On June 27, 2017, the Cyberspace Administration of China (CAC) released its National Cyber Threat Response Plan to help bolster its cyber security posture. According to news sources citing a document posted on the CAC website, the Plan includes a four-tier color-coded warning system that ranked the severity of cyber attacks Red (the highest level), Orange, Yellow, or Blue (the lowest level).
Of note, the Plan legally mandates that Chinese provinces ensure that their networks are upgraded and that response teams are established in order to support a centralized cyber reporting system. While no specifics were provided as to what the accepted level network upgrade was, government agency failure to comply with the regulation would be considered a criminal – not civil – offense, an interesting distinction demonstrating the gravity with which the national government is treating cyber defense and holding all levels of government responsible and accountable for its implementation.
The Plan also compels relevant entities to open international channels of communication during the sudden onset of international security threats. This is an important development particularly in the wake of May 2017’s global pandemic of the WannaCry ransomware campaign that successfully infected more than 300,000 systems in 150 countries. Approximately 30,000 Chinese organizations were impacted from this ransomware attack. Such channels provide the opportunity of immediately engaging international counterparts to help identify, detect, and mitigate these global infections from spreading further.
China’s cyber security shortcomings have been longstanding. According to one survey, the average number of cyber attacks detected by Chinese and Hong Kong companies rose by 950 percent between 2014 and 2016, with more than 7 a day based on information provided by the survey’s 440 China based-respondents. Complicating China’s cyber security situation is the increasing use of Internet of Things (IoT) devices that are notorious for being under secure. In 2016, Chinese DVRs and Internet-connected cameras were exploited by hackers to support a botnet that launched distributed denial-of-service (DDoS) attacks that impacted major global targets and websites. Just recently, a Chinese company warned that some of its remote-controlled video cameras contain flaws that a security firm said could be used in cyber attacks and cyber espionage. Such developments while promising show that acknowledgement of the problem is only part of the solution, and that without plans in place, there is no action to correct such issues.
Since 2014, China’s senior leadership has been publicly advocating the need for the country to aggressively pursue cyber security. In an address to Office of the Central Leading Group for Cyberspace Affairs that year, President Xi Jinping said, “without cyber security, there is no national security.” Viewed through this prism, the National Cyber Threat Response Plan is the latest iteration of China proactively trying to improve its cyber security from the top down. Since 2015 when China passed its National Security Law to its June 2017 enactment of its Cybersecurity Law, China has been aggressively enacting a series of national security-related legislation in which cyber security was a prominent feature. Of note, this legislation focuses on areas that not only improve Chinese security, but also provide the legal justification for Chinese authorities to act in a manner they determine appropriate. This has given some international businesses pause for concern, as they believe that failure to comply provides the government a legal avenue to pursue repercussions.
From a national level standpoint, the National Cyber Threat Response Plan is a logical progression. Legislation serves as the foundation from which plans like this one can be based and implemented. Invariably, more specific guidelines will follow that supply more fidelity and specifics for all levels of government stakeholders that will likely include timelines and milestones that need to be achieved, and penalties to be incurred should they not.
From a strategic perspective, the Plan reinforces China’s commitment to actively revamp its cyber security apparatus as it works to establish bilateral engagements with international partners. While the international community struggles to find some common ground on norms of behavior in cyberspace, China strengthens its position on cyber sovereignty – its core issue – through the continued passing of broad-language legislation that affords it the wiggle room to pursue other means of resolution to safeguard its interests in other political, diplomatic, or economic areas. Even if the global community ultimately accepts Western interpretations of cyber norms, China will have established a means to counterbalance them.
For the near term, through these initiatives and cyber security bilateral agreements, China is demonstrating to the world that it is a willing partner that is taking cyber security seriously through its actions as well as its words.
This is a guest post written by Emilio Iasiello.