Marxism Research Network
Unofficial English Translation

Sun Zao and Wang Le: Safeguarding National Economic Security with Information Security

Security is the prerequisite for development, and development is the guarantee of security.

The Outline of the 15th Five-Year Plan proposes to "guarantee national economic security." Economic security is the key to sustained and healthy economic development, as well as an important guarantee for the construction of Chinese-path modernization. With the development of digital technology and the expansion of the scale of digital industries, the digital economy has become an important driver of high-quality development. At the same time, digital security risks have become increasingly prominent. General Secretary Xi Jinping has emphasized that "we must resolutely safeguard our country's developmental interests, actively guard against various risks, and ensure national economic security," and that we must "safeguard national data security and protect personal information and commercial secrets." In an era where the global digital economy is developing rapidly and digital factors have become core productive materials, guaranteeing information security has become an inevitable requirement for defending economic security. We should base our efforts on the Holistic Approach to National Security [1] and implement a systematic layout that covers everything from legal and policy guarantees, talent cultivation and technological R&D in information security, to the strengthening of information security awareness and international cooperation. By ensuring national economic security through information security, we can solidify the foundation for the great undertakings of comprehensively advancing the construction of a strong nation and the rejuvenation of the Chinese nation through Chinese-path modernization.

1. Improving the Legal and Policy Guarantee System for Information Security

We should further refine the system of information security laws, regulations, and supporting policies. Building upon the existing legal frameworks such as the Data Security Law and the Cybersecurity Law, we must detail supporting regulations and implementation rules to clarify the responsibilities and obligations of all parties involved in guaranteeing information security.

This involves strengthening rigid constraints in key fields and optimizing governance models for critical industries. For data in key areas—such as critical information infrastructure, personal privacy, and national secrets—we must strictly implement the requirements that "original data does not leave its domain, backup data is traceable, and highly sensitive data is localized." Regarding key emerging industries such as artificial intelligence, we should, on one hand, focus on security risks by formulating specialized rules and policies, creating detailed regulations for the verification standards of training data sources, requirements for preventing and controlling algorithmic discrimination, and obligations for labeling generated content. On the other hand, we should accelerate the inclusion of requirements for the proportion of self-developed data processing algorithms into the legal framework. Through supporting policies such as establishing special support funds, we can guide enterprises to tackle core algorithmic technologies and improve their security autonomy in data processing.

We must correctly handle the relationship between data security and economic benefits, always regarding security as the top priority while regulating data circulation and trading. At the domestic level, clear data trading rules and processes should be formulated to ensure the legality, standardization, and transparency of data transactions, using technical means such as data encryption, access control, and security audits to guarantee transaction security. At the cross-border level, the supervision mechanism for cross-border data circulation should be optimized: establishing a dynamic "white list + security assessment" management mechanism for cross-border data flow, clarifying the scope of countries and regions allowed to receive data legally to ensure cross-border flows are controllable and traceable; and constructing a full-chain supervision system of "pre-assessment, mid-event monitoring, and post-event tracing," requiring data operators to complete the collection and storage of information and data within the territory, and to conduct security assessments and submit corresponding security reports before data leaves the country.

A multi-agent collaborative guarantee system should be constructed, and the cross-departmental coordinated supervision mechanism improved. We should establish a joint meeting mechanism where relevant departments share key information such as data security filings, circulation and transactions, entry-exit management, risk assessments, and post-event handling. We must build a national information security assessment platform and a unified indicator system, improve information sharing mechanisms, and promote the formation of an information security protection ecosystem in which the government, enterprises, associations, and research institutes all participate.

Furthermore, we must strengthen law enforcement and supervision and improve emergency response mechanisms. A review system for key data should be strictly implemented, applying technologies such as "encrypted transmission + implicit watermarking" to critical data to ensure transmission security. Based on data volume and type, cybersecurity testing and risk assessments should be conducted for data operators and related enterprises, with regular specialized inspections to nip problems in the bud [2]. Standardized emergency plans for graded and classified information security incidents should be formulated under an emergency response framework of "discovery–control–assessment–handling–remediation–summary," clarifying standardized disposal processes for scenarios such as data leaks, cyberattacks, and system paralysis to ensure the timeliness and effectiveness of emergency response.

2. Strengthening Talent Cultivation and Technological R&D for Information Security

Information security work requires the support of high-quality talent and takes innovation-driven development as its core. Only by integrally promoting the development of education, technology, and talent [3], doing a good job in talent cultivation, persisting in leading industrial upgrading through technological R&D, and accelerating the transformation of scientific and technological achievements, can we empower national information security work through talent and technology and lay a solid foundation for the effective protection of information security.

We must strengthen high-level talent cultivation and enhance practical training in information security. Universities should be guided to establish customized majors in the field of information security and optimize their cultivation systems, focusing on the cross-disciplinary integration of information security with artificial intelligence, biomedicine, economics, and law to cultivate high-quality talent with interdisciplinary backgrounds. We should deepen the collaborative cultivation of talent among industry, academia, and research institutes (the "Triple Helix"), supporting stable partnerships between universities, information security tech enterprises, and research institutions to cultivate composite talent [4] with both innovative and practical capabilities. In digital economy demonstration zones, universities, research institutions, and enterprises should be supported in co-constructing information security training bases to cultivate professional and technical talent with practical experience in computers, AI, and information security. Ideological and political education [5] should be precisely integrated throughout the entire process of classroom teaching and practical training to build a high-quality information security workforce that is loyal to the Party, loves the country, and is firm in its convictions.

Government investment in information security must be increased to accelerate the R&D and application of security technologies. First, investment in fundamental research and core technology R&D in the information security field should be expanded. This includes establishing national-level special funds for information security technology and issuing policies such as technological innovation rewards, financial support, and government procurement to prioritize the R&D of key core technologies like data encryption, security auditing, and intrusion detection, thereby encouraging enterprises to develop protective technologies. Second, universities and research institutions should be supported in co-building innovation platforms with enterprises to promote the deep integration of technological and industrial innovation in information security, opening up all links in the chain from "basic research to technical breakthroughs to industrial application." Finally, we should promote the application of advanced technologies such as "security sandboxes," "data masking," and "zero-trust architecture" in the field of information security, while encouraging enterprises to use localized information security technologies to achieve structured management of "information security filtering + intellectual property protection + personal information masking."

3. Raising Information Security Awareness

Firmly establishing national security awareness and creating a thick atmosphere [6] where the whole of society values information security are the value goals and practical orientations for effectively carrying out information security work. We should strengthen the information security awareness of enterprises, vigorously improve the information security literacy of the masses, resolutely hold the bottom line of information security, and form a powerful synergy across society to safeguard national information security.

Professional information security governance organizations should be formed by industry, with industrial security assessment and sharing mechanisms established. On one hand, key industries such as finance, energy, and AI should be supported in establishing professional information security protection organizations. These would bring together enterprise leaders, scientific experts, and information security practitioners to jointly formulate industry self-discipline conventions, clarifying codes of conduct for all links including data collection, storage, and transactions. Technical specifications for information security protection should be improved, refining operational requirements for key technologies and embedding the principles of "minimum necessity" and "informed consent" into the entire data processing flow to create a compliant and orderly industrial ecosystem. On the other hand, industry associations should take the lead in conducting annual security compliance ratings, releasing industry security white papers and typical risk cases, and building cross-enterprise security information sharing platforms to provide risk warning services for small and medium-sized enterprises.

The primary responsibility of enterprises must be strengthened to build a solid line of defense for information security. Enterprises should be encouraged to embed information security concepts into their development strategies and conduct regular specialized training to strengthen the awareness of all employees. We should promote the establishment of sound data life-cycle management systems in enterprises to achieve closed-loop supervision of the entire chain of data collection, storage, use, and destruction. The grading and evaluation system for enterprises' digital information management capabilities should be improved, with incentives such as government procurement priority and project application preference given to high-rated enterprises, guiding them to enhance their capacity for autonomous information security protection.

We must also carry out "science popularization" (képǔ) for the whole people to enhance the information security literacy of the entire society. On one hand, relevant departments should coordinate the use of television, social media, and community outreach to strengthen the interpretation of information security policies, risk warnings, and knowledge popularization. On the other hand, industry associations and information security enterprises should be supported in providing free public-interest consultations and volunteer help for the public regarding personal information protection and cybersecurity troubleshooting. Additionally, attention should be paid to the risk of information leakage during citizens' cross-border exchanges; specialized publicity and education should be conducted, and cross-border information security guidelines should be released and popularized to guarantee the security of information in such exchanges.

4. Participating in International Information Security Cooperation

The rapid evolution of emerging technologies such as artificial intelligence and cloud computing has made information attack methods increasingly diverse and intelligent. Faced with these common challenges, no country can remain aloof or solve them alone. Only by actively participating in international information security cooperation and reaching an international consensus can we provide a secure information network environment and a safe, orderly ecosystem for human development and progress.

We must deeply participate in the formulation of international rules for information security and align with high-standard digital economic and trade rules. In terms of rule-making, relying on the United Nations, G20, and APEC, we should participate deeply in international standard consultations in fields such as critical information infrastructure, cybersecurity, personal information protection, and data security, contributing Chinese solutions [7] to information security governance. We should establish efficient information security response cooperation mechanisms with other governments, focusing on promoting consensus on "mutual recognition of security assessments" and "alignment of compliance systems" for cross-border data flows to improve the ability to respond to and handle cross-border information and data security incidents. In terms of technical standard application, relying on the International Organization for Standardization, we should take the lead in formulating usage specifications for technologies such as data encryption, anonymization processing, and generative AI security labeling, pushing technical solutions in China's advantageous fields—such as quantum secure communication and industrial internet security—to become international standards.

A multi-level multilateral information security cooperation framework should be constructed to strengthen transnational collaborative governance capabilities. We should actively build transnational cooperation frameworks, strengthening mutual trust through high-level dialogues and specialized meetings to establish an international security cooperation system for cross-border data flows. We must deepen transnational joint R&D of key information security technologies, focusing on core areas like data encryption and anonymization to build a global consensus on maintaining information security. Furthermore, we should actively promote academic exchanges and cooperation between Chinese information security research teams and the world's top institutions to jointly cultivate high-quality talent. Mechanisms for cooperative handling of information security crimes should be established to collaboratively combat cross-border illegal acts such as data theft, personal privacy leaks, and attacks on corporate property rights.

Finally, we should improve the system for protecting the overseas rights and interests of enterprises to build a security barrier for "going global" [8]. An information security maintenance service platform should be established to provide overseas Chinese enterprises with information security assessments, risk warnings, and legal adaptation services, guiding them in responding to overseas data reviews and security litigation. Overseas information security threats should be handled categorically: for general threats, relevant parties should be urged to make timely rectifications through bilateral consultations and public statements; for serious infringements such as malicious suppression, data theft, and cyberattacks, reciprocal countermeasures should be taken in accordance with the law, provided they adhere to international rules.