CFR Presents

Asia Unbound

CFR experts give their take on the cutting-edge issues emerging in Asia today.

Print Print Cite Cite
Style: MLA APA Chicago Close


China Moves Forward on Cybersecurity Policy

by Adam Segal
July 24, 2012

Wang Chen, director of the State Council Information Office answers questions after announcing the launch of the National Internet Information Office. (Zhai Zihe / Courtesy Xinhua)


Last week, the State Council issued a new policy opinion for promoting the development of Chinese information technology and information security. In the State Council’s view, “international competition over the acquisition, use, and control of information is increasingly fierce” and China faces urgent challenges. In particular, the policy opinion notes the disparity between China and developed countries in broadband infrastructure; a low degree of information sharing between the government and industry; the control of core technologies by foreigners; inadequate strategic planning for information security and weak basic network defense capabilities; and the rapid growth of mobile Internet and other new technologies.

The policy opinion has a slight “ripped from the headlines” feel, reflecting the threats that must be looming large for Chinese policymakers. There is a large section that deals with strengthening industrial control systems for nuclear facilities, aviation, oil and petrochemicals control networks, electrical systems, and transportation systems that immediately brings Stuxnet to mind. Another section focuses on securing government and other confidential information systems that could be the target of espionage exploits like Flame, or Anonymous and other political hacktivists. And the large-scale data breaches that were part of the attacks on Tianya, China Software Developer Network, and are covered in a section on protecting personal information and user data. There is, however, also a great deal of continuity with earlier plans for information security. The 2003 “Document 27: Opinions for Strengthening Information Security Assurance Work,” for example, also stressed the protection of critical infrastructure, and both the 2003 and 2012 opinions note the need for dynamic monitoring of the Internet as well as talent development and greater leadership and coordination.

By contrast, the United States‘ ability to move forward with its own cybersecurity policies and plans does not look particularly promising right now. On Thursday, President Obama wrote an op-ed in The Wall Street Journal urging the Senate to pass the Cybersecurity Act of 2012. A number of Senators opposed an earlier version of the bill that empowered the Department of Homeland Security to define security standards for critical infrastructure and required power grid, gas pipelines, and water supply companies to meet a certain level of security. A new compromise version makes industry participation voluntary; best practices will be created and companies offered incentives to adopt them.

Even with the compromise, the bill’s future in the Senate and in the House is uncertain (uncertain may be kind—Jessica R. Herrera-Flanigan and Paul Rosenzweig think legislation is basically dead, and Senator McCain said on Monday that the bill “has zero chance of passing in the House or ever being signed into law”). Still it would be premature, if not misguided, to tout the State Council opinion as one more piece of evidence of China’s ability to get things done. For one, the opinion is a grab bag of vague policy proposals, spanning tens of different policy arenas. Some will work out, some will be dropped. Moreover, these proposals are not always internally consistent. There is, for example, a strong government hand involved, but the opinion also “advocates for industry self-regulation.”

And politics are unavoidable in China too. As Jimmy Goodrich notes, after the introduction of the 2003 opinion different parts of the Chinese bureaucracy launched competing policy initiatives and waged fierce battles over their policy turf.  The 2012 opinion highlights the leadership of the national leading small group for informationization and national coordinating small group for cyber and information security, but strong leadership is needed at the top and it is a real question if any of China’s top leaders are focused on cybersecurity right now given the state of the economy and the fallout from the removal of Bo Xilai. There is no doubt the United States could be doing more at home, and another year passing without any legislation to address what the President calls “one of the most serious economic and national security challenges we face” does not look good.  But developing smart information security policies is hard, even for China.



Post a Comment 1 Comment

  • Posted by Antonio L Rappa, Associate Professor and Head, UniSIM Security Studies

    1. Cybersecurity is defined by Antonio L Rappa as a means of protecting personal and public information from intentional or unintentional abuse. China is able to move faster on cybersecurity policy because it embraces Communism. Obama’s America cannot move fast enough to get the Cybersecurity Act of 2012 approved because America embraces Democracy. There remains a gulf of difference between these bipolar, political ideologies.
    2. China must not obviate the use of diplomacy to resolve issues that it has with other nations. China has never made an overt move vis-a-vis the South China Sea since the time of Mao. Why is it doing so now? Why would China wish to weaken its standing among ASEAN countries, especially the Philippines and Vietnam?

Post a Comment

CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR's guidelines and will be moderated prior to posting.

* Required