Inside China's Smoke-Filled Room

Sorry, folks: The votes are in, and the ballots have already been counted.

HONG KONG — With its control of 1.3 billion people -- and an economy expected to surpass that of the United States in the next 20 years -- the Chinese Communist Party is the most powerful political machine in the world. Given that it holds a national congress only once every five years to confirm a new slate of leaders, Beijing has pulled out all the stops to prevent any mishaps.

A month before the weeklong 18th party congress starts Thursday, Nov. 8, Beijing-based dissidents such as Nobel Peace Prize nominee Hu Jia were forced to take "vacations" thousands of miles from the capital. Meanwhile, 1.4 million "volunteers" have been mobilized in Beijing to perform the function of vigilantes-cum-informants, reporting to the authorities potentially threatening characters -- for example, suspicious-looking Uighurs from western China who could be separatist-inclined terrorists. Authorities have forbidden supermarkets from selling cleavers, told Beijing residents not to fly carrier pigeons or play with remote-controlled toy airplanes, and instituted a state of emergency equivalent to martial law on the district that houses the West Beijing, the mammoth military-run hotel where many of the delegates stay.

With the unprecedented security and the fact that a generational change of leadership takes place only once a decade and that political and institutional reforms have been frozen for the last two decades, one would assume that the 2,270 congress deputies would be doing something extraordinarily spectacular. After all, these delegates represent China's 82 million party members, and they include not only mid- to senior-ranked cadres but also the cream of the intelligentsia and business world. This congress, however, seems destined to be one of the most anti-climactic party conclaves in recent memory. The delegates are supposed to read party documents and attend meetings within the confines of the well-guarded hotel; they are not supposed to meet family and friends or even talk on the phone for long periods of time so that they don't leak state secrets, according to conversations I've had with past delegates.

According to the latest edition of the Chinese Communist Party's constitution, updated in 2007, the congress is the party's highest leadership organ, charged with discussing and making decisions on important matters of the party and state. Moreover, it selects the party's two foremost executive bodies: the Central Committee, which decides on major policies when the congress is not in session, and the 127-member Central Commission for Discipline Inspection (CCDI), the country's top anti-corruption agency. The congress also ratifies changes in the party's constitution that the previous Central Committee may have recommended.

After the congress closes on Nov. 14, the 200 or so full members of the newly established Central Committee -- which also includes 150-odd alternate, or second-tier and nonvoting, members -- will select from among themselves 25 members of the ruling Politburo, as well as a more elite group for China's supreme ruling council, the Politburo Standing Committee.

That's what the law says, anyway.

In reality, current and former Central Committee members choose their successors and the members of the CCDI. So when the deputies meet this Thursday, much of their work will have already been done for them. They will likely be handed an all-but-final list of candidates for the 18th Central Committee, with a "margin of elimination" of 15 percent. In other words, all the delegates need do is throw out 15 percent of the least popular candidates.

President Hu Jintao has already twice been outfoxed by his old adversary, ex-president Jiang Zemin. Before Jiang retired as the party's general secretary at the 16th congress in 2002, he was able to install several allies on the new Politburo and the Standing Committee. This year, the situation is particularly unusual -- and even by Chinese standards, unruly. Contrary to the party's constitution, the outgoing Standing Committee members, in consultation with long-retired octogenarian stalwarts such as Jiang and ex-premiers Li Peng and Zhu Rongji, have already picked their replacements, according to two senior cadres working in departments directly under the Central Committee.

In early November, Hong Kong newspapers and overseas Chinese websites published their predictions on the lineup of the new Standing Committee. The list is the same as what my Beijing sources say (and the overseas Chinese websites correctly predicted the identities of the Standing Committee members in 2007): Vice President Xi Jinping, 59; Executive Vice Premier Li Keqiang, 57; vice premier and Chongqing party secretary Zhang Dejiang, 66; Shanghai party secretary Yu Zhengsheng, 67; Propaganda Department Director Liu Yunshan, 65; Vice Premier Wang Qishan, 64; and Tianjin party secretary Zhang Gaoli, 66.

According to Beijing-based sources, the titles and functions of the seven top leaders have already been confirmed. Xi, "first among equals" in the Standing Committee, will become general secretary (and in March, state president). Li will become premier. Zhang, who will be ranked third, will chair the National People's Congress, China's rubber-stamp legislature. Yu will be named chairman of the Chinese People's Political Consultative Conference, China's top advisory council. Liu will be named head of the Central Committee Secretariat and, later, possibly also state vice president. Zhang Gaoli will become executive vice premier (who helps run the economy) and CCDI secretary will go to Wang.

That long-retired Standing Committee members are making a phenomenal comeback this year has spawned a kind of geriatric politics with Chinese characteristics. Like former leaders Mao Zedong and Deng Xiaoping before them, octogenarians such as Jiang -- who officially retired eight years ago -- have refused to fade into the sunset. The 86-year-old Jiang suffered a series of heart ailments last year; premature announcements of his death appeared in several Hong Kong and Japanese media in mid-2011. In the past several months, however, Jiang has not only experienced an amazing recovery but also made several high-profile appearances in the mass media. He showed up at a concert at Beijing's National Center for the Performing Arts in late September. In October, he met with representatives of Shanghai Ocean University. And an October article in People's Daily, the official newspaper of the Communist Party, extolled Jiang's extraordinary memory to testify to his intellectual capabilities: Jiang can reportedly still recite the lyrics of an old pop song, "Moonlight and Shadows."

The sudden preponderance of octogenarians such as Jiang has meant that two relatively liberal cadres favored by Hu have likely failed to make the Standing Committee: Wang Yang, the charismatic party secretary of Guangdong, 57; and Li Yuanchao, the reform-minded director of the Communist Party's powerful Organization Department, 62.

A few of the incoming Standing Committee members, moreover, are ultraconservatives. Veteran propaganda chief Liu Yunshan tightened up media and Internet censorship in the past decade; Zhang Dejiang, a graduate of Kim Il Sung University in Pyongyang, was the only senior cadre to have opposed the reform Jiang introduced in 2001 to allow private businessmen to join the party.

The consolation for Hu is that like Jiang he may remain chairman of the Central Military Commission -- China's equivalent of commander in chief of the armed forces -- for at least two more years beyond his retirement from his other party posts at the congress. Hu's residual clout in the People's Liberation Army is reflected in a series of just-announced military appointments. The new chief of the general staff, Gen. Fang Fenghui, and the director of the General Political Department, Gen. Zhang Yang, are considered to be Hu's protégés.

If Hu keeps the top military spot, Xi might not assume real power until 2014 or 2015. This combination of factors, along with Xi's apparently risk-averse personality, means that Xi's leadership priority will likely be maintaining the Communist Party's monopoly on power, silencing dissent, and sustaining economic growth and employment instead of hacking out new paths for political and economic reforms.

It is possible that many of the 2,270 delegates might not be too happy about the continuation of rule of man at the expense of rule of law. Because all important deliberations of the congress will be behind closed doors, however, any show of dissent among the deputies will not see the light of day.

After all, the unprecedentedly tight web of security that China's formidable state-security apparatus has spun around the 18th party congress is as much to ensure that trouble -- what the party calls "disharmonious voices" -- does not break out within the West Beijing Hotel as without.


Network News

Sandy turned off the lights, the phones, and the heat. A cyber attack could make it all happen again.

Verizon's chief technology officer surveyed a flooded major switching facility in lower Manhattan and put it bluntly: "There is nothing working here. Quite frankly, this is wider than the impacts of 9/11." Damage from Sandy is estimated to reach $20 billion, and interrupted phone service is among the least of it. Flooding in New York's century-old subway system is without parallel. Bridges and roads, homes and businesses have been destroyed. Days after the storm, many businesses remain closed, their employees out of work. And tens of thousands are suffering -- cold and in the dark.

Storms and floods are not the only infrastructure threats that invoke comparisons to 9/11. Secretary of Defense Leon Panetta made headlines recently when he noted that the economic consequences of a successful cyber attack on our financial system, electric grid, or other infrastructure could dwarf the economic consequences of 9/11. Actually, this wasn't news. Former Director of National Intelligence Mike McConnell had said the same thing five years earlier. They're both right. And the consequences of that kind of attack might not be merely financial. A cyber attack causing an explosion at a chemical plant, for example, could cause grievous loss of life.

This is not fantasy. We know we can blow up an electric generator using nothing but a keyboard and a mouse. Water systems have been polluted using a laptop. Centrifuges in nuclear plants have been physically destroyed with software. In August, a computer virus called "Shamoon" wiped all the information off 30,000 computers at Saudi Arabian Oil Co. The virus came from Iran. Today, half a dozen U.S. banks are under attack, almost certainly also from Iran. We know our electric grid is being probed from abroad.

Who's paying attention?

The Senate can't pass even watered-down legislation that would simply require that critical infrastructure sectors develop their own security standards. In early August a bill sponsored by Senators Collins and Lieberman went down to defeat when the owners and operators of the electric grid objected vehemently to government-mandated standards. The objection was frivolous. The bill called for voluntary standards to be promulgated by industry, not government. Still, the owners demanded liability protection. From what? From the risk of observing their own standards! This is ironic, because if disaster struck, rate-payers (that's us), insurance (we pay the premiums through our rates), and the government (that's us again) would be stuck with the tab -- not shareholders. No wonder the grid's owners and operators have a higher taste for risk than the businesses that depend on them.

In fact, government policies actually encourage such risk-taking. Insurers play an important role in reducing risk because they have a direct interest in reducing claims, but this market dynamic works poorly when government shields shareholders from liability. Consider how government-subsidized flood insurance prevents markets from requiring people to assume the risk of their own choices. More significantly, the U.S. government currently indemnifies the owners of nuclear power plants on a no-fault basis for damage in excess of $12.6 billion. That limit is derisory compared to the potential damage from a nuclear meltdown. Raising or eliminating that limit would require higher insurance coverage, which in turn could lead insurers to play a tougher role in setting and enforcing their own security standards.

To be fair, the big, private-sector electricity generators and transmission companies are serious about security. But their security officials are no match for a state-sponsored attack. The Department of Homeland Security has Industrial Control System Response Teams, known as ICS-CERT. These fly-away teams respond to advanced cyber threats at the urgent request of system owners, and they reportedly spend most of their time dealing with power systems -- electricity and gas. So the threat is real, yet many players in this industry still don't understand it. In some cases, employees of grid operators can reportedly access remote field equipment through Bluetooth connections to the Internet. These practices are rash. An attacker doesn't care whether he gets into the grid through a big company's main generator or a carelessly connected municipal field station. Once he's in, he's in; and if the electricity goes out, everything stops.

That's why isolating the key control systems of our critical infrastructure from the Internet should be a national goal. But the trend is in the opposite direction. If you have an iPhone, try this experiment: Search "SCADA" in the app store. (SCADA stands for "supervisory control and data acquisition.") You'll find a handful of free or cheap mobile apps for accessing industrial control systems through their programmable logic controllers, or PLCs. As an ad for one of these apps puts it, "Plant engineers, PLC software developers, maintenance people, and in general anyone dealing with PLC based systems will be able to connect to them at any time, from anywhere." This is convenient, but it's a security nightmare.

The Internet is porous and insecure, and if you can penetrate a publicly accessible network to steal information, you can also corrupt or wipe the information on the network, or shut the network down, or destroy the equipment that runs on it. Sound melodramatic? It isn't. The Stuxnet cyber attacks on centrifuges in the Iranian nuclear program resulted in the physical destruction of centrifuges. If Saudi Aramco can wake up and find 30,000 of its computers wiped, the same thing can happen to your bank or your power company. The "Shamoon" virus apparently didn't reach the control systems on the Saudi company's extraction and refining operations -- but only because the attackers couldn't get to those systems. In North America, many of our electric grids' operating systems are exposed to the public Internet and therefore penetrable.

The plain truth is that the United States cannot defend the electronic systems that create much of our wealth and power. The government alone cannot fix this. Most of our networks are privately owned and operated. Even if government had the resources to strengthen and police these networks (it doesn't), we don't want the government living in the channels through which we conduct our business and private lives. Nor do we want the government mandating invariably rigid standards for industry. Unfortunately, however, much of our critical industry is not stepping up to the task.

Congress should learn a lesson and deal with cyber vulnerabilities one at a time and not in an omnibus bill that won't pass. Here's what it should do:

1. Require the owners and operators of a narrow class of critical infrastructure to promptly develop cyber security standards in a government-approved process. Standards should be flexible and regulatory layers should be rationalized. Failure to meet these standards after a reasonable interval should be made public.

2. Amend or repeal laws to enhance the role of private insurers in security standards. When shareholders rather than government bear risk, risk drops because businesses buy it down. That dynamic should be encouraged, not suppressed.

3. Protect companies from liability for sharing threat information with the government, with insurers, and among themselves. Companies often complain that the government doesn't share enough information with them -- especially classified information. But why don't companies improve security by sharing cyber threat information among themselves? The ostensible reason is fear of antitrust liability. The real reasons are potential damage to their brand and the belief that hoarding threat information creates competitive advantage. But the risk of brand damage can be avoided if sharing is restricted to threats, not damage; and it can't be true that all companies in an industry have a competitive advantage in security. Those that don't would improve their competitive position by sharing threat data. As a former antitrust prosecutor, I think the antitrust excuse is a red herring, but let's remove the excuse. It's easy to do, and cost free.

4. Encourage private investment in cyber security through favorable tax treatment. When Congress gets serious about an issue, its agenda shows up in the tax code.

We don't just store information on our "information" networks; we use them to run everything we do -- from the ventilation and security system in your office building, to the operation of the switches on Amtrak and big city subways, to the matching and clearing systems behind our securities exchanges, the governance of the electricity grid, controls over off-shore drilling rigs in the North Sea and the Gulf of Mexico, and local water treatment plants. Many of these systems are poorly protected. The vulnerability of our critical infrastructure is what permits a third-rate power like Iran to play jujitsu with a superpower. Let's not wait for a disaster to happen. A nation that permits this vulnerability to continue is a nation that has lost the will to defend itself.
