While China’s political and academic discourse on cybersecurity uses many of the same concepts as other countries’, the notion of deterrence is largely missing from its vocabulary. This can be explained by China’s relative vulnerability to cyberattacks: deterrence through denial lacks credibility and deterrence through punishment would be counter-productive. China has chosen instead to promote an international convention on interstate conduct in cyber affairs that would prevent severe attacks on China while making it possible to conduct cyber espionage without major repercussions. The EU should examine the factors behind China’s thinking on cyber deterrence when it considers the feasibility of its own cyber policies.
China’s overall cyber strategy
The People’s Republic of China’s white papers on national defence emphasise the importance of cyber capabilities to both China’s military strategy and intelligence activities, but in neither context is the focus on deterrence. For a long time, China’s cyber espionage activities were focused on gathering information with economic value to its industrial and military complex. This policy began to shift around the mid-2010s. The revelation of severe deficiencies in China’s own cybersecurity by the Mandiant report and the Snowden leaks likely contributed to this change. However, as in many other fields, the greatest impact can be traced to Xi Jinping. He oversaw the production of a cyber strategy for China, and in announcing it made a single reference to the enhancement of ‘cybersecurity defense and deterrence capabilities’. Cyber defence has also become its own branch of the People’s Liberation Army (PLA) as part of a large-scale military restructuring under Xi. This restructuring has been accompanied by legislative reforms related to cybersecurity and terrorism that have affected China’s cyber policies both domestically and internationally.
China’s overall cyber strategy works towards three types of aims:
1) the PLA’s military defence and offence capabilities in the cyber realm,
2) economic benefits through industrial espionage, and
3) maintenance of domestic security.
The informatisation of warfare has been a key factor in China’s military doctrine since the 2000s, under the label integrated network electronic warfare. In line with developments in contemporary conflicts, this has been supplemented by asymmetric and hybrid forms of waging war. The PLA’s Strategic Support Force has been tasked with developing China’s offensive cyber capacities and defending China’s military and state assets.
With regard to the economic aims of China’s cyber strategy, Xi’s path has been to reduce the role of industrial espionage in favour of political intelligence, aligning China’s conduct with that of the other great powers. Indeed, Xi’s stated goal is to make China a cyber power and a leader in many fields of technology. Copying and stealing technologies won’t get China there. This shift is also evident in the publicly identified activities of China-affiliated advanced persistent threat (APT) groups. While China’s brand is shifting away from economic espionage, it still largely avoids the use of damaging cyber capacities, with the exception of displays of its potential.
Finally, China’s third aim, maintaining domestic security, has included the development of the world’s most efficient surveillance and dataveillance system, which is directed at China’s own citizens. These systems deploy facial recognition and wide-scale censorship activity to target both potential violent terrorist activities and political dissidence. While China is connected to the worldwide internet, it also has the ability to isolate itself and prevent most of its netizens from accessing information freely. These systems are in place to guarantee the security of the Communist Party (CCP), but they have also made online China doubly vulnerable. Because citizens cannot be allowed to have secure communication that prevents intervention, Chinese citizens and small businesses have very low levels of cybersecurity systems in place. Chinese cybersecurity education, industry and culture are all underdeveloped. This has made China very vulnerable to international cyberattacks as well as espionage.
Indeed, China’s vulnerabilities in the cyber realm can be traced to particular features of its political order and politics of technology. China’s primary concerns have been deterring dissident political views and preventing the formation of political competitors to the CCP. The internet and other networks have been built on technological infrastructure that enables the Party to control and modulate flows of information online. A pre-requisite for this has been to deny individuals strong information security capacities. This has made the culture of Chinese cybersecurity very weak, and is a significant hindrance to cyber resilience.
Chinese academic discussion on cyber deterrence
The Chinese politics of technology have resulted in an underdeveloped private cybersecurity culture of both users and companies that specialise in cybersecurity. Academic research and education on cyber issues reflects this, despite Xi Jinping’s calls for China to become a cyber power. The lack of academic interest in cyber deterrence is particularly striking: there are only three Chinese academic articles on the topic, all of which were explicitly inspired by the 2015 white paper on China’s military strategy. They make a clear link between nuclear and cyber deterrence, as the Chinese command and control system of its nuclear forces could be hacked. As with its nuclear equivalent, they see deterrence as stemming from capabilities, and believe it rests on mutually assured destruction. One even suggests the development of a ‘cyber nuke’. To achieve effective deterrence, the authors recommend the show of resolve through policy statements. At the same time, the articles suggest that China must improve its resilience to cyberattacks by cooperating with private enterprises. They also recognise that the US has a significant lead in this field, and is able to monitor Chinese activities.
While the few papers that exist on Chinese cyber deterrence connect it directly to nuclear deterrence and a military confrontation with the US, China’s official policy emphasises the peaceful use of cyberspace, in line with its overall foreign policy proclamations. China does have the ability to close its connections to international networks and rely on its own Chinese version of the internet. However, in a scenario in which China used this ability to respond to a cyberattack, it would prevent most Chinese citizens from accessing outside information, but opponents’ cyber capabilities would already be through the gate and able to wreak havoc. To prevent this from happening, China argues for the demilitarisation and desecuritisation of cyberspace. While China emphasises the enhancement of its cyber capacities both in terms of defence and offence, the official line makes a clear distinction between kinetic war and cyber ‘unpeace’. This also includes China’s continuous repetition of the notion of cyber (or internet) sovereignty. Overall, China has consistently insisted on non-interference in the internal affairs of all states. This notion expands this to include the internet and other information networks where states should have full control over them thus expanding the idea of territory to the cyber realm.
Making sense of the lack of Chinese cyber deterrence
Deterrence as a concept appears in Chinese white papers on the tasks of its nuclear and other military forces, but cyber is conceptualised in terms of security rather than deterrence. In contrast, cyber deterrence is prevalent in US policy documents, and the EU also promotes its own take on it.
However, China’s approach is not an oversight: it’s consistent with the country’s overall foreign policy statements, and makes sense in light of China’s vulnerability in this domain. Chinese society has become more reliant on cyber technologies than even the US or Europe. While China does not rely on US companies like Facebook and Twitter because it has developed its own equivalents, their base technology and source code came from the US. This makes them vulnerable to compromise. At the same time, everyday life in China – things like medical appointments, payments and travel – is far more reliant on networked technologies than in almost any other society. Any disruption would be extremely costly, not only in terms of the disruption caused to people’s lives, but also because of how it would undermine the political credibility of the Party.
For example, Russia is not as domestically reliant on cyber technologies as China. This has allowed it to be more reckless in its external cyber activities. As China is both vulnerable and highly dependent on its domestic cyber systems, this likely dissuades China from being as aggressive internationally and incentivises it to emphasise the non-militarisation of cyberspace. The situation is similar to the deterrent effect strong economic interdependence is thought to have. At the same time, China needs a safe domestic cyber realm because the main threats to its political security are domestic rather than foreign.
In light of this, China’s position on strong internet sovereignty and the establishment of a new international treaty that would codify the conduct of cyber operations seems coherent. This line places China closer to Russia and directly counter to the position of the US, which supports the application of pre-existing international law to the field of networked information spaces. As in its international politics overall, China is against the militarisation of such networks and promotes the view that states should respect the sovereignty of others and not interfere in their internal affairs. This view does leave room for conducting non-damaging intelligence gathering and low-level interference such as DNS attacks.
The EU should take China’s situation and its rationalisation into account when contemplating its own cyber policies, both with regard to deterrence and an international treaty on states’ cyber conduct. As the Chinese discussion and position show, even in the cyber realm, deterrence has a military connotation that does not fit well with the EU’s vision of itself as a normative power. Indeed, the militarisation of cyberspace is not in the interest of the PRC, and it is not in the interest of the EU either.
About the Author
Dr Juha A. Vuori is professor of International Politics at Tampere University. His research interests include the politics of security, nuclear weapons and cyber deterrence. Most of his empirical research has been on Chinese politics. He is currently the PI of the Academy of Finland Consortium Security in China.