China s Cybersecurity Challenges and

Transcription

1 China s Cybersecurity Challenges and Foreign Policy Gao Fei For the People s Republic of China s first thirty years of history ( ), Chinese foreign security policy focused mainly on protecting its sovereignty and preventing invasion. Since then, China has shifted its focus to economic development. While the rise of the information age and the modern technological revolution facilitated the country s transition, these shifts have also engendered new challenges. Cybersecurity is one such challenge, and has emerged as a major Chinese national security issue. Gao Fei is an Associate Professor and Director of Research at China Foreign Affairs University, and a Fulbright Scholar at the George Washington University. China is Increasingly Dependent on the Internet Internet penetration and use are growing rapidly in China. As of December 2010, China had 457 million Internet users, an increase of 73.3 million from the previous year. Overall Internet penetration has climbed to 34.3 percent of the population, an increase of 5.4 percent compared to the end of Broadband use is also growing quickly. By December 2010, China had 450 million broadband users (including DSL, cable, optical access, power line communication, Ethernet, and mobile broadband users), and 98.3 percent of the Chinese population used a broadband connection to access the Internet in the first half of [185]

2 CHINA S CYBERSECURITY CHALLENGES AND FOREIGN POLICY Commercial Internet applications are also increasingly prevalent in China, which is pushing e-commerce development and changing users habits. In 2010, over 160 million Chinese consumers shopped online, an increase of 48.6 percent from the previous year. Online payment and e-banking users have reached 137 million and 139 million respectively, with annual growth rates of 45.8 percent and 48.2 percent from the end of Chinese enterprises are increasingly dependent on the Internet for business development. As of December 2010, 94.8 percent of China s small to medium enterprises (SMEs) are equipped with computers, and 92.7 percent have some form of Internet access. Among China s larger enterprises, nearly 100 percent have some form of Internet access. 3 The PRC is still a developing country, and the information technology revolution is bringing critical development opportunities. Both the Chinese government and Chinese enterprises advocate Internet infrastructure construction. The Chinese government contends that informatization is the driving force behind worldwide globalization and China s urbanization. The information revolution has already made great strides in China over the past ten years. Ten years ago the Internet was nothing in China; now you can do nothing in China without the Internet. China s Vulnerabilities and Problems The Internet is a doubleedged sword. It creates new opportunities, but also brings new vulnerabilities and problems. China currently faces Ten years ago the Internet was nothing in China; now you can do nothing in China without the Internet. The Chinese government is also pushing Internet development by advocating efficient e-government at all levels nationwide was the Year of E-Government. Since then, many different government departments and levels have established their own websites. 4 In addition to providing basic government services, E-Government also makes it easier for government departments and units to publish information and provide policy advice. China s E-Government drive is increasing not only governmental work efficiency, but also governmental transparency. severe cybersecurity challenges. China is currently one of the greatest victims of botnet attacks worldwide. A botnet is a group of computers infiltrated by a hacker and infected with malicious software, generally for the purpose of attacking other information systems. These botnets are distributed across the globe. In 2007 the Honeynet Project, an international security research organization, found the highest number of botnets in Brazil, followed by China, Malaysia, Taiwan, Korea, and Mexico. 5 The commandand-control servers directing these [186] Georgetown Journal of International Affairs

3 FEI International Engagement on Cyber machines were are located primarily in the United States, followed by China, Korea, Germany, and the Netherlands. By the close of 2007, Symantec identified around 3.2 million distinct bots worldwide. The largest numbers of botinfected computers are found in the United States (14 percent of total bots measured), followed by Germany (9.5 percent), and China (7.8 percent). Chinese websites are also vulnerable to malicious attacks. In September 2009, 3,513 websites were tampered with in China. Among those, 256 were government websites. The National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) has detected over 140,000 Internet clients suffering from botnet infections; half of those are located in the Chinese mainland. According to China s Ministry of Public Security, Chinese websites, especially government websites (gov. cn), suffer outside hacking attacks at an average rate of nearly two thousand per month. 6 Although the above statistics were gathered by different countries and organizations, at different times, and using different methodologies, they all clearly demonstrate that China is facing very serious cybersecurity challenges across multiple fronts. Although all countries face cybersecurity challenges and vulnerabilities, China s problems are particularly acute. First, given the rapid growth of the Internet in China, officials who create and implement cybersecurity laws, regulations, and policies are finding it difficult to stay apace with the rate of change. These challenges are only increasing with the transition to highspeed broadband networks. Ongoing inter-departmental government coordination exists on matters of information security, risk assessment, standards development, product development, and the fight against online criminal activities. While such coordination has achieved positive results, there is no comprehensive national cybersecurity strategy to guide these efforts. Second, although the United States and other developed economies depend heavily on industry expertise and public-private cooperation to address their cybersecurity challenges, China s information and communications technology (ICT) enterprises are still relatively inexperienced. Not only does the Chinese government presently lack the expertise to deal with these new security challenges, but it also does not have strong private-sector partners with substantial industry experience. Prior to the age of Internet telecommunications, the government was responsible for security, and enterprises were responsible for production. The Internet has created a new scenario: network technology is innovating and evolving so quickly that the government cannot keep up with market demands and guarantee security without industry cooperation. Most domestic Internet enterprises in China are still relatively new private companies, and it takes time to develop the close public-private cooperation that is necessary for effective security in the post-broadband era. Third, all countries are currently struggling to find an acceptable balance between cybersecurity which generally requires some form of government oversight and personal data privacy as well as information freedom. China is no exception. Developing democ- [187]

4 CHINA S CYBERSECURITY CHALLENGES AND FOREIGN POLICY racy is an important goal for many people in China. In October 2010, Chinese Premier Wen Jiabao stated in a CNN interview: I believe I and all the Chinese people have such conviction that China will make continuous progress and the people s wishes and The absence of mutual trust magnifies the difficulties of cybersecurity cooperation among nations. need for democracy and freedom are irresistible I hope you will be able to gradually see the continuous progress of China. 7 While the government is the key force driving China s modernization, the Internet is driving the development of the mass media. For this reason, China s social elites pay particular attention to the diverse views and debates surrounding cybersecurity and information freedom issues. Some elites support strict Internet controls to protect national security; others emphasize protecting information freedom and encouraging technical innovation, similar to the U.S. approach. Even in the United States and European Union, both of which possess strong democratic institutions and value the free flow of information, leaders and members of the public alike are debating and weighing individual rights versus states security issues. Debating such issues openly is particularly difficult in China, a state that has yet to transition toward democracy and lacks open public debate on issues that the government deems sensitive. Fourth, lagging international cooperation in the cyber arena increases security challenges for all actors. The Internet has no borders, and thus no country can guarantee security on its own. The controllers of most of the botnets found in China were based abroad. Moreover, more than 80 percent of the cyber attacks targeting Chinese government websites came from overseas. 8 In this new environment, where actors can use information networks to attack one another across borders and without the knowledge of the host country, traditional political disputes among nations may give rise to new problems. For example, if an organization is considered a terrorist group by Country A but a legitimate human rights organization by B, country B may end up providing a base for this organization to attack the websites of Country A, subsequently leading to increased tensions among states. The absence of mutual trust magnifies the difficulties of cybersecurity cooperation among nations. China s Cybersecurity Foreign Policy China is a developing country, though after thirty years of reform and opening up to the outside world, China has experienced tremendous internal change. In particular, the rapid growth of China s economy and the country s growing ties with the rest of the world stand out as immensely important, and have led Chinese officials to gradually develop what they have dubbed as a New Security Concept. The basic [188] Georgetown Journal of International Affairs

5 FEI International Engagement on Cyber tenets of this New Security Concept are mutual trust, mutual benefit, equality, and consultation. 9 The New Security Concept takes a long-term view on security relations and respects other nations practical interests. It encourages nations to build trust through consultation and to protect national security by means of multilateral coordination. Specifically, the New Security Concept emphasizes multilateral ties, which stress the interdependence among nations in terms of security; multilateral cooperation, which replaces confrontation as the effective route to security; comprehensive security mechanisms that possess economic, technical, social, and environmental dimensions in addition to traditional military and political dimensions; and institution building as a legitimate means to enhancing security, rather than relying on use of the military. 10 The New Security Concept not only focuses on traditional security but also emphasizes non-traditional challenges. Cybersecurity is itself a non-traditional security challenge. The Chinese government has stated that [i]nformation security bears on international security and stability, as well as national economy and people s livelihood. Under the new circumstances with multiple security threats, rising non-traditional security factors and increasingly rampant international terrorism activities, information security has become an important issue in the field of international security. 11 China is continuously developing new laws, regulations, and technical standards to deal with new cybersecurity challenges. At the same time, China maintains that all states must bear responsibility for appropriately addressing issues of information security and stability, since enhanced cybersecurity serves a common global interest. China therefore advocates bilateral and multilateral international cooperation for addressing these mutual challenges. U.S.-China cybersecurity cooperation dates back to 9 June Professor Wu Shizhong, Director of the China National Information Security Testing Evaluation and Certification Center (CNISTECC), told U.S. embassy officials that his government was willing to cooperate with the United States on cybersecurity issues. He stated that the CNISTECC would welcome any information concerning Chinese hacker attacks against U.S. targets, because China and the U.S. should cooperate on information security matters. 12 Chinese and U.S. research institutes have now already established institutional cooperation. China founded the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/ CC) in October Its main task is to coordinate China s nationwide Computer Emergency Reaction Team (CERT) operations to deal with online emergencies, to provide technical and service assistance, and to organize international cooperation with similar agencies. Under the banner of its proposed East-West Institute, CNCERT has already brought together Chinese and American experts for an Institution on Sino-U.S. Cyber Security Dialogue. As of June 2010, these experts have met on three separate occasions. China and the United States are also launching intergovernmental communication meetings and dialogues on cybersecurity issues. The PRC also supports multilat- [189]

6 CHINA S CYBERSECURITY CHALLENGES AND FOREIGN POLICY eral cybersecurity cooperation. Officials believe that the United Nations is the appropriate forum to address information security issues. China supports the UN General Assembly and the UN Group of Governmental Experts on Information Security continuing their comprehensive indepth studies on threats and challenges in the field of information security. It also supports their goal of developing reasonable and feasible measures within the context of international security and arms control. 14 In sum, cybersecurity has emerged as an important issue in the field of international security. All countries face the same basic vulnerabilities in cyberspace. Security dilemmas may lead to a cyber arms race and to deteriorating security of cyberspace. Humankind has already suffered two World Wars and a Cold War in the last century. Such historical tragedies demand that states discard a zero-sum game mentality. Enhancing cybersecurity serves the common interest of all countries and is also the common responsibility of the individual states. The global cybersecurity challenge could provide opportunities to promote international coordination, to better coordinate the activities and interests of governments and private sector, and to intensify communication among technological and service departments and ministries. Chinese leaders believe that as long as all countries acknowledge existing problems and demonstrate the political will to address them, the international community can arrive at a consensus regarding the appropriate means to deal with threats and challenges in the field of information security. 1 China Internet Network Information Center (CNNIC), Statistical Report on Internet Development in China, Internet, uploadfiles/pdf/2011/2/28/ pdf, 3-5 (date accessed: (29 April 2011). 2 Ibid, Ibid, All Chinese E-Government websites are located at 5 Markus Koettner, Know Your Enemy: Tracking Botnets, Internet, papers/bots/ (date accessed: 13 May 2011). 6 Paper of New Culture, Internet, news.163.com/10/0201/01/5udbqdi j. html (date accessed: 25 April 2011). 7 Tanya Branigan, Wen Jiabao talks of democracy and freedom in CNN interview, The Guardian, Internet, oct/04/wen-jiabao-china-reform-cnn-interview (date accessed: 27 April 2011). NOTES 8 content_ htm. 9 Cong Peng (Ed.), Comparative Studies: Security Concepts of Great Powers, (International Affairs Publishing House: 2004); Meng Xiangqing, Shanghai Five Regime: Successful Practice of New Security Concept, PLA Daily, [Jiefangjun Bao], 12 June Information Security, Ministry of Foreign Affairs of the People s Republic of China, Internet, t htm (date accessed: 1 May 2011). 12 China: Information Security, A June 1999 report from U.S. Embassy Beijing, Internet, html (date accessed: 30 April 2011). 13 The website for National Computer Network Emergency Response Technical Team/Coordination Center of China is 14 See note 11 above. [190] Georgetown Journal of International Affairs