Yuan Wei considered himself one of a legion of China’s so-called “ethical hackers” — computer programmers who spend their free time prowling corporate servers trying to detect security vulnerabilities in order to help fix them.
Now he’s sitting in jail.
Self-proclaimed “white hat” hackers often play a valuable role for companies and governments around the world as they scramble to keep up with increasingly sophisticated cybersecurity threats. But in China, they operate in uncharted legal territory. Their work may be indispensable to exposing threats, but legally, their actions are often indistinguishable from the malicious hacks they are trying to prevent.
Beginning in late 2015, 34-year-old Yuan Wei was spending most of his free time honing his hacking skills on WooYun, a vulnerability-reporting platform with nearly 5,000 registered “white hats.” By day, Yuan worked as an information security director at a home-appliance retailer in Zhejiang. By night, he vied for cash prizes offered by WooYun’s corporate members in exchange for exposing security breaches. His hacking yielded 11 exposed breaches, eight of which were fixed.
So how did Yuan find himself behind bars? It began with a seemingly routine vulnerability detection and report.
According to his father, Yuan Guanyang, Yuan Wei discovered on Dec. 3 a vulnerability on Jiayuan.com, China’s largest online dating website. The flaw allowed him to browse some of the data stored on Jiayuan.com servers. His father said Yuan Wei confirmed the vulnerability the next morning and filed a report with WooYun. Three days later, Jiayuan.com confirmed that it had fixed the problem, thanking WooYun and the white hat who had filed the report.
But a month later, on Jan. 18, Jiayuan.com’s parent company, Shanghai Flower Information Technology Co. Ltd., filed a report with the Beijing police alleging that private information from over 4,000 registered accounts had been stolen. The alleged attack had begun on Dec. 3, the same day Yuan Wei’s father claims his son conducted his vulnerability test.
On March 8, two police officers showed up at Yuan Wei’s office to arrest him and confiscate his computer. Yuan’s case is still under investigation, and he remains in criminal custody. Caixin was unable to interview Yuan Wei or his lawyer for this report.
On July 19, WooYun abruptly discontinued its services and remains offline today, its home page promising a return after system upgrades.
Server logs examined as part of Beijing’s investigation show that Jiayuan.com received over 4,400 access requests from 11 different IP addresses on the day of the alleged attack. The servers were infiltrated using a popular hacking technique called “SQL injection.” In the process, 932 pieces of data were subjected to a “read” operation by the attacker.
The case is complex and unprecedented. The courts are still trying to figure out whether Yuan Wei’s test was indeed mistaken by Jiayuan.com for an attack, or if perhaps his test and a separate attack happened to occur on the same day.
But the online backlash against Jiayuan.com shows that in the court of public opinion, Yuan Wei is innocent. Following reports of his arrest, fellow white hats rushed to his defense, threatening revenge attacks on Jiayuan.com. There was indeed a spike in attacks on Jiayuan.com, according to company insiders. Reports to WooYun of vulnerabilities on Jiayuan.com increased as well.
Jiayuan.com CEO Wu Linguang said that the company had no way of knowing how the compromised information would be used, and so decided to report the attack to the police. WooYun never provided Jiayuan.com the contact information of the white hat who discovered their vulnerability, according to Wu.
“We had no way of knowing whether the attacker and the white hat were the same person,” he said.
Legal Gray Area
White hats operate in a legal gray area in China. There are no specific laws addressing white hats, vulnerability detection and reporting, or third-party platforms like WooYun, according to Huang Daoli, director of the Third Research Institute of the Ministry of Public Security’s Cybersecurity Law Research Center. The laws are designed to prosecute malicious hackers and haven’t caught up to the reality that, as McAfee antivirus software creator John McAfee pointed out at this year’s China Internet Security Conference in Beijing, “Most hackers are white hats.”
According to Article 285 of the Criminal Law, accessing, transmitting or processing data stored on computer information systems, or illegally controlling these systems, is punishable by a fine and up to three years in prison.
The problem with this legal framework is that white hats have become critical to ensuring cybersecurity.
Since security vulnerabilities will always exist, repeated testing and trial and error are the only ways to expose and fix them, according to Wu Jiangxing, director of the China National Digital Switching System Engineering and Technological R&D Center.
“Existing scientific capabilities are not enough to completely prevent vulnerabilities,” added Wu, who is also a scholar at the Chinese Academy of Engineering.
Many governments and companies around the world have already begun harnessing the power of white hats, encouraging their work through financial incentives and programs.
In March, the U.S. Department of Defense announced the launch of its “Hack the Pentagon” initiative, inviting vetted hackers to test the cybersecurity of the department.
In South Korea, universities often offer direct admissions to winners of youth hacking competitions. Later, university competition winners are regularly recruited by state security agencies.
In the corporate world, Facebook and Google, among others, have long offered substantial monetary rewards to white hats who uncover vulnerabilities in their systems.
The key to establishing a legal basis for white hats is preauthorization from the targeted websites and companies, said Xu Xiaojun, deputy director of an information security assessment center under the Ministry of Public Security. This is where third-party platforms like WooYun have served as a bridge between companies and white hats. Companies that register on the platform must sign an agreement authorizing white-hat testing.
Yuan Wei in Limbo
But Yuan Wei’s case shows that in the murky world of white-hat hacking in China, these authorization agreements may not be enough to protect white hats from prosecution. According to Yuan Wei’s family, WooYun sent them proof that Jiayuan.com had authorized white-hat testing.
Another issue blurs the line between ethical and malicious hackers: white hats often take advantage of the established practice of exposing vulnerabilities in exchange for money.
It is not uncommon for white hats to leave a backdoor open after discovering a vulnerability, according to a report by Patching the Sky, a third-party vulnerability reporting platform operated by Internet security and antivirus software provider Qihoo 360. This practice allows the white hats to infiltrate a second time and claim another monetary reward. Yuan Wei’s father said his son never received any money for his white-hat activities.
The Future for China’s White Hats
Yuan Wei’s case is likely the first time the issue of white hats will be directly addressed by China’s legal system. It has the potential to define the role that ethical hacking will play in China’s online world for years to come.
“If our solution to protecting cybersecurity is forbidding the testing of vulnerabilities, then these vulnerabilities will never be addressed,” according to Xie Yongjiang, deputy director of the Internet Governance and Law Research Center at the Beijing University of Posts and Telecommunications. The market for vulnerability reporting is not going to disappear. “Instead of forcing it underground, we have to cultivate it,” he said.
Xie said that the only way to strengthen cybersecurity is to offer white hats and the third-party platforms that facilitate their work a place within the legal framework.
In countries that have begun to embrace white hats, such as the U.S. and the U.K., penetration testing that has been authorized by the party being tested is legal.
For now, Yuan Wei’s family is still waiting for clarity. Did Yuan Wei steal information from Jiayuan.com, or was he locked up simply for exposing a vulnerability? “Is my son guilty or not?” Yuan Guanyang asked. “I hope the law will give a fair answer soon.”