Show Hide image

China’s strategy to become the world’s strongest cyber power

Nigel Inkster, former operations and intelligence director of MI6, analyses China’s efforts to impose order on its vast online community.

When just over two years ago I began researching a book on China’s cyber power, mainstream western media were full of stories about China’s alleged programme of state-sponsored cyber industrial espionage directed against US and other western corporations. Following an agreement between Presidents Xi Jinping and Barack Obama in December 2015 that “that neither the US nor the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage” that story dropped out of the headlines. But the importance of China as a cyber power has not diminished and understanding China’s capabilities and objectives in the cyber domain has become a key element in understanding its global strategic objectives. It is also an important prism through which to understand China’s long struggle to achieve modernisation whilst retaining its cultural and political self-esteem.

China came out of the Cultural Revolution in a state of economic and technological backwardness that demanded urgent attention. Its new leadership was seized of the important role modern ICT would play. Although the internet did not become accessible to ordinary Chinese citizens until 1996, the subsequent take-up has been dramatic. China has over 700 million “netizens”, the majority of whom access online service through smartphones. In 2015, the total value of online sales was $581bn, making China the world’s largest digital marketplace. The Chinese government has ambitious plans to switch from an export-dominated economic model to one based on domestic consumption; and to move up the value chain to break free of a middle-income trap. A key enabler will be an Internet Plus strategy that aims to integrate the real-world and digital economies.

In pursuing this, China’s government had to confront two vulnerabilities. The first is the potential of the internet to serve as a vector for subversive influences that challenge the Communist Party’s legitimacy. The second is a high level of dependence on western – largely US – technologies and software, seen as a security threat. From the outset China’s authorities sought to control online content through a combination of firewalls to filter externally generated content, regulation of service providers and censorship; the latter becoming ever more technologically enabled but still reliant on large numbers of censors and pro-government activists who promote and defend official views on social media sites such as Weibo.  

The result has been a cat-and-mouse game in which China’s netizens have sought to bypass censorship by relying on the infinite capacity of the Chinese language to generate homonyms for terms which are banned, giving rise to a rich lexicography of online dissidence. But it is a game the authorities are winning thanks to technology dominance and the huge manpower resources devoted to an issue seen by the leadership as existential. This is not to say that the Chinese internet is characterised by an atmosphere of sterile ideological conformity; in many respects it is more vibrant and anarchic than its western equivalent and has been used to good effect by its citizenry to hold officialdom to account. But first under Hu Jintao and ever more under Xi Jinping a climate of greater political and cultural conformity has led to popular bloggers –so-called Big Vs – being shut down. And China is unapologetic about asserting an approach to the internet based on the concept of cyber sovereignty, in effect its right to determine what its citizenry can access.     

Meanwhile, China is pursuing a policy of indigenous innovation to reduce dependence on western technologies. Dependence on western ICT is such that when in 2014 Microsoft announced that it would cease supporting Windows XP it subsequently had to make an exception for China, such was its reliance on that system. That dependence will take time to erode. But there is a growing number of indigenous Chinese software companies, Chinese smartphones and other devices are increasingly competitive with western equivalents and Chinese entrepreneurs have shown considerable ingenuity in developing and marketing a range of online services. As the Chinese state seeks to impose greater order on what to date has been an anarchic and insecure Chinese cyber environment, new laws have imposed greater demands on western companies such as the provision of source code. China is seeking to leapfrog the west in key areas of ICT including artificial intelligence (AI), quantum encryption and quantum computing. And the Chinese government is facilitating the purchase by Chinese companies of western technology start-ups. In 2014, $22bn had been spent on such deals, which have significant medium-term implications for the competitiveness of advanced industrial economies including the UK, France and Germany.

The global outlook of China’s leadership is dominated by the so-called Century of Humiliation covering the period from the mid-19th century up to the founding of the People’s Republic in 1949 during which China was virtually colonised by the west. The determination not to repeat this experience has translated into a transformation of China’s defence posture from a land-based, low-tech, mass-mobilisation force to one that is increasingly based on a capacity for naval force projection with a view to securing China’s supply lines and protecting its growing range of overseas interests. Digitisation is seen as critical for China’s efforts to develop armed forces on a par with its only real comparator, the United States. This is exemplified by an ambitious reorganisation at the end of 2015 which led to the creation of a new Strategic Support Force that combines signals intelligence, electronic warfare and information warfare capabilities within a single organisation that also has responsibilities for space-based activities. After a long period of coyness PLA officers now talk openly of China developing offensive cyber capabilities albeit at a “moderate rate” and in response to the activities of states such as the US.

This posture also translates into a more assertive foreign policy, no longer merely concerned as until recently with ensuring peace and stability to permit economic development. China probably does not aspire to replace the US as, in their words, “global hegemony”.  But it does wish to move from a global governance system dominated by the US and its allies to a world that is multi-polar and which respects different political and cultural systems. And to transition to a “new security concept” which while broadly respectful of international institutions like the United Nations, also subordinates customary international law to the interests of major powers. Here too the cyber domain plays a major role with China championing its vision of a global cyber governance and security order where the USA is no longer predominant. This vision enjoys some support in the developing world, not least due to the activities of national champions such as Huawei and ZTE who are building and operating core backbone IT infrastructure systems in countries that would otherwise remain on the wrong side of the digital divide.

To revert to cyber espionage, it is now clear that US threats of financial sanctions against Chinese companies deemed to have benefited from the theft of US intellectual property (IP) persuaded China’s leaders that this particular game was no longer worth the candle. The “noisy” reduplicative exploits that characterised so many cyber-attacks emanating from China are now much less in evidence. But cyber capabilities have become a major enabler of Chinese statecraft and are inter alia reducing the space within which overseas-based opponents of the regime can operate. For better or worse China is transitioning from becoming a large cyber power to a strong cyber power and can be expected to play an increasingly prominent role in this space.

The west will have to get used to living in a world in which it no longer enjoys the unquestioned technology dominance to which it has long been accustomed.

Show Hide image

Investing in a secure future

Increased training and investment in cyber security infrastructure are essential in the digital age.

It is easy to underestimate how crucial the internet is to our everyday lives. It has become an essential tool in the way we communicate with others and conduct business both at home and abroad. More than 1.6m people work in the digital sector or in digital tech roles in the United Kingdom and the internet continues to provide individuals and businesses with huge opportunities.

However, we know that criminals seek to exploit the many benefits of the internet for their own personal gain, often at great expense to others. The WannaCry ransomware attack, which hit the NHS as well as other organisations, highlights the seriousness of the threat and reinforces the need to properly protect ourselves online.

In the recent Cyber Security Breaches Survey 2017, just under half (46 per cent) of all businesses identified at least one breach or attack in the last year. Although it is difficult to put an exact figure on how much this cost the UK economy, it is likely to be in the billions.

We are also all too aware of attacks by hostile state actors who look to exploit the UK through intellectual property theft, in order to further their own interests and prosperity. We take these attempts to disrupt our national security very seriously.

That is why this the government set up the National Cyber Security Centre (NCSC), which provides cyber security at a national level. In its first year of being operational, the NCSC responded to 590 significant cyber incidents, more than 30 of which were sufficiently serious to require a cross-government response.

It is not just large organisations and our national infrastructure that are targeted by online criminals; individuals also face the daily threat of being scammed in their own homes. It is now the case that British citizens are 20 times more likely to be defrauded at their computer than mugged in the street.

It is a threat we all face. I strongly believe that we – individuals, businesses and the government – must play our own part to mitigate the risk and ensure that the internet is a safe and secure space for everyone. The government has legislated within the Serious Crime Act 2015 to create a new offence that applies where an unauthorised act in relation to a computer results in serious damage to the economy, the environment, national security or human welfare, or a risk of such damage occurring.

Legislating against online criminality goes some way to tackling the problem; however, close collaboration between the government, business and international partners is essential in combating the increasingly sophisticated attacks that the UK faces.

We work closely with the NCSC, which acts as a bridge between industry and government, providing a unified source of advice and the management of cyber-related incidents. It is at the heart of the government’s 2016 National Cyber Security Strategy, which is supported by £1.9bn of transformational investment to 2021.

Our law enforcement agencies across England and Wales also play a vital role in disrupting the activities of cyber criminals and bringing them to justice. They now operate as a single networked resource with the National Crime Agency (NCA) and Regional Cyber Crime Units using shared intelligence and capabilities. The NCA also has a dedicated Dark Web Intelligence Unit which targets those criminals who exploit hidden areas of the internet.

But we also want people to take their own preventative measures, so that they don’t become a target by criminals operating in the cyber space. We are running a series of campaigns and programmes which aim to encourage individuals and businesses to adopt more secure online behaviours.

Cyber Aware works with over 320 public and private sector partner organisations to encourage us all to take simple steps to protect ourselves online including using a strong, separate password for our email accounts and installing the latest software and app updates on our electronic devices.

The NCSC has also recently launched expert guidance on how small businesses can easily avoid common online breaches and attacks. Should organisations seek to improve their cyber security further, they can get certification through the Cyber Essentials Scheme.

To further support the efforts of SMEs in improving their cyber security, regional cyber crime prevention coordinators engage with businesses and members of the public to provide customised cyber security advice based on the latest technical guidance from the NCSC.

We must also look to the future – we now have a whole generation that have grown up immersed in tech. It is hugely important that we harness their talents and put them to good use rather than letting them wander down a path towards criminal online activities.

We must train and engage with the next generation of cyber security experts and is why the NCSC is taking a leading role in promoting a culture where science and technology subjects can flourish within the education system. Their CyberFirst programme identifies and nurtures young talent through a series of summer workshops and competitions. In addition, their CyberUK 2018 programme focuses on encouraging more women to enter into the technology industry, a sector that is largely seen as male-dominated.

There is a great effort across government and law enforcement to pursue online criminals, prevent
those that are headed on a path towards criminal activity, protect the public and prepare for the many threats we face online. We will continue to invest in law enforcement capabilities at a national, regional and local level to ensure agencies have the capacity to deal with the increasing threat from cyber crime.

However, this is not a threat that we can tackle alone. It is everybody’s responsibility, from top to bottom, to follow the guidance provided and increase their awareness of cyber security in order to create a safe space to communicate and conduct business online.