6026 Cybersecurity China

To what extent is China a constructive force in the creation of international rules and regulations on

management of cyberspace?

Anastasia Stitch

Abstract

The proliferation and accessibility of the Internet have had vast, unanticipated implications for

contemporary international relations. Whilst it cannot be denied that this technological advancement

has fostered economic growth, as well as facilitated cooperation and communication, cyberspace has

become a virtual platform for cybercriminals to exploit the vulnerabilities of the unstructured digital

architecture. With no one centralized form of governance to manage these threats, it has become clear

that governments must open dialogue with one another, with the hope of building a framework for

managing cyberspace globally. Within this debate, China has taken clear steps towards showing the world

that it can be an active and responsible stakeholder, through proposing an international code of

conduct for information security to the Secretary General of the United Nations in 2011. However, the

liberal democratic values of upholding “fundamental rights” and fostering transparency

and openness are in complete contrast to China’s tightly controlled grip over freedom of information.

This paper will consider in depth the degree to which China can be viewed as a constructive force in

the creation of international rules and regulations on management of cyberspace.

Introduction

This paper will consider to what extent China is a constructive force in the creation of international

rules and regulations on management of cyberspace. Cyber security has become a key item on the

majority of states’ agendas in recent years. This can be attributed not only to the increased speed, but

also to the sharp reduction in the cost of transmitting information. At the beginning of the 21st century

computing power cost one thousandth of what it did in the early 1970s. This has staggering

implications for international relations as we witness power “diffusing” from states to individuals and

private organisations (Nye, 2010).

The current technological revolution has had incalculable benefits, driving economic growth and

providing new ways for people to communicate and cooperate worldwide. At the same time, the

“diffusion of power” away from the state, to a virtual digital architecture has provided vast incentives

for individuals to exploit the unregulated cyber realm. States are becoming increasingly aware that

cyberspace has become a new battleground for international politics. It requires rules, regulations, and

open dialogue between states in order to establish basic international norms. As it stands, there is no

overarching international governance regulating cyberspace. With hacking, industrial cyber

espionage, and cyber terrorism on the rise, cyber security has become a key concern for many

governments. Despite the shared anxiety, given the difference in political character between western liberal

democratic governance and Chinese state-controlled authoritarianism, cyber security has

become an intractable issue at the global level. Within this context, it is necessary to consider if China

can be viewed as a responsible, constructive power, capable of contributing to the creation of a set of

international rules and regulations on management of cyberspace.

Cyber Security and World Order: a “Wicked Problem”?

In order to make a clear judgment as to whether China is a constructive force in the creation of

international rules on the management of cyberspace, it is vital to shed light on the broader context of

cyber security as an encroaching concern for governments in a global context.

Liberal democratic countries such as the United States, the United Kingdom, and Canada have cyber

security strategies that advocate an “open” and interoperable cyberspace. For example, the UK

Government has set aside £650 million of public funding for a four-year National Cyber Security

Programme. The role of the government, however, is largely to ensure that individuals themselves

have the tools and knowledge to protect themselves against cyber security threats. On the other side of

the Atlantic, the United States has outlined its key objectives in the International Strategy for

Cyberspace, 2011. The U.S.’ strategy emphasises democratic values such as the rule of law,

innovation, free speech, privacy and the free flow of information (International Strategy for

Cyberspace, 2011).

What is important to highlight is that an American-led democratic international strategy for the

management of cyberspace might not be attractive or easily applied to all states. Here, we can speak of

distinctive information cultures, where a melange of factors ranging from the nature of the economy,

the level of economic development, as well as historical factors have undoubtedly led to differences in

attitudes and values about information in different societies (Suttmeier, 2012). This has strong

implications for international cooperation on information and cyber security. In order to highlight this,

it is useful to consider a brief analysis of the Asia Pacific region’s diverse cyberspace strategies.

Whereas most “western” countries share similar objectives when it comes to the rules and regulations

of managing cyberspace, it is not as clear-cut in regions such as the Asia Pacific. Asia now comprises

45% of the world’s Internet population and is continuing to grow at a rapid, incremental rate. China

makes up half of the region’s Internet population. These factors alone indicate that the culture of global

cyberspace will transform over the next few years. Far from being a homogenous region, the Asia

Pacific is diverse and dynamic. As a result there are diverse cyberspace policies adopted throughout

the region from “free-wheeling zones of entrepreneurialism, to islands of state control” (Deibert, 2011:

1). China is a clear example of the latter, where what is known colloquially as the “Great Firewall of

China” refers to the strong censorship and surveillance of Internet information and activity. Whilst this

is expected in authoritarian regimes, in other Asian non-authoritarian regimes such as South Korea,

strict Internet censorship is also adopted, justified on the basis of national security. There has been

growing pressure to tighten control of cyberspace in the region because of concerns about

“cybercrime, copyright infringement, public morality and decency, or the enforcement of slander and

libel laws” (Deibert, 2011:4).

What makes the creation of international rules and regulations for cyberspace a “wicked problem” is

simply the fact that cyber security means different things for different governments. A clear example

is the contrast between the United States and China. For the U.S., cyber security largely relates to

hardware: the protection of networks, routers, and computers, whereas in the case of China, the focus

is on “information security” which includes both hardware as well as threats of content. Therefore,

China can be viewed as being concerned not only about a hacker who gets into the power grid, but

also Twitter and Facebook (Segal, 2013). Furthermore, when looking at cyber security from this

broad perspective, we see countless factors that make management of cyberspace such a contentious

issue. For example, it has been argued that the boundaries between states have become more blurred in

the current age of digital revolution; however, despite the fact that the Internet has no formal state

borders, it remains a place in which state entities operate and about which they care deeply. Secondly, what makes

cyber security an intractable issue at the state level is that there is a large knowledge gap between

those who can be identified as “digital natives” vs. “digital immigrants”. Most policy-makers tend to

be in the latter category, and are usually the most uncomfortable about cyber issues, yet it is their job

to respond to these threats adequately. Furthermore, compounding this, there is the issue of uncertain

attribution. “It is rarely possible to identify with complete confidence the actual initiator of a malicious

cyber activity” (Lieberthal & Singer, 2012).

Lastly, one of the many factors making cyber security a pernicious concern for states is the issue of the

range of vocabulary and concepts adopted by different states to describe activity in cyberspace. As

was mentioned previously, cyber security is a contested phrase, meaning different things for distinct

information cultures depending on their political, socio-economic, and religious nature. This is an

issue that must be considered at the international level when developing a set of rules and regulations

for managing cyberspace. The cyber realm is characterized by highly technical concepts where “even

the most basic terms can be loaded with meaning”.

“Authoritarian Informationalism”: The Chinese approach to cyberspace

Much can be said about a state’s likely behaviour internationally from the way it conducts its

affairs internally, on the domestic level. Therefore, when considering the extent to which China could

be a constructive force in the creation of international rules and regulations on management of

cyberspace, one must assess the nature of China’s security policy environment, its treatment of

cybercriminals, as well as China’s perspective on cyber security at large.

Unlike the U.K. and the U.S., which were briefly considered above, China does not have a monolithic,

coordinated policy approach to cyber security. Although political power is centralized in the Chinese

Communist Party (CCP), “Chinese governance is fragmented regionally and functionally”… “for

civilian or industrial cyber security, China has to contend with a complicated tangle of regulatory

institutions, inconsistent implementation of policy directives, and public and private sector actors

pursuing incompatible interest” (IGCC, 2012). China’s civilian national cyber security strategy,

released in 2003, is known as “Document 27: Opinions for Strengthening Information Security

Assurance Work.” Document 27 promotes a principle of “active defence” and establishes policy

foundations for “critical infrastructure protection, cryptography, dynamic monitoring, indigenous

innovation, talent development, leadership, and funding” (Goodrich, 2012). In China, authoritative

Chinese sources “paint a cyber threat picture with three general components”: “hacking and

cybercrime; Internet information management and propaganda; and military vulnerabilities” (Cooper

III, RAND, 2012).

Chinese authorities see social media platforms as the primary source of political destabilization and

popular discontent. Therefore, Internet control and censorship in China can be seen as being

inextricably linked to the protection of the sovereignty and integrity of the CCP.

Despite the long catalogue of popular websites blocked in China, including Facebook and Twitter,

Weibo is a Chinese microblogging website with well over 30% of Internet users, and is known as

Chinese Twitter. It offers ordinary citizens the opportunity to post videos, comments and messages,

providing a new source of public pressure on the government. According to Kaiser Kuo, the director

of Corporate Communications at Baidu.com, “there’s never been a time when there’s been a

comparably large and impactful public sphere. It’s now driving, in many ways, the entire national

dialogue”. However, despite Weibo being seen as an opportunity for creative expression, it is

impossible for the website to be used to organize a social movement or to revolt against the CCP.

Chinese blogger and journalist Michael Anti explains, “as soon as you use the word ‘gather’, the

keyword would get picked up, and the warning would be sent to the local police station”. In this sense,

Weibo can be seen as “Censorship 2.0.”

With the increase of online businesses and “netizens”, a complex underground criminal economy has

emerged. The growing rate of domestic cybercrime in China is comprised of a large underground

market targeting virtual goods. According to Zhuge Jianwei of Tsinghua University, a structural

analysis of the underground economy indicates that there are four value chains: “1) Real asset theft:

stealing money from accounts or credit cards; 2) Network virtual asset theft; 3) Internet resource and

services abuse; 4) Black hat techniques, tools and training: selling Trojan horses and attack tools

employed to provide technical support for the cybercriminals, and providing training services to

newbies” (Jianwei, IGCC, 2012). Based on Jianwei’s structural analysis, it is estimated that the overall

damage caused by this underground cyber economy amounts to 5.36 billion

RMB, affecting 110.8 million Chinese users (~22%). This has led to a tightening of the surveillance

and tracking of online activity in order to “prevent” cybercrime through what is known as the Chinese

“Great Firewall”.

This “Great Firewall” has been supplemented through a “complex system of ever-deepening

information controls ranging from informal pressures to formal laws and a myriad of private sector

regulations designed to capitalize on information flows while minimizing their adverse social and

political impacts” (Deibert, 2011: 2). Google, the West’s leading search engine, attempted to play by

China’s rules and introduced a self-censored search engine there in 2006, but withdrew its service in

2010 because it was allegedly being hacked (The Economist, April 6, 2013). This is just one of many

accounts of Chinese national “hacktivism”. According to Aljazeera’s “China’s Cyber Warriors”,

Chinese hackers are referred to as “red visitors” or “crusaders on a mission or fight a perceived anti-China

bias in the world” (2010). China fears it is too reliant on the West, as American technology

standards are used globally. According to Chinese sources, 90% of chips and other technologies are

imported from the United States, and an additional 65% of encryption technologies from the West.

This fear of dependency on the West led to the 2006 Medium to Long Term Plan on Science and

Technology (MLP) where it is stated “facts have proved that, in areas critical to the national economy

and security, core technologies cannot be purchased.” (Segal, 2012). The Chinese therefore focus on

unfair advantages and China’s victimization (of cybercrime).

China has been accused of harbouring “patriotic” hackers who are motivated by three kinds of

hacking: 1) Political espionage or intimidation: going after government and international agencies such

as the IMF, as well as think tanks, Tibetan activists, and others that challenge China’s state sovereignty.

2) Industrial cyber espionage: China has been accused of stealing U.S. trade secrets and other national

property in order to move up the “value chain” in R&D. 3) Cyber attacks in a military conflict: it is

argued that in a conflict against a technologically superior adversary the PLA would want to seize

information control very early on (Segal, 2012).

However, from a Chinese perspective, the picture looks entirely different. China feels equally, if not

more, threatened by cyber attacks than those in the West. Tang Lan in Crux of Asia: China, India

and the Emerging Global Order states that “each year, the National Computer Network Emergency

Response Technical Team Coordination Center of China (CNCERT) deals with serious attacks on

government, financial institutions, and commercial websites”. Since 2004, the Chinese government,

recognizing the importance of cyberspace as the “central nervous system of China”, has equated cyber

security with political security, economic security, cultural security, and military security as the five

major challenges the country faces (Lan, 2013: 191-192). Furthermore, China views the United States

as a hypocrite for accusing China of hacking, especially since Stuxnet, which was discovered in 2010, is

widely believed to have been created by the U.S. and Israel to attack Iran’s nuclear facilities. The

Chinese press has reported that “a growing number of Chinese public institutions and companies have

been threatened by cyber attacks from other countries or regions” and that “a total of 85 websites of

public institutions and companies were hacked from September 2012 to February 2014, including

government agencies, a provincial examination authority, a property insurance company and a virus

research facility in central China”… “it is noted that attacks on 39 of those websites were recorded

from IPs within the United States” (Xinhua, 2013). The Chinese national press asserts that “the US’

exaggerations of the threat posed by Chinese hackers are aimed at creating an environment to

accelerate its capability to carry out a cyber war” (Global Times, 2013). These messages are part of a

campaign aimed at non-aligned countries who worry about U.S. intentions of cyber hegemony.

Is China a constructive force or a force to be reckoned with in the creation of international rules

and regulations on management of cyberspace?

If one is to reach an adequate judgement as to whether China is a constructive force in the creation of

international rules and regulations on management of cyberspace, the dialogue must expand beyond

American and Chinese accusations and counteraccusations over who is responsible for the most cyber

hacking. This narrow focus serves to increase suspicion and mistrust, making any form of international

cooperation near impossible.

Whilst China has a distinctively authoritarian approach to “information security”, the government has

taken steps towards showing its ability to abide by existing international norms. On September 12,

2011, the permanent representatives of China, Russia, Tajikistan and Uzbekistan to the United Nations

submitted a letter jointly to the United Nations Secretary-General Ban Ki-moon, asking him to

distribute the International Code of Conduct for Information Security drafted by their countries as a

formal document of the 66th session of the General Assembly. This was a clear attempt to encourage

open dialogue towards reaching a consensus on establishing international rules and regulations on

managing information and cyberspace.

The principles enshrined in the letter require that countries “shall not use such information and

telecom technologies as the network to conduct hostile behaviors and acts of aggression” or to

“threaten international peace and security” and stress that countries have the rights and obligations to

protect their information and cyberspace as well as key information and network infrastructure from

threats, interference and sabotage attacks. Furthermore, they advocate establishing a multilateral,

transparent and democratic international Internet governance mechanism, “fully respecting the rights

and freedom of information and cyberspace with the premise of observing laws, helping developing

countries develop the information and network technologies and cooperating on fighting cyber crimes”

(Ministry of Foreign Affairs of the People’s Republic of China, 2011).

While these are clear steps towards opening discussions over the future of international governance of the

Internet, the document’s proposal to curb “the dissemination of information that incites terrorism,

secessionism, or extremism, or that undermines other countries’ political, economic, and social

stability, as well as their spiritual and cultural environment” is problematic because of the

generality of its wording. Syracuse professor and Internet governance expert Martin Mueller warns

on the Internet Governance Project blog that “that section would give any state the right to censor or block

international communications for almost any reason”.

If the 2011 International Code of Conduct for Information Security is not an attractive proposal, then

what would a successful international framework for managing cyberspace look like? Multilateral

coordination is a must. I agree with Ron Deibert, professor of Political Science, and Director of the

Canada Centre for Global Security Studies and the Citizen Lab at the Munk School of Global Affairs,

University of Toronto, who argues that “considering the fact that there is no one “centre” of

cyberspace governance, policy should be coordinated across many different forums, from APEC and

ASEAN to the G8 and G20”.

The distinctiveness of information cultures around the world highlights that countries must move

towards a broad normative international framework, one that underscores the basic rules and

regulations that are seen to be valuable universally. Furthermore, any overarching international

cyberspace agreement must have a strong respect and understanding of the attitudes and values

towards information found in different societies.

Whilst China has yet to develop a cyber policy, this is not a sign that it doesn’t have the characteristics

necessary to be a constructive force in the creation of international rules and regulations. It is

important to recognize that China is in a far more disadvantaged position than that of the United States,

Europe or Canada. The US has the ability to monitor activities, whereas China doesn’t have the

capabilities to do so. This leaves China in an extremely vulnerable position. When we think of cyber

security in Asia, “images of Chinese-based cyber espionage networks and repeated high-level

breaches of corporate and government assets in the U.S., Canada, and Europe” come to mind; however, “statistics on

cybercrime suggest that China and most other rapidly ICT-developing Asian countries are massive

breeding grounds of the types of vulnerabilities and insecurities in which cybercrime thrives” (Deibert,

2011: 3).

The fact that Asia now comprises 45% of the world’s Internet population has staggering implications for

the culture of global cyberspace. There is an obvious tension between the hands-off, open Western

cyber strategies and those of Asian countries, which feel more compelled to control the Internet

because of concerns about cybercrime, copyright infringement and public morality.

Conclusion

As a rising economic power, China has taken great strides in making “Information Security” a top

priority. China has a fractious network of military, intelligence and other state entities involved in

cyber policy who are concerned about international and domestic security. On the domestic front,

Chinese networks face “idiosyncratic risks”: “ballooning levels of domestic cybercrime, widespread

dependence on Western software, and uneven legal regimes and enforcement” (IGCC, 2012: 3). A

failure to understand China’s domestic civilian context of cyber security could lead to a profound

misunderstanding of its international intentions.

Given China’s fear of dependency on Western countries for technology, China’s MLP (Medium to

Long-Term Plan) for scientific and technological development and its Strategic Emerging Industries

(SEI) initiative have incentivised Chinese R&D efforts in chip design, software, and developing their

own intellectual property (IP). This is a signal that China is taking large steps to become a leading

“cyber power”, one that will play an essential role in the creation of international rules and regulations

for the management of cyberspace.

Many people wonder: given China’s different domestic cyberspace regulatory position,

how does it expect to reconcile its differences with the wider international community, let alone take a

leadership role in establishing international norms/frameworks? In the new information age, where

power is being diffused from the state level and new opportunities for exploiting the vulnerabilities

inherent in computers exist, an international cyber security strategy must take into account the

distinctive information cultures in dynamic regions such as the Asia Pacific.

An international agenda for cyber security should be a realistic, broad framework that takes into

account not only powerful states such as the U.S. and China, but also influential non-state actors of the

cyber realm. There is a need to expand engagement to “track 1.5” dialogue, where “government

officials participate in non-government dialogue” (Lieberthal & Singer, 2012). Instead of focusing on

domestic political characteristics, an international normative framework on cyber security should

focus on activities that virtually all states deem harmful and discuss methods of reducing the harm as a

first step. These discussions should make space for new methods of cooperation, facilitating efforts on

norm building and building up trust. Considering China’s steps in the direction towards a code of

conduct on information security, I firmly believe that China would be a constructive force in the

creation of international rules and regulations for the management of cyberspace.

Bibliography of Sources

Aljazeera, “China's Cyber Warriors,” 101 East, 8 April 2010, 22 minutes, http://www.youtube.com/watch?v=eghmqZZKVb8

Cooper III, C.A. “Chinese Perceptions of and Strategic Response to Threats in Cyberspace”, in China and Cybersecurity: Political, Economic and Strategic Dimensions, IGCC, April 2012.

The Economist, “Cyber-hacking, Masters of the cyber-universe”, April 6th 2013, http://www.economist.com.hk/news/special-report/21574636-chinas-state-sponsored-hackers-are-ubiquitousand-totally-unabashed-masters

Goodrich, J. “Chinese Civilian Cybersecurity: Stakeholders, Strategies, and Policy”, in China and Cybersecurity: Political, Economic and Strategic Dimensions, IGCC, April 2012.

Global Times, 2013-2-21, “Hacker claims reflect US intention of cyber hegemony”. http://www.globaltimes.cn/content/763429.shtml

Healey, J. “China is a Cyber Victim, Too”, Foreign Policy.com, April 2013. http://www.foreignpolicy.com/articles/2013/04/16/china_is_a_cyberwar_victim_too

“International Strategy for Cyberspace: Prosperity, Security and Openness in a Networked World,” Office of the President of the United States, May 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.

Jianwei, Z. “Investigating the Chinese Underground Economy of Information Security” in China and Cybersecurity: Political, Economic and Strategic Dimensions, IGCC, April 2012.

Joseph Nye, “On Global Power Shifts,” TED Talk, July 2010, 18 minutes, http://www.ted.com/talks/joseph_nye_on_global_power_shifts.html

Kenneth Lieberthal and Peter Singer, “Cybersecurity and U.S.-China Relations,” Brookings Podcast, 23 February 2012, http://www.brookings.edu/research/papers/2012/02/23-cybersecurity-china-us-singer-lieberthal.

Letter dated 12 September 2011 from the Permanent Representative of China, the Russian Federation, Tajikistan and Uzbekistan to the Secretary General of the United Nations.

Mary Kay Magistad, “How Weibo is Changing China,” Yale Global Online, 9 August 2012, http://yaleglobal.yale.edu/content/how-weibo-changing-china

Ministry of Foreign Affairs of the People’s Republic of China, “China, Russia and Other Countries Submit the Document of International Code of Conduct for Information Security to the United Nations”, 2011-09-13, http://www.fmprc.gov.cn/eng/zxxx/t858978.htm

Mueller, M., & Chango, M. “Disrupting Global Governance: The Internet Whois Service, ICANN and Privacy.” Journal of Information Technology and Politics, Vol. 5, No. 3, 303-325 (2008).

Mueller, M. “Internet Governance Project”, http://www.internetgovernance.org/people/milton-mueller/

Ningzhu, Z. (ed). “Chinese institutions, companies threatened by overseas cyber attacks: report”, Xinhua, March, 2013. http://news.xinhuanet.com/english/china/2013-03/10/c_132223206.htm

Ron Deibert, “Asian Cyberspace on the Rise: Challenges and Opportunities for Canada,” Canada-Asia Agenda, 13 September 2011, 5 pp. http://www.asiapacific.ca/sites/default/files/filefield/ron_deibert_sept_13_v2.pdf.

Tang Lan, “China’s Perspective: Cyber Security,” in Ashley Tellis and Sean Mirsky, eds., Crux of Asia: China, India and the Emerging Global Order, (Carnegie Endowment, 2013), pp. 185-95, http://carnegieendowment.org/files/crux_of_asia.pdf

The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf.

Segal, A. “The People’s Republic of Hacking,” Foreign Policy.com, January 31, 2013 http://www.cfr.org/china/peoples-republic-hacking/p29909?cid=emc-ACC_Spring13_BCK- -China_Hacking-04513

Segal, A. ICS Academic Conference Call: “China, Cybersecurity, and Crisis Stability”, April 25, 2013. 12:00pm-1:00pm. Mershon Center for International Security Studies, room 120.

Suttmeier, R.P. “Information and the Dynamics of Innovation”, in China and Cybersecurity: Political, Economic and Strategic Dimensions, IGCC, April 2012.