Dams, oil and gas pipelines, factories and other computer-controlled infrastructure are more vulnerable to cyber-attacks in China than in other countries, security specialists say.
The effectiveness of such an attack was demonstrated last year when the Stuxnet computer worm slowed Iran’s nuclear program by taking control of and disabling hundreds of uranium-enriching centrifuges.
A cyber-attack on China’s computer-controlled infrastructure would imperil the world’s second-largest economy, which likely would affect the economies of Beijing’s trading partners, including the United States.
China’s vulnerability lies in its fledgling domestic software industry, which Beijing nurtures and promotes, and in the lack of transparency in its computer-defense organizations, which makes hacking into its systems easier than gaining unauthorized access to Western systems, security specialists say.
Coincidentally, China is widely viewed as an aggressor in cyberspace. The U.S. and other Western nations have identified Beijing as being behind cyber-espionage attempts against their infrastructure computer systems.
Factories, dams, utilities and other industrial operations rely on computers that use special software to run, maintain and troubleshoot their machinery — Supervisory Control and Data Acquisition (SCADA) systems. Malicious computer programs such as the Stuxnet worm allow hackers to hijack SCADA controls.
China’s premier domestic producer of SCADA software is Beijing-based WellinTech Inc., which boasts on its website that its Kingview SCADA package is the most widely used in China and has customers in the aerospace and national defense industries.
When a security researcher discovered a critical flaw in Kingview and reported it to the company and Chinese authorities last year, he met a wall of denial that raises grave doubts about Chinese cybersecurity procedures.
The vulnerability would enable a hacker to gain control of any industrial machinery operated by Kingview SCADA software, security researcher Dillon Beresford said.
“Exploiting this bug correctly would allow the attacker to gain remote control of the machine” that the software was running, he told The Washington Times.
Mr. Beresford, who looks for flaws in Chinese software as a hobby alongside his day job for a U.S. computer security firm, said he identified the vulnerability last year and immediately notified both the company and China’s Computer Emergency Response Team, CN-CERT.
Neither ever acknowledged his communication nor moved to deal with the flaw for 3½ months.
“I never got any response at all until I put some proof-of-concept data on the Internet, and the computer security press picked it up,” he said.
By putting proof-of-concept data on the Web, Mr. Beresford raised the stakes significantly. He made the vulnerability public — and in a way that would allow any programmer to use the code he had written to develop malicious software to attack Kingview.
CN-CERT posted a fix for the vulnerability within a few days.
In an e-mail to its American counterpart, U.S.-CERT, a few days later, the center said Mr. Beresford’s e-mail “had been missed by the duty staff,” which deals with “thousands of emails every day. It’s a big pity, as well as a mistake that our duty staff [did] not notice such an important email,” CN-CERT concluded.
“Did it really slip through the cracks?” Mr. Beresford said. “I think there was a bit of embarrassment, and they were concerned about the implications.”
Mr. Beresford said it was not the first time he had found flaws in Chinese software.
“When it comes to vulnerabilities in software produced by domestic manufacturers, they’re not exactly transparent or open,” he said of CN-CERT and China’s other official computer security organizations.
That lack of transparency is a problem because a vulnerability can be patched effectively only if the fix is announced publicly, so that everyone who owns the software knows they need to download and apply the patch.
China’s infrastructure is “just as vulnerable [as anyone else’s] and probably more because of the lack of transparency,” Mr. Beresford said.
“The Chinese are very vulnerable to being compromised, but we haven’t seen a lot of work on this by U.S. or other Western researchers.”
James A. Lewis, a cybersecurity scholar at the Center for Strategic and International Studies, agreed, saying there are other reasons why China’s infrastructure is more vulnerable to cyber-attack.
Several surveys show that the great majority of computers used in China run pirated software, he said. “So your software sector is stunted” because no one can make any money selling a product that will be so quickly and easily pirated.
Moreover, “If you use pirated software, you have no idea where it comes from,” he said, adding that much of China’s has come from the Russian mafia.
Pirated software cannot be patched or updated and might have flaws or “back doors” deliberately inserted into it to allow easy, unauthorized access. “If you use pirated software, you’re gonna be vulnerable,” Mr. Lewis said.
“The Chinese don’t have the same problems we do,” he said. “But they have their own, and theirs may sometimes be worse.”