China’s Struggle for Data Security

China’s Struggle for Data Security: To meet the ever-mounting threats posed by data hacks, cybersecurity has risen to the top of Beijing’s agenda.

In the age of digitalization, organizations as varied as hospitals, banks and police departments are accumulating vast amounts of data to find new ways of creating value from information. But these huge stores are often poorly guarded, making them honey pots for hackers.

To meet the ever-mounting threats posed by data hacks, cybersecurity has risen to the top of Beijing’s agenda, as seen in the government’s renewed focus (link in Chinese) on “key information infrastructure” in fields like finance, energy, communications, and transport. Industry experts said it is high time that China shored up its data security apparatus.

Amid heightened geopolitical tensions between China and the West, some cyberattacks are carried out by foreign states, as seen in a recent case that allegedly involved the U.S. National Security Agency. In a September report, the Chinese government accused the intelligence agency of hacking Northwestern Polytechnical University in Xi’an, Shanxi province, using more than 40 sophisticated hacking tools to break into the computer system and steal data.

But often, hackers are simply motivated by money, ransoming stolen data or seeking to trade it on the vast black market that has emerged for such information.

That was reportedly the case in August of 2018 when hotelier Huazhu Group Ltd. hit the headlines after 500 million pieces of customer information were stolen from the firm and sold online. Shanghai police investigated the leak, which included names, phone numbers, government-issued IDs and even home addresses, according to a Beijing Youth Daily report at the time.

Pei Zhiyong, an in-house researcher who works for Qi An Xin (688561:SH -1.36%), a cybersecurity spin-off of antivirus software maker Qihoo 360 (601360.SH -0.73%), said at the start of the pandemic, China’s medical system was a primary target for hackers.

While a few years ago data leaks in China might have consisted of tens or hundreds of thousands of pieces of information, typically names and phone numbers, they can now involve millions of pieces of rich data including bank card numbers, government-issued IDs, passwords, and even the selfies of people holding their ID cards next to their face often used for identity verification.

Industry experts said it is important for China to ensure the effective implementation of recent regulation on data security. However, other measures, including increasing cybersecurity drills and creating internal data security management systems, are also needed.

Lack of sound system

There are two main dynamics are behind the increasing prevalence of cyberattacks experienced by various types of organizations in China.

First is the rapid adoption of cloud technology, which enables organizations to outsource all or part of their data storage to third party cloud computing companies like Alibaba Cloud, a unit of Alibaba Group Holding Ltd. In 2021, China’s cloud computing market had sales of 328 billion yuan ($46 billion), a figure expected to reach 1.2 trillion yuan by 2025, according to industry research group iResearch.

The use of cloud technology doesn’t necessarily mean a compromise to security. But a confluence of factors — including the technology’s rapid adoption, lack of talent and poor security management experiences — among many Chinese organizations means that they are vulnerable to cyberattacks.

For many organizations, the investment in data security as a percentage of total IT spending is still relatively small, said an analyst who works for a Beijing-based industry research group. Many of them do not have a specific team managing data security issues, added the analyst.

The other primary factor that makes Chinese organizations vulnerable to cyber-attacks is their increasing reliance on third-party vendors — usually involving multiple suppliers — for building their technology capabilities. That means hackers can just focus on the suppliers, slipping a malicious code or component into a target company’s piece of software or hardware.

This kind of hacking method, called a “supply-chain attack” has become increasingly popular in China, said Pei. As a result, organizations must better manage their suppliers to ensure software or hardware products are free of security risks before being used, said industry experts.

Black market:  A black market for stolen data has developed in China alongside the increasing prevalence of data leaks. As of 2020, at least 400,000 people were involved in the industry of stealing and selling data, which generates estimated annual sales of over 100 billion yuan, according to a separate report by iResearch.

Typically, data are sold in large volumes and contain abundant sensitive information.

But the fight against cyberattacks is challenging, due partly to difficulties tracking hackers, who use innovative methods to avoid detection or lie low after an attack before selling the stolen data.

According to Qihoo 360’s Pei, hackers only put data on sale months after obtaining it, which gives them time to better cover their tracks. Trading of the data is usually done through specialized hidden websites, creating yet another layer of difficulty for hunting hackers, Pei said.

Amending regulation: In recent years, China has passed a series of laws and regulations as part of a broader effort to bolster its information security system. Last year, two new regulations concerning data security and personal information protection were introduced, complementing the cybersecurity regulation that went into effect in 2017.

But the regulation is pocked with ambiguities. For example, the data security law passed last year includes clauses that emphasize the need for organizations to protect “key” data but does not explain what that includes. For organizations to benefit from these laws, these points need to be clarified, said Zhu Sha, partner at KinDing, a Zhejiang province-based law firm.

Additionally, cybersecurity drills have become a regular practice conducted by the Chinese government since at least 2016 as an effort to examine and encourage cyber defense practices among a wide variety of organizations. But many use various tactics to evade such exercises — for instance, by removing the target computer system meant to be examined in advance, in order to avoid penalties or save the costs of upgrading it — undermining their effectiveness, according to a person familiar with the matter. In part, the government should be responsible for better supervising such organizations, the person said.

Regulations aside, many organizations are adopting new technologies in their fight against cyberattacks. Some are employing privacy computing, which allows data to be circulated among different organizations without being shared physically. In 2021, the market for privacy computing technology in China was worth 860 million yuan and is expected to skyrocket in value over the next few years, according to a report from research group IDC.

But more important is for organizations to establish an effective data protection management system, said a source at a Beijing-based software company, adding that there is still a long way to go “for China to build up a robust information security system.”

Caixin Global:  Download the app to receive breaking news alerts and read the news on the go.  Get Caixin Global’s weekly free Must-Read newsletter.

Source: Caixin Global