Under the Radar: How WannaCry boosts China’s social credit system
June 16, 2017
The global WannaCry ransomware attack demonstrated the weaknesses in international computer networks. China emerged as one of the main victims, with tens of thousands of institutions (and many more private citizens) affected. Various government and business entities were laid low by the attack, including China National Petroleum Corporation – which cut service links to 20,000 petrol stations preventing electronic and online payment options like Alipay. Any consumer seeking an ATM to acquire cash for their gas purchases, would have faced further obstacles as Bank of China machines went offline across the country as well. China’s securities regulator also took down its network, with the banking regulator warning financial institutions.
WannaCry exposes China’s bad habits
Interestingly, one of the main classes of victims were Chinese education facilities, with over 4,300 institutions attacked. This number was disputed by the Chinese Education Ministry, which claimed only 66 of 1,600 universities were affected. The use of pirated software by universities in turn made the China Education & Research Network (CERNET) main transmitter of the virus. The fact that CERNET links Chinese universities to state-owned companies also using outdated security systems only accelerated infection rates. Of particular concern were attempts by WannaCry to hack into leading institutions such as Beijing University and Tsinghua University (which hosts a central CERNET server), two entities with close ties to the Chinese defense ministry and armed forces. The fact that WannaCry is based on a leaked NSA program – Eternal Blue – and the fact that the NSA has attempted to hack into said universities in the past raises serious concerns for the Chinese government.
While stolen American code supports the WannaCry ransomware, the biggest security breach came from within, namely from the prevalent use of pirated software in China. Surveys have shown that 70% of software used on Chinese computers is either pirated or otherwise not properly licensed. Chinese universities, companies and even government agencies are using outdated or pirated copies of Windows, a fact that enabled WannaCry to spread faster in China.
For instance, once China Telecom was infected, the company directed employees to use solutions from Qihoo 360; a popular site that supports pirated software. Unsurprisingly this did not work. Pirated copies of Windows miss out on the regular security updates that protect users from viruses like WannaCry. Even in instances when Chinese institutions are using legitimate copies of Windows, these are often old operating systems, such as Microsoft XP, which Windows discontinued support for in 2014, 14 years after its inception.
Chinese firms and government agencies are so reliant on XP that China made a deal with Microsoft and a state-owned firm that works with the defence industry to offer free upgrades for a version catered to China’s specific needs.
Pirated software has exposed major weaknesses in Chinese cyber-security and as such is likely to become a target for Beijing in the future. Cyber-security advisor Thomas Parenty notes that “the only way I see this changing [China’s use of pirated software] is if the central government decides there is a risk to critical infrastructure from this threat and forces people to buy legitimate software.”
Pirated software as score killer
The prolific and very public impact of WannaCry in China is a powerful message, one that Beijing could well capitalize on, using public awareness of the event to crack down on the kind of behaviour that made China particularly susceptible to the virus.
One way that Beijing could pressure its citizens to reject pirated software is by influencing consumption patterns via its nascent social credit system. Counterfeit products have become a serious concern for the government in other areas, be it food, medication or consumer goods, sparking scandals and embarrassing the regime. A crackdown on pirated software would mesh well with current anti-counterfeiting and anti-corruption efforts. China’s social credit score, currently undergoing eight private sector and municipal trials seeks to use financial, social and economic data to allot citizens a social credit rating, which in turn could lead to traveling, purchasing or credit access restrictions for those with poor scores.
The publicly available version is called Sesame Credit and is owned by Ant Financial, a subsidiary of Alibaba. There is growing speculation that the system aims at societal control, specifically as a means to stimulate consumption. Some netizens are speculating that one way to increase one’s score is to purchase more via Alipay. Shazeda Ahmed, a PhD candidate at UC Berkeley elaborates: “[These rumours on China’s internet] reinforce my hunch that the story in the shadows of the Western media portrayals of “social credit as Big Brother” is actually one of social credit being about spurring consumerism in a country where people have historically saved more than they’ve spent.”
Using the social credit system to penalize users of pirated software meshes with both Beijing’s and Alibaba chairman Jack Ma’s goals. Ma has recently shifted from his hitherto pro-counterfeit stance, with March marking his first time directly calling out the Chinese government for its lax laws and modest penalties for counterfeit goods. Specifically, Ma stated that “if, for example, we imposed a seven day prison sentence for every fake product sold the world would look very different […] in terms of intellectual property.”
Chinese consumers could raise their scores by buying legitimate goods such as software, ideally through Alipay, in order to get benefits such as faster visa access and expedited security checks. It is interesting to note that the countries already planning to partner with these simplified travel initiatives, such as Luxembourg and Singapore, are also where Alipay users can already use the app to make purchases overseas. This would be a huge boon to software providers and other companies currently losing out on Chinese business due to the high rates of counterfeit product use.
Ironically, if WannaCry spurs the government’s efforts to tackle fake software via the social credit system, Beijing will face a new kind of hacking risk – that of users hacking the social credit system to boost their scores, a contingency already being discussed in Chinese forums. Alongside boosting the social credit system, the weaknesses exposed by using old / pirated copies of Windows reinforces Xi Jinping’s efforts to create an Chinese alternative to Windows. The problem is that nothing suggests that a Chinese OS would be any more secure. “China is not known for designing hacker-proof tech, and Alipay in particular could do with better cyber-security practices,” notes Ahmed.