China, while others are not.
Personal Cyber Dependency and Government Intervention: A Chinese agency announced a draft regulation that would require the providers of online games to enforce a curfew (from midnight to 8.00 am) in a bid to restrict “addictive” use by minors (China Daily 2017a).
Legal Obligations of Service Providers: The Guangdong Province branch of the Cyberspace Administration of China (CAC) reported that it had taken down over 5000 illegal apps, of which more than 1200 had carried pornography (Xinhua 2017a). A number of Chinese corporations were named with the implication that they were not being vigilant enough (Tencent, China Mobile, Huawei, ZTE, Coolpad, Meizu, Oppo and Vivo).
Cyber Crime Statistics: With the start of the new year in 2017, cyber crime fighters reported the scale of the problem over the previous year, citing the arrest of 19,345 suspects of cyber or telecommunications fraud throughout China (Xinhua 2017b). This was a small share of total cyber crime in China, with Guangdong province alone reporting its 2016 situation in the following terms: “4125 cyber crimes and … 15,000 criminal suspects from 892 criminal gangs” (Mi 2017). Guangdong, adjacent to Hong Kong, is one of the richest and most connected provinces in the country. (China has 31 provinces, including municipalities and autonomous regions with similar status as provinces. It also has two Special Administrative Regions or SARs, Hong Kong and Macao.)
Censorship and Leadership Security: A monitoring organization based in Hong Kong, China Digital Times (2017), reported that the relevant Ministry had ordered a crackdown on virtual private networks (VPNs) which users rely on to access international internet content that is banned or blocked by the government. Chinese regulators were moving to prohibit the setting up or renting of a communication channel, such as a VPN, to undertake cross-border communications unless the channel is approved by the government. One of the primary reasons why the authorities are so keen to shut down this access is to prevent the spreading of stories about the wealth and alleged corruption of political leaders which have been reported on several times in detail by foreign media since 2012.
U.S. Military Superiority in Cyberspace: The chinamil.com website carried a story from the People’s Liberation Army Daily, which reported cyber warfare capability as one of the main success stories of the Obama Administration (Feng 2017). The report left unspoken what the implications for China of this evolution might be, but it replays subtly the long-standing Chinese view that the country lags badly behind the United States in cyber military power because of what the article calls that country’s “IT advantages”.
1.3 Toward a More Secure Cyberspace: Snapshot
To complement the above snapshot of cyber insecurity in the month of January 2017, here is a similar snapshot of events in the following month suggestive of enhanced cybersecurity in China.
Cybersecurity Review Committee: One of the more significant developments was the announcement on 8 February 2017 that the government would set up a cybersecurity review committee with a wide-ranging supervisory role for products and services affecting national security or public interest (“to deliberate important policies on cybersecurity and organize reviews”) (China Daily 2017b). In releasing the news, the CAC said other issues for review would include risks of criminal use to illegally gather, store, process or make use of consumer information and unfair competition practices. The result would be blacklisting of services or products that do not pass the review, resulting in a ban on their use by government agencies, the CCP, or strategic industries. CAC promised that the review process would treat foreign and domestic suppliers equally, touching on a major concern of the former that the country is discriminating in favour of domestic companies.
Fencing China Off: On 17 February, President Xi Jinping used a seminar convened under the auspices of the National Security Commission, also then a relatively new body which he chairs, to call for attention to cybersecurity as part of a new global perspective on protection of the country. Advocating greater attention to prevention of risks, Xi promoted consolidation of the cybersecurity fence and improved efforts to secure information infrastructure (China.org 2017).
Domestic Cyber Industry: On the technology front, as a sign of things to come, a Chinese-owned company based in Hong Kong, Nexusguard, took advantage of the release of the latest Top 500 global ranking of cybersecurity companies in February 2017 to take pride in its consistent placement in the top 25, ahead even of Russia’s better known Kaspersky Lab (AsiaOne 2017). Nexusguard, which specialises in protection against distributed denial of service (DDOS) attacks, is wholly owned by Legend Venture Holdings, which is the largest shareholder in Lenovo, the Chinese company that became the world’s largest manufacturer of desktop computers after buying out IBM’s PC business.
1.4 China’s Definition of Cybersecurity
China as a whole has come late to a comprehensive view of cybersecurity as a socio-technical phenomenon. A useful reference point is the three-stage distinction devised by Hathaway and Klimburg (2012: 29–31), that is, between a whole-of-government approach, a whole-of-nation approach, and a whole-of-systems approach. China flagged its intention to pursue a whole-of-nation approach in its first regulations on cybersecurity in Decree No. 147 of the State Council on 18 February 1994 (State Council 1994). The regulations contained therein were rudimentary (expressed in some places in terms of computer worms or viruses), and could largely have been considered enterprise-level methodologies. Over the subsequent decade, the government eventually became much more focused and began to frame up over-arching concepts, producing in 2007, as Marro (2016) observed, a five-tier classification system for impacts on information security developed by the Ministry of Public Security (MPS) (www.gov.cn 2007).
This system, known by the English rubric MLPS, applies nationality and corporate governance tests to firms operating at level three or higher in this classification system:
1. damage to the legitimate rights and interests of citizens, legal persons and other organizations, without prejudice to national security, social order and public interest
2. serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or damage to the social order and public interests, without prejudice to national security
3. it will cause serious damage to social order and public interest, or damage to national security
4. particularly serious damage to social order and public interest, or cause serious damage to national security
5. particularly serious damage to national security.
The regulations also allow for MPS supervision of any information activity inside China regardless of nationality if level 2, or higher, of the five-tier system is in play. The regulations foreshadow a comprehensive approach but for most of the time since the 1994 regulations, China’s agencies and industries involved in cyber security had been operating under a whole-of-nation approach.
By 2016, China moved to a very modern concept of cybersecurity that conformed to the whole-of-system approach. It was laid out in a speech by Xi (2016) to the National Meeting on Cybersecurity and Informatization. The key points of this concept have been reproduced in Box 1.1. It should be noted that if 2016 is the departure date for articulation of a whole-of-system approach, then effective implementation in many areas of policy will be a process that takes decades from now rather than a few