China—the country that has stolen billions of dollars in intellectual property and pilfered millions of records from U.S. government agencies, insurance companies, and credit-reporting giants’ records—is just getting started on its plans to become a “cyber powerhouse” (网络强国). Since 2017, it has been building a National Cybersecurity Center (国家网安基地, NCC) as big as its ambitions: a 15-square-mile campus in Wuhan that will serve as school, research lab, incubator, and talent cultivator.
A new report by Georgetown University’s Center for Security and Emerging Technology (CSET), together with an interactive map of satellite photos, examines the NCC — formally, the National Cybersecurity Talent and Innovation Base (国家网络安全人才与创新基地). The site includes seven centers for research, talent cultivation, and entrepreneurship; two government-focused laboratories; and a National Cybersecurity School.
For all of China’s past successes, which have established it as a near-peer cyber competitor to the United States, its path to becoming a “cyber powerhouse” is not free of obstacles.
First, China’s military faces a shortage of cyber operators. The country’s deficit of 1.4 million cybersecurity professionals weighs on the military’s ability to recruit qualified candidates. Two of the NCC’s 10 components will help address the shortage by cultivating talent. The center’s “leading mission” is the National Cybersecurity School, whose first class of 1,300 students will graduate in 2022. Ultimately, Party policymakers hope to see 2,500 graduates each year, though by when remains unclear. The center also hosts the Talent Cultivation and Testing Center, which is being built to offer courses and certifications for some 6,000 early- and mid-career cybersecurity professionals per month, or more than 70,000 per year. Combined, both components of the NCC could train more than a half-million professionals in a decade. Even half that number would still help overcome the talent gap.
Second, China’s current system for innovation in the cyber domain will not meet its strategic goals. Chinese military strategists view cyber operations as a possible “Assassin’s Mace” (杀手链): a tool for asymmetric advantage over a superior force in military confrontation. Advanced militaries rely on interconnected networks to operate as a unified system, or “system of systems.” Chinese strategists argue that disrupting communications within these systems is key to deterring military engagement. No single tool will establish an asymmetric advantage. Instead, China must reliably produce attack types for each system targeted. There are no silver bullets, but a workforce capable of significant innovation is critical to implementing the strategy.
Three of the NCC’s 10 components directly support innovation. Students and startups can solicit business guidance and investment funds at the NCC’s Incubator. Besides supporting private-sector innovation, two other components of the NCC support government-focused research. The NCC hosts two non-private laboratories, the Combined Cybersecurity Research Institute and the Offense-Defense Lab. Both institutions likely conduct cybersecurity research for government use. Other components indirectly support innovation. The NCC’s Exhibition Center, for example, hosts events that attract inventive talent from across the country. China’s Military-Civil Fusion strategy ensures that the People’s Liberation Army can acquire new tools that come from the NCC, regardless of who develops the tools, which may help China develop asymmetric advantage.
Third, China aims to reduce its reliance on foreign cyber technology. The Snowden revelations reinforced PLA concerns that foreign technology facilitates espionage. Leaked documents revealed occasional close cooperation between the U.S. government and technology companies. The CCP wants indigenous replacements for foreign software to protect its military and critical infrastructure from foreign interference. To this end, a local government report shows that policymakers intend to harvest indigenous innovation from the NCC. Citing important Party organs, the report states that “leaders have repeatedly made it clear that the National Cybersecurity Base must closely monitor independent innovation (自主创新) of core cybersecurity technologies, promote Chinese-made independently controllable (自主可控) replacement plans, and build a secure and controllable information technology system….” Local officials serve as a pipeline between the NCC’s ecosystem and the needs of the Party by targeting nascent technologies. If the NCC is successful at spurring innovation, the pipeline may ease adoption of indigenous products and facilitate the replacement of foreign technology.
Over the long run, the NCC’s talent cultivation efforts will likely impact the dynamics of nation-state cyber competition. The tools these operators use may well be designed by NCC graduates, too. China’s competitors should be prepared to respond to — but not to mimic—these developments. The National Security Commission on Artificial Intelligence’s recommendation to build a Digital Services Academy may seem like an appropriate response, but building it would bypass the solid foundation for cybersecurity education that the United States already enjoys. Instead, U.S. policymakers could turn toward machine-learning automation to identify intrusions and defend networks and increase spending on network defenses. But it must determine a course of action quickly. The National Cybersecurity School’s first class of graduates will cross the stage next June.
Dakota Cary is a Research Analyst at Georgetown’s Center for Security and Emerging Technology (CSET), where he works on the CyberAI Project.