Cybersecurity in China & the Balance of Power

Greg Austin
Professorial Fellow, EastWest Institute, New York
Professor of Cyber Security, Strategy & Diplomacy
UNSW Canberra Cyber

Canberra, 31 May 2018

Research Group on Cyber War & Peace

China Cyber Publications

2012, 2014, 2018

Main Question

China has established a global reputation for cyber attack.

How good is it at cyber defence?

Second Question

What is the impact on the global balance of power of China’s cyber defence capability?

Spy vs Spy

China’s Cyber Ecosystem

• China conducts more cyber espionage on itself than any other country does

• ecosystem for security in cyberspace is distorted by the country’s political system

• national policy shift in 2014: Xi’s “cyber power”

• 2015 China’s Military Strategy

• 2016 National Cyber Security Strategy

• 2017 Cyber Security Law; Review Committee

• 2018 Google returns: Artificial Intelligence Lab

Deep Anxiety

• China’s political leaders feel insecure in cyberspace

• Cyberspace is an inherently insecure environment

• “spy versus spy” effect

• Adult inside China? a very high chance that your cyber systems are being surveilled or can be surveilled by both of the two cyber superpowers

• The weakness of China’s cybersecurity is one of the best kept secrets in Washington

• Companies that provide services in this field in one country become a prime target for its intelligence adversaries

Xi: Character of Cybersecurity

1. cybersecurity is holistic rather than fragmented; cybersecurity has a close relationship with many other aspects of national security

2. cybersecurity is dynamic rather than static; the idea of relying on a few pieces of security equipment and security software to keep safety is outdated; need a dynamic, integrated protection concept

3. cybersecurity is open rather than closed; strengthen international exchange; absorb advanced technology

4. cybersecurity is relative rather than absolute; avoid the pursuit of absolute security regardless of cost

5. cybersecurity is common rather than isolated; relies on people; the whole society; joint participation of the government, enterprises, social organizations, and most Internet users to build a line of defence

Stakeholders in China’s CyberSec

DOMESTIC: Citizens; Corporations/SMEs; Governments

FOREIGN: Citizens; Corporations/SMEs; Governments

NCSS Nine Strategic Tasks

1. Defend cyberspace sovereignty

2. Uphold national security

3. Protect critical information infrastructure (CII)

4. Strengthening online culture

5. Combat cyber terror and crime

6. Improve cyber governance

7. Reinforce the foundations of cybersecurity

8. Enhance cyberspace defence capabilities

9. Strengthen international cooperation

Now the Hard Stuff

• Universities

• Cyber industrial complex

• Corporations

• Citizens

• Governments

• Grading national cybersecurity

• “The Next Wave” in China’s cybersecurity

• Balance of Power

Universities/Research Institutes

China faces many of the same dilemmas of cybersecurity education and research policy that other countries do:

• the field is rapidly changing as technologies shift

• the core body of knowledge for university delivery is heavily dominated by engineering, maths and computer science

• little attention is paid to social science aspects

• there are only weakly developed capabilities and options for students to conduct even medium complexity simulations and experiments.

Chinese Made Constraints

• a rigid and authoritarian university system that resembles the one created in the Soviet Union 1951-1977

• only low levels of internationalisation

• intrusion of CCP supervision that affects student life and academic merit for ALL teaching and research staff

• Chinese research institutions are achieving impressive gains in more technical aspects of the sciences of information security, but have few avenues for research and teaching around social science aspects of the field: management, privacy, economic impacts, and politics

Education & Research Workforce

• 2015: education system began reforms for cybersecurity

• huge deficit in China: 1.4 million by 2020

• sheer size and the government’s mass cyber surveillance system create unique pressures on work force development

• major foreign consumer of Chinese infosec talent is the United States (including leaders in places like MIT)

• many see themselves as global citizens owing no allegiance to China’s techno-nationalist vision or mass surveillance ideology

• China has a long, hard race ahead to begin to catch up to the education and research standards of the United States in cybersecurity

Cyber Industrial Complex (1)

The political economy of cybersecurity, including its S&T underpinnings, is a subject crying out for advanced research, whether that concerns China or other countries

• State-owned sector

• Private sector

• “cleared companies”

Cyber Industrial Complex (2)

• While China’s leaders dream of a high tech future in this field, and its scientists can provide some research underpinnings, the creation (almost from scratch in the late 1990s) of a national cyber industrial complex will have to be a gradual process

• Chinese leaders have openly acknowledged this and have publicly presented credible plans for progress

• US NRC: China risks being “designed out of” advanced IT R&D; China is somewhat susceptible to such “self-inflicted wounds”; its scientific and industrial communities are increasingly globalised and the only sure direction for China’s cyber industrial complex will be, as Xi Jinping says, to intensify that internationalisation process even as he gives strong signals to the contrary in favour of more indigenisation.

Cybersecurity of Corporations

• China may be among world leaders in the cybersecurity of the country’s major banks (Bank of China, its personnel migration)

• in most Chinese corporations and other commercial entities, cybersecurity has been something of an afterthought in the rush for profits or in the face of competing priorities

• cases of civil aviation, electric grid and universities

• situation in China may not be worse than in many countries in some sectors (such as civil aviation and the electric grid)

• this is small comfort when the level of cyber crime perpetrated against Chinese corporations seems quite high, alongside unusually high losses by them of personal data

• major reforms in organisational culture, and in work force development, will be essential if China is to lift its very patchy performance in corporate cyber security.

Insecurity of Citizens

• Analysis of the cybersecurity of Chinese citizens, now and in prospect, illuminates, better than most lines of inquiry, the true character of the cybersecurity ecosystem in the country

• It is an ecosystem intended to serve the interests of an authoritarian dictatorship and not the interests of individual citizens

• This will be increasingly evident as the Chinese state partners with foreign corporations in advanced artificial intelligence applications in support of both its monitoring/censorship policies and development of its social credit system, relying on accumulation of personal data of the citizenry

• China outperforms most countries in battling cyber crime (probably because of its authoritarian instincts and levels of surveillance)

• China has not invested significantly in the criminological research on cyberspace affairs that might begin to inform better and more effective policy in this area

• our knowledge of the cybersecurity of Chinese citizens is based on an understanding of the broad contours of the ecosystem, occasional surveys and a handful of case studies, and not on comprehensive detailed research by Chinese and/or foreign scholars

Governmental Cyber Insecurity

• one country, many provinces (31), two SARs, and the Taiwan problem

• governmental cybersecurity in China is weak to very weak

• inevitable reflection of the country’s late start in informatisation and its lack of attention, until recently, to the cyber skills deficit

• Over-emphasis on content security to the detriment of system security

• some areas are much stronger than others (leaders, military)

• Unit 61398 of the PLA had very low standards of cyber security in 2013

• reports from Chinese analysts that the Ministry of Public Security is quite weak

• Chinese leaders have recognised the severe shortcoming in governmental cybersecurity

• it will take them a decade or two to begin to approach high standards in most sectors of government operations

• These weaknesses will be one of the most powerful drivers of China’s willingness to continue to rely on foreign vendors, including American corporations, such as Microsoft, Cisco and IBM, especially for services

Grading National Cybersecurity

• a country as such does not have and cannot have “cybersecurity” as if that were a quality or commodity

• One can only speak meaningfully of which actors in a country enjoy cyber security, at what levels, and in what circumstances

• Cybersecurity is a complex socio-technical system that combines a sense of threat (insecurity) and a sense of confidence in the quality of defence (security) of different actors

• It is also in part a technical reality: where a victim can feel secure even while foreign states, criminals, corporations, or even his/her own government rampage through his/her cyber space, often in abusive or exploitative ways

• Perceptions of cybersecurity are social and psychological phenomena that might usefully be measured in assessing national cybersecurity but that are rarely taken into account

• Cybersecurity in one country or another has to be evaluated from a multi-layered point of view that can only be viewed as an interactive, large and highly diverse matrix with dynamic trend aspects. A static snapshot-list cannot give an adequate accounting. The number and type of elements in the matrix must be far wider than in most lists used in compiling indexes of national cybersecurity capability.

Grading the Strategic Tasks

| Strategic task | TECH | CAPAC | LEGAL | ORG’L | COOP’N |
|---|---|---|---|---|---|
| 1. Defend cyberspace sovereignty | 3 | 3 | 2 | 2 | 2 |
| 2. Uphold national security | 4 | 2 | 5 | 5 | 2 |
| 3. Protect critical information infrastructure (CII) | 1 | 1 | 1 | 1 | 1 |
| 4. Strengthening online culture | 3 | 3 | 5 | 4 | 3 |
| 5. Combat cyber terror and crime | 3 | 2 | 3 | 3 | 2 |
| 6. Improve cyber governance | 3 | 2 | 2 | 2 | 3 |
| 7. Reinforce the foundations of cybersecurity | 2 | 2 | 2 | 2 | 2 |
| 8. Enhance cyberspace defence capabilities | 1 | 1 | 1 | 1 | 1 |
| 9. Strengthen international cooperation | 3 | 2 | 2 | 3 | 3 |

Scale of 1 (weakest) to 5 (strongest)

The Next Wave (1)

• national competence in designing and developing cyber security technologies is an activity of the cyber industrial complex (enterprises, researchers and investors), not the state

• China will need to develop the work force that can support its cyber power ambition

• China will need to craft international alliances to underpin the domestic accumulation of attributes of cyber power

• Social credit system faces huge social and institutional obstacles

• China’s ambitions against its own citizens will lead to increasing attacks on the credibility and security of Chinese cybersecurity systems

• China’s cybersecurity industry is going from strength to strength, but it is not a world leader in most fields (exceptions include anomaly detection)

The Next Wave (2)

• Advanced artificial intelligence productisation in China is in part a technological inevitability, but it is also driven by the demands of an ever-expanding police state intent on controlling the political orientation of its citizens

• advanced AI offers the only solution to China’s estimated skills deficit

• China’s AI ambitions will need foreign specialists and corporations (As of 2018, several leading foreign firms in China are serving as the henchmen of ‘big brother’)

• great strides and world class achievements in quantum communications; but beware China’s consistent propaganda about an alleged first-rank position in related research and applications.

• China’s quantum hopes may be somewhat misplaced

The Next Wave (3)

• Cyberspace is a contested domain. The Chinese government’s national cybersecurity strategy of December 2016 makes plain that the leaders see themselves caught up in a political battle and a modernisation whirlwind the likes of which few of them imagined ten years ago. Establishing a Communist Chinese version of security in this environment may well remain an impossible dream, if only because the actors most capable of, and intent on spoiling, the authoritarian dream are part of the most powerful and technologically most advanced alliance ever seen in human history. The struggle is only just beginning.

Balance of Power (1)

• several recent studies conclude that the United States will long remain the sole superpower in part because of its technological superiority

• no studies have looked comprehensively at the transformational impact of the information age on this pivotal power relationship

• room to challenge most existing scorecards of Chinese and U.S. international power, especially those predicting American decline

• China’s leaders have assessed that their country will remain a second rank military power compared with the United States for decades to come because of America’s very large lead in cyber capabilities in both military and civil spheres

• This analysis is grounded in a sharper appreciation by China’s leaders of the domestic and alliance foundations of power than is normal in most foreign assessments of relative American and Chinese power

• More understanding of the role of Western-oriented high tech companies and a globally mobilized community of netizens in mediating power relationships between the two countries than in most assessments.

Balance of Power (2)

• Room to challenge the cliché of a stark political divide in the cyber age between liberal democracy and authoritarian states because of the ways in which cyber technologies are already affecting political leadership and legitimacy in both places

• This blurring is the result of deeper levels of interdependence than at any time in history due to entanglement in cyber space.

• In spite of impulses toward cooperation, close study of China/U.S. relations reveals an escalating intent by them to attain global surveillance and kill capabilities of the most instantaneous kind ever seen in human society

• In the meantime, “collaborate to compete”.

Research Group on Cyber War & Peace
