Forecast

• China's defensive efforts in cyberspace will remain an uphill battle because of its continued reliance on foreign technology, increasing cyberespionage concerns and enormous population of Internet users.
• China will merge its network security imperatives with ambitions to bolster its own domestic technology sector.
• China's need to boost network security and tap into its own domestic demand will drive Beijing to become increasingly active in developing its domestic industries through partnerships and overseas acquisitions of technology firms.

China's National People's Congress passed a new national security law July 1 comprising an extensive list of national security directives that addresses, among other concerns, network security. The document is meant to provide top-level guidance, so its overall language is vague. However, the law highlights China's growing emphasis on safeguarding against cyberattacks and espionage, as well as its drive to develop native technologies to support network security. Like the United States, China is still developing its own view and strategy of defense in cyberspace.

Unlike the United States, which must seek partnerships with the private sector and international partners in defending its online interests, Beijing assumes sole responsibility for managing security over its immense population of Internet users and devices. This is not an easy task for China, which is encountering a surge in domestic cybercriminals and foreign state actors with highly sophisticated offensive capabilities. Though China faces an uphill battle in developing its defenses in cyberspace, its security needs and virtual threats from the West will help propel its ambition to expand into high-tech industries, thus combining China's network security imperatives with its economic ambitions.

China's Internet Space

In little over a decade, China's Internet presence has experienced explosive growth that has made it the world's leader in terms of Internet users and devices. In 2004, there were some 96 million Internet users in China. By 2014, this number had risen to 641 million, more than North America's entire population. Even with this many users, less than half of China's population has regular Internet access. China's new national security law calls for extending Internet services to rural areas, indicating the significant growth in Internet usage that could occur in the coming years.

The rising number of Internet users in China has paved the way for the expansion of social media platforms, online commerce giants and demands for high-tech services and goods. Mobile Internet devices such as smartphones and tablets are extremely popular in China; in 2014, more Internet users logged on via mobile devices than personal computers. China now boasts the largest online retail market in the world, with nearly $450 billion in retail sales in 2014 (about a 50 percent increase from 2013). The scope of China's Internet presence has helped Chinese companies like Alibaba and Tencent become behemoths in the online world.

Foreign technology companies find the significant and growing demand for tech services and devices in China irresistible, particularly since China's Internet space still stands on foreign-made technology. However, this demand also drives the Chinese government's overarching push to develop indigenous high-tech industries and eventually become innovative itself. Moreover, as a result of China's exploding online population, China's network security concerns have grown, creating a need for online security technologies that China eventually could develop domestically.

The Problems

As China's online economy surges, the government is encountering many of the same network security challenges that other countries face. However, China also faces its own particular challenges. The country's increasing Internet population means that the scale at which China must strictly monitor and control the information disseminated online, particularly via social media outlets, is growing substantially. Thus, China has a pressing need to continue developing technologies to control such a large online crowd. China has already created control strategies such as the "Great Firewall," which controls China's cyberspace links with the global Internet, and the Green Dam, a software package installed on personal computers to monitor online activity.

As attractive as China's Internet population is to both domestic and foreign firms trying to meet the growing demand, it is also an attractive target for both domestic and foreign criminals. By some estimates, the proliferation of malware on Chinese computing devices is among the most extreme in the world. In a 2014 report by Panda Security, China's malware infection rate was estimated at 49 percent, the highest of countries listed in the report.

The Chinese are significant targets of cybercrime. A common form of cyberattack used to steal personal information, login credentials and deploy malware is known as "phishing." Phishing is a tactic in which an attacker attempts to coax an unwitting victim into visiting a malicious website, often through e-mails that entice users to visit a link. A critical component of such an attack often involves registering an Internet domain name to point to a compromised or malicious server. According to a study by the Anti-Phishing Working Group, of the 27,253 malicious domain registrations around the world in the second half of 2014, 84 percent were registered specifically to phish Chinese Internet users, particularly individuals using Taobao, the Industrial and Commercial Bank of China, the Bank of China and Alipay services.

A significant contributor to these security issues is the substantial proliferation of pirated software. According to one estimate, 74 percent of software installed by Chinese users is unlicensed (compared to 18 percent in the United States). Virtually all mainstream software platforms, from operating systems like Microsoft Windows to graphics editors such as Adobe Photoshop, are pirated through end users and Chinese vendors. Users of pirated software often are cut off from critical security updates, increasing the risk of being targeted for cyberattacks including the use of malware. Given the high rate of unlicensed software and the large population of Internet users, China is ripe for lone actors and organized crime to target with malware.

Foreign states, particularly the U.S. government, also pose a substantial threat to China as cyberespionage escalates year after year. Online espionage has led to Beijing's growing distrust of foreign-made devices and software. The classified documents leaked by former NSA contractor Edward Snowden bolstered this distrust by revealing that the United States had compromised widely used software packages and networking devices prior to their export to foreign countries. This tactic is a particular concern for China given its reliance on foreign-made technology to prop up its cyberspace. However, China is constrained by its relative lack of domestic high-tech capabilities.

China's Strategy

The recent national security law is the latest step in China's efforts to bolster its defenses in cyberspace, and one that further legislative announcements are likely to follow in the coming months. The law essentially calls for the combination of China's ambitions in the technology sector with its network security needs. To accomplish this, China intends to leverage the factors that make network security a more important priority — namely, China's enormous Internet presence and market, which attracts foreign technology companies, and its distrust of foreign-made technology, which raises demand for alternatives.

China's efforts to become an innovator in information technology reach back more than a decade; connecting those efforts with network security is more recent. In February 2014, President Xi Jinping assumed the role as head of the newly created Central Internet Security and Informatization Leading Group charged with overseeing China's national cybersecurity. During Xi's assumption of the role, he likened network security and the development of indigenous information technology to "two wings of a bird and two wheels of an engine."

Following the creation of the Central Internet Security and Informatization Leading Group, the government aimed to exchange foreign-made technology with domestically built technology in its banking sector, military, government agencies and state-owned enterprises. In September 2014, the China Banking Regulatory Commission mandated that by 2019, 75 percent of Chinese financial institutions' information technology infrastructure would rely on "secure and controllable" technologies, implying a switch to domestic technology or the use of foreign technology for which the government has thorough access to the associated intellectual property. However, the mandate has since been delayed, probably in part because of foreign pressure but also because Chinese-built systems are simply not effective yet and would even likely increase security vulnerabilities.

To shed its dependence on foreign-made technology, China will have to develop its high-tech industry to the point of becoming an innovator itself. China's efforts to combine domestic innovation and cybersecurity have worried many foreign tech firms operating in China, which see the strategy as an indicator that China will become even more aggressive in acquiring sensitive intellectual property to drive the development of its domestic industry. China is going through the typical stages of development for East Asian economies: first exporting low-end manufactured goods, then moving into middle-end manufacturing while licensing foreign technology, next imitating or developing technology independent of licensing, then focusing on middle- and high-end manufacturing before finally beginning its own innovations. In some sectors, such as building low- and high-end servers, China has already begun its attempts to compete with foreign companies in the domestic market through Chinese companies like Inspur, which is using fears of foreign technology bolstered by the Snowden leaks to persuade Chinese consumers to move away from its competitor, IBM.

In another example of China attempting to push away foreign technology, China banned the installation of the Microsoft Windows 8 operating system on government computers in May 2014. It should be noted that Snowden's documents specified that Microsoft allowed backdoor access to encrypted communication in its Outlook.com service. Beijing would have been aware of this for at least a year before banning Windows 8.

China's need to boost cybersecurity and eventually begin serving its own technology demands will motivate the country to become increasingly active in developing its domestic industries through overseas acquisitions of technology firms and through partnerships. To the ire of foreign firms, partnerships with foreign technology companies will serve China's strategy to "co-innovate" and "re-innovate" — in other words, to imitate or develop technology independent of licensing. Moreover, industrial espionage and intellectual property theft will continue. For many foreign technology companies, the sheer size of China's growing technology demands makes having a stake in the market a necessity. This limits companies' ability to push back against China's ambitions.

The revelations from Snowden's documents and growing network security concerns give China a pretext to push foreign partners to further disclose sensitive intellectual property and possibly even to install backdoors. In this way, China will be able to accelerate its progress toward developing its own domestic technology sector, giving domestic firms the ability to meet the country's demand for technology while greatly improving China's cyberdefense capabilities.