6026 Cybersecurity China
-
Upload
anastasia-stitch -
Category
Documents
-
view
117 -
download
1
Transcript of 6026 Cybersecurity China
To what extent is China a constructive force in the creation of international rules and regulations on
management of cyberspace?
Anastasia Stitch
Abstract
The proliferation and accessibility of the Internet has had vast, unanticipated implications for
contemporary international relations. Whilst it cannot be denied that this technological advancement
has fostered economic growth, as well as facilitated cooperation and communication; cyberspace has
become a virtual platform for cybercriminals to exploit the vulnerabilities of the unstructured digital
architecture. With no one centralized form of governance to manage these threats, it has become clear
that government must open dialogue with one another, with the hope of building a framework for
managing cyberspace globally. Within this debate, China has taken clear steps at showing the world
that it can be an active and responsible stakeholder, through proposing an international code of
conduct for information security to the Secretary General of the United Nations in 2011. However, the
friction between liberal democratic values of upholding “fundamental rights”, fostering transparency
and openness are in complete contrast to China’s tightly controlled grip over freedom of information.
This paper will consider in depth the degree to which China can be viewed as a constructive force in
the creation of international rules and regulations on management of cyberspace.
Introduction
This paper will consider to what extent China is a constructive force in the creation of international
rules and regulations on management of cyberspace. Cyber security has become a key item on the
majority of states agenda in recent years. This can be attributed not only to the increased speed, but
also to the sharp reduction in the cost of transmitting information. At the beginning of the 21st century
computing power cost one thousandth of what it did in the early 1970s. This has staggering
implications for international relations as we witness power “diffusing” from states to individuals and
private organisations (Nye, 2010).
The current technological revolution has had incalculable benefits, driving economic growth and
providing new ways for people to communicate and cooperate worldwide. At the same time, the
“diffusion of power” away from the state, to a virtual digital architecture has provided vast incentives
for individuals to exploit the unregulated cyber realm. States are becoming increasingly aware that
cyberspace has become a new battleground for international politics. It requires rules, regulations, and
open dialogue between states in order to establish basic international norms. As it stands, there is no
overarching international governance, regulating cyberspace. With hacking, industrial cyber
espionage, and cyber terrorism on the rise, cyber security has become a key concern for many
governments. Despite the shared anxiety, given the different political characters of western liberal
democratic governance with that of Chinese state-controlled authoritarianism, cyber security has
become an intractable issue at the global level. Within this context, it is necessary to consider if China
can be viewed as a responsible, constructive power, capable of contributing to the creation of a set of
international rules and regulations on management of cyberspace.
Cyber Security and World Order: a “Wicked Problem”?
In order to make a clear judgment as to whether China is a constructive force in the creation of
international rules on the management of cyber space it is vital to shed light on the broader context of
cyber security as an encroaching concern for governments in a global context.
Liberal democratic countries such as the United States, the United Kingdom, and Canada have cyber
security strategies that advocate an “open” and interoperable cyberspace. For example, the UK
Government have set aside £650 million of public funding for a four year National Cyber Security
Programme. The role of the government, however, is largely to ensure that individuals themselves
have the tools and knowledge to protect themselves against cyber security threats. On the other side of
the Atlantic, the United States has outlined its key objectives in the International Strategy for
Cyberspace, 2011. The U.S.’ strategy emphasises democratic values such as the rule of law,
innovation, free speech, privacy and the free flow of information (International Strategy for
Cyberspace, 2011).
What is important to highlight is that an American led democratic international strategy for the
management of cyberspace might not be attractive or easily applied to all states. Here, we can speak of
distinctive information cultures, where a melange of factors ranging from the nature of the economy,
the level of economic development, as well as historical factors have undoubtedly led to difference in
attitude and values about information in different societies (Suttmeier, 2012). This has strong
implications for international cooperation on information and cyber security. In order to highlight this,
it is useful to consider a brief analysis of the Asia Pacific region’s diverse cyberspace strategies.
Whereas most “western” countries share similar objectives when it comes to the rules and regulations
of managing cyberspace, it is not as clear-cut in regions such as the Asia Pacific. Asia now comprises
45% of the world’s Internet population and is continuing to grow at a rapid, incremental rate. China
makes up half of the regions Internet population. These factors alone indicate that the culture of global
cyberspace will transform over the next few years. Far from being a homogenous region, the Asia
Pacific is diverse and dynamic. As a result there are diverse cyberspace policies adopted throughout
the region from “free-wheeling zones of entrepreneurialism, to islands of state control” (Deibert, 2011:
1). China is a clear example of the latter, where what is known colloquially as the “Great Firewall of
China” refers to the strong censorship and surveillance of Internet information and activity. Whilst this
is expected in authoritarian regimes, in other Asian non-authoritarian regimes such as South Korea,
strict Internet censorship is adopted justified on the basis of national security. There have been
pressures growing to tighten control of cyberspace in the region because of concerns about
“cybercrime, copyright infringement, public morality and decency, or the enforcement of slander and
libel laws” (Deibert, 2011:4).
What makes the creation of international rules and regulations for cyberspace a “wicked problem” is
simply the fact that cyber security means different things for different governments. A clear example
being the contrast between the United States with China. For the U.S., cyber security largely relates to
hardware: the protection of networks, routers, and computers, whereas in the case of China, the focus
is on “information security” which includes both hardware as well as threats of content. Therefore,
China can be viewed as being concerned not only about a hacker who gets into the power grid, but
also Twitter and Facebook (Segal, 2013). Furthermore, when looking at cyber security from this
broad perspective, we see countless factors that make management of cyberspace such a contentious
issue. For example, it has been argued that the boundaries between states have become more blurred in
the current digital revolution age, however, despite the fact that the Internet has no formal state
borders; it remains a place where state entities operate in and care deeply about. Secondly, what makes
cyber security an intractable issue at the state level is that there is a large knowledge gap between
those who can be identified as “digital natives” vs. “digital immigrants”. Most policy-makers tend to
be in the latter category, and are usually the most uncomfortable about cyber issues, yet it is their job
to respond to these threats adequately. Furthermore, compounding this, there is the issue of uncertain
attribution. “It is rarely possible to identify with complete confidence the actual initiator of a malicious
cyber activity” (Lieberthal & Singer, 2012).
Lastly, one of the many factors making cyber security a pernicious concern for states is the issue of the
range of vocabulary and concepts adopted by different states to describe activity in cyberspace. As
was mentioned previously, cyber security is a contested phrase, meaning different things for distinct
information cultures depending on their political, socio-economic, and religious nature. This is an
issue that must be considered at the international level when developing a set of rules and regulations
for managing cyberspace. The cyber realm is characterized by highly technical concepts where “even
the most basic terms can be loaded with meaning”.
“Authoritarian Informationalism”: The Chinese approach to cyberspace
Much can be said about a states likely behaviour internationally from the way they conduct their
affairs internally, on the domestic level. Therefore, when considering the extent to which China could
be a constructive force in the creation of international rules and regulations on management of
cyberspace one must asses the nature of China’s security policy environment, its treatment of
cybercriminals, as well as China’s perspective on cyber security at large.
Unlike the U.K., the U.S., which was briefly considered, China does not have a monolithic,
coordinated policy approach to cyber security. Although political power is centralized in the Chinese
Communist Party (CCP), “Chinese governance is fragmented regionally and functionally”… “for
civilian or industrial cyber security, China has to contend with a complicated tangle of regulatory
institutions, inconsistent implementation of policy directives, and public and private sector actors
pursuing incompatible interest” (IGCC, 2012). China’s civilian national cyber security strategy,
released in 2003 is known as “Document 27: Opinions for Strengthening Information Security
Assurance Work.” Document 27 promotes a principle of “active defence” and establishes policy
foundations for “critical infrastructure protection, cryptography, dynamic monitoring, indigenous
innovation, talent development, leadership, and funding” (Goodrich, 2012). In China, authoritative
Chinese sources “paint a cyber threat picture with three general components”: “hacking and
cybercrime; Internet information management and propaganda; and military vulnerabilities” (Cooper
III, RAND, 2012).
Chinese authorities see social media platforms as the primary source of political destabilization and
popular discontent. Therefore, Internet control and censorship in China can be seen as being
inextricably linked to the protection of the sovereignty and integrity of the CCP.
Despite the long catalogue of popular websites blocked in China, including Facebook and Twitter,
Weibo, is a Chinese micro blogging website with well over 30% of Internet users, and is known as
Chinese Twitter. It offers ordinary citizens the opportunity to post videos, comments and messages,
providing a new source of public pressure on the government. According to Kaiser Kuo, the director
of Corporate Communications at Baidu.com, “there’s never been a time when there’s been a
comparably large and impactful public sphere. It’s now driving, in many ways, the entire national
dialogue”. However, despite Weibo being seen as an opportunity for creative expression, it is
impossible for the website to be used to organize a social movement or to revolt against the CCP.
Chinese blogger and journalist Michael Anti explains, “as soon as you use the word ‘gather’, the
keyword would get picked up, and the warning would be sent to the local police station”. In this sense,
Weibo can be seen as “Censorship 2.0.”
With the increase of online businesses and “netizens”, a complex underground criminal economy has
emerged. The growing rate of domestic cybercrime in China is comprised of a large underground
market targeting virtual goods, according to Zhuge Jianwei of Tsinghua University, a structural
analysis of the underground economy indicates that there are four value chains: “1) Real asset theft:
stealing money from accounts or credit cards; 2) Network virtual asset theft; 3) Internet resource and
services abuse; 4) Black hat techniques, tools and training: selling Trojan horses and attack tools
employed to provide technical support for the cybercriminals, and providing training services to
newbies” (Jinwei, IGCC, 2012). Based on Jianwei’s structural analysis, it is estimated that the overall
damage of and population threatened by this underground cyber economy amounts to 5.36 billion
RMB, affecting 110.8 million Chinese users (~22%). This has led to a tightening of the surveillance
and tracking of online activity in order to “prevent” cybercrime through what is known as the Chinese
“Great Firewall”.
This “Great Firewall” has been supplemented through a “complex system of ever-deepening
information controls ranging from informal pressures to formal laws and a myriad of private sector
regulations designed to capitalize on information flows while minimizing their adverse social and
political impacts” (Deibert, 2011: 2). Google, the West’s leading search engine, attempted to play by
China’s rules and introduced a self-censored search engine there in 2006, but withdrew its service in
2010 because it was allegedly being hacked (The Economist, April 6, 2013). This is just one of many
accounts of Chinese national “hacktivism”. According to Aljazeera “China’s Cyber Warriors”,
Chinese hackers are referred to as “red visitors” or “crusaders on a mission or fight a perceived anti-
China bias in the world” (2010). China fears it is too reliant on the West, as American technology
standards are used globally. According to Chinese source, 90% of chips and other technologies are
imported from the United States, and an additional 65% of encryption technologies from the West.
This fear of dependency on the West led to the 2006 Medium to Long Term Plan on Science and
Technology (MLP) where it is stated “facts have proved that, in areas critical to the national economy
and security, core technologies cannot be purchased.” (Segal, 2012). The Chinese therefore focus on
unfair advantages and China’s victimization (of cybercrime).
China has been accused of harbouring “patriotic” hackers who are motivated by three kinds of
hacking: 1) political espionage or intimidation, going after government and international agencies such
as the IMF, as well as think tanks, Tibetan activist, and others that challenge China’s state sovereignty.
2) Industrial cyber espionage, China has been accused of stealing U.S. trade secrets and other national
property in order to move up the “value chain” in R&D. 3) Cyber attacks in a military conflict, it is
argued that in a conflict against a technologically superior adversary the PLA would want to seize
information control very early on (Segal, 2012).
However, from a Chinese perspective, the picture looks entirely different. China feels equally, if not
more threatened from cyber attacks than those in the West. Tang Lan in Crux of Asia: China, India
and the Emerging Global Order states that “each year, the National Computer Network Emergency
Response Technical Team Coordination Center of China (CNCERT) deals with serious attacks on
government, financial institutions, and commercial websites”. Since 2004, the Chinese government,
recognizing the importance of cyberspace as the “central nervous system of China”, has equated cyber
security with political security, economic security, cultural security, and military security as the five
major challenges the country faces (Lan, 2013: 191-192). Furthermore, China views the United States
as a hypocrite for accusing China of hacking, especially after Stuxnet was discovered in 2010 and it is
widely believed to have been created by the U.S. and Israel to attack Iran’s nuclear facilities. The
Chinese press has reported that “a growing number of Chinese public institutions and companies have
been threatened by cyber attacks from other countries or regions” and that “a total of 85 website of
public institutions and companies were hacked from September 2012 to February 2014, including
government agencies, a provincial examination authority, a property insurance company and a virus
research facility in central China”… “it is noted that attacks on 39 of those websites were recorded
from IPs within the United States” (Xinhua, 2013). Chinese national press assert that “the US’
exaggerations of the threat posed by Chinese hackers are aimed at creating an environment to
accelerate its capability to carry out a cyber war” (Global Times, 2013). These messages are part of a
campaign aimed at non-aligned countries who worry about U.S. intentions of cyber hegemony.
Is China a constructive force or a force to be reckoned with in the creation of international rules
and regulations on management of cyberspace?
If one is to reach an adequate judgement as to whether China is a constructive force in the creation of
international rules and regulations on management of cyberspace, the dialogue must expand beyond
American and Chinese accusations and counteraccusations over who is responsible for the most cyber
hacking. This narrow focus serves to increase suspicion and mistrust, making any form of international
cooperation near impossible.
Whilst China has a distinctively authoritarian approach to “information security”, the government has
taken steps towards showing its ability to abide by existing international norms. On September 12,
2011, the permanent representatives of China, Russia, Tajikistan and Uzbekistan to the United Nations
submitted a letter jointly to the United Nations Secretary-General Ban Ki-moon, asking him to
distribute the International Code of Conduct for Information Security drafted by their countries as a
formal document of the 66th session of the General Assembly. This was a clear attempt to encourage
open dialogue towards reaching a consensus on establishing international rules and regulations on
managing information and cyberspace.
The principles enshrined in the letter require that countries “shall not use such information and
telecom technologies as the network to conduct hostile behaviors and acts of aggression” or to
“threaten international peace and security” and stress that countries have the rights and obligations to
protect their information and cyberspace as well as key information and network infrastructure from
threats, interference and sabotage attacks. Furthermore, they advocate establishing a multilateral,
transparent and democratic international Internet governance mechanism, “fully respecting the rights
and freedom of information and cyberspace with the premise of observing laws, helping developing
countries develop the information and network technologies and cooperating on fighting cyber crimes”
(Ministry of Foreign Affairs of the People’s Republic of China, 2011).
While this is clear steps towards opening discussions over the future of international governance of the
Internet, the documents proposal to curb “the dissemination of information that incites terrorism,
secessionism, or extremism, or that undermines other countries’ political, economic, and social
stability, as well as their spiritual and cultural environment” is problematic in the sense of the
generality of the wording. Syracuse professor and Internet governance expert Martin Mueller warns
that “that section would give any state the right to censor or block international communications for
almost any reason”, he writes on the Internet Governance Project blog.
If the 2011 International Code of Conduct for Information Security is not an attractive proposal, then
what would a successful international framework for managing cyberspace look like? Multilateral
coordination is a must. I agree with Ron Deibert, professor of Political Science, and Director of the
Canada Centre for Global Security Studies and the Citizen Lab at the Munk School of Global Affairs,
University of Toronto, who argues that “considering the fact that there is no one “centre” of
cyberspace governance, policy should be coordinated across many different forums, from APEC and
ASEAN to the G8 and G20”.
The distinctiveness of information cultures around the world highlights that countries must move
towards a broad normative international framework, one that underscores the basic rules and
regulations that are seen to be valuable universally. Furthermore, any overarching international
cyberspace agreement must have a strong respect and understanding of the attitudes and values
towards information found in different societies.
Whilst China has yet to develop a cyber policy, this is not a sign that it doesn’t have the characteristics
necessary to be a constructive force in the creation of international rules and regulations. It is
important to recognize that China is in a far more disadvantaged position to that of the United States,
Europe or Canada. The US has the ability to monitor activities, whereas China doesn’t have the
capabilities to do so. This leaves them in an extremely vulnerable position. When we think of cyber
security in Asia, “images of Chinese-based cyber espionage networks and repeated high-level
breaches of corporate and government assets in the U.S., Canada, and Europe”, however “statistics on
cybercrime suggest that China and most other rapidly ICT-developing Asian countries are massive
breeding grounds of the types of vulnerabilities and insecurities in which cybercrime thrives” (Deibert,
2011: 3).
The fact that Asia now comprises 45% of world’s Internet population has staggering implications for
the culture of global cyberspace. There is an obvious tension between the hands off, open Western
cyber strategies with those of Asian countries, who feel more compelled to control the Internet
because of concerns about cybercrime, copy right infringement and public morality.
Conclusion
As a rising economic power, China has taken great strides in making “Information Security” a top
priority. China’s has a fractious network of military, intelligence and other state entities involved in
cyber policy who are concerned about international and domestic security. On the domestic front,
Chinese networks face “idiosyncratic risks”: “ballooning levels of domestic cybercrime, widespread
dependence on Western software, and uneven legal regimes and enforcement” (IGCC, 2012: 3). A
failure to understand Chinas domestic civilian context of cyber security could lead to a profound
misunderstanding of its international intentions.
Given China’s fear of dependency on Western countries for technology, China’s MLP (Medium to
Long-Term Plan) for scientific and technological development with its Strategic Emerging Industries
(SEI) initiative have incentivised Chinese R&D efforts in chip design, software, and developing their
own intellectual property (IP). This is a signal that China is taking large steps to become a leading
“cyber power”, one who will play an essential role in the creation of international rules and regulations
for the management of cyberspace.
Many people wonder, due to the fact of China’s different domestic cyberspace regulatory position-
how does it expect to reconcile its difference with the wider international community, let alone take a
leadership role in establishing international norms/ framework? In the new information age, where
power is being diffused from the state level and new opportunities for exploiting the vulnerabilities
inherent in computers exist, an international cyber security strategy must take into account the
distinctive information cultures in dynamic regions such as the Asia Pacific.
An international agenda for cyber security should be a realistic, broad framework that takes into
account not only powerful states such as the U.S. and China, but influential non-state actors of the
cyber realm. There is a need to expand engagement to “track 1.5” dialogue, where “government
officials participate in non-government dialogue” (Leiberthal &Singer, 2012). Instead of focusing on
domestic political characteristics, an international normative framework on cyber security should
focus on activities that virtually all states deem harmful and discuss methods of reducing the harm as a
first step. These discussions should make space for new methods of cooperation, facilitating efforts on
norm building and building up trust. Considering China’s steps in the direction towards a code of
conduct on information security, I firmly believe that China would be a constructive force in the
creation of international rules and regulations for the management of cyberspace.
Bibliography of Sources
Aljazeera, “China's Cyber Warriors,” 101 East, 8 April 2010, 22 minutes, http://www.youtube.com/watch?v=eghmqZZKVb8
Cooper III, C.A. “Chinese Perceptions of and Strategic Response to Threats in Cyberspace”, in China and
Cybersecurity: Political, Economic and Strategic Dimensions, IGCC, April 2012.
The Economist, “Cyber-hacking, Masters of the cyber-universe”, April 6th 2013,
http://www.economist.com.hk/news/special-report/21574636-chinas-state-sponsored-hackers-are-ubiquitousand-
totally-unabashed-masters
Goodrich, J. “Chinese Civilian Cybersecurity: Stakeholders, Strategies, and Policy”, in China and
Cybersecurity: Political, Economic and Strategic Dimensions, IGCC, April 2012
Global Times, 2013-2-21, “Hacker claims reflect US intention of cyber hegemony”.
http://www.globaltimes.cn/content/763429.shtml
Healey, J. “China is a Cyber Victim, Too”, Foreign Policy.com, April 2013.
http://www.foreignpolicy.com/articles/2013/04/16/china_is_a_cyberwar_victim_too
“International Strategy for Cyberspace: Prosperity, Security and Openness in a Networked World,” Office of the President of the United States, May 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
Jinwei, Z. “Investigating the Chinese Underground Economy of Information Security” in China and
Cybersecurity: Political, Economic and Strategic Dimensions, IGCC, April 2012.
Joseph Nye, “On Global Power Shifts,” TED Talk, July 2010, 18 minutes, http://www.ted.com/talks/joseph_nye_on_global_power_shifts.html
Kenneth Lieberthal and Peter Singer, “Cybersecurity and U.S.-China Relations, Brookings Podcast, 23 February 2012, http://www.brookings.edu/research/papers/2012/02/23-cybersecurity-china-us-singer-lieberthal.
Letter dated 12 September 2011 from the Permanent Representative of China, the Russian Federation, Tajikistan and Uzbekistan to the Secretary General of the United Nations.
Mary Kay Magistad, “How Weibo is Changing China,” Yale Global Online, 9 August 2012, http://yaleglobal.yale.edu/content/how-weibo-changing-china
Ministry of Foreign Affairs of the People’s Republic of China, “China, Russia and Other Countries Submit the
Document of International Code of Conduct for Information Security to the United Nations”, 2011-09-13
http://www.fmprc.gov.cn/eng/zxxx/t858978.htm
Mueller, M, & Chango, M. “Disrupting Global Governance: The Internet Whois Service, ICANN and Privacy.”
Journal of Information Technology and Politics, Vol. 5, No. 3, 303-325 (2008).
Mueller, M. “Internet Governance Project”, http://www.internetgovernance.org/people/milton-mueller/
Ningzhu, Z (ed). “Chinese institutions, companies threatened by overseas cyber attacks: report”, Xinhua, March,
2013.
http://news.xinhuanet.com/english/china/2013-03/10/c_132223206.htm
Ron Deibert, “Asian Cyberspace on the Rise: Challenges and Opportunities for Canada,” Canada-Asia Agenda, 13 September 2011, 5 pp. http://www.asiapacific.ca/sites/default/files/filefield/ron_deibert_sept_13_v2.pdf.
Tang Lan, “China’s Perspective: Cyber Security,” in Ashley Tellis and Sean Mirsky, eds., Crux of Asia: China, India and the Emerging Global Order, (Carnegie Endowment, 2013), pp. 185-95, http://carnegieendowment.org/files/crux_of_asia.pdf
The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf.
Segal, A. “The People’s Republic of Hacking,” Foreign Policy.com, January 31, 2013 http://www.cfr.org/china/peoples-republic-hacking/p29909?cid=emc-ACC_Spring13_BCK- -China_Hacking-04513
Segal, A. ICS Academic Conference Call: “China, Cybersecurity, and Crisis Stability”, April 25, 2013. 12:00pm-1:00pm. Mershan Center for International Security Studies, room 120.
Stuttmeier, R.P. “Information and the Dynamics of Innovation”, in China and Cybersecurity: Political,
Economic and Strategic Dimensions, IGCC, April 2012