The Defense Department released its annual report to Congress on Military and Security Developments Involving the People’s Republic of China 2013. Besides being delivered relatively early compared to past editions and being almost twice as long as the 2012 version, this year’s version has at least three interesting points about Chinese cyber activities.

First, as many have noted, the sharpest break from the past is that the report directly ascribes blame for cyberattacks to the Chinese government and military, saying, “numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military.” The 2012 report, by contrast, speaks of attacks “which originated within China” and active and persistent “Chinese actors.” The 2011 report describes cyber intrusions, “some of which appear to have originated within the People’s Republic of China (PRC).” The 2010 report seemed to split the difference, stating it was “unclear if these intrusions were conducted by, or with the endorsement of, the People’s Liberation Army (PLA) or other elements of the PRC government.”

Second, as David Sanger notes in the New York Times, the report tries to describe Chinese thinking about offensive cyber operations by citing two works of military doctrine, “Science of Strategy” and “Science of Campaigns.” This is not new—the 2011 report mentions them by name, while the 2010 report uses the same phrase “authoritative PLA military writings.” Sanger uses the report’s claim that neither Chinese document “identifies specific criteria for employing computer network attack against an adversary” to turn the mirror back on its authors, and note that the Defense Department has also been opaque about the conditions under which it would employ offensive capabilities. This lack of transparency is extremely destabilizing; the military doctrine of both countries emphasizes the importance of early attacks to gain information dominance, creating intense pressure to “use it or lose it,” but there is little knowledge of the other sides’ red lines and how they might escalate.

Third, despite the announcement of a U.S.-China working group on cybersecurity during Secretary of State John Kerry’s visit to China, and General Fang Fenghui’s declaration that China was willing to set up a cyberserurity “mechanism” during a meeting with chairman of the Joint Chiefs of Staff, General Martin E. Dempsey, the report does not give much reason for optimism that the two sides will find common ground on the rules of the road. For the first time, the report calls China out for playing a “disruptive role in multilateral efforts to establish transparency and confidence building measures in international fora such as the Organization for Security and Cooperation in Europe, Association of Southeast Asian Nations Regional Forum, and the United Nations Group of Governmental Experts.”

Mistrust between the two sides was always going to make cooperation hard. The week before General Dempsey’s visit, the PLA Daily ran a piece with the headline, “U.S. Cybersecurity Strategy is Fake Cooperation and Real Confrontation.” Playing a spoiler in international meetings, however, suggests how broad and deep the divide really is.

A few days after the New York Times, Wall Street Journal, and Washington Post all admitted that their computer networks had been attacked, apparently by China-based hackers, it seems fair to say that both sides agree the “naming and shaming” approach to the problem is not working. The United States can call China out, but it has no real affect on behavior.

In one of the interviews she did in her last days as secretary of state, Hillary Clinton said that “We have to begin making it clear to the Chinese—they’re not the only people hacking us or attempting to hack us—that the United States is going to have to take action to protect not only our government, but our private sector, from this kind of illegal intrusions.” But as Jack Goldsmith notes, the use of “begin” is puzzling: administration officials say they have raised the point with their Chinese counterparts numerous times before. Perhaps Clinton’s statement should be read with less emphasis on “making it clear” and more on “have to take action.” The National Intelligence Council is reportedly finishing a National Intelligence Estimate detailing the cyber threat, particularly from China, and suggesting concrete measures the United States may take, including cancelling visas and vetting “major purchases of Chinese goods through national security reviews.”

Several commentaries and an article in the People’s Daily all suggest that Beijing is not reacting to the public announcements with anything approaching shame. In fact, they all portray the claims as part of an effort to discredit China and distract from the offensive actions the United States is taking in cyberspace. The People’s Daily notes that while the United States is portraying itself as the “patron saint of the free Internet” it has plans to expand U.S. Cyber Command fivefold. He Hui, deputy director at the Communication University of China, argues that the claims about Chinese hacking are getting tiresome and in fact serve three alternate purposes: they raise suspicion about China’s rise in the United States and the rest of the world; help raise defense budgets, especially for cyber weapons; and justify protectionist trade measures against Chinese firms that are beginning to challenge the big American companies.

All of these articles suggest a real problem in the U.S.-China cyber relationship: it seems to be happening primarily through the media. Cyber has been a topic at the Strategic and Economic Dialogue and other more formal discussions. But these do not seem to be succeeding in either mitigating the problem or addressing the mistrust between the two sides. Today the New York Times reported that President Obama has broad powers to order a pre-emptive cyber strike; the PLA Daily retorts that the United States is using the military to respond to network challenges and could trigger a worldwide arms race. Unless we find a better medium than the major papers to signal our disapproval, the PLA Daily may be right.

Mr. President, as you look toward Asia in your second term, cybersecurity will be a grain of sand in the eye, a major irritant but not one that blocks the larger vision of what you hope to accomplish in the region. That grain, namely Chinese cyber espionage, is not going away any time soon, but there are things you can do to make it slightly less annoying. Moreover, many of the policies to mitigate the situation will overlap with other efforts to re-energize the U.S. presence and boost ties to allies and friends in the region.

There seems little hope that the speck of sand will just come out on its own. Cyber espionage attacks are accelerating, up 75 percent from 2011 to 2012, according to the Defense Security Service. Over the course of your first administration, numerous officials raised the issue with their Chinese counterparts. It was on the agenda at the 2012 Security and Economic Dialogue and was raised during U.S. Secretary Hillary Clinton’s meeting with Chinese Foreign Minister Yang Jiechi and U.S. Secretary Leon Panetta’s dialogue with Chinese Defense Minister General Liang Guangjie. It is time, however, for you to raise the issue, Mr. President. If you want the leaders in Beijing to think this really matters to the United States, you have to tell them yourself.

It may also be time to start showing the stick. In his October 2012 speech to Business Executives for National Security, Secretary Panetta suggested that the United States was making progress on attribution: “Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions…” There are bound to be some costs in showing how capable the United States truly is, but you should consider having your administration provide evidence that Chinese-based hackers are behind the espionage attacks. And once that evidence is public, policy makers can either consider trade sanctions or criminal cases against firms or individuals that benefit. The Department of Justice is reportedly preparing to indict hackers or state-owned enterprises that benefit from stolen intellectual property.

You can also lean more on our allies and friends. The Liberal Democratic Party is well placed to “reinforce cybersecurity as national security” in Japan. Revising the war contingency bill to include cyber attacks and enacting a law to protect classified information should make it easier for Tokyo to cooperate with Washington. South Korea will host the third International Cyberspace Conference (the first was in London, the second in Budapest), and the World Bank and Korea Communications Commission recently signed a deal for the joint development of a “Global Cybersecurity Center.” Delhi has announced a five-year plan to reform the country’s cybersecurity institutions as well as new cooperation with the United Kingdom and expanded dialogue with Japan on cybersecurity. The United States and Australia have declared that their mutual defense treaty applies to cyberattacks, and Australian Prime Minister Julia Gillard announced on Wednesday the establishment of the Australian Cyber Security Centre.

You need to do more capacity building. Many characterized the breakdown of the International Telecommunication Union (ITU) World Conference on International Telecommunications as the beginning of the “Internet cold war.” While it is true that there was a divide between those who support an open Internet and those who want more state control, not all of those who eventually signed the treaty did so for ideological reasons. Instead, they have real security problems, lack technical expertise, and see the ITU as a credible partner (signatories in Southeast and East Asia include Vietnam, Singapore, China, Indonesia, Malaysia, Thailand, Cambodia, and South Korea). The United States, along with Japan and Australia, has to provide an alternative through on-the-ground technical assistance.

In short, don’t avoid taking on China directly over cyber espionage, Mr. President, but don’t expect much from it either. The good news, however, is that there is much the United States can do with its friends and allies in the region.

With 2012 coming to an end, here are some of the larger trends to watch in Chinese cybersecurity in the upcoming year.

New institutions/bureaucratic reform. There are rumors that there will be another round of bureaucratic reforms in the spring. Chinese analysts have pointed out that one of the great weaknesses in their defenses is that institutional oversight of cybersecurity is fragmented and ineffective, and there is a low degree of information sharing between the government and industry. There have also been complaints that China lacks adequate strategic planning for information security. In the past, efforts at ministerial reform have been underwhelming, resulting in little more than shuffling around of titles. This CCID report, however, does make the interesting suggestion that China should set up an “information security agency” to better coordinate cyber strategy.

New threats. Chinese security specialists, like their counterparts in the rest of the world, are worried about the growth of malware targeting smartphones and other mobile devices. Mobile data traffic grew tenfold in 18 months in China, accounting for some 10 percent of total global Internet activity. This year China Mobile established the country’s largest information security center in Beijing, and recently the Ministry of Industry and Information Technology announced that it would regulate the Chinese app market.

More talking, little progress. After a steady stream of announcements from U.S. officials that Chinese hackers were engaged in the widespread theft of American intellectual property, cybersecurity is now a topic of discussion at almost all high-level bilateral meetings.  It was on the agenda at the 2012 Security and Economic Dialogue and was raised during Secretary Clinton’s meeting with Foreign Minister Yang Jiechi and U.S. Defense Secretary Leon Panetta dialogue with Defense Minister General Liang Guangjie. This month, at the 13th annual Defense Consultative Talks, Jim Miller, U.S. undersecretary of defense for policy, and Lieutenant General Qi Jianguo, deputy chief of the People’s Liberation Army general staff, stressed the need to avoid miscalculation on cyber, space, nuclear, and missile defense issues. On the positive side, there have been some articles in the Chinese press suggesting the need for crisis communication mechanisms, a hot line for the cyber age. On the negative side, all the talking and “naming and shaming” appear to have had little or no impact on the pace and scope of cyber espionage. In fact, the attacks are accelerating, according to Rear Admiral Samuel Cox, former director of intelligence for Cyber Command.

A coming cyber trade conflict? The report by House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member C.A. Dutch Ruppersberger (D-MD) on the national security issues posed by Huawei and ZTE unleashed a torrent of stories in the Chinese press on the cyber threat posed by Chinese dependence on Western technology companies, and Cisco in particular (see this magazine cover, for example, with Cisco as a snake). So far, the actual response has been fairly moderate. Some analysts have called for China to create a foreign investment review board, and China Unicom reportedly replaced Cisco routers for security reasons, though American industry analysts have told me that the move was scheduled for long before the issuance of the report, and at any rate China Unicom replaced Cisco with Nortel routers. Still, Huawei’s problems continue to multiply. India has said that it will examine the risks of using Huawei products, a European Commission report called for action against the company, and a British committee is expected to find that the company poses a cybersecurity risk. If any of these reports lead to trade or investment restrictions, the Chinese government may have no choice but to respond with its own sanctions against Western technology companies.

A two Internet world. A number of reports have characterized the U.S., UK, Canada and others’ decision to walk away from the World Conference on International Communications (WCIT) without signing an updates to a 1988 treaty on international telecommunications as the first clash in a digital cold war. On one side, the U.S. and its allies said they could not sign the treaty because they wanted to preserve the free, open model of Internet governance. On the other, Russia, China and many Arab nations believe that states should have a greater say in how the Internet is managed and more ability to control the flow of information over networks. For example, in response to the introduction of “human rights obligations” in the proposed telecom treaty, the Chinese delegation noted that the “security of the state” was an equally valid concern. The end of the WCIT does not end the discussion, and we can expect Russia, China, and other authoritarian states to continue to promote their state-centric views of cybersecurity and Internet governance.

China will announce its new leadership slate this week and the rest of the world will start scrambling, trying to figure out what the lineup means for the prospects of economic and political reform as well as the direction of Chinese foreign policy.

It is hard to know what, if any, impact the political succession will have on Chinese cyberspace policy. Despite the claim in a State Department cable published on WikiLeaks that Politburo members Li Changchun, the propaganda chief, and Zhou Yongkang, China’s top security official, coordinated the hack on Google, we do not have a clear vision of what the top leadership thinks about cybersecurity and cyber power. The incoming leaders do have policy experience, probably more than their predecessors. Li Keqiang, who is expected to be named Premier, chaired the National Network and Information Security Coordination Small Group, and Zhang Dejiang (possibly chairman of the National People’s Congress) and Liu Yunshan (Li’s successor as propaganda head) both served on the group, which drafted and approved major cybersecurity-related policies and national strategies. The group was briefly disbanded and later reconvened, but there have been no public reports of it meeting for several years.

Xi Jinping and the rest of the new leadership are likely to continue and deepen China’s development as a cyber power. Hu’s report to the National Congress is in part about his legacy, but also lays out some hints of how the Party sees the future. And cyber plays a more prominent role than in past reports. Hu Jintao’s 2007 report mentioned the management of the Internet (网络管理), the informatization of the People’s Liberation Army (信息化, greater use of information technology in modernization, support, and warfighting), and “non-traditional” security threats, but does not specifically mention cyber or information security. His 2012 report repeats the discussion of Internet management and informatization, but also admonishes China to “attach great importance to maritime, space, and cyberspace security.” This focus is reinforced by the promotion of Ma Xiaotian, who has cybersecurity expertise and experience, to head of the PLA Air Force. In a section on adjusting the economy, the report calls for setting up a trustworthy “information security system” (信息安全保障体系). And the report’s section on world trends notes network security along with food, resource, and energy security as important global issues.

We will have to wait and see if the new leadership has a different view of cyberspace and cyber power. As in all policy arenas, short-term change is highly unlikely as the new leaders consolidate their positions. I think it is unlikely in the mid-term as well. I suspect the top leadership is united in its view of cyberspace as an area of increasing global competition and that China must continue to develop its defensive and offensive capabilities.

Most of the attention generated by the report by Chairman Mike Rogers and Ranking Member C. A. Dutch Ruppersberger of the House Select Committee on Intelligence (HSCI) has focused on the issues of trade, trust, and Huawei’s and ZTE’s future access to the U.S. market. The report, however, should also be seen as another step in the effort to construct a coherent foreign policy response to cyber espionage.

The domestic agenda has revolved around three debates: the government’s role in setting security standards for the private sector; how the government and private sector should share threat information; and the respective roles of DHS and NSA in defending the private sector. The foreign policy component has been more difficult. Deterrence statements that the United States reserves the right to respond to a cyberattack through kinetic means are not credible in the case of espionage. The call for norms of behavior and rules of the road in cyberspace are applicable to the use of force and acts of war, but not spying. Moreover, the U.S. position, especially in regard to China, is basically that it should be able to continue what it is good at—political and military spying—while Beijing ceases something Washington prohibits by law—economic espionage.

The public foreign policy response to Chinese cyber espionage has been naming and shaming, and raising the issue at high level bilateral meetings. After months if not years of limiting themselves to saying that state-based actors were behind an attack without specifying which state, U.S. officials are no longer shy about calling out China, Russia, and others as being the culprits. The Office of the National Counterintelligence Executive called Chinese actors the “world’s most active and persistent perpetrators of economic espionage.” High level meetings, such as Secretary Clinton’s meeting with Foreign Minister Yang Jiechi and Secretary Panetta’s discussion with Defense Minister General Liang Guangjie, are now used to express American unhappiness with Chinese attacks.

These have not had the desired effect yet; Rear Admiral Samuel Cox, Cyber Command’s intelligence chief, recently said that attempts by Chinese hackers to steal corporate secrets have been growing. Now the HSCI report has suggested two additional steps: penalizing individual entities and increased intelligence community (IC) involvement in monitoring foreign private sector actors. The report is about Huawei and ZTE, but is also signaling to Chinese entities that if there is enough* open source and classified intelligence to suggest attacks on U.S. economic interests, then the U.S. government will respond. In this instance, Rogers and Ruppersberger suggest limiting access to the domestic market, but future options could include financial, travel, or other sanctions directed not just at companies but also universities or individual hackers.

The report also hints at, but does not discuss directly, the possibility that Chinese companies will come under (greater?) scrutiny from the intelligence community. The report notes that the investigation involved two connected elements: a review of Huawei and ZTE and an effort to “ascertain whether the IC is appropriately prioritizing and resourced for supply chain risk evaluation.” This is not publicly discussed—footnote three mentions a classified annex with “information about the resources and priorities of the IC”—but I assume it means counterintelligence against Chinese collection efforts.

The question of what is enough or appropriate evidence is going to be difficult for the United States moving ahead. Many will find U.S. government assurances that it has the goods unbelievable, and the report itself is thin on details, with the majority of evidence being nothing direct but rather the Chinese firms refusal to answer questions or giving contradictory and confusing responses.

Most of the threats the report identifies as being characteristic of Huawei—unsecured supply chains in China, vulnerability of middle managers to recruitment by intelligence agents, government access to networks for state security—could be said to afflict any telecommunications company in the world. These are real threats and the solution promoted by many, including Huawei, is a transparent process of inspections that could be scaled globally (a process Huawei agreed to in the United Kingdom). The report dismisses Huawei’s suggestions as insufficient and the process as too complicated. Both may be true, but Rogers and Ruppersberger could have made more of an effort to describe a process that would work. Here the report missed an opportunity to address its own credibility issues, broaden the problem, and build a coalition.

In a speech two weeks ago, Harold Koh stated that the United States government believes that cyberattacks can amount to armed attacks and are subject to international law. “International law principles do apply in cyberspace,” said Koh. “Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.” Self-defense, proportionality, neutrality, and distinction should all apply in cyberspace, though there remain questions and ambiguities about defining the use of force, distinguishing between military and civilian-use networks, and the continuing problem of attribution.

This is not the first time the United States has made such an announcement—in 2004, for example, the U.S. and UK declared in a submission to the UN Secretary General that international humanitarian law covered the use of information and communication technologies. But as the New York Times noted, the speech is part of a greater willingness of the administration to speak about offensive cyber capabilities.

In his speech, Koh also noted that this view is not “universal”:

At least one country has questioned whether existing bodies of international law apply to the cutting edge issues presented by the Internet. Some have also said that existing international law is not up to the task, and that we need entirely new treaties to impose a unique set of rules on cyberspace.

China appears to be both “at least one country” and among the “some” who think new treaties are necessary. Given Chinese concerns about the free flow of information, Beijing’s opposition to the U.S. position stems in part because the focus is too narrow. The International Code of Conduct for Information Security, submitted to the UN by China and Russia along with Tajikistan and Uzbekistan, is much more expansive, allowing countries room to interpret the spread of rumors, gossip, and other malicious information through the use of communication technologies as a security threat. In addition, through the Shanghai Cooperation Organization, Beijing has suggested that a new treaty is needed to “curb proliferation and use of information weapons . . .”

Some Chinese analysts see extreme difficulties in applying the Law of Armed Conflict (LOAC) to new a domain. For example, Shi Haiming, a researcher at the National University of Defense Technology, argues that LOAC is not applicable because: cyberattacks, despite being acts of “aggression”, do not threaten territorial integrity or sovereignty; there can be no neutrality in cyberspace since attacks would undoubtedly transit through neutral countries networks; it is impossible to distinguish between civilian and military assets; and the proportionality requirement is much more difficult in cyberspace because of the expanse and penetration of the Internet and the difficulty in containing unintended effects of attacks.

A failure to agree on these norms is destabilizing. One country may see its action as permissible, the other as an act of war. It is unclear how wedded Beijing is to its opposition to cyber and LOAC, and we could begin to see some modification of the Chinese position. Wang Tianlong of the China Center for International Economic Exchanges writing in the Shanghai Securities News last week argued “we should study the feasibility of applying the principles of the Law of Armed Conflict to cyberspace and push for the formulation of a code of conduct for cyberconflict.”

The United States has certainly upped its rhetorical pressure on China over the last year. The more open discussion of offensive cyber has been accompanied by the increasing number of U.S. government officials naming and shaming Chinese hackers (the most recent is Rear Admiral Samuel Cox stating that the pace of attack was actually increasing). Secretary Clinton and Secretary Panetta both raised cyber with their Chinese counterparts during recent meetings.

The most important driver may be that Beijing could soon find itself isolated. Russia has been much more receptive to discussing how LOAC applies to cyber, and has been less adamant about the International Code of Conduct in multilateral meetings recently. The United States needs to keep engaging Beijing on this issue, but, as with so many issues, it is likely to get better traction with China by scheduling more meetings in other countries’ capitals.

Website defacement played a large part of the standoff between China and the Philippines over the Scarborough Shoal/Huangyan Island. From April 20 until May 18 hackers on both sides traded blows, posting messages claiming sovereignty over the disputed islands and taunting the other side. Chinese hackers attacked the websites of the Department of Budget and Management and the University of Philippines, and posted the Chinese flag on the Philippines News Agency site; Filipino hackers responded with attacks on government sites and the message: “You may continue bullying our country’s waters but we will not tolerate you from intimidating our own cyber shores.” After three Chinese surveillance ships cut the exploration cables belonging to a Vietnamese ship on May 26, Chinese and Vietnamese hackers defaced and brought down thousands of websites.

China’s most recent territorial flare up with Japan over the Diaoyutai/Senkaku Islands has involved confrontations at sea, heated rhetoric, and amphibious landings by nationalist activists, but notably missing is widespread website defacement, with only the website of the National Nara Museum attacked. Chinese hackers have talked about possible targets, listing IP addresses and email addresses, but there has been no reported follow up. Given what happened with the Philippines and Vietnam, one would have expected a great deal more activity. So what’s happening?

Two possible explanations. Perhaps Japanese and Chinese hackers have reached a point where they view website defacement as ineffective against the other side and are relying on more sophisticated attacks to cause real damage. Though I am not too convinced of the strength of this argument, in September of 2010 members of the hacking group the Chinese Honkers Union argued against “pointless attacks” and instead suggested that hackers concentrate on real attacks that “fatally damage the enemy’s network or gain access to its sensitive information,” adding that “any attack will be executed silently.”

Second, widespread website defacement/political hacking may be more likely when there is a serious power differential between the two sides. With a big gap, the more powerful state is fairly confident that it dictates outcomes at any level of conflict and assumes that the weaker state will not escalate. Taking websites down is low risk. For the weaker side, cyber is an asymmetric weapon that has the added benefit of plausible deniability. It is also relatively confident that the other side does not escalate since it will look like it is overreacting.

With China and Japan, the two sides are near competitors in conventional military strength and the stakes are higher. Neither side can be confident that it controls the escalation ladder or that it can manage signaling. As with the case of the citizen who tore off the flag from the car of the ambassador, website defacement can pour fuel on the fire when the two sides would like to start reeling the conflict back in. Moreover, as Evan Osnos points out, outbreaks of nationalism are a qualitatively different phenomena now that China has over 500 million Internet users.

To strengthen the second argument, it would be nice to see some evidence of the Chinese or Japanese governments coordinating attacks, and eventually signaling to hackers that attacks should not happen or should stop. The role and position of patriotic hackers remains unclear, and the argument could quickly become ad hoc. Hacking between Japan and Korea may be an exception to the power differential rule, one grounded in the fact that there is very little chance of military conflict between two important U.S. security partners.

Cyber conflict is new so there are relatively few cases to study. This is changing, but if analysis is going to truly progress it will have to include this instance between China and Japan, an instance of non-conflict.

There is a long tradition of the Chinese Communist Party acknowledging and honoring “model workers,” selfless citizens who contribute to the building of modern China. While in the early years after the revolution these individuals were usually peasants or ordinary workers like Zhang Binggui who worked at a candy counter and could “count out prices and change in his head,” the category has expanded to encompass almost all professions including the astronaut Yang Liwei and NBA-great Yao Ming.

The most famous model of serving the people was Lei Feng, the young soldier who became the subject of a massive propaganda campaign in 1963, a year after his death. As China Daily put it, Lei Feng “is hailed as a cultural icon, symbolizing selflessness, modesty, and dedication. His name creeps into people’s hearts, daily conversation, music, even movies.”

These model worker campaigns serve a number of purposes: to mobilize and motivate citizens; identify qualities and characteristics that would be valued in the new China; and signal political priorities and concerns. Campaigns to “Learn from Comrade Lei Feng” have been rolled out numerous times over the last six years (see this timeline at Danwei) in efforts to divert from corruption scandals and other bad news as well as address the very real growing absence of civic mindedness and public-spiritedness.

The Chinese press has recently introduced two new model workers active in cybersecurity: Li Congna (李聪娜) of the PLA, and the “Legendary Female Cyber Cop,” Gao Yuan (高媛) of the Beijing Public Security Bureau’s Cybersecurity Defense Division. The stories of these two women repeat many of the same tropes from campaigns in the 1950s and 1960s, especially those focused on what historian Tina Mai Chen calls “female kind first“—the first woman tractor driver, welder, or train conductor.

The heroes of these stories must overcome both physical and mental hardships. Sun Xiaoju, the first female train conductor, faced temperatures of minus twenty degrees Celsius but refused to let the frostbite affect her. After working on one project for a month, Li Congna lost 7.5 kg, and a marathon coding session left her unconsciousness for three days (physical hardship is missing from Gao’s story; her greatest hardship seems to be someone stole her identity on the instant messaging service QQ). As with Tang Sumei, an ordinary “peasant girl” who knew nothing about the machinery when she first entered a Beijing electric substation in 1952 but was a manager by 1953, hard study and individual resolve save the day. Confronted by source code she couldn’t read or understand, Li stayed late in her office “memorizing related functions, studying protocol mechanisms, researching both foreign and domestic computer program models. In one month, she had written 300,000 lines of code, more than 100 types of functions, more than 60 protocol mechanisms, and more than 20 design algorithms.”

What do these model workers tell us about Chinese cyber policy? While news of U.S. military exercises and the supposed interest of the Pentagon in Li’s cyberwarfare capabilities is the lead into the story, two main points quickly replace it. First is the need for constant innovation. Li keeps confronting problems that require a new, self-developed technological solution. In her office, she has posted the slogan: “Yesterday’s technology cannot win tomorrow’s wars.” Facing a difficult problem, the advice of a teacher rings in Li’s ear: “the world of information networks is a game of new knowledge and new technologies.”

Second, there is an acknowledgement that traditional top-down, hierarchical organizational and training procedures are not up to the task of network warfare. Several times we are told that Li is not afraid to let others take the lead and in particular she lets “young daring people” assume responsibility as group leaders.

Gao Yuan is a model of how the Chinese government can successfully use Weibo and other social media to bolster public approval by providing useful services and eschewing overt propaganda. Her story is filled with how helpful she is to Chinese netizens—Gao has “tweeted over 1,500 times; spread knowledge about staying vigilant over 700 times; has answered netizens’ questions close to 2,000 times; and has provided technological support over 400 times.” The political content of Gao’s work appears to be low, and as a result she seems to be highly respected. She currently has 1.52 million followers on Weibo, and one follower has started a cartoon series about her. In contrast, a number of commenters were highly critical of the Li Congna story, with several mocking the idea of Li’s falling unconscious.

Gender matters to these stories, as information security is a heavily male profession (see for example, the recent discussions about sexism and sexual harassment at DEF CON, the annual hacker conference held in Las Vegas). The descriptions of both Li and Gao as beautiful strike one as unnecessary, if not slightly retrograde; but as Chen notes about the model tractor workers of the past, these stories send an important message about the ability of women to master new technologies. The Li story goes even further noting “female service members will inevitably assume more responsibility, and will make greater achievements.” As a result, the PLA will have to adjust: “The armed forces at all levels should provide them with a wide arena.”

It is easy to dismiss these stories as out-of-date and heavy-handed. But, assuming the press doesn’t turn to new model workers, Li’s and Gao’s future adventures are likely to provide further insights into some real issues in Chinese cyber policy.

Last week, the State Council issued a new policy opinion for promoting the development of Chinese information technology and information security. In the State Council’s view, “international competition over the acquisition, use, and control of information is increasingly fierce” and China faces urgent challenges. In particular, the policy opinion notes the disparity between China and developed countries in broadband infrastructure; a low degree of information sharing between the government and industry; the control of core technologies by foreigners; inadequate strategic planning for information security and weak basic network defense capabilities; and the rapid growth of mobile Internet and other new technologies.

The policy opinion has a slight “ripped from the headlines” feel, reflecting the threats that must be looming large for Chinese policymakers. There is a large section that deals with strengthening industrial control systems for nuclear facilities, aviation, oil and petrochemicals control networks, electrical systems, and transportation systems that immediately brings Stuxnet to mind. Another section focuses on securing government and other confidential information systems that could be the target of espionage exploits like Flame, or Anonymous and other political hacktivists. And the large-scale data breaches that were part of the attacks on Tianya, China Software Developer Network, and 360buy.com are covered in a section on protecting personal information and user data. There is, however, also a great deal of continuity with earlier plans for information security. The 2003 “Document 27: Opinions for Strengthening Information Security Assurance Work,” for example, also stressed the protection of critical infrastructure, and both the 2003 and 2012 opinions note the need for dynamic monitoring of the Internet as well as talent development and greater leadership and coordination.

By contrast, the United States‘ ability to move forward with its own cybersecurity policies and plans does not look particularly promising right now. On Thursday, President Obama wrote an op-ed in The Wall Street Journal urging the Senate to pass the Cybersecurity Act of 2012. A number of Senators opposed an earlier version of the bill that empowered the Department of Homeland Security to define security standards for critical infrastructure and required power grid, gas pipelines, and water supply companies to meet a certain level of security. A new compromise version makes industry participation voluntary; best practices will be created and companies offered incentives to adopt them.

Even with the compromise, the bill’s future in the Senate and in the House is uncertain (uncertain may be kind—Jessica R. Herrera-Flanigan and Paul Rosenzweig think legislation is basically dead, and Senator McCain said on Monday that the bill “has zero chance of passing in the House or ever being signed into law”). Still it would be premature, if not misguided, to tout the State Council opinion as one more piece of evidence of China’s ability to get things done. For one, the opinion is a grab bag of vague policy proposals, spanning tens of different policy arenas. Some will work out, some will be dropped. Moreover, these proposals are not always internally consistent. There is, for example, a strong government hand involved, but the opinion also “advocates for industry self-regulation.”

And politics are unavoidable in China too. As Jimmy Goodrich notes, after the introduction of the 2003 opinion different parts of the Chinese bureaucracy launched competing policy initiatives and waged fierce battles over their policy turf.  The 2012 opinion highlights the leadership of the national leading small group for informationization and national coordinating small group for cyber and information security, but strong leadership is needed at the top and it is a real question if any of China’s top leaders are focused on cybersecurity right now given the state of the economy and the fallout from the removal of Bo Xilai. There is no doubt the United States could be doing more at home, and another year passing without any legislation to address what the President calls “one of the most serious economic and national security challenges we face” does not look good.  But developing smart information security policies is hard, even for China.