CFR Presents

Asia Unbound

CFR experts give their take on the cutting-edge issues emerging in Asia today.

Print Print Cite Cite
Style: MLA APA Chicago Close


Is China a Paper Tiger in Cyberspace?

by Adam Segal
February 8, 2012

Paper Tiger. ('No Matter' Project/Courtesy Flickr) Paper Tiger. ('No Matter' Project/Courtesy Flickr)


Two recent studies of national cyber power have placed China near the bottom of the table. China is number 13 on the EUI-Booz Allen Hamilton Cyber Power Index, behind Argentina, Mexico, and Brazil but better off than Russia, Turkey, South Africa, and India (the United Kingdom, United States, and Australia are the top three). The Brussels-based Security & Defence Agenda groups China with Italy, Russia, and Poland in the fifth tier (the U.S. and the UK are in the third tier, below Finland, Sweden, and Israel; the top group is empty).

These are very subjective studies based on interviews, surveys, and vague metrics. Still, they cut against the grain of popular perceptions. If you were just paying attention to the almost weekly reporting in the Western press about alleged Chinese cyber espionage, you could be forgiven for thinking that China ruled the cyber waves. Yet recent writings in the Chinese press have more of a “China is vulnerable” flavor and suggest that analysts, if not characterizing the country’s cyber strategy as weak, think there is a great deal of work that remains to be done.

The work ahead is both defensive and offensive, technical and strategic. Zhang Yongfu, a professor at the PLA’s Information Engineering University, told the PLA Daily that the “cybersecurity situation” was in its early stages.  As with every other country, deciding which bureaucracies should be involved in defense and coordinating among them is difficult; cyber management, in Zhang’s words, is fragmented and ineffective.  Since a cyber event could develop over hours if not minutes, policymakers must seriously wonder if the People’s Liberation Army, Ministry of Public Security, Ministry of State Security, and Ministry of Industry and Information Technology can successfully coordinate their roles during a crisis.

Chinese analysts are also grasping with the conundrum that if you wait until you see a problem in your networks, it may already be too late. The Pentagon’s Strategy for Operating in Cyberspace says it will employ “active defense”— “synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities.” Former Deputy Secretary of Defense William Lynn III compared this to combining a sentry and a sharpshooter. This article on China National Defense News also uses the concept of active defense (积极防御), involving a reliance on cyber reconnaissance and surveillance as well as the realization that defense must be conducted at “all times and all places”, which could be read to mean “defense” in other countries’ networks.

As with most articles about cyberspace, there is a fear that China could lose control over information “nodes and infrastructure” and outside powers could distribute rumors that mislead the public. The growing dependence of the military on networks is a new vulnerability as other powers are preparing to sabotage network command, control, communications, and intelligence systems. Technology is a big concern in all of these articles: the United States has it, China does not. There are also discussions about how the PLA and others can attract and retain hacking talent.

What to make of these assessments? Someone is bound to find a quote from Sun Tzu (Here’s an easy one: “All warfare is based on deception; when we are able to attack, we must seem unable”) and suggest that these articles are meant to confuse, mislead, and lull the United States into a false sense of security. Maybe these articles are primarily focused on domestic audiences, signaling to the Chinese public that the leadership is not standing still while the United States develops a cyber strategy, or perhaps to various domestic institutions and actors that they need to get on board with the emerging strategy.

Perhaps the simplest explanation is that Chinese policymakers fear that they really are at the bottom of the table. Despite outside perceptions of the coherence and efficacy of Chinese cyber strategy, Chinese analysts are feeling increasingly vulnerable in cyberspace.

Post a Comment 5 Comments

  • Posted by George Lewinski

    Mundane though they may be, the simplest explanations are most often the right ones. Very nice piece.

  • Posted by CM Yeung

    Cyberspace is anachronistic by nature and extremely hard, if not impossible, to fully secure. Everybody is vulnerable. Contrary to Western media’s obsession, the biggest threat is when a fringe group somewhere starts to employ cyber terrorism as its tactic to wreak havoc around the world.

  • Posted by Bill Hagestad

    An outstanding article – Booz Hamilton is incorrect. The People’s Republic of China is closer to the top spot – as much as we in the West do not want to admit it – the Chinese have perfected and really earned the coveted title of a true advanced persistent threat…..

  • Posted by Rod Nichols

    Excellent “take”on an often-muddled newspaper-driven panic. Adam calmly probes options. The Chinese are surely NOT 10 ft tall. Neither is US. But the deep issues remain, and no doubt so does “vulnerability.”

  • Posted by David

    Of course it is perfectly possible for both hypotheses to be correct – they are not of necessity mutually incompatible.

    A country (whether China or any other) might have a strong offensive capability, but poor defences.

Post a Comment

CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR's guidelines and will be moderated prior to posting.

* Required