What to Make of the Newly Established CyberSecurity Association of China

The People’s Republic of China (PRC) is moving at breakneck speed to develop the institutions, as well as legal and regulatory mechanisms, necessary to strengthen cyber governance. This policy trajectory has been particularly evident during the last few months, a period that featured:

  • President Xi Jinping’s speech on cybersecurity to a meeting of the Leading Small Group (LSG) for Network Security and Informatization;
  • The National People’s Congress announcement that China’s Cybersecurity Law will go through a second reading (three readings are required for passage) this June;
  • And the State Council’s public notification of work being done on laws related to encryption and critical infrastructure, two hot-button cyber issues.

With all these changes, the creation of the CyberSecurity Association of China (CSAC; 中国网络空间安全协会 ) on March 25 has received far less attention. Yet the CSAC is important, not only as a prominent example of President Xi and his chief cybersecurity deputy Lu Wei’s quest to align government, industry, and academia around a shared set of cyber-governance objectives, but also as a force for shaping both the present and future of Chinese cybersecurity policy and the PRC’s engagement with international stakeholders on cyber issues.

This commentary contextualizes the creation of the CSAC within China’s broader drive to strengthen cyber governance and explores the purpose of the CSAC by looking at its mandate and stakeholders. We then assess early indications of its intentions and identify coming signposts to watch in order to gauge the impact of its establishment.

CSAC in Context: China’s Drive to Strengthen Cyber Governance

The creation of the CSAC is but the latest element of the Chinese government’s rapid construction of a system of institutions, laws, regulations, and policies aimed at strengthening cyber governance . Indeed, the CSAC is a direct extension of two other recently created Chinese institutions, the LSG and its functional office, the Cyberspace Administration of China (CAC), into the realm of industry, academia, and research institutions. The LSG, a party entity chaired by President Xi himself, exerts ultimate authority over the CAC. Along with the construction of these institutions, the government has produced at least a dozen separate but mutually reinforcing laws, regulations, and policies (some passed; many still pending) meant to enhance cybersecurity. This combination of institutions, laws, and policies is quickly fleshing out the skeleton of the Chinese cyber-governance mechanism. The table below gives a snapshot of the most recent entities and rules that extend an already existing regulatory framework.

The Purpose of the CSAC: Mandate and Stakeholders

Within this context, the creation of the CSAC, a Chinese Communist Party (CCP)–controlled industry association, connects the major stakeholders in China’s evolving cyber-governance regime—government, the private sector, and researchers. Thus, its establishment aligns with the broader effort by President Xi to consolidate and centralize power over the cybersecurity political bureaucracy.

Initial statements about the CSAC’s mandate suggest that its work will focus on cyber governance from the perspectives of law, technology, industrial development, and public information and social stability. More specifically, Fang Binxing, chairman of the CSAC, has indicated in interviews that the association’s efforts will fall into the following topical baskets:

· Laws and regulations helping to build out the new information and communications technology (ICT) legal regime

· Technology support helping to boost the domestic ICT industry

· Public opinion supervision to help in information control and propaganda

· Security and stability of information systems, products, and services (conventional cybersecurity)

· Protecting core Chinese interests under globalization, and promoting globally competitive Chinese IT companies

The combination of these diverse goals under the umbrella of one association, the CSAC, underscores a trend that started with the creation of the LSG: President Xi is tightly tying together the political bureaucracies overseeing ICT (hardware and software) and digital content (propaganda system).

CSAC Impacts: Early Signs and Coming Signposts

It remains too early to predict the effect the CSAC will have on Chinese cybersecurity policy or Chinese engagement with international cyber-governance efforts. However, a number of factors provide insight into the CSAC’s possible impact on these arenas, including the CSAC’s leadership and the constitution of its general membership.

CSAC Leadership and Membership

There are two principal concerns regarding the CSAC’s makeup:

1. Its chair, Fang Binxing, is best known as the “Father of the Great Firewall,” China’s Internet censorship and surveillance system;

2. There are no non-Chinese representatives among its initial 257 members.

The selection of Fang as head of the association implies that the organization will have, like Fang himself, a hardline, or nationalistic, orientation. Fang has done little to alter this image in the CSAC’s early days. Quite the contrary, in a recent interview about the association, Fang justified favoring Chinese companies over their (possibly) technologically more sophisticated foreign competitors on the grounds that they are more secure since they are bound by local government laws. This statement captures a broader trend in China’s evolving ICT policy environment: linking security with a product or service’s Chinese origin.

The constitution of the CSAC’s membership is also likely to raise eyebrows internationally. CSAC features 257 individual members, including senior representatives from Chinese Internet champions like Alibaba, Chinese network security companies, and influential scientific universities and research institutes, such as the Chinese Academy of Engineering and the Beijing University of Posts and Telecommunications. Of these 257 members, there are no non-Chinese entities.

What to Look for Next to Gauge CSAC Impact

The optics of the CSAC do not augur well for the development trajectory of cyber governance in China. Yet the book on the CSAC’s ultimate impact has hardly been written. Moving forward, several signposts will point to CSAC’s overall influence and direction.

1. Will the CSAC be opened to international representatives?

Sources in Beijing indicate that the CSAC’s broader leadership team is of two minds on the value of opening the association to foreign participants. Such an opening would align with the recent actions of other key Chinese information security institutions, such as the China National Information Security Standards Technical Committee (TC260). Whether it occurs will be an important factor in determining its intentions and impact.

2. How will CSAC’s international relationships and engagements shape its vision and mandate?

With the creation of the LSG and CAC, Beijing has for the first time an institution that can engage in international cyber diplomacy at more senior levels. Previously, the cybersecurity bureaucracy had been fragmented among players and agencies who lacked authority to engage in a meaningful capacity with international counterparts. Such engagement will prove more important than ever as the Xi administration seeks to expand its global influence in shaping the rules and norms of Internet governance. As part of this broader effort, the CSAC will be the lead in engaging with the international industry, academic, and research associations that constitute the global cyber-governance ecosystem. Indeed, they have already begun these engagements, with a recent forum in Moscow where Lu Wei and Fang told a receptive Russian audience that greater “cyber sovereignty” is needed and a visit to the Information Technology Industry Council (ITI) in Washington, D.C., completed last week. Thus, while the CSAC is currently an organization closed to international stakeholders, its work will very much include regular interaction with these institutions and individuals. These interactions should be watched closely for evidence of how the CSAC is evolving, both in its vision and mandate.

3. What will be the relationship between CSAC and CAC?

It is not clear whether CSAC will simply take marching orders from the CAC and the LSG or whether it will provide substantive input to decisionmakers in these higher-level bodies. Will the CSAC members from private industry, for example, have an opportunity to use this as a new channel to shape policy? Or does their participation simply allow them to demonstrate to government stakeholders that they support ideas and initiatives like Internet sovereignty and Internet Plus? If the former proves true, and influence flows back and forth between CSAC and CAC, then both the impact and the implications of CSAC’s existence will prove far different than if it is in place merely to magnify the party’s established views on cyber governance.

4. How will the CSAC facilitate the development of China’s ICT legal and regulatory regime?

As the pace of new ICT-related laws and regulations picks up this year and next, CSAC’s role in the build out of this new framework remains unclear. We will focus subsequent commentaries on the politics and implications of these coming regulatory developments.

Conclusions

With the creation of the CSAC, the intertwined matrix of Chinese cyber-governance institutions, laws, and policies has a new constituent. The ultimate effect of this constituent on cyber governance—in China and internationally—remains to be seen, but the breadth of its mandate, the endorsement of the CAC, and the swiftness with which it has begun its work make it an organization every international cybersecurity analyst and stakeholder should watch closely.

Samm Sacks is an adjunct fellow with the Strategic Technologies Program at the Center for Strategic and International Studies, and a senior analyst for China at the Eurasia Group, in Washington, D.C. Robert O’Brien is a senior cybersecurity strategist at Microsoft Corporation. The views expressed in this article are the authors’ own and do not necessarily reflect the position of any affiliated organization.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2016 by the Center for Strategic and International Studies. All rights reserved.

Samm Sacks

Robert O’Brien