Chinese Hacking Chinese

Whenever the United States raises computer attacks that appear to come from computers based in China, Chinese government officials are quick to point out that they are also victims: "The fact is that China itself faces a rapid rise of cyber-crimes and attacks."

These claims are usually made to draw attention to hacks that come from outside China— "according to the 2010 report by the China National Computer Emergency Response Team (CNCERT), nearly half of Trojan server and Zombie server attacks on Chinese computer systems came from outside China"—but the Yangtse Evening Post has an interesting article on cyber espionage ordered by one Chinese firm on a potential supplier.  The story goes like this:

A Nanjing-based company invested over 1 million RMB in developing  new publishing software, receiving patents and grabbing a relatively large size of the market.  After short negotiations over licensing the software, a Shanghai company decided the fee was too expensive and set about trying to steal the source code.  6000 RMB was set aside for the job.  The original person contracted to conduct the operation found it too difficult and so posted the job online.  Eventually, a hacker named Liu, a graduate of a top university, a software engineer at another university, and a member of the hacker community took the job.  It took him "no more than a few hours.  Customers told the Nanjing-based company that its software was now available in Shanghai, and, after examining the software and finding it virtually the same as the original product, the company reported it to the Public Security cyber group.  In what the newspaper calls the first case of “illegal acquisition of computer information systems data” uncovered by Nanjing police, Liu, and the two others were arrested.

Three issues emerge from this story.  First, at least in cases where the intellectual property has an immediate market use, the actor is just as likely to be criminal or commercial as it is state or state-sponsored.  If even small Chinese companies are adopting cyber espionage as a business strategy, controlling the problem is going to be extremely difficult.

Second, almost anyone could be a target.  I heard this when I was in Germany and Switzerland, where there is deep concern about protecting the manufacturing competitiveness of small and medium-sized enterprises.  If you have any type of market or price advantage based on intellectual capital, there may be a small company targeting you.  And given how hard it has been for the big companies to develop effective cybersecurity, the small companies are going to be even more vulnerable.

Third, this is not good for China’s long-term goal of building an innovative economy.  It is hard to see why small companies would invest 1 million RMB in R&D when they can steal it for 6000 RMB.  This threat to the innovation economy may be the one silver lining to extremely dark skies.  If Chinese policymakers see cyber espionage as a big enough threat to their own companies, then they are more likely to actually begin to control hackers.  But that "if" is pretty conditional—policymakers would need a comprehensive view of (and authority over) innovation and espionage, and they would also have to be motivated to control hacking focused on both domestic and foreign companies.  In fact, the simplest thing to do would be to protect innovative Chinese  firms while continuing attacks on foreign ones.