March 26, 2018
At the conclusion of the annual National People’s Congress last week, China’s State Council announced that the Central Leading Group for Cybersecurity and Informatization, created in 2014, has been upgraded to the Central Commission for Cybersecurity and Informatization. Like the Leading Group before it, the Commission is responsible for ensuring security and promoting Chinese government interests in cyberspace and the digital economy, but the upgrade is more than cosmetic and has the potential to clear bureaucratic thickets and advance stalled priorities.
The cyberspace and informatization authorities were one of several central leading groups upgraded to commissions last week. Two others—on foreign affairs and financial and economic affairs—are long-standing bodies, and one—on comprehensively deepening reform—was another recent innovation. In all cases, the change increases their resources and power within the bureaucracy and signals President Xi Jinping’s priorities for the coming years. While cyberspace governance has always been a political priority in the Xi administration, the change consolidates the Party’s ability to supervise and regulate cyberspace despite the power struggles of lower-level bodies.
The Cyberspace Administration of China (CAC), China’s interagency regulator which has sat under the former Leading Group now sits under the Commission. CAC, established in 2014 along with the Leading Group, is central to understanding the pending power shift. CAC is an English name for a “one structure, two nameplates” agency operating as the government’s State Internet Information Office and the Party’s Central Commission for Cybersecurity and Informatization Office—organizations that a recent document clarifies are directly subordinate to the Party Central Committee.
Some implications of this move are clear, while others will become clearer as announcements are made about leadership roles and initial moves under the new status. Whatever happens, however, the new commission’s establishment shines a spotlight on cyberspace regulators and puts a variety of actors on alert for changes of pace and direction.
The significance of an upgrade from leading group to commission
The original Central Leading Group for Cybersecurity and Informatization was established in early 2014 after a period of debate within China’s senior leadership about how best to organize the bureaucracy around the key issues of cybersecurity and the digital economy. The leading group structure, often used to address a pressing shorter-term issue, is not typically designed to provide a permanent bureaucratic solution. In the case of cyberspace affairs, the top-level officials comprising the Leading Group itself met irregularly, and its secretariat CAC consistently lacked resources, even though its minister-level leader made waves at home and abroad.
Although CAC was central in the development of China’s emerging framework for cyberspace governance, arguably the most comprehensive in any country, it consistently ran into major bureaucratic struggles among powerful ministries unwilling to give up control over their equities on cyberspace issues. By upgrading CAC’s parent, the central leadership has sent a clear signal about the continued prioritization of cybersecurity and technology issues in its future policy direction.
In comparison to the Leading Group, which served as an interagency coordinating body for various ministries with a weak bureaucratic center of gravity of its own, the Commission is likely to be a more permanent and well-resourced body. Both the Commission itself and its Office, CAC, can expect to depend less on staff and resources loaned from relevant ministries and to exert greater authority over functional power centers across government.
This greater centralization of authority over cyberspace and digital affairs is not absolute, but rather a continuation of the process began in 2014 to more finely delineate specific roles for the various powerful ministries that play a role in cyberspace governance. Both the creation of the original leading group and its upgrade to commission status reflect an urgent priority among the senior leadership to settle turf battles among actors such as the Ministry of Public Security (MPS), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Propaganda. CAC emerged as both an interagency body and a power center of its own, and its elevation suggests it will have more influence. For instance, CAC is likely to play a stronger role protecting China’s “critical information infrastructure” and directing its technical censorship apparatus via the Great Firewall, while other key players will likely focus their efforts more narrowly. MPS will likely focus more on fighting cybercrime, protecting critical infrastructure via its multi-level protection scheme compliance framework, and regulating illegal virtual private networks (VPNs). MIIT will remain the lead for industrial standards and telecommunications infrastructure, and the announcement establishing the Commission specifically emphasizes MIIT’s continued role. Thus, a strengthened CAC still lacks absolute power, and mandates still overlap.
Prospects for membership and leadership of the new Commission
The composition of central leading groups, which sit under the Party Central Committee, is rarely officially made public, but it can often be ascertained by diligent analysis of news reports on meetings, promotions, and initiatives. For the cyberspace group, the Chinese website Guancha offered a membership list shortly after its initial establishment in 2014.
President Xi will likely remain nominally head of the commission but delegate real oversight to key trusted deputies, potentially including Premier Li Keqiang, Vice Premier Liu He, or Politburo Standing Committee Member Wang Huning. Liu has for years been a leading voice on cybersecurity and the digital economy as a means to increase China’s global competitiveness, and Wang—now thought to lead the propaganda and ideology brief—was the top leader dispatched to CAC’s World Internet Conference in December, giving a speech promoting digital economy development that DigiChina transcribed and translated. Xi’s chairmanship of the leading group beginning in 2014 was an affirmation of the importance he placed on media controls and the other national security aspects of cyberspace governance, and it highlighted his direct authority over cyberspace policy. Even if Xi does not formally head the new commission, his broader power ensures direct influence when desired.
Finally and significantly, the restructuring continues the trends of reducing the policymaking role of line ministries under the State Council and injecting the Party more directly into managing key sectors. Party authorities explicitly see cyberspace as crucial to both national and economic security. Xi has said that “without cybersecurity there is no national security, and without informatization there is no modernization”; his April 19, 2016, speech put cybersecurity front and center in Party priorities; and his October 2017 work report to the 19th Party Congress placed the digital economy at the forefront as the driver of future economic growth.
Will other bureaucratic changes be made to the Chinese cyber interagency?
The State Council announcement explicitly described one important initial move. CAC will now supervise the National Computer Network and Information Security Management Center (NCNISMC), which had previously been supervised by MIIT. NCNISMC, which is closely associated or essentially coterminous with the National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT or CNCERT/CC), is responsible for developing tools to support the “Great Firewall” Internet censorship systems. This brings a key element of the Party’s censorship apparatus underneath the Commission, and also may reduce some of the overlap between the responsibilities of MIIT and MPS in the cyber domain. NCNISMC will also likely play a major role in protecting critical information infrastructure as designated under the Cybersecurity Law.
Over time, it is likely that other MIIT elements and cybersecurity departments from other ministries will be re-subordinated to the new commission. MIIT’s role in the cyberspace policy interagency appeared to have weakened already with the creation of the leading group and CAC, and these latest changes further this shift. The language of the announcement stressed that “MIIT remains responsible for coordinating the construction of telecommunications networks, the Internet, specialized telecommunications networks [meaning Party and government classified networks], and leading technological innovation and technological progress in the telecommunications sector.” MIIT has continued to maintain a role in cybersecurity, even after two of its cyberspace-related bureaus were placed under the newly formed CAC in 2014, but its scope of responsibility appears to have further narrowed.
NCNISMC’s move out of MIIT also raises questions about the international cooperation prospects for the closely associated CNCERT. On the one hand, any cooperation among CERTs internationally would interface with a more powerful layer of the Chinese political system; on the other, greater centrality may risk greater politicization in a field where technical cooperation can often be helpful despite political tensions.
How will the move impact the Cyberspace Administration of China?
Arguably the biggest winner in the reorganization is CAC, which has experienced some turmoil over the past several months in the wake of a major discipline inspection report that resulted in the expulsion from the Party of former CAC Minister Lu Wei. In addition, a late December 2017 NPC report on the implementation of the Cybersecurity Law was fairly scathing in its criticism of CAC. Current Minister Xu Lin has been rumored to be on the replacement list for some time, and it is likely he will depart CAC during the staffing reshuffles that follow the National People’s Congress.
CAC, as established in 2014, developed intense rivalries with MIIT and MPS that have proved a major obstacle to filling out the framework for cyberspace regulation outlined in the 2017 Cybersecurity Law. Upgrading CAC’s parent to commission status promises to help break that logjam by further centralizing cyberspace policymaking. Specifically, CAC is likely to commit renewed effort and resources to its technical and cybersecurity work, bringing it on par with the media content control side that has so far been the focus of enforcement of the Cybersecurity Law. Xu, like Lu before him, came out of the propaganda system, and the background of Xu’s successor will be a key indicator of how CAC will prioritize work going forward. If his successor comes from a more technical and security background, this will signal that the national security aspects of cybersecurity will now be prioritized.
At the international level, disputes over primacy have complicated Xi’s efforts for China to gain a voice in international fora and push his agenda as part of “building China into a cyber superpower.” It remains unclear how the reorganization will affect the role of the Ministry of Foreign Affairs (MFA) in the cyber interagency, but it is likely that the commission will also seek to ensure interagency unity in approaching the many upcoming challenges for China in cyber diplomacy. The MFA, for example, has appeared to isolate CAC from international outreach affairs, while the international roles of both the CAC and the MFA have been constrained at times by the intervention of the security apparatus on matters of priority importance—such as the 2015 U.S.–China presidential agreement on cyber-enabled intellectual property theft. In that case, Xi chose to send security chief Meng Jianzhu to the United States to deal with the Obama administration, cutting out both CAC chief Lu Wei and MFA leadership.
In summary, elevating the Leading Group to commission status increases the throw weight of China’s central cyberspace regulators. The Commission’s leadership composition, early personnel decisions, and initial moves will help answer many of the still-open questions over the coming weeks in policy areas relevant to a wide variety of Chinese and international actors.
Appendix: Translation of Relevant Passages on Upgrading Central Leading Groups to Central Commissions“(4) The Central Leading Group for Comprehensively Deepening Reform, the Central Leading Group for Cybersecurity and Informatization, the Central Leading Group for Finance and Economics, and the Central Leading Group for Foreign Affairs Work are transformed into commissions. In order to strengthen the Party Center’s concentrated and unified leadership over major work affecting the overall picture of the Party and State’s undertaking, strengthen policymaking and comprehensive coordination functions, the Central Leading Group for Comprehensively Deepening Reform, the Central Leading Group for Cybersecurity and Informatization, the Central Leading Group for Finance and Economics, and the Central Leading Group for Foreign Affairs Work are transformed into respectively the Central Commission for Comprehensively Deepening Reform, the Central Commission for Cybersecurity and Informatization,* the Central Commission for Finance and Economics, and the Central Commission for Foreign Affairs Work, these will be responsible for top-level design, overall arrangements, comprehensive coordination, general progress, and the supervision of implementation in corresponding areas. The four Commissions’ administrative bodies will respectively be the Office of the Central Commission for Comprehensively Deepening Reform, the Office of the Central Commission for Cybersecurity and Informatization, the Office of the Central Commission for Finance and Economics, and the Office of the Central Commission for Foreign Affairs Work.
“(16) Optimizing the duties of the Office of the Central Commission for Cybersecurity and Informatization. In order to safeguard the security and interests of national cyberspace, the National Computer Network and Information Security Management Center is reassigned from Ministry of Industry and Information Technology (MIIT) management to management by the Office of the Central Commission for Cybersecurity and Informatization.
“MIIT remains responsible for coordinating the construction of telecommunications networks, the Internet, and specialised telecommunications networks, for organizing and leading technological innovation and technological progress in the telecommunications sector, for providing guarantees for the National Computer Network and Information Security Management Center’s infrastructure construction and technological innovation. The management structure, main responsibilities, and personnel allocation of telecommunications management bureaus established under all provincial (autonomous region and municipal) governments are maintained without change.”
* Translators’ note: Official Chinese media translate the new commission’s name as the Central Commission for Cyberspace Affairs, but this translation omits the important development theme of informatization that shapes the body’s responsibilities. Thus we follow the Chinese-language version in highlighting both cybersecurity and informatization.