
I have started thinking this is a major systemic weakness the US has vs China. Companies in America operate as individual entities, more or less, vs the top-down model in China. Every company I have worked with in China had a group of government agents; it just seems to be standard operating procedure there. Maybe they weren't around for day-to-day operations, but they were definitely around whenever Americans were there. It's apparent they have vast cyber and intel efforts intertwined with the major corporations. Contrast this to our model: I don't even know how to alert the US government if I see something suspicious related to cyber security.


It's both a strength and a weakness. For innovation, the U.S. was among the strongest in the world during the Strategic Computing Initiative, where DARPA funded all kinds of industry work. That led to many of today's innovations. Then the weakness comes in with them caring only about profit (security is a cost center), short-term gains tied to executives' bonuses, and so on. That's when state involvement can help. We did have that under the TCSEC, with DOD making security standards, incentivizing the private sector to build them, and evaluating their security. Multiple agencies also offer security advice and testing. The middle ground looks to be regulations ensuring the basics are in place, on top of continual improvement.

If China wants a model, the TCSEC is a decent start at one. It was made for military requirements, though, like MLS. The next approach should focus on commercial needs. Also, both TCSEC and Common Criteria were paper-heavy, with long evaluations after product development was done. The next should focus on actual code, with reviewers getting into the process early on, reviewing deliverable by deliverable, so they have better insight into what's going on, with faster time to market. Lots of room for improvement over the current model.

TCSEC

https://en.wikipedia.org/wiki/Trusted_Computer_System_Evalua...

Example of what industry was doing under TCSEC

https://csrc.nist.gov/csrc/media/publications/conference-pap...

Modern example from that lineage:

https://os.inf.tu-dresden.de/papers_ps/nizza.pdf
