As hacking hits home, China strengthens cyber laws

Cybercrime maximum sentences jump from three years to seven

A year ago, when a Time Magazine reporter told Tan Dailin that he'd been identified as someone who may have hacked the Pentagon, he gasped and asked, "Will the FBI send special agents out to arrest me?"

The answer, it turns out, was, "No, the Chinese government will."

Dailin, better known in Chinese hacker circles as Withered Rose, was reportedly picked up last month in Chengdu, China, by local authorities.

He is now facing seven years in prison under a new Chinese cybercrime law that was passed in late February.

Although the Western media has been awash with stories of Chinese hacking for years, cybercrime was until recently governed by three articles added to China's criminal code in 1997.

The laws were out-of-date and "failed to correlate proportionately with the tremendous social harm" caused by cybercrime, according to a recent paper on Chinese cyber-law published in the International Journal of Electronic Security and Digital Forensics.

"China has made significant progress in cybercrime legislation and is putting in great efforts to strengthen it," said Man Qi, one of the paper's co-authors, in an e-mail interview.

However, the paper concludes that the country's laws are still in the early stages of development. "Gaps and inadequacies exist in traditional offense provisions," said Qi, a senior lecturer in the Department of Computing at Canterbury Christ Church University in the U.K.

Until the new law was passed in February, computer crimes carried a maximum of three years' jail time. That has now been extended to seven years, and the definition of computer crime has also been broadened.

"These changes to the criminal code are important to crack down [on] cybercrime and also help to strengthen the protection of privacy and personal property," Qi said.

However, the laws are still not as tough as those in the U.S., where perpetrators of computer fraud routinely face 20-year sentences. And many security experts accuse China of sponsoring politically motivated cyber-attacks and turning a blind eye to cybercrime.

Still, China has expressed some willingness to work internationally on crime, Qi said. While preparing for the 2008 Beijing Olympics, "China was praised by Interpol for their 'highest possible standard' work," she noted.

The new law comes as cybercrime is starting to hit home in China, according to Scott Henderson, the author of a blog that covers Chinese hackers.

In the past few years, criminals posing as security experts have begun calling small-business owners, offering their services, Henderson said. If they're not hired, they simply attack the business, typically with distributed denial of service (DDOS) attacks, unless they are paid. "We're starting to see Chinese hackers hacking internally now, too," he said.

Dailin reportedly was arrested after he trained a DDOS attack on rival hacker groups. His victims went to authorities with evidence.

With China's economy struggling, some IT professionals have begun turning to crime in the past two years, Beijing-based security expert Wei Zhao said recently.

"They cannot easily find jobs, maybe the security market is too small for them," he said in an interview.

Zhao, the CEO of security consultancy Knownsec, called China "the world's malware factory," saying that the country has become a major source of online attacks and so-called zero-day attacks, which target previously undisclosed software flaws.

In recent months, Chinese hackers have gained fame for launching widespread attacks against programs such as Internet Explorer and Adobe Flash, but they have also targeted popular local programs such as Xunlei, QQ and UUSee.

Join the CSO newsletter!

Error: Please check your email address.

Tags Chinalegalcybercrimehacking

More about Adobe SystemsFBIInterpolRose

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts