WannaCry in China: A Silver Lining to a Cybersecurity Breach

On June 1, China’s new Cybersecurity Law will take effect. The law, passed last fall despite concerns from foreign governments (including the United States), will require mandated security reviews for data storage and other IT equipment used in “critical information infrastructure” (a term that is left undefined). In addition, critical information infrastructure providers will be required to inspect their networks for security risks at least once a year, and submit reports to the authorities. The law will also, controversially, require all firms operating in China to store relevant data on Chinese soil.

According to the law, the purpose is to “ensure network security, to safeguard cyberspace sovereignty, national security and the societal public interest, to protect the lawful rights and interests of citizens, legal persons and other organizations, and to promote the healthy development of economic and social informatization.” China has long argued (truthfully) that it is one of the most often targeted countries in the world when it comes to cyber attacks and thus desperately needs a cybersecurity strategy.

However, critics look at the provisions of the law and see a thin excuse to boost Chinese domestic IT firms. Western giants such as IBM, Microsoft, and Apple could be arbitrarily barred from China’s information infrastructure out of nebulous “security concerns” simply because they are foreign companies. Likewise, requiring companies to store data in China will make it more difficult for foreign firms to operate while also increasing their vulnerability to Chinese demands for user information, a key human rights concern given Beijing’s extensive online censorship network.

Against this backdrop, a massive global cyber attack, dubbed “WannaCry” struck. The ransomware attack, which locked users out of their computer networks and demanded a fee to restore systems and data, exploited a vulnerability in the Windows operating system. That vulnerability, crucially, was first discovered by the U.S. National Security Agency, which keep quiet about the security flaw (presumably to gather intelligence using the exploit). Information about the vulnerability was included in an NSA data dump by a group of hackers called Shadow Brokers, giving cyber criminals around the world a U.S. government toolkit for entering and manipulating computer systems.

China was reportedly one of the countries hardest hit by the attack, in part because many Chinese operate pirated versions of Windows and thus did not receive a security patch that fixed the vulnerability prior to the ransomware attack. According to South China Morning Post, citing a Chinese cybersecurity firm, nearly 30,000 organizations across China were impacted by the attack. Xinhua reported that infected systems were found across China, in the “banking, education, electricity, energy, healthcare, and transportation” sectors.

The scale of the cyber damage caused hand-wringing among Chinese cybersecurity experts, with one telling SCMP that the weaknesses exposed by WannaCry “leave the door wide open to enemies.”

Chinese Foreign Ministry spokesperson Hua Chunying confirmed that China was among the countries impacted. “We realize that this hacking has affected such an extensive area and a wide range of countries, which also speaks to the complexity of dealing with the cybersecurity issue,” Hua said. “All parties should strengthen the concept for common security, safeguard the peace of cyberspace, prevent a cyber arms race, and ensure that cyber technologies are used for mankind's well-being.”

Shadow Brokers, the same group that previously released the NSA files, has also threatened to release data relating to China’s missile and nuclear programs starting in June, further underlining China’s vulnerability to cyber attacks.

While the WannaCry attack was devastating for the companies impacted, it had a silver lining for the government: it strengthened Beijing’s rationale for the new Cybersecurity Law. To quote Chinese President Xi Jinping’s strong statement at the first meeting of the new Central Leading Group for Cyberspace Affairs in 2014, “Without cybersecurity, there is no national security.” WannaCry provided a devastating example of the truth of Xi’s maxim.

Plus, as an added bonus, the United States – which China has long accused of bad cyber behavior – is indirectly tied to the attack. Not only did the NSA originally discover the vulnerability, but it spread to China because of the country’s reliance on Windows, a U.S.-created operating system.

An editorial in the state-run ­China Daily argued that, while the criminals behind the WannaCry attack remain unknown, “the US National Security Agency must shoulder some of the blame” for the attack. The editorial continued: “[...N]o other country has mounted such wide-ranging, costly, and long-term surveillance operations in the history of the internet as the NSA's PRISM and other spy programs.”

The WannaCry attack’s exclusive focus on the Windows operating system also bolstered China’s push to crown domestic champions in the IT field. “Among other things, the latest cyberattack should instill greater urgency in China's efforts to produce its own core technologies, as President Xi Jinping has urged,” China Daily noted.

However, cyber crime is rarely clear cut and China’s narrative became complicated the moment cybersecurity firms began piecing together clues as to the culprits. Those clues pointed to China’s neighbor and ally, North Korea.

As with North Korea’s nuclear and missile programs, China has generally looked the other way when it comes to the issue of Pyongyang’s offensive cyber capabilities. Whenever a specific attack is linked to North Korea, China demands to see more evidence. Since attribution of cyber attacks is never ironclad, Beijing can get away with dragging its feet indefinitely. Reports suggest that China in fact plays host to at least part of North Korea’s cyber offensive, with military groups from North Korea working from Chinese soil to stage cyber attacks against South Korea.

However, Cheng Xiaohe, an international relations professor at Renmin University, told The New York Times it would be a “big change” if North Korea was behind the WannaCry attack. “This time if it’s from North Korea, the malware was targeted indiscriminately against all computers… It harms and threatens China.”

At the moment, North Korean hackers are believed to be migrating to Southeast Asia, in part because Chinese authorities are cracking down on their activities. If Beijing is even partially convinced of links between WannaCry and Pyongyang, it will likely step up efforts to weed out North Korean cyber militias from Chinese territory.

For now, however, China is sticking to the narrative that the United States bears the brunt of the blame. WannaCry thus underlines the necessity of Beijing’s new cybersecurity strategy, and provides useful cover from persistent overseas calls for the law’s implementation to be delayed. The provisions of the law – especially the necessity of an annual security check-up – could have helped close the vulnerabilities WannaCry exploited. After all, a simple Windows update (coupled with ensuring all software is legitimate) would have prevented the damage caused by WannaCry, and that would be the first step in any cybersecurity review.

It may be cold comfort to the many Chinese universities, businesses, and even local governments whose data was taken hostage, but WannaCry helped prove Beijing’s point about the crucial nature of cybersecurity reforms in China.