excerpt from the “Cyber Strategy & Policy Brief (Volume 11/12 – November/December 2016)”
China´s goals and capabilities in the realm of cyber security represent a pressing issue for understanding Asian stability and, as Beijing expands its sphere of influence worldwide, also for international politics more in general. While the assessment of China´s capabilities remains complicated and controversial even among experts, two recent documents shed light on China´s goals and interests in this realm.
At the end of last year, China has in fact published two crucial documents on its cyber security policy. On November 7th, 2016, the Chinese government officially adopted its first law completely focused on cyber security, while just before the end of the 2016 it released the new national strategic document for cyberspace security.
The first "Law of the People´s Republic of China on Cyber Security"
As far as the "Law of the People´s Republic of China on Cyber Security" is concerned - entering into force next June - the aim declared in Article 1 is to guarantee network security in order to safeguard cyberspace sovereignty, national security and social interests, but also to protect the lawful rights and interests of citizens, legal persons and other organizations, as well as to promote economic and social development through technology.
Nevertheless, by reading the law in full, it can be highlighted that the whole regulatory pattern, as set by the Chinese legislator, actually aims at strengthening - resorting to the law - the Beijing government´s possibility and capability to control its citizens, and public and private actors operating on the territory of People´s Republic of China. What´s more, the regulation does nothing else but crystallizing duties and prohibitions, already informally in force, for both citizens and operators providing IT products and services.
In this view, by way of example, Article 12 expressly prohibits - inter alia - each person and organization from using the networks to prejudice Chinese honor or national interests, it also prohibits to encourage subversion of national sovereignty or overthrow of the socialist system or to spread forged information aimed at undermining economic and social order.
Talking about public and private actors, instead, despite the valuable effort made by the Chinese legislator to implement within the very same law some "minimum" security measures for network operators (Article 21) and for companies that can be classified as critical information infrastructures (Article 34), to which one or more of the seven "Cybersecurity and Data protection National Standards" currently undergoing public consultation - according to the interested field - shall be added, some doubts arise when looking at other articles of the law.
For instance, this is the case with Article 23, prohibiting the sale and supply of network equipment or network security products unless they are inspected and certified by a governmental agency attesting their compliance with the requirements of the Chinese law and national security standards.
This is also the case with Article 37 - one of the most controversial - requesting companies that can be classified as critical information infrastructures to store within mainland People´s Republic of China all the personal data and any other relevant information gathered or produced in China while carrying out their activities. Furthermore, in case for grounded business reasons such data and information should be sent abroad, the security levels of these very same companies shall be evaluated by specific State entities.
As it´s easy to notice, the approach of the Chinese Government is particularly strict, and basically follows the approach of many other countries such as Russia or Iran, as pointed out in May 2016 Cyber Strategy & Policy Brief.
Article 58 also raises some doubts in it directly assigning to the State Council or to Chinese governments of provinces, autonomous regions or municipalities - upon prior approval of the State Council - the possibility to temporarily limit IT communications, should it be necessary to protect national security, public order or to counter serious security incidents affecting citizens.
Finally, Article 75 specifies that, should foreign entities, organizations or individuals carry out attacks, intrusions, interferences, damages or other activities that may jeopardize Chinese critical information infrastructures, causing serious consequences, the Ministry of Public Security and other governmental entities in charge shall not only be legally responsible but might also decide to freeze the assets or adopt further not better specified punitive measures.
After reading on the whole the first "Law of the People´s Republic of China on Cyber Security", although the Chinese legislator´ significant and valuable effort is clearly intended to organize and harmonize the whole field of cyber security within a single law, some concerns cannot be left out on those provisions evidently aimed at ensuring the Chinese government a strong domestic control on all the activities conducted in and through the cyberspace by citizens, and both national and international public and private operators.
The new National Cyber Security Strategy
Published on December 27th, 2016, the new Chinese cyber security strategy is mainly focused on two strategic goals strictly connected with the above-mentioned "Law of the People´s Republic of China on Cyber Security", namely safeguarding cyberspace national sovereignty and protecting national critical information infrastructures.
The safeguard of cyberspace national sovereignty is in fact the first and most relevant strategic pillar for the Chinese government within the document, at such a point that the will to safeguard it is explicitly declared, in open opposition to any attempt to use the Internet to overturn the Chinese national regime or to sabotage its sovereignty on the territory. To reach such a goal, Beijing also maintains that it is ready to use whatever means considered necessary, be it scientific, technological, legal, diplomatic or military.
The second pillar, dealing with the protection of national security, must be read together with the previous one. In this case, the objective is to anticipate, repress and punish, as provided for by law, a series of behaviors that are well defined in the strategy, namely:
Yet, both the previously mentioned law and the new strategy give a very wide and, most of all, too general definition of critical information infrastructure, encompassing any structure affecting national security, the Country´s economy as well as the livelihood of its citizens.
In addition, the strategy analyses in depth many preventive cyber security activities exclusively aimed at protecting such structures, focusing attention on two elements:
In addition - in line with what provided for by Article 23 of the law examined above - the Chinese government reaffirms its intention to prevent governmental bodies from using technology products and services in the absence of prior inspection and certification by a governmental structure attesting their compliance with the provisions of Chinese law and with national security standards.
Finally, the strategy also provides for further surely relevant objectives, such as, by way of example, strengthening online anti-terrorism, counterespionage and anti-theft capabilities - activities that are only mentioned but not specifically dealt with - or gathering the efforts to perfect national network governance systems especially by promulgating laws (as the one just examined), or even strengthening international cooperation resorting to the United Nations and signing bilateral and multilateral agreements on cyber security.
To conclude, the joint analysis of the new strategy and the first cyber security law shows that the Chinese approach is clearly aimed at safeguarding first of all its political leadership, monitoring and, in case of need, slowing down information and propaganda activities conducted in and through the cyberspace mainly by national opposition parties and by political and social dissident groups.
Meanwhile, the Government is also undeniably interested in affirming and strongly safeguarding national sovereignty in cyberspace security, as well as enhancing protection and defence levels of its critical information infrastructures.
Some strategic priorities can then be identified, definitely similar to those already outlined in previous Chinese cyber strategies. Yet, it is understood that Beijing does show a greater maturity and openness to see international cooperation as an essential element for cyber security and for the development of Chinese economic interests and geopolitical ambitions.