Governing Cybersecurity

How is Beijing thinking about the future of cybersecurity governance? In this analysis, cybersecurity expert Dakota Cary unpacks a chapter from the Cyberspace Administration of China’s July 2023 volume, General Secretary Xi Jinping’s Introduction to Important Ideology Regarding China as Cyber Powerhouse, which outlines the CCP’s views for the future of the internet both behind and beyond China’s Great Firewall.


Dakota Cary

Nonresident Fellow, Global China Hub, Atlantic Council
Consultant, SentinelOne

After the Cyberspace Administration of China (CAC) implemented sweeping new vulnerability-disclosure regulations in September 2021, chapter 5 of its freshly published book General Secretary Xi Jinping’s Introduction to Important Ideology Regarding China as Cyber Powerhouse paints an expansive role for the government in cybersecurity regulation, verification, enforcement, visibility, and development. Placed midway through the eight chapters of the book and surrounded by content regarding the shaping of public opinion online and engagement with the international community, chapter 5 focuses specifically on core issues in cybersecurity policymaking. Above all else, the chapter signals that the CAC envisions a system where no part of cybersecurity escapes government oversight.

For analysts, the chapter’s most impactful part may be section two, “Establishing a Correct View of Cybersecurity.” The CAC outlines key guideposts that shape current and future policymaking. Most importantly, the authors place clear emphasis on the need for industry to shoulder responsibility for cybersecurity and reiterate that “establishing an open environment” is an important step toward accountability. To this end, they state that “because of the global nature of the internet, the idea of keeping security behind closed doors is neither practical nor feasible.” This idea is already being enacted through the regulatory inspections that bureaucrats can execute under China’s Multi-Layer Protection System (MLPS) cybersecurity regulations or under the Personal Information Protection Law, which permits inspections and requires authorizations for data export. When considered alongside content in sections 3 and 4, and in the context of the 2021 vulnerability-disclosure regulations, it becomes apparent that this “openness” is central to the future of cyber policy in China.

Section 3, “Comprehensively Strengthen Cybersecurity Systems and Capacity Building,” outlines five key areas that the government should strengthen:

  1. Security measures for critical information infrastructure: The CAC wants industry and government to view the cybersecurity of critical information infrastructure as “one game of chess,” implying coordination between pieces on the board and the need for uniformity of purpose. To this end, the chapter urges the government to “strengthen threat information sharing.”

    In December 2023, the CAC published draft regulations for reporting cybersecurity incidents. According to legal guidance by a law firm operating in China, covered entities are required to report “significant or extremely significant” cybersecurity issues to the appropriate regulators within one hour. It is unclear how the CAC system will work in coordination—or competition—with the Ministry of Industry and Information Technology (MIIT), whose Cybersecurity Threat and Vulnerability Information Sharing Platform also collects incident reports from businesses. Regardless of their bureaucratic imperfections, the government clearly intends to have industry incident reporting be as close to real-time as possible. This visibility would enable the government to coordinate the defense of China’s critical information infrastructure.
  2. Cybersecurity situation sensing and emergency response: If task one is to report and collect data, task two is to use government oversight and inspection to prompt the coordination of industry response. Here again, the CAC emphasizes the need to share incident and risk information across diverse audiences to enable timely emergency responses. The authors even include reference to coordinating information on “foreign countries’ security threats,” though the mechanisms for this are not specified. I have speculated elsewhere that coordination through national computer emergency-response teams (CERTs) is most likely. But incident information collected by Chinese companies abroad is also possible.
  3. Network security review: The CAC authors indelicately indicate they hope to use “legal weapons”—i.e., costly regulations—to force industry to implement security-management requirements. If they want their weapons to be sharp, they will need to increase the small fines that the Cybersecurity Law authorizes regulators to impose.
  4. Data security management: Referencing existing data-export regulations, the authors note the need to establish a comprehensive regulatory system over the flow of data.
  5. Protection of personal information: The CAC uses perfunctory language to pay lip service to the protection of people’s personal data. Beijing’s policies have thus far not alleviated the sale of personal information within China or the amount of data collected by China-based technology companies on their users.

In section 4, “Laying the Foundation for Cybersecurity,” the authors outline their vision for the government to play a critical role in coordinating cybersecurity policy, from major projects to industry collaboration to the education system. The authors reference ongoing work to build the National Cybersecurity Talent and Innovation Base in Wuhan, which will include a National Cybersecurity School and government and private sector research labs; to certify more academic institutions as World-Class Cybersecurity Schools; and to evaluate education and talent through a variety of mechanisms. The CAC’s stated goals align well with other public documents to which I have drawn attention over the last few years regarding talent development. The authors hope to identify the “prodigies and geniuses” that arise from this talent pipeline and to “recruit talents extensively and place them into important positions.”

The section on “Laying the Foundation for Cybersecurity” ends with a discussion of China’s goals to influence international standard-setting organizations, stating, “Whoever sets the standards has the right to speak; whoever controls the standards has the commanding heights. . . . It is necessary to. . . propose more standards that reflect China’s views and demonstrate international morality, and actively participate in the formulation of international standards and rules for cyberspace.” (China’s view of this “right to speak” in international systems was covered in an excellent 2020 report by the National Bureau of Asian Research.) Suffice it to say that influence in international standard-setting bodies will, among other things, allow Beijing to influence the implementation of technology outside its jurisdiction to its benefit. But China’s success in international bodies is not a foregone conclusion and is actively contested by the United States and European Union.

Overall, this chapter of the CAC’s book identifies a clear trend in mainland China’s cybersecurity policy: more government oversight, regulation, and involvement in every aspect of the domain. For the past decade, the Chinese Communist Party has grappled with the political implications of a poorly governed internet domestically and the much more daunting prospect of free speech abroad. Cybersecurity breaches of important government facilities and private enterprises have created a “government should see all” mentality.

In hindsight, China’s software-vulnerability regulations augured this trend. That system, which includes mandatory bug reporting and offers companies government assistance to patch vulnerabilities, already demonstrates the likely path forward. The CAC may soon mandate the disclosure of cybersecurity incidents to relevant authorities. Local CAC offices and relevant industrial regulators may zealously interpret the severity of incidents to force penalties on companies, while others may seek to downplay the severity of incidents that they become aware of within their remit. The MIIT’s and the CAC’s competing regulatory systems foreshadow more compliance problems ahead for companies operating in China. For U.S. policymakers, more worrying is the prospect of Beijing’s increased visibility into China’s diverse and fractured tech system.
