China was hit hard, very hard, by the recent WannaCry ransomware attack. Of course, government institutions and businesses worldwide suffered from the malware, but it seems that China was disproportionately affected. China has a huge online population, which may be one factor explaining the widespread impact of the attack. According to media reports citing data from the China Internet Network Information Center, China’s internet users (or “netizens”, to use a favoured English-language adaptation in China) totalled 731 million at the end of 2016, an increase of over 40 million from a year earlier. But the attack was directed more at institutions than individuals. The New York Times reported that over 40,000 institutions and companies in China were affected, including major universities, airlines, railway stations, gas stations and social media outlets.
While China has a large (and savvy) internet population, much of China’s corporate and institutional vulnerability comes from the widespread use of pirated software. This year’s submission by the Business Software Alliance (BSA) to the US Trade Representative’s annual Special 301 report noted that China’s rate of software piracy had “declined slightly” to the range of about 70%. Still, seventy percent of all the software used in China is a lot of unlicensed product, although how anyone can be sure with any accuracy how extensive the piracy rate is in a country as large and diverse as China is frankly beyond me. Let’s just say that it is enormous, fed by a corporate culture that doesn’t like paying for things that can be taken for “free”, along with lax government enforcement and the ready availability of pirated software. The sale of computers pre-loaded with pirated software has long been a problem in China; back in 2012 Microsoft mounted a publicity campaign to alert Chinese consumers to the prevalence of malware in computers shipped with pre-loaded unlicensed software.
The Chinese authorities do not officially condone software piracy, but the phenomenon of “the mountains are high and the emperor is far away”, a traditional Chinese saying used to describe the practice of local mandarins ignoring edicts from the emperor in Beijing, is very pervasive. Local officials have little incentive to enforce regulations regarding the use of pirated software that could put businesses in their bailiwicks at a competitive disadvantage vis-à-vis businesses in other parts of China. (In fact, they may well be using unlicensed software in their own offices.) Until very recently, economic growth was priority number one, with all else being subservient to this overriding objective. Now the vulnerabilities exposed by the WannaCry ransomware attack may start to change all that. Here’s why.
China is a paradox. The world’s largest country by population is not easy to govern. On the one hand, it is a highly centralized structure with a dual party and government apparatus. The tentacles of the Chinese Communist Party (CCP) extend everywhere in China. According to official Chinese estimates there are over 85 million members of the CCP, with a Party presence in almost every major state enterprise and institution, right down to the county level. These party members, many of whom serve as “Party secretaries” in various work units, ensure that Party discipline is maintained and that policies emanating from Party Central are implemented nationwide. Party members are even subject to a separate code of discipline which sits outside the judicial system and bears a distinct resemblance to a modern-day “Star Chamber”.
While Party members are the backbone of the system that transmits doctrine to the provinces, cities, towns, counties, educational institutions, government-controlled enterprises and so on, the system also allows these party bureaucrats an enormous amount of power and leeway at the local level. This is because, in the absence of any real grassroots democracy, it is difficult if not impossible to counter a local Party official who may be abusing power and acting like a local tyrant. History is full of local officials in China who chose to ignore the dictates of Beijing, whether in the days of the emperor or today. For local residents faced with the tyranny of a local Party official, often the only recourse is to make the pilgrimage to Beijing and petition the Central authorities to right their grievances, as was done in imperial times. Every day outside the gates of Zhong Nan Hai (the residence of CCP leaders) a gaggle of petitioners from the provinces gathers with placards, posters and petitions to present cases of apparent miscarriages of justice, hoping against hope for a remedy. Local governments have become adept at heading off these petitioners, often holding them under a form of house arrest in Beijing and then bundling them back home before they can cause trouble for their local masters.
What all this means is that while there is a highly structured centralized system that can transmit edicts, and ensure their implementation when the Central authorities deem this necessary, there is at the same time a great deal of tolerance for what is euphemistically called “local initiative”. Regulations and laws promulgated by the central government are, as often as not, more honoured in the breach than in the observance. In fact, generally speaking, the further one gets from Beijing, the less likely it is that the rules will be strictly observed, unless the rules touch an issue central to the existence of the CCP.
When policies are deemed critical, like the CCP’s current anti-corruption campaign, or its campaign against followers of the Falun Gong, the whip is cracked and central policies are implemented quickly and almost uniformly. However, when it is not really a matter of Party survival, a much more laissez-faire attitude prevails. Sometimes an effort is grudgingly made to follow central direction and a high profile local campaign is launched for a limited period of time. In terms of anti-counterfeiting and piracy efforts, these campaigns are often characterized by a series of high-profile raids wrapped up in a publicity package labelled something like “Strike Hard”. This was a typical move, for example, back in the days of rampant optical disk piracy. The campaign would be rolled out with great fanfare, raids would be publicized, a few low-level vendors would be arrested, photographers would be trundled out to document the destruction of piles of pirated or counterfeited goods—and as soon as the campaign was over (usually in a couple of weeks), business would resume as normal. This is what can happen when the local authorities feel the pressure to “do something” without really dealing with systemic change or the roots of the problem.
When it comes to an issue like pirated software, it hardly falls into the “mission critical” category for the CCP, and so, at least until now, policy direction and enforcement have been sporadic. By the same token, there is no pressure from the grassroots for change either. No petitioners are going to Beijing to complain about the widespread use of pirated software! However, with WannaCry’s widespread disruption, this could be the wake-up call that finally brings about real change.
It has been shown time and again that there is a strong connection between malware, infrastructure vulnerabilities and the use of pirated software. A BSA study published in May 2016 demonstrated a high positive correlation between the use of unlicensed software and the prevalence of malware attacks. The BSA’s Global Software Survey found that “the higher the rate of unlicensed PC software, the higher the likelihood that users will experience potentially debilitating malware”. That report cited a Symantec study showing that there was a 35% increase in ransomware attacks in 2015 and that almost two-thirds of them targeted small and medium-sized businesses. The report added a warning that was prescient:
“The findings highlight that a significant hidden cost associated with using unlicensed software is the possibility of unwittingly opening up an organization to cyber risk in doing so. The findings also argue for instituting first lines of defense: ensuring that no illegitimate or unlicensed software is acquired by anyone, and that software is regularly updated and security patches are installed as soon as they are received. Failure to do so can cause serious problems.”
Part of the problem in China was precisely that the security patches issued by Microsoft in March to address the vulnerability exploited by WannaCry were not available to older, unlicensed versions of the operating system. Exposure to malware is not restricted to the use of pirated software but also extends to accessing websites hosting large amounts of copyright-infringing material, as I have discussed in an earlier blog.
While the widespread use of pirated software in China means that it has become almost an accepted fact of life and way of doing business, the Chinese Central Government and the CCP are not happy to see these vulnerabilities exposed. Cybersecurity is already a sensitive policy issue; public humiliation by a bunch of ransomware criminals doesn’t enhance China’s reputation. Watch for the rollout of a campaign to tackle the problem of unlicensed software, but one that just could be more than the usual 30-day wonder.
Just as respect for copyright in China in areas other than software is growing as Chinese companies such as the search engine Baidu become creators and owners of content, so too is it likely that the high rate of software piracy in China will start to drop, aided by a government push to strengthen security and reinforced by growing Chinese domestic innovation in software. This should improve the business prospects for BSA members in the short run; in the long run this may be a somewhat bitter victory, as China is eager to develop its own software and end its dependence on operating systems like Microsoft’s. When that happens, as it inevitably will (although perhaps not to the complete exclusion of foreign participation in the Chinese software industry), the rate of software piracy in China will drop even more rapidly.
When we look back a few years from now, it may be that the WannaCry attack will have marked the turning point in bringing the Chinese software market more into line with global standards. If that is the case, it is probably the only good thing to have come out of the ransomware attack.
© Hugh Stephens, 2017. All Rights Reserved.