China’s Ministry of Industry and Information (MII) has revealed a new draft cybersecurity policy detailing a three-year plan to develop the country’s capabilities. But though the document states that changes in the security of 5G, cloud computing and artificial intelligence are vital for China to achieve the necessary level of protection for its digital assets, detail around how it will implement these changes and build a cyber workforce is lacking.
The release of the draft policy on Monday came following a series of cybersecurity measures undertaken by the Chinese government to uphold the sovereignty of its data. New cybersecurity rules were released by the country’s primary internet regulator, the Cyberspace Administration of China (CAC), on Saturday, and last week the watchdog launched a cybersecurity review into China’s main ride-hailing app, Didi, days after it debuted on the New York Stock Exchange.
What does China’s the draft cybersecurity policy mean?
China’s draft security policy calls for more secure networks and upgrading of infrastructure in critical sectors, including energy, finance, transport, health and education. It prioritises strengthening the network security in 5G, cloud computing, artificial intelligence and other emerging technology fields, noting that “further optimisation of data security management” is needed in order to “strengthen the research and application of data security technology”. China’s cybersecurity industry could be worth more than 250bn yuan ($38.6bn) by 2023 according to the document.
“While the policy states clearly how the MII would like the country’s cybersecurity posture to improve, the draft lacks detail in how these improvements would be implemented,” explains Greg Austin, senior fellow for cyberspace and future conflict at International Institute for Strategic Studies think tank, and author of the book Cyber Security Policies in China. “They’re basically saying ‘we need to increase the number of cybersecurity graduates, we need to increase the areas of coverage in the industry and we need to make sure it’s capable of dealing with all of the modern technology’.”
The clearest path towards the projected level of improvement detailed in China’s draft cybersecurity policy is through increasing training in cybersecurity in China’s education system, says Austin. However, there is little indication that this has been included in the strategy. “China needs to make big reforms in a lot of areas, but it is not prepared to detail and direct and drive the education systems,” he says. “Talent team building is one of the areas where China’s security industry has fallen down considerably and there are some recommendations there, but if you look at what [the new policy] says about talent, it’s very general.”
According to Austin, this approach is not unusual within the realms of Chinese policy. “It’s what you might call a typical Chinese government mobilisation document,” he says. “No target, no detail, no commitment of expenses or expenditure, but wanting all of the outcomes. I think there’s an increasing opinion that the policymaking in a lot of tech areas is becoming weaker, not stronger.”
What’s more, though the draft has been released in part to stimulate investment, and Austin says this tactic has not proved successful in the past. “It’s a familiar story for China,” he explains. “It finds itself deficient in something, the government announces a strategy to try to stimulate investment but not everybody is rushing to invest.”
The Chinese cybersecurity industry has catching up to do
If implemented, the plan could hand a boost to the cybersecurity industry in China, which is small compared to the US and other Western countries. In fact, its lack of scale may be a contributing factor to the new policy launch. “The Chinese industry is only a fraction of the size of the US industry,” says Austin. “It has been expanding but it has far fewer firms, particularly global cybersecurity firms.” This is partly because “cybersecurity firms in the West were already well established, fighting viruses and all sorts of things before the Chinese cybersecurity sector really kicked off,” Austin says.
This lack of a developed security ecosystem is perhaps in part down to the low percentage of the Chinese population which has had access to the internet. But as more citizens get connected and services move online, the need for cybersecurity infrastructure is growing.
According to China's five-year economic plan released last year, the country aims to accelerate the development of technology to make it a global technology powerhouse, according to analysis by data research business GlobalData. "To achieve technological advancement, China needs to strengthen its diplomatic ties to boost trade and create new trade opportunities," it states. "To make China more self-reliant in technology, this economic plan is based on three pillars; reform, opening up and innovation."
The cybersecurity policy released this week addresses both reform and innovation. However, even with a substantial policy change, the country has a lot of work to do to become competitive with Western countries, particularly the US, concludes Austin. "This draft strategy, if implemented, will help concentrate their minds, but there's a long way to go," he says.