Two recent studies of national cyber power have placed China near the bottom of the table. China is number 13 on the EUI-Booz Allen Hamilton Cyber Power Index, behind Argentina, Mexico, and Brazil but better off than Russia, Turkey, South Africa, and India (the United Kingdom, United States, and Australia are the top three). The Brussels-based Security & Defence Agenda groups China with Italy, Russia, and Poland in the fifth tier (the U.S. and the UK are in the third tier, below Finland, Sweden, and Israel; the top group is empty).
These are very subjective studies based on interviews, surveys, and vague metrics. Still, they cut against the grain of popular perceptions. If you were just paying attention to the almost weekly reporting in the Western press about alleged Chinese cyber espionage, you could be forgiven for thinking that China ruled the cyber waves. Yet recent writings in the Chinese press have more of a “China is vulnerable” flavor and suggest that analysts, if not characterizing the country’s cyber strategy as weak, think there is a great deal of work that remains to be done.
The work ahead is both defensive and offensive, technical and strategic. Zhang Yongfu, a professor at the PLA’s Information Engineering University, told the PLA Daily that the “cybersecurity situation” was in its early stages. As with every other country, deciding which bureaucracies should be involved in defense and coordinating among them is difficult; cyber management, in Zhang’s words, is fragmented and ineffective. Since a cyber event could develop over hours if not minutes, policymakers must seriously wonder if the People’s Liberation Army, Ministry of Public Security, Ministry of State Security, and Ministry of Industry and Information Technology can successfully coordinate their roles during a crisis.
Chinese analysts are also grasping with the conundrum that if you wait until you see a problem in your networks, it may already be too late. The Pentagon’s Strategy for Operating in Cyberspace says it will employ “active defense”— “synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities.” Former Deputy Secretary of Defense William Lynn III compared this to combining a sentry and a sharpshooter. This article on China National Defense News also uses the concept of active defense (积极防御), involving a reliance on cyber reconnaissance and surveillance as well as the realization that defense must be conducted at “all times and all places”, which could be read to mean “defense” in other countries’ networks.
As with most articles about cyberspace, there is a fear that China could lose control over information “nodes and infrastructure” and outside powers could distribute rumors that mislead the public. The growing dependence of the military on networks is a new vulnerability as other powers are preparing to sabotage network command, control, communications, and intelligence systems. Technology is a big concern in all of these articles: the United States has it, China does not. There are also discussions about how the PLA and others can attract and retain hacking talent.
What to make of these assessments? Someone is bound to find a quote from Sun Tzu (Here’s an easy one: “All warfare is based on deception; when we are able to attack, we must seem unable”) and suggest that these articles are meant to confuse, mislead, and lull the United States into a false sense of security. Maybe these articles are primarily focused on domestic audiences, signaling to the Chinese public that the leadership is not standing still while the United States develops a cyber strategy, or perhaps to various domestic institutions and actors that they need to get on board with the emerging strategy.
Perhaps the simplest explanation is that Chinese policymakers fear that they really are at the bottom of the table. Despite outside perceptions of the coherence and efficacy of Chinese cyber strategy, Chinese analysts are feeling increasingly vulnerable in cyberspace.