China, US Push Cybersecurity Policies

After the State Council issued a new policy opinion on cybersecurity last week, and with the United States hoping to pass its own legislation on the issue, Adam Segal of the Council on Foreign Relations discusses the challenges both sides face in pursuing meaningful information security policy:

Even with the compromise, the bill’s future in the Senate and in the House is uncertain (uncertain may be kind—Jessica R. Herrera-Flanigan and Paul Rosenzweig think legislation is basically dead, and Senator McCain said on Monday that the bill “has zero chance of passing in the House or ever being signed into law”). Still it would be premature, if not misguided, to tout the State Council opinion as one more piece of evidence of China’s ability to get things done. For one, the opinion is a grab bag of vague policy proposals, spanning tens of different policy arenas. Some will work out, some will be dropped. Moreover, these proposals are not always internally consistent. There is, for example, a strong government hand involved, but the opinion also “advocates for industry self-regulation.”

And politics are unavoidable in China too. As Jimmy Goodrich notes, after the introduction of the 2003 opinion different parts of the Chinese bureaucracy launched competing policy initiatives and waged fierce battles over their policy turf. The 2012 opinion highlights the leadership of the national leading small group for informationization and national coordinating small group for cyber and information security, but strong leadership is needed at the top and it is a real question if any of China’s top leaders are focused on cybersecurity right now given the state of the economy and the fallout from the removal of Bo Xilai. There is no doubt the United States could be doing more at home, and another year passing without any legislation to address what the President calls “one of the most serious economic and national security challenges we face” does not look good. But developing smart information security policies is hard, even for China.

Segal also caught up with The New Yorker’s Evan Osnos, addressing the cyber issue in the overall scope of U.S.-China relations:

Cyber is often mentioned as one of the leading potential flashpoints in the U.S.-China relationship. Where would you rank that risk compared to potential conflict in the South China Sea, Taiwan, or trade disputes?

While strategic mistrust is high between the two sides, Cyber alone is unlikely to be a major flashpoint. Attacks designed to steal intellectual property and other trade secrets occur with such regularity and at such a pace and scope that General Alexander, head of U.S. Cyber Command, has called them “the greatest transfer of wealth in history”—yet the United States continues to engage China on a range of issues, from Iran and Syria to trade and the environment. Washington has raised the pressure on Beijing about cyber, publicly calling out Chinese hackers and addressing it in bilateral meetings, but clearly has not made it an issue that it is willing to go to the mat for.

There is little doubt, however, that cyber will be part of any political, military, or economic conflict in the future, and that it has high a probability of making the situation more difficult to resolve. Web-site defacements were an annoyance in the standoff between China and the Philippines over the Scarborough Shoal/Huangyan Island, but more serious cyber attacks could have escalated the situation, making signalling much more complicated. This is why it is so important that the United States and China continue to talk about cyber and to develop points of contact and other communication mechanisms in case of crisis.