China’s National Security Law and draft Cybersecurity Law are vague and sweeping, giving the government latitude to take whatever security measures it wishes. Article 75 of the National Security Law, for example, authorises state security organs and military units to “employ necessary means and methods, and relevant departments and regions shall provide support and cooperation within the scope of their duties”. There is nary a limiting principle in sight.

The draft Cybersecurity Law has a similar tone, characterised by broad provisions that permit the government to protect itself more than Chinese citizens. Article 50 authorises the government to restrict internet access in certain regions, enabling it to interfere with the ability of protesters to communicate and organise. Article 31 forces operators of critical information infrastructure to store citizens’ personal data within the mainland. This makes it harder for foreigners  to access the data of Chinese citizens, but easier for the  government to get it.  

Taken together, the new legislation represents a state-centric view of digital security, requiring parties such as network operators to take certain measures and directly empowering the government to take steps vis-à-vis networks or threats.  

Despite superficial resemblance of certain Chinese measures to cybersecurity trends in the US, the animating principle  in the US is quite different. The American private sector owns most of the infrastructure. It is the target not only of most commercially motivated attacks but, given  that US military and government communications traverse private networks, also of those that are motivated by political and military reasons. It is businesses who must actually implement most measures required to improve American security.

Cybersecurity laws in the US, therefore, primarily focus on incentivising companies to improve their security and punishing individuals or groups who gain unauthorised access to computer networks. Recently, the Department of Justice obtained a lengthy prison sentence for members of an organised crime group who were trafficking in stolen credit card data, and successfully prosecuted another hacker for breaking into computer networks to steal documents from an insurance company.

The US has even indicted Chinese military figures on charges of stealing commercial data, even though they are unlikely to ever see the inside of a US courtroom. In certain areas, such as health and financial records, Congress has imposed statutory obligations on companies to protect customers’ data. Generally, however, the authority of the federal government to act directly on computer networks that it does not own is extremely limited.

These differences between the US and China in network security priorities highlight two further distinctions. The first emphasises the difference between cybersecurity and surveillance. In America, the law of cybersecurity focuses on preventing unauthorised access to computer systems and communications, while the law of surveillance focuses on authorising such access, generally for law enforcement or intelligence purposes. The former primarily revolves around private citizens and companies, improving their security,  while the latter – a topic of heated public debate – authorises the government to access data in certain circumstances.  These are two different bodies of law, albeit with some overlap. Chinese regulation of security conflates these two ideas, both at a conceptual level and in practice, as evidenced in the new legislation.

The second conceptual and practical difference distinguishes between espionage for commercial purposes and espionage for political or military objectives. The US has long insisted that it does not engage in espionage for commercial purposes – that is, stealing data from foreign companies to benefit their American competitors. China omits this important distinction, reportedly deploying military and other personnel to steal commercially valuable secrets from US companies. This is a natural approach for a communist country that, despite phenomenal economic progress, still lags in research and development, and remains committed to centralised state domination of the economy.

Is there any prospect for progress in US-China cyber-dialogue? The provisions of China’s draft Cybersecurity Law that focus on individual privacy provide a kernel of hope that the US and China might be able to cooperate to safeguard the data of  citizens and companies. But their inconsistent approaches, mutual mistrust and  fear of each other pose significant hurdles.

Confidence-building steps are required. China, for example, can demonstrate its seriousness by ceasing government-sponsored theft of privately held data within and outside China and prosecuting, as the US does, those who gain unauthorised access to computer systems. By some estimates, 90,000 people in China operate in this criminal underground. Such actions would benefit not only Sino-American relations, but also Chinese citizens – those whom the draft law claims to protect.

And the two sides should certainly accelerate the pace of official cybersecurity exchanges and foster regular, unofficial “track two” dialogues, like those that already exist between them regarding human rights and maritime issues. Many Chinese and American NGOs and universities will be eager to launch such discussions, unless another forthcoming Chinese law – one that restricts contacts with foreign NGOs and academic institutions – proves an obstacle.

Zachary K. Goldman is the executive director of the Centre on Law and Security and an adjunct professor of law at NYU School of Law. Jerome A. Cohen is professor and co-director of the US-Asia Law Institute at NYU School of Law and adjunct senior fellow for Asia at the Council on Foreign Relations