To do so, it is first necessary to dispel the widely held belief that dominates most discussions of China's cyber-security landscape -- namely, that Chinese hackers function as state-sponsored "armies" to carry out Beijing's online objectives. In reality, Chinese hacker networks tend to be disparate and uncoordinated, and though notably nationalist, they generally operate without ideological basis or political intent. While the Chinese government and military are clearly engaged in offensive cyber activities,
the evidence strongly suggests that the majority of cyber-attacks originating in China are from independent hackers or hacker cells. Indeed, government sites themselves are routinely attacked.
Beijing's emerging policy response can be parsed from several recent announcements. This week saw
calls in the state media for improved cyber-security institutions and management from the government. The comments, originally published in the People's Liberation Army Daily, called for greater horizontal integration on cyber-security policies among China's notoriously factional ministries. News also broke that Chinese telecom giant Huawei
will open a research center in the United Kingdom in the hopes of promoting cyber-security information- and technology-sharing. These developments follow on from the opening in July of the PLA's first dedicated, technologically cutting-edge
cyber-security center in the remote Western province of Gansu.
However, while the government seems to be attaching increasing importance to the issue, the online security situation in China remains appallingly bad. Spam and malware are pervasive. Meanwhile, Web site integrity -- including for government sites -- is poor, and the distribution and usage of personal information goes almost totally unregulated. China's Internet policy has been marked by repeated deviations and U-turns, and even the Great Fire Wall of China can be circumvented with remarkable ease. To give an idea of the scale of the inadequacy of current protocols, the Ministry of Public Security this week announced that 460 people have been arrested on hacking charges so far this year, a paltry number considering that estimates of the total number of hackers in China run into the hundreds of thousands.
The state's failure to assert any kind of meaningful control over the online environment has its roots in three main causes. First, as pointed out by the PLA Daily article, inter-departmental cooperation remains sub-optimal, and policy initiatives run into the perennial obstacles of localism and inconsistent enforcement.
Second, the government's ability to deal with genuine cyber-threats is limited by the politicization of the debate surrounding regulation of the domestic Internet. Internet policies have been overly focused on clamping down what is deemed to be political dissent rather than the far greater threat of attacks that are not politically motivated. For example, it is hard to see how measures such as forcing users of Chinese Internet cafes to show their state identity cards represent any real barrier to sophisticated transnational hacker operations. Indeed, one of the first actions of the new PLA cyber-security center in Gansu was to hire 500 workers known as "50-centers," allegedly paid to post pro-China comments -- euphemistically known as "guiding public opinion" -- on domestic and international Web sites.
Third, Chinese cyber policy has been
highly erratic, with no clear pattern of development. Web sites are blocked and unblocked apparently at random: Some sites, like the Internet Movie Database and YouTube, are permanently blocked, while others that might contain even more politically damaging content, such as Wikipedia, are almost always easily available. Despite the stringent regulation of the Chinese Internet, there have been no real attempts to clamp down on piracy of any type; spam and malware creation or distribution; or organized hacker groups. The government has stood by and watched as the domestic Internet has degenerated into an essentially lawless space.
It is worth pointing out that similar or equivalent deficiencies exist in China's responses to other complex challenges facing the state in the modern age, including domestic concerns such as the country's
health care time-bomb. Tackling this new generation of dynamic threats requires precisely the kind of highly coordinated, efficient and responsive systems of governance that the Chinese Communist Party has struggled to implement. As illustrated by its approach to cyber-security, many of the party's policy initiatives seem to be ad hoc, rather than well-designed responses, and are ultimately rendered ineffective by stifling bureaucracy, local deviation or poor enforcement.
Improving cyber-security is a key challenge for the Chinese government moving forward. Despite institutional and infrastructure advances in recent years, major concerns remain regarding the state's general ability to implement the necessary response systems.
At the same time, cyber-security is an area of overlapping interests for Chinese and Western governments, and Huawei's U.K. center suggests the Chinese
may be willing to reach out on the issue. If China is seeking to develop and legitimize its cyber-security apparatus, Western governments should seek meaningful engagement with Beijing on the issue through processes such as technology-transfer, information-sharing and joint enforcement initiatives.
However, before any such engagement can occur, Western analysts must move away from the over-simplistic notion of China's hacker armies, to a more realistic description of the country's cyber-security situation and the enormous challenge it represents.
**Iain Mills is a Beijing-based freelance writer.
