/

After Snowden revelations, China worries about cyberdefense

by William Wan

The Washington Post

When it comes to cyberattacks, China is often seen in the West as a fierce aggressor — the ultimate hacking threat to American government and businesses. In China, however, Internet users are increasingly preoccupied with their own vulnerability.

Cybersecurity, in many ways, is a more widespread problem in China than in the United States, say industry experts.

Holes in China’s systems are more numerous, and its public less protected. Worry about those vulnerabilities has surged in the wake of disclosures by U.S. National Security Agency contractor Edward Snowden about American operations to hack into Chinese Internet traffic hubs and cellphone companies.

The latest revelations, in documents provided to The Washington Post, showed that China was among the top targets of cyberoperations carried out by U.S. intelligence services in 2011.

But the threat to Chinese computers comes not simply from foreign agents, according to technology experts. Increasingly, officials and business leaders are also fretting about the widespread damage caused by China’s own hackers.

Now, officials in the Chinese government and the cybersecurity sector are pushing for a national strategy to protect information in the country’s computer systems. Demand for Chinese-made tech security products is on the rise, industry analysts say. And many Chinese are calling for a ban on U.S. hardware in sensitive government and industrial sectors.

“For those in the industry, we really need to thank Snowden,” joked Tony Yuan, founder of Netentsec, a Beijing company selling firewall hardware as well as Internet filtering tools.

Government and company officials who once saw information technology security as an unnecessary cost, Yuan said, have suddenly become interested in upgrades. “Now, you just mention Snowden as an example, and they easily understand the need for something like next-generation firewalls,” he said.

Many industry analysts believe China reserves its best defensive cybersecurity technology for elite echelons of the military and the ruling Communist Party. But for most people in the world’s second-largest economy, computer security is poor, and the damage caused by everyday hacking is immense.

The threat is the result of China’s huge pool of hacking talent, a culture of corruption and a lack of enforcement.

“In the U.S., if you’re local and you hack someone else, you’re going to jail because law enforcement has built up the tools and awareness for that,” said Richard Bejtlich, chief security officer at Alexandria-based firm Mandiant, which specializes in cyberforensics. “In China, you get the sense there’s a lot of activity but not much institutional ability to deal with it.”

One government commissioned survey estimated 60 percent of China’s Internet users have lost personal data online. Another academic study last year put the economic cost of hacking in China at $852 million.

In the past two years, Chinese criminals have stolen several databases with millions of logins and passwords in a series of raids on China’s largest Web portals and retailers. Chinese companies have been known to use hackers to spy on their competition and immobilize their websites and sabotage payment systems, security experts say.

Scams have even allegedly been perpetrated by China’s cybersecurity industry itself.

One of China’s larger antivirus firms, Rising, was accused in recent years of creating and spreading computer viruses, then bribing a Beijing security official to issue alerts for online users to download Rising’s antivirus software to combat them. The official in question received a suspended death sentence for bribery, but the company continues to deny wrongdoing.

“There’s significant control in some areas, but in others it’s just the wild, wild West,” said Tom Creedon, a longtime cybersecurity expert specializing in East Asia.

One reason computers in China are so vulnerable is the widespread use of pirated software, including in government ministries and state-owned companies.

While authentically licensed software such as Windows and Microsoft Office receive frequent security updates to patch exploitable holes, unregistered pirated versions don’t. Some hackers have even been known to seed the Internet with free copies of software to which they have added unique vulnerabilities, so they can later sell such back-door access to other people, experts in China say.

The fragmented nature of China’s Internet and businesses also contributes to the weakness in network security. Even bank and cellphone accounts from the same companies often run on different systems from province to province. That presents Chinese hackers with a wider assortment of vulnerabilities and systems to exploit.

When it comes to the highest levels of Chinese government, however, the depth of vulnerability is less clear, say American and Chinese industry analysts. As in most developed nations, key military systems in China are believed to be “air gapped,” or cut off from the global Internet.

The Chinese government reacted at first with loud indignation to the Snowden revelations. But that has given way to internal discussions on how to beef up domestic security.

In recent weeks, key Chinese ministries held a meeting with leading tech companies to probe the impact from U.S. surveillance and begin formulating a response, according to reports in a handful of Chinese tech-focused media and cybersecurity experts with knowledge of the session.

China’s government is highly reliant on the country’s private cybersecurity firms to help protect its secrets. Such firms typically draw their biggest share of revenue from government work, according to market researchers.

Because such firms are circumspect about their work, estimates of the growth in China’s cybersecurity industry vary. One government report estimated a 30 percent growth rate from 2006 to 2010.

But what’s clear is that the market has huge space to expand. According to calculations by one market research firm in Beijing, IDC, only 1 percent of total information technology spending in China currently goes toward cybersecurity. In the United States, the ratio is roughly estimated at 11 percent.

Chinese spending will likely rise even quicker because of the news on U.S. intelligence operations, said Dai Xiangjun, an analyst for CCID, a research firm affiliated with the Chinese government. “The Snowden scandal has caused real panic.”

Snowden’s allegations have raised suspicion of foreign companies to a fever pitch. One state-run magazine ran a cover story on how China allegedly has been “seamlessly penetrated” by eight American companies — Cisco, IBM, Google, Qualcomm, Intel, Apple, Oracle and Microsoft.

But the reality, say many industry insiders, is that China’s technology isn’t anywhere close to being able to replace U.S. suppliers.

“There’s not one Chinese company within years of reaching what some U.S. tech companies are doing at the highest levels,” said one Chinese expert in the security industry, who spoke on condition of anonymity due the sensitive nature of his work.

Chinese banks, for example, need equipment that is reliable, which often means foreign hardware. Cisco routers still form the backbone of much of China’s telecom networks.

The Snowden backlash, however, has been worrisome enough to prompt Cisco to declare on its Chinese website that it had nothing to do with the U.S. surveillance programs revealed recently.

Meanwhile, some of China’s booming cybersecurity firms are trying to export abroad, including to the United States, where they have faced suspicion because of their close ties to the Chinese government.

Jeffrey Carr — founder of Virginia-based Taia Global, which specializes in thwarting cyber-espionage and theft — recalled his surprise at seeing Chinese vendors this year setting up their booth at a San Francisco convention right up the aisle from Mandiant, a company that has made headlines for its investigations of Chinese state-sponsored hacking.

“It was shocking, but also kind of funny to see,” Carr said. He added, however, that he wouldn’t write off the companies’ efforts.

“There’s quite a bit of money being spent in China right now,” he said. “The growth opportunities there are simply tremendous.”