Inside China’s cyber system – China’s cybersecurity landscape
China aims to become a "cyber superpower" and a technology leader. To achieve these strategic goals, the policy priority given to digital technology has increased significantly since 2012, and a comprehensive institutional framework for cyber governance has been established. Previously, this policy area was fragmented and divided among many different institutions. The system now consists of numerous party and state bodies, affiliated (ostensibly non-governmental) think-tanks or research institutes, and technical entities, sectoral associations, and industry alliances. The following blog post illustrates the underlying structure of China's cybersecurity landscape and introduces the key players, drawing particularly on a paper by Rogier Creemers (2021), wherein he traces and further elaborates on the reorganization of these institutions.
Figure 1: Illustration of the institutional cyber governance framework.
China's cyber policy is directed from the top down by Xi Jinping himself, who chairs the Central Commission for Cybersecurity and Informatization (CCCI). The CCCI is one of the most powerful Chinese government organizations. Its responsibilities include providing leadership and interagency coordination, coordinating the fusion of national defense and the private sector, facilitating decision-making, and resolving interdepartmental tensions in the area of cybersecurity and informatization. However, it operates largely in secret.
On the next level of the pyramid is the Cyberspace Administration of China (CAC), which is the main working body of the CCCI and provides administrative support. Its role centers on coordination: the CAC has been appointed the competent department for cybersecurity review and critical information infrastructure management, leads the department for online personal data protection, co-manages data security, and drafts the national cyberspace security strategy. In addition, the CAC has regulatory responsibility and is in charge of online content control and related licensing formalities for online operators. It thus oversees five subordinate organizations:
Technical Committee 260 (TC260) is responsible for technical information security standards. It is estimated that TC260 has issued approximately 300 such standards since 2015. Officially, it is an independent body, but there are clear links to the CAC. It consists of seven regular working groups that focus on different cybersecurity issues. Foreign companies are allowed to participate in some of these working groups, but others are exclusively for Chinese officials and representatives of Chinese technology companies. These standards present numerous challenges and contribute to making it increasingly difficult for foreign companies to do business in China.
The Cybersecurity Association of China (CSAC) is also overseen by the CAC. It is an intermediary organization that assists government departments in the effective implementation of laws, regulations and policies.
The CAC further oversees the Chinese Academy of Cyberspace Studies (CACS), an affiliated think tank. It does not operate internationally, but publishes annual reports on the development of the Internet in China and around the world.
The CAC also oversees the CNCERT/CC, which is tasked with responding to cyber-attacks and preventing, detecting, and responding to vulnerabilities and incidents. Moreover, it engages internationally, claiming to be a non-governmental technical center, but is closely linked to government institutions.
The China Internet Network Information Center (CNNIC), which oversees the technical operation of the DNS for the .cn top-level domains as well as for Mandarin-language domain names, also falls under the CAC's jurisdiction.
China's network security priorities are mostly motivated by the CCP's primary goal of maintaining its grip on power. As a result, content control plays an important role: The Ministry of Public Security (MPS) is tasked with issuing direct instructions on how to report or censor specific types of information. It commands China's police forces, is responsible for enforcing laws and regulations, and conducts targeted campaigns on high-priority issues. For example, it oversees the "Golden Shield Project" and the National Information Security Management System, better known as the "Great Firewall". The Great Firewall is part of the "Golden Shield Project" and was launched in 2000. The term describes the Chinese government's Internet censorship and surveillance project, which consists of both censorship mechanisms and propaganda elements designed to restrict content, such as blocking certain foreign websites, identifying and locating individuals, and providing access to their personal information. The Golden Shield Project shares hardware and software with the Great Firewall, but deals with domestic law enforcement issues and constitutes a database that could be linked to the social credit system. In addition, the 11th Bureau oversees the operation of the Cybersecurity Multi-Level Protection System (MLPS) for information security and efforts to combat cybercrime.
The Ministry of Industry and Information Technology (MIIT) is responsible for the construction and management of network infrastructure, including the deployment of 5G technology, and related information security tasks, in addition to regulating industrial policy in the ICT sector. As such, it plays an important role in Internet and telecommunications infrastructure. It oversees the China Academy for Information and Communication Technologies (CAICT) and the Internet Society China (ISC), both of which present themselves as non-governmental institutions and claim to be independent. The CAICT is a think-tank that conducts research and policy development, issues publications, and provides input to industry and government, such as technical standards. It thus plays a role in the development of ICT policies and standards, in particular by being an important interlocutor for foreign ICT companies on these issues. The ISC, on the other hand, is an intermediary organization for the Internet sector, with 16 working groups dealing with issues ranging from online copyright protection and rural informatization to spam messaging and Internet finance. Internationally, the ISC presents itself as a non-governmental, multi-stakeholder organization for China's digital environment, while in reality it plays a regulatory role.
Despite efforts to reorganize the institutional landscape so that responsibilities are no longer spread across many different institutions, bureaucratic responsibilities for cybersecurity and privacy remain diverse and conflicting, with the CAC, MIIT, MPS, TC260, and CACS all having some say in standards, regulations, and implementation.
When it comes to external issues in the international arena, the Ministry of State Security (MSS) is critical to China's cyber diplomacy and the implementation of its cybersecurity agenda. Although there is little public information about China's intelligence and security agency, it is suspected to be associated with hacking groups such as APT3 and APT10. The MSS oversees two institutions: the China Institute of Contemporary International Relations (CICR) and the China Information Technology Security Evaluation Center (CNITSEC). CNITSEC collects information on vulnerabilities in software and hardware products and information systems. It manages the China National Vulnerability Database for Information Security (CNNVD) and conducts the security review processes prescribed by the Cybersecurity Law (CSL) and its subordinate regulations. CICR presents itself as a research institution focused on international affairs, but it is closely linked to the MSS and many of its senior leaders have intelligence backgrounds. It is the primary institution responsible for Track 1.5 and Track 2 relations internationally.
Finally, the Ministry of Foreign Affairs (MFA) is tasked with participating in international cyber diplomacy processes in this area. However, as in other thematic areas, the MFA has very little direct authority over cyber-related policy.
Figure 2: Summary of the tasks of each institution.
In addition, other departments are involved in cyber issues from time to time: specialized technical bodies, departments supporting education and research, and financial elements of China's digital strategy. Moreover, although China's digital technology policy is largely a civilian prerogative, it is increasingly intertwined with the capabilities and doctrines of the People's Liberation Army (PLA). For example, the PLA Cyber Force is also a major player, whether by conducting cyber operations abroad, engaging in economic espionage abroad, or being closely linked with various APTs. It also views cyberspace operations as an important component of information warfare.
In summary, the CCP is largely involved in all stages of the cyber governance system. Moreover, the restructuring and expansion of the cyber governance system is largely complete. However, new developments as well as the upgrading of the bureaucracy and key technology sectors cannot be ruled out: for example, a new data management authority was only established at the beginning of 2023 as part of the further restructuring of the State Council. It will be responsible for coordinating and promoting the construction of the data factor system, the overall planning of the integrated sharing, development and use of data resources, and the overall planning of the promotion of digital China, the digital economy, and the planning and construction of the digital society. In this way, data will serve as the "fifth factor of production". In addition, also driven by the government's security concerns, the goal of "indigenization" of technology is even more emphasized (the goal is to be technologically self-sufficient and the world's top innovator by 2035). To this end, national innovation and research are increasingly being promoted. The new government is expected to strengthen the oversight and policy role of the Ministry of Science and Technology (MoST) in the pursuit of scientific and technological success.
Furthermore, the private sector also plays an important role in China's cybersecurity landscape, especially the largest ICT companies, such as Alibaba, Baidu, and Tencent, as well as industry associations and alliances. They are at the forefront of China's global technology ambitions, especially when it comes to China's international cyber ambitions to set standards, influence the global digital order, and achieve technological self-reliance. As such, they also have a significant influence on domestic ICT policies.
Finally, the governance system consists of interlocking policies, laws, regulations, and standards, making it "the most comprehensive governance regime for cyberspace and information and communications technology (ICT) of any country in the world". While the Cybersecurity Law is the most central, it has been criticized for enabling extensive data control and increasing the risk of intellectual property theft. Moreover, its wording and definitions are quite vague, increasing the government's grounds to make broad claims about the need for investigation and reducing the ability of foreign companies to challenge a government demand for data access. All of these documents deal with the digital economy as well as security issues such as security reviews, critical infrastructure protection, online content management, encryption, and data flows. This governance system gives China the opportunity to position itself alongside Europe as having a robust governance model for data and security. Other countries are even adopting laws similar to China's, creating the risk of spreading and strengthening authoritarian regimes.
In addition, the Wuzhen Internet Conference has been held annually since 2014 and is an important platform for promoting the CCP's ideas on cyber issues. The conference is used to discuss Internet issues and policies, and is intended to provide an opportunity for states to establish their own rules for cyberspace, as Xi presented his concept of cyber sovereignty there. Such an understanding runs counter to the currently dominant Western notion of a free Internet, as it would allow states to have ultimate authority in digital space. It would erect national boundaries in cyberspace that block the free flow of information, making it easier to control the Internet and enabling "digital authoritarianism". China is therefore seeking to shape cyberspace according to its own ideas at the global level, for example through UN processes, such as proposals for the "International Code of Conduct for Information Security to the United Nations" in 2011, or proposals such as "New IP" at a meeting of the International Telecommunication Union in 2019.
We are witnessing the rapid rise of China as a technological power: its capabilities are growing, but it is not yet dominant. Beijing’s ambitions also have their limits: There is a lack of talent and innovation to implement these strategic goals, and there is a high dependence on foreign technologies. One measure the Chinese government has taken to overcome these obstacles is the establishment of the National Cybersecurity Center in 2017. It consists of seven centers for research, talent development, and entrepreneurship. Another vital aspect of overcoming this challenge, and thus fulfilling the aspiration to become a cyber superpower, lies in the tools of economic diplomacy and the global activities of Chinese technology companies, such as the "Digital Silk Road". Chinese technology companies play an increasingly important role in this regard. Projects like these are driven by Chinese companies seeking new markets and support the government's ambitions to gain economic, strategic, and political influence. For these reasons, the government provides financial support and invests heavily in such companies and their innovation projects, focusing primarily on emerging technologies such as 5G, AI, and semiconductors.
In addition, the new government is placing an even greater emphasis on (national) security and control, which will also shape technology policy. A recent ASPI report warns that while China does not yet have technological superiority, it has laid the groundwork to dominate critical future technologies in a wide range of areas, such as AI. This prediction seems plausible, as innovation and technological self-sufficiency are high strategic priorities in China, as President Xi stated in 2018: "Self-determination and innovation is the unavoidable path… to climb to the world’s top as a leading player in technology." The outlined institutional cyber governance system is a cornerstone for achieving all of these goals. Therefore, it is crucial to understand it in order to analyze China as an actor and its ambitions in cyberspace.