Last week, the State Council issued a new policy opinion for promoting the development of Chinese information technology and information security. In the State Council’s view, “international competition over the acquisition, use, and control of information is increasingly fierce” and China faces urgent challenges. In particular, the policy opinion notes the disparity between China and developed countries in broadband infrastructure; a low degree of information sharing between the government and industry; the control of core technologies by foreigners; inadequate strategic planning for information security and weak basic network defense capabilities; and the rapid growth of mobile Internet and other new technologies.
The policy opinion has a slight “ripped from the headlines” feel, reflecting the threats that must be looming large for Chinese policymakers. There is a large section that deals with strengthening industrial control systems for nuclear facilities, aviation, oil and petrochemicals control networks, electrical systems, and transportation systems that immediately brings Stuxnet to mind. Another section focuses on securing government and other confidential information systems that could be the target of espionage exploits like Flame, or Anonymous and other political hacktivists. And the large-scale data breaches that were part of the attacks on Tianya, China Software Developer Network, and 360buy.com are covered in a section on protecting personal information and user data. There is, however, also a great deal of continuity with earlier plans for information security. The 2003 “Document 27: Opinions for Strengthening Information Security Assurance Work,” for example, also stressed the protection of critical infrastructure, and both the 2003 and 2012 opinions note the need for dynamic monitoring of the Internet as well as talent development and greater leadership and coordination.
By contrast, the United States‘ ability to move forward with its own cybersecurity policies and plans does not look particularly promising right now. On Thursday, President Obama wrote an op-ed in The Wall Street Journal urging the Senate to pass the Cybersecurity Act of 2012. A number of Senators opposed an earlier version of the bill that empowered the Department of Homeland Security to define security standards for critical infrastructure and required power grid, gas pipelines, and water supply companies to meet a certain level of security. A new compromise version makes industry participation voluntary; best practices will be created and companies offered incentives to adopt them.
Even with the compromise, the bill’s future in the Senate and in the House is uncertain (uncertain may be kind—Jessica R. Herrera-Flanigan and Paul Rosenzweig think legislation is basically dead, and Senator McCain said on Monday that the bill “has zero chance of passing in the House or ever being signed into law”). Still it would be premature, if not misguided, to tout the State Council opinion as one more piece of evidence of China’s ability to get things done. For one, the opinion is a grab bag of vague policy proposals, spanning tens of different policy arenas. Some will work out, some will be dropped. Moreover, these proposals are not always internally consistent. There is, for example, a strong government hand involved, but the opinion also “advocates for industry self-regulation.”
And politics are unavoidable in China too. As Jimmy Goodrich notes, after the introduction of the 2003 opinion different parts of the Chinese bureaucracy launched competing policy initiatives and waged fierce battles over their policy turf. The 2012 opinion highlights the leadership of the national leading small group for informationization and national coordinating small group for cyber and information security, but strong leadership is needed at the top and it is a real question if any of China’s top leaders are focused on cybersecurity right now given the state of the economy and the fallout from the removal of Bo Xilai. There is no doubt the United States could be doing more at home, and another year passing without any legislation to address what the President calls “one of the most serious economic and national security challenges we face” does not look good. But developing smart information security policies is hard, even for China.