Dark Times Ahead for Chinese White Hats

Lincoln Davidson is a research associate for Asia Studies at the Council on Foreign Relations.

Over the last few years, Chinese President Xi Jinping has made improving cybersecurity a major policy goal. And yet the Chinese leadership is moving towards criminalizing the people that have the power to make that happen—white hat hackers.

On March 8, 2016, police in Chaoyang District, Beijing detained a 34 year-old security researcher named Yuan Wei on suspicion of hacking into a dating website and stealing user information. In doing so, they pushed white hat hacking into the center of a national debate about the future of cybersecurity in China, right as the country is considering comprehensive legislation on the issue.

Last year, Yuan, a cybersecurity manager for a Hangzhou household appliance company, came across security vulnerabilities in Jiayuan, a Chinese dating website, and published them to Wooyun. With around five thousand members, Wooyun is China’s largest platform for disclosing computer vulnerabilities, and one of the centers of a growing community of Chinese white-hat hackers. Security researchers publish proof-of-concepts for exploits they’ve discovered, making Wooyun like an online version of security conferences like Black Hat or DEF CON. For example, Wooyun published a vulnerability discovered in October 2015 that would have allowed hackers to access the data of 500 million users of NetEase, one of China’s largest email providers (although there’s no evidence that malicious hackers actually exploited the vulnerability).

After Yuan published the vulnerabilities he had discovered, Jiayuan reportedly fixed the bug and publicly thanked him for spotting it. But a month later, upon discovering that data had been exfiltrated from their system, the company called the authorities. A subsequent police investigation determined that Yuan had stolen user data from Jiayuan, leading to his detention in March. While Jiayuan claims they did not suspect Yuan of being behind the data theft, an open letter distributed by Yuan’s father at a Beijing security conference in early July questions that claim and accuses the company of setting his son up.

The letter sparked outrage in the Chinese security community. In every country, white hat hackers occupy a gray area. While they work for the common good—improved cybersecurity—they often do so in violation of laws that forbid “unauthorized access” to computer systems, and to someone on the inside of one of those systems, the well-intentioned probing of a white hat is often indistinguishable from the attacks of a malicious actor. Chinese white hats were horrified to see one of their own arrested on the report of a company whose users he’d help protect from hacking.

Little did they know their problems were just beginning.

Late last month, Chinese authorities detained around ten leading members of the Wooyun community, including site founder Fang Xiaodun, former head of security at Chinese search giant Baidu. On July 19, Wooyun’s site went offline, only to be replaced the following day by a notice that the site is being “upgraded” and would return “as soon as possible.” When contacted by journalists, the site declined to comment, citing an ongoing official investigation but saying it did not have to do with Yuan Wei’s arrest. Around the same time, Vulbox, China’s second largest bug reporting platform, stopped accepting vulnerability reports.

Against this backdrop, the Chinese government is pressing ahead with cybersecurity legislation that has been in the works since last year, and prominent academics who work on cybersecurity policy are calling for greater restrictions on white hats.

In June, the National People’s Congress, China’s legislature, began reviewing a second draft of the Cybersecurity Law, which has been harshly criticized for requirements that data be stored locally. The new draft includes a requirement that “network operators…respect social morality and commercial ethics…accept supervision from government and the social public, and bear social responsibility.” It also outlaws “software or tools for the specific use of making network intrusions”—software frequently used by security researchers to test networks.

Even more alarming, the new draft criminalizes both security research and vulnerability disclosures that are not in accordance with the “relevant state provisions” as well as penalizes any form of assistance for such activities, including sale of network intrusion tools or other “activities harming cybersecurity”. Individuals found guilty of these crimes are subsequently banned from working in “cybersecurity management and network operations for the rest of their lives.”

Commenting on the proposed law, Chinese experts have complained about the growing black market for vulnerabilities, and praised the draft law for authorizing vulnerability regulation and criminalizing vulnerability disclosure.

Weighing in on Yuan Wei’s arrest, one expert writes that white hat hackers need the “affirmation and encouragement of the internet security industry” and that laws protecting their rights need to be perfected. But he goes on to recommend making it illegal to disclose vulnerabilities in a computer system without the express permission of the system’s owner, and suggests looking to the Wassenaar Arrangement, an international agreement forbidding the export of network intrusion software, for guidance on how to regulate vulnerabilities while continuing to encourage security research—never mind that cybersecurity experts have roundly critiqued the pact for stifling research.

Chinese security researchers are increasingly leading the world in vulnerability discovery—just this weekend, a team of Chinese researchers demonstrated a way to hack the autopilot feature of a Tesla Model S. And yet taken together, the newest draft of the Cybersecurity Law and comments on it by Chinese legal and cybersecurity experts offer a bleak outlook for Chinese white hats. There seems to be a growing consensus among Chinese legislators, regulators, and academics that security research needs to be severely restricted. While the Cybersecurity Law still needs to be finalized and passed, and implementation regulation have yet to be drawn up, the newest draft of the law represents a sharp move towards outlawing white hat hacking. The Chinese government frequently claims that China is the world’s “biggest victim of cyberattacks.” If they wish to improve that situation, criminalizing security research is the wrong way to go.