China pursues a strategy of aggressive cyberspace management and is in the midst of fostering a military cyber force to further the Chinese Communist Party’s (CCP) primary interest: to stay in power. Secondary considerations that directly or indirectly support the continuation of CCP rule include the preparation for military conflict, the sustainment of economic growth, the control of content and of expression online as well as the reinterpretation of what it means for a country to manage the Internet. 
The Chinese leadership has recognized that the proliferation of information technology has the potential to enhance economic output in a globalized world, though it also recognizes that the same technology has the potential to undermine CCP rule. China now has the largest online population in the world, surpassing 649 million users, though close to half of its population is still without access to the Internet (Cyberspace Administration of China, February 3). While the Chinese government wants to help its citizens get online to foster economic growth and stability, it also wants to be able to steer discourse toward “rational use of technology” and limit accessible information to maintain political legitimacy (State Council Information Office, June 8, 2010). This need for control manifests in China’s cybersecurity strategy.
You Say “Cyber,” I Say “Network”
The divergent use of terminology for cybersecurity between Western states and China is important to delineate. The Chinese concept for “cybersecurity” is understood as “network security” (wangluo anquan), couched under the umbrella term of “information security” (xinxi anquan), and includes the “use of information…to influence or control the direction of an opponent’s decision-making activities.” Unlike the more direct and limited scope of the term “cybersecurity” used in the West to concern the “ability to protect or defend the use of cyberspace from cyber attacks,” the use of the term “network security” in China implies that China conceives of network security as having national security implications, and hence economic, political and social components (NIST, Glossary of Key Information Security Terms; Xinhua, February 27, 2014).
Objective: Secure CCP Rule
The most important goal for China is to maintain CCP control: without power and the projection of legitimacy to its population, the Party would not be able to govern. China’s cybersecurity strategy is derived from this main driver. Other manifestations of China’s cybersecurity strategy include: maintaining economic growth and stability, which involves industrial economic cyber espionage of foreign targets; protecting the governing power of the CCP through information control, propaganda and targeting of domestic sources of potential unrest; preparing for military scenarios and ensuring military superiority in the event of cyber conflict with an adversary through military modernization, computer network operations research and human capital cultivation; and advancing alternative narratives of government control over/handling of cybersecurity internationally (e.g., promoting sovereignty of states to control the Internet within a country’s borders) and domestically (e.g., justifying domestic surveillance, information control).
Economic growth is a secondary consideration, but an essential component in keeping the CCP in power. To the central leadership, providing consistent improvement in the livelihoods of the Chinese population is essential. In order to facilitate that growth, the Chinese government conducts or commissions state-sponsored entities to exploit the cyber domain as a vehicle to obtain valuable information for economic gain. Chinese actors or state-sponsored actors exfiltrate the intellectual property of foreign companies. Industrial cyber espionage, where countries and non-state actors exfiltrate large amounts of industrial economic information including trade secrets, research and development as well as products, occurs at a massive scale in China. While many U.S. and Western analysts and significant public attention focus on this aspect, they must remember the broader motivating factors beyond their immediate economic or security impact.
Political control is a necessary factor in China’s cybersecurity policy, and China also employs or sanctions cyber activity (e.g., limits to information access on the Internet and social media) in the name of protection of domestic political stability. The Chinese government targets “revisionist organizations,” “separatists, extremists, splittists” and Western imperialist forces that aim to disrupt social stability. The government then screens the Internet and social media and promotes propaganda to counter these “forces” (Ministry of Foreign Affairs). For example, China has created the Great Firewall, an intricate system of Internet controls that filters out “harmful” domestic and foreign content and communications which, in practice, creates a Chinese intranet that connects to the greater Internet infrastructure through a cyber “demilitarized zone” complete with filters, deep packet inspections and other forms of “cyber border security.”  The Chinese government worries that unrestricted Internet access or uncontrolled information might pose a significant risk to the Chinese communist regime’s stability and hold on power.
An example where the Chinese government indirectly supports the control of information is through the social media platform WeChat. An amalgamation of Western equivalents for Facebook, Twitter, Instagram, WhatsApp and Venmo/PayPal, WeChat is a platform that has over 500 million active users worldwide, with the vast majority of active users located in China. As the Chinese government had made these distinct individual Western platforms nearly impossible to access in China (unless accessed through a Virtual Private Network, or VPN), Chinese web users are forced by limited options to use Chinese platforms—which are easily controlled by the Chinese government—over Western alternatives.
China has since strongly emphasized the importance of information and communications technology for the future of warfighting, aspiring to prevail in “local wars under informatized conditions by 2050” (Information Office of State Council, China’s National Defense in 2006). Network operations “are expected to play an important role” in military scenarios involving Taiwan, other territorial or maritime conflicts, or the United States. China also devotes significant effort to studying its political and military adversaries’ military infrastructures, motivations, capabilities and limitations.
Chinese Leadership on Network Security and Internet Sovereignty
Two recent senior leader–level developments on network security are worthy of mention: the establishment of the National Security Commission in November 2013 and the formation of the Central Network Security Informatization Leading Small Group in February 2014. The National Security Commission underscored the importance of domestic security to the central government, as well as the government’s inclusion of a broad swath of topic areas including network security (People’s Daily, May 6, 2014). The Leading Small Group signaled a new, high-level prioritization of cyber as a major strategic initiative with political, economic and military implications and also indicated the relative importance of network security on the Chinese political agenda. Despite China’s ongoing efforts to coordinate and organize the network security infrastructure, however, it remains fragmented, partly as a result of the disjointed state of the Chinese government’s frequently overlapping and conflicting administrative bodies and managing organizations.
The CCP’s self-preservation priorities guide the dominant political domestic narrative and drive its foreign policies and foreign cyber activity, all of which complicates the United States’ and other countries’ abilities to shape China’s behavior in cyberspace. The Chinese government is attempting to alter how nations understand their role in Internet governance by advancing a concept called “Internet sovereignty.” Internet sovereignty refers to the idea that a country has the right to control Internet activity within its own borders, and it is what China refers to as a natural extension of a nation-state’s authority to handle its own domestic and foreign affairs (CPC News, July 22, 2014).
The movement is backed by Lu Wei, the head of the State Internet Information Office, the Cyberspace Administration of China and the director of a powerful cybersecurity strategy group comprised of China’s top leaders. Lu’s influence is backed by years of active Chinese promotion of Internet sovereignty in domestic propaganda efforts, government White Papers, Internet conferences, bilateral and multilateral meetings as well as United Nations meetings. China continues to engage the international community, wishing to signal to other countries that it is a responsible and cooperative actor on technology issues. Understanding that international norms and law have yet to codify Internet governance and cyber activity, China has invested significant effort to set the course for international norms in Internet governance.
Two recent developments that support China’s desire to control information and localize data are the consideration of the China Banking Regulatory Commission’s (CBRC), National Development and Reform Commission (NDRC), Ministry of Science and Technology (MOST), and Ministry of Industry and Information Technology’s (MIIT) new Guidance Opinion provisions on the use of foreign technology in China in September 2014 and the draft anti-terrorism law. The CBRC opinion would require that all technology used in China’s banking industry be “secure and controllable,” which would mean that foreign information technology firms would have to establish their own research and development centers in China, hand over intellectual property rights to Chinese institutions and file source codes with CBRC (CBRC, September 3, 2014). The anti-terrorism law would require similar actions as the CBRC regulation, but technology firms would also be required to install backdoors on information technology (IT) products, transfer encryption keys to the government, and maintain servers and store user data in China (Caixin, April 2).
Implications for China and Conclusion
While foreign nations, most notably the United States, continue efforts to persuade China to cease its activities in cyberspace that compromise U.S. interests, it is unlikely that China will heed U.S. demands. China’s motivations are internally derived, and primarily focused on regime stability. China will not alter its activity in cyberspace if risks remain low, benefits remain high, and if solutions threaten CCP rule, potentially introduce instability or impinge on China’s “core interests.”
However, as China continues to expand its Internet population and continues to grow in economic and political influence, China will encounter serious challenges. First, there may be limitations of censorship and control over Internet content for a rapidly growing online population. The Chinese leadership will either have to innovate new methods for easy content control or dedicate substantially more resources to information control efforts. Second, as China’s economy continues to grow, it will focus on improving domestic industry and company access to foreign markets. However, limiting access to foreign information in China’s controlled Internet environment may limit the ability of Chinese companies to conduct international business or commerce. Additionally, China’s internal cybersecurity may suffer from vulnerabilities from poor network security infrastructure, where pirated software and security loopholes wildly proliferate (as an example, experts estimate that over 80 percent of PCs running Microsoft Windows use pirated software). The success of China’s cybersecurity strategy and its version of Internet governance also depends on the level of coordination on cyber issues across civilian and military leaderships. Lastly, convincing the broader international community to sign on to China’s version of Internet governance is, at the moment, an unappealing approach for many Western and developing countries. The road toward executing China’s vision for a comprehensive cybersecurity strategy looks rough ahead, though the investment of time and a strong will may prove skeptics wrong.
These views presented in this paper are my own and do not represent those of either Chairman Matt Salmon of the Asia and the Pacific Subcommittee or Chairman Ed Royce of the Foreign Affairs Committee, U.S. House of Representatives.
- For a more comprehensive analysis of the CCP’s cyber strategy, see: Amy Chang, Warring State: China’s Cybersecurity Strategy (Center for a New American Security, December 3, 2014).
- Timothy Thomas, “Nation-State Cyber Strategies: Examples from China and Russia,” in Cyberpower and National Security, eds. Franklin D. Kramer, Stuart H. Starr, and Larry Wentz (Washington: National Defense University Press, 2009).
- For a more detailed examination of the Chinese government’s Internet infrastructure and censorship system, see Economist, April 6, 2013.
- William Hannis, James Mulvenon and Anna B. Puglisi, Chinese Industrial Espionage: Technology Acquisition and Military Modernisation (New York: Routledge, 2013): p. 221.
- Financial Times, March 18.