China's 'White Hat' Hackers Get With the Program
Do-gooders join forces to weed out online security risks, but few are willing to give up their day jobs.
By Li Xuejing
Every day after he comes home from his full-time job as an IT maintenance specialist, hacker “system_gov” puts in another four hours of work trying to break into the computer systems of other companies — but his intentions are good.
When so-called white hat hackers like system_gov succeed, they alert the companies to the vulnerabilities they have found. Their work is invisible but indispensable, especially as China looks to the Internet as a new engine of economic growth while online security remains poor.
Specialized websites have sprung up around the work of white hat hackers, with the idea being that by banding together they can convince more customers of their good intentions and boost their incomes from hacking.
System_gov, who asked to be identified by his online moniker to prevent becoming a victim of hacking himself, studied computer network technology as an undergraduate. The 23-year-old first became interested in detecting vulnerabilities in computer systems in 2015, following an incident where his former company was targeted by less scrupulous “black hat” hackers.
Benign white hat hackers are not a new phenomenon, but in China their work did not become a mainstream trend until recently.
Now, Chinese Internet giants such as Tencent, Alibaba and Qihoo 360 offer rewards to white hats. But the scale of such programs is small, considering the prominence and sheer size of the tech industry in China. At the end of 2015, state news agency Xinhua reported that there were close to 4.3 million websites in China, an increase of 17 percent from the previous year.
Yet many computer system operators in the country still lack basic security knowledge or the capability to defend against attacks. System_gov said that some of the bugs or vulnerabilities he found were so rudimentary that exploiting them took him only a few minutes.
Recent years have witnessed the emergence of a number of companies whose goal is to promote white hat hacking and increase security awareness among Chinese companies. Among them are nonprofit bug-reporting platform WooYun.org and security test crowd-sourcing portal Vulbox.com.
System_gov works with another Web company that goes by the English name Butian Vulnerability Coordination and Bug Bounty Platform.
In Chinese, butian means “patching the sky.” Butian traces its origins to 2013, and it is a nonprofit subsidiary of Internet security company Qihoo 360. When system_gov finds a bug, he reports it to Butian, which verifies the warnings and alerts the owner of the website or computer system of the risk.
When informed of the risk or vulnerability, many companies are so grateful that they pay cash rewards to system_gov. Some companies even voluntarily reach out to Butian to invite white hat hackers to run tests on the security of their information systems and websites.
Since 2014 the white hat platform has distributed 6 million yuan (around $927,000) in reward money, with about one-sixth of this coming from grateful companies. “We want to have the white hats paid in proportion to their work, and we want to make the systems safer for the companies,” said Lin Wei, head of Butian.
As one of the best-paid hackers on his platform, system_gov received one-third of his reward money from companies he had helped. They include such large companies as online travel agency Ctrip, Ping An Insurance, and the Postal Savings Bank of China.
Since he registered as a white hat hacker with Butian about a year ago, system_gov has earned nearly 150,000 yuan — not bad considering that he only works around four hours a day. By comparison, the average GDP per capita in China in 2015 was around a third of this figure.
How much companies pay system_gov depends on how egregious the bugs are. The risk level is defined based on the potential damage the bug could cause, for example, the amount of information that could potentially be stolen by hackers and the scale of economic losses that could occur. “For bugs considered ‘high risk,’ reward money can be as high as 5,000 or 10,000 yuan per catch,” said system_gov, adding that electronics companies and financial service businesses tend to be the most generous when it comes to payouts.
Shi Kaifeng, a public relations manager for online travel company Ctrip, said he considers white hat hackers necessary, even though his company has its own IT security team. “White hat hackers add value to companies with their skills,” said Shi. “And they also spur our in-house engineers to work better.” Ctrip offers rewards of up to 3,000 yuan for every bug reported by Butian.
A screenshot taken April 18 of Butian’s website shows a list of companies that have paid cash rewards, with figures for total monetary rewards, bugs found, companies aided, and white hat hackers registered.
However, not all companies seem to value the work of Butian’s white hat hacker community. Less than 5 percent of the bugs reported by its members are fully fixed by the companies whose vulnerabilities have been exposed, Butian said. It classifies bugs as fully fixed when companies close the loop by informing Butian that they have taken steps to rectify the problem.
Platforms like Butian, WooYun, and Vulbox are important to white hats because they bridge the communication gap between hackers and system owners. If white hats contact a system owner themselves, it’s unlikely the company would take much notice, said Bao Yu, a former white hat and current Qihoo 360 engineer.
According to Lin, the personal backgrounds of the 20,000 white hat members on Butian are more diverse than one can imagine: In their day jobs, community members are students, workers, taxi drivers, and Internet security engineers.
Another white hat hacker who goes by the name “Tiger of Hefei Binhu” said he had earned more than 450,000 yuan for finding 1,420 bugs for Butian since April 2013, all the while working his full-time job at an Internet security company in Hefei, capital of the eastern Chinese province of Anhui.
The Chinese government has recognized the positive impact of platforms like Butian in identifying tech vulnerabilities and helping to fix them. Under the guidance of the Ministry of Industry and Information Technology (MIIT), the National Computer Network Emergency Response Technical Team has collaborated with bug-finding platforms such as WooYun, Butian and Vulbox, focusing on identifying bugs in the computer systems of government institutions and other large enterprises, according to the MIIT’s website.
Despite the growing online community and backing from the central government, white hat hackers remain legally vulnerable.
Huang Jinshen, a Beijing lawyer, gave a webinar — the first of its kind in China — on the topic of legal liability and hacking to Butian members late last year. According to Huang, breaking into any system without the owner’s permission may break the law and could mean jail time if more than 20 computer systems are hacked into, or if the damages caused exceed 10,000 yuan.
“The law doesn’t have a clear characterization of white hat hacking, nor has it realized the profession’s positive impact on society,” said Huang of the legal hurdles the white hats are facing if the profession is to further develop. “It’s not enough to just tell the white hats what can’t be done. We need laws and regulations that can guide and regulate the profession and its behavior.”
Beyond the legal implications, the white hat hacking industry has not yet matured to the point where members can give up their day jobs. Neither system_gov nor Tiger of Hefei Binhu looks to hacking as a full-time job, at least for now. That’s mainly because the job is inherently unpredictable, unstable, and sometimes risky — and it can also be lonely and often thankless work.
Tiger of Hefei Binhu has already cut down on the time he spends detecting bugs, figuring he’s better off with his full-time job, and that moonlighting as a hacker is only a hobby that helps him to sharpen his skills.
“You have no cooperation, interpersonal communication, or prospects of promotion,” said system_gov. “In the end, white hat hackers act alone.”
(Header image: VCG)