Data Insecurity Behind The Great Wall

On June 1 the Chinese government kicked off its second annual Cybersecurity Week in Beijing. The Cyberspace Administration of China, Ministry of Education, and Ministry of Public Security jointly organized multiple exhibitions aimed at educating the public about Internet security risks.

Regular reports about Chinese-sponsored hacks of Western governments and corporations have well informed the public of the threat China poses to others. However, little focus has been placed on the state of cybersecurity within China itself. This event highlights China’s insecurity about its vulnerability to cyber attacks, at a time when it is relying upon greater integration of information technology to propel future economic growth.

Chinese leaders understand that their country has become a breeding ground for thousands of hackers who are increasingly as willing to target their fellow countrymen as they are foreigners.

One reason for this is that in China the targets are easy. The results of a survey released by the Ministry of Industry and Information Technology paint a sobering picture of the state of security awareness in the general public. An overwhelming majority of those surveyed confessed poor password security practices:

  • 81 percent said they rarely changed their passwords
  • 76 percent admitted they use the same password across multiple accounts
  • 60 percent of respondents use easily deciphered passwords such as birthdates, phone numbers, or simply strings of letters or numbers (e.g. “123456” or “abcabc”).

The result: More than 55 percent of those polled had been victims of online fraud. Compounding the problem is that only about 12 percent of these victims reported the crime. About 17 percent chose to ignore the theft because the amount stolen was small, and 26 percent claimed not to have known how to deal with the theft.

The Chinese public’s vulnerability to data breaches, however, is not merely the result of poor personal computing practices. Larger societal factors are also at work.

The government and business community (both state-owned and private) are contributing massively to the proliferation of new hackers. The People’s Liberation Army (PLA), China’s armed forces, officially acknowledged in 2013 the existence of several offensive cyber warfare divisions, including the infamous Unit 61398, which was exposed that same year. Despite previously denying the existence of these forces, the PLA has been actively searching for talent to fill its ranks for years, even sponsoring hacking competitions for university students.

However, the most talented and dangerous hackers are more likely to be employed as freelancers in the far more lucrative private sector. These “hackers for hire” can earn six-figure salaries helping companies get ahead of their competition by stealing trade secrets or even damaging networks. Chinese companies have little to fear from employing hackers. The notoriously inefficient and corrupt state of the Chinese legal system discourages lawsuits between firms. Going to the police is another likely dead end, as local law enforcement agencies engage the services of the same freelance hackers to track dissidents and silence political opposition.

For firms currently operating in China, a data breach, as anywhere, is inevitable. In the near term, businesses should focus on hardening their defenses. Having a comprehensive security plan in place, with the associated Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS), is an obvious first step. As the Chinese cybersecurity consultancy market is still nascent and tainted by allegations of fraudulent practices, having a Western cybersecurity firm on retainer can help. Providing thorough and regular security awareness training to employees is also critical.

In the long run, the evolving nature of China’s economy will likely reduce the threat of cyber attack – at least from domestic hackers. As the government pursues its “Internet Plus” strategy for economic growth, more and more businesses will be incentivized to incorporate technologies such as cloud computing, e-commerce, and “smart” devices into their operations. This reliance on a “safe” Internet will inevitably lead to legal and security reforms that, on top of current anti-corruption efforts, should provide ample recourse for future victims of cyber attacks and a disincentive for would-be hackers.