The relationship between China and cybersecurity is difficult to unpack, mainly because it does not fit traditional interpretations of how a state regulates operations in other, non-cyber domains. Beijing is the subject of significant criticism about cyber threats that originate within China. The United States government has struggled to respond to China’s cybersecurity posture, but the disconnect between the United States and China is exacerbated by two significant differences.
Reason one: Scale is difficult to define.
Taking an accurate accounting of the scale of cyber threats is made difficult by a number of factors. First, companies and governments are often “cyber immature.” This in turn leads to organizations failing to correctly align their postures against the threat environment. In some cases, they may be reluctant to disclose attacks, while in others, the lack of maturity means that threats simply go undetected. This can lead to a false sense of security as silence could be mistaken for inactivity. As such, the problem is difficult to discuss, as few stakeholders appreciate the full context of the cybersecurity landscape. Information is siloed, often within classified documents or within corporate structures. Combine this with patchy communications within organizations about the threat, and setting a correct and proportionate response to cyber threats becomes even more difficult.
Reason two: China sees cybersecurity differently.
Unlike more traditional warfare domains, cyber is not exclusively a government enterprise. Like governments, private companies and other organizations find themselves targets and need to defend against cyber threats. For the average company within the United States, cybersecurity is a business risk and is often treated simply as an extension of traditional physical security. Assets are protected, especially intellectual property and finances.
For most governments, particularly that of the United States, cybersecurity sits within two primary categories. On the one hand, it is an extension of traditional espionage. Information is sorted and protected in a way that, while technologically different, is nested within traditional intelligence operations. On the other hand, it is seen as an extension of weapons development. From this analytical viewpoint, cyber-weapons represent the extension of traditional warfare to the cyber domain. Power plants can be attacked, malware can be used to degrade operations and cyber-weapons are understood within this context.
While this two-category treatment represents the whole of the matter for the US government, in China there is simply more to the story. The Chinese government has consistently used cyber-attacks as a natural extension of its sovereignty. Beijing’s new cybersecurity law has totally different touch points with society when compared to how the US government thinks of the issue. Beijing clearly defines cybersecurity in terms of ownership and control. Companies doing business are required to comply with regulations apparently developed with Chinese sovereignty as their focus, as China’s new law enshrines a right for the government to demand that information is stored locally and access to intellectual property is guaranteed.
A second element to the difference between US and Chinese approaches to the cyber domain relates to international norms. China has been highly successful in forcing the rest of the world to accept a certain level of cyber-attacks emanating from China as normal. Last year, the Obama administration issued a joint statement on cybersecurity with China that stated that neither government would knowingly support cyber-related espionage of intellectual property. By agreeing to this statement, China was effectively able to move from simply not acknowledging theft generally to denying knowledge of specific attacks. Given that the statement did not put in place a commitment to reduce activity, this effectively normalized a level of cyber threats. With these actions—implementing its new cybersecurity law and obtaining agreement on the joint statement wording—China has asserted ownership over its cyberspace and re-defined international norms about who is held responsible for actions taken from within China.
Taken together, these two actions present a unique cybersecurity problem to the United States, one that has no single solution. The first aspect of the problem is one of maturity and awareness. The US government must chart a coherent course towards increasing cybersecurity resilience, both within government and industry. There are positive signs in this space. The Obama administration has appointed the first federal chief information security officer and undertaken a comprehensive effort to begin the process of fortifying America’s critical infrastructure against cyber threats. These steps signal a coordinated effort to reduce the scale of vulnerability and, when combined with corporate disclosure rules for attacks and support from organizations within government to business, stand the United States in good stead to make further gains. While these efforts are solid and world-leading, much more work will need to be done to close capability gaps in a rapidly evolving domain.
On the second element of the problem posed by China, the United States requires more nuanced thinking. The Chinese government currently defines its cyber capabilities, rights, and responsibilities in terms of its own sovereignty. This will apply to companies and to their attacks. Currently, Beijing has little incentive to make efforts to restrain attacks. The next administration will have to begin to address this in some manner. However, it must start by understanding that it currently needs to adjust its thinking about how China sees cybersecurity. Unless it does this and recognizes China’s efforts to assert control of the cyber domain within its territory and reshape external norms, it will continue to adopt a posture towards China that inadequately reflects the US government’s actual priorities.
Image credit: Christiaan Colen