China: Information Security

A June 1999 report from U.S. Embassy Beijing

Summary: Officials of the China National Information Security Testing, Evaluation and Certification Center (CNISTECC), an independent, government-sponsored organization which has been designated the national certifying authority for 11 security-related items, are very interested in pending changes to U.S. policy on encryption technology exports. In addition, they told U.S. Embassy Beijing officers on June 9 that they want to know more about the current status of the USG debate on establishing a key recovery system in the U.S. and about how the USG would deal with American companies that were offering to sell restricted technology to China. CNISTECC Director Wu Shizhong knew of "PICTURE.EXE," a widely-publicized virus that searches for passwords and emails them back to China, but said he was not free to talk about it. Appended to this report are descriptions of the PICTURE.EXE virus, PRC information security regulations, and the State Council Information Office Computer Information Security Section web site.

Professor Wu Shizhong, Director of the China National Information Security Testing Evaluation and Certification Center (Zhongguo Guojia Xinxi Anquan Ceping Renzheng Zhongxin) told Embassy officers on June 9 that the center was officially authorized to issue internet security certifications in November 1998. It was later given a broader role by the China Quality and Technical Supervision Bureau (Guojia Zhiliang Jishu Jiandu Ju) (TSB) to do hardware, software and data security certification. Wu added that in February 1999 the China National Accreditation Council for Product Certification Bodies and the TSB certified that CNISTECC had met the criteria in ISO/IEC Guideline 65 as an accredited certification body.

CNISTECC Strives for International Standards of Information Security

The CNISTECC, which the Chinese government established as a non-profit, independent organization, is supervised by a committee that includes representatives of the Ministry of Public Security, the PLA-affiliated Secrecy Bureau (Baomi Ju), and other PRC agencies involved in information security. Wu said that the CNISTECC has reached ISO and IEC standards in its certifications for several aspects of security and encryption, and would like to apply U.S. and international standards on computer security in China so that China would be WTO-compliant in this area. Wu said that he would attend an ISO conference on computer security in the United States this Fall.

Encryption Modules Can Meet Chinese Needs and U.S. Regulations

Wu stressed that Chinese companies and foreign companies alike had information security requirements. He suggested that U.S. companies might be able to meet Chinese needs and comply with U.S. encryption regulations if the U.S. companies completely removed the U.S. encryption module and replaced it with a Chinese-made module. This would be possible, said Wu, if the U.S. company provided Chinese customers with information on the applications programming interface (API) of the software.

China's Encryption Software Market

According to a recent article in Shichang Yu Judao (Market and Distribution No. 8, 1999), the top four encryption software companies in the Chinese market have a combined market share of 90 percent. Several Chinese companies in the mid-1990s switched from developing their own encryption software to serving as sales agents for foreign companies because they found competing in this capital- and technology-intensive field difficult. Jintiandi has sixty percent of the market; Rainbow Technologies (http://www.rainbow.com) of the United States, in second place, is moving up fast. In third and fourth places are Shensi and Aladdin Knowledge Systems (http://www.aks.com and http://www.aladdin.com.cn) of Israel, which entered the China market in 1997. Some information industry observers believe non-U.S. companies may have an advantage due to the Chinese desire to diversify the sources of its high tech imports away from the U.S. Aladdin's Software Security Unit General Manager Jacob Vind, when announcing the opening of Aladdin's Beijing office in March 1999, said, "Our activities have played a key role in heightening awareness both in political and commercial circles as to the threat of illegal software usage which has been running over 95 percent...Piracy seriously damages the software industry, costing them billions (of Chinese RMB) every year, and eliminates thousands of jobs." A 1998 study conducted by PriceWaterhouseCoopers estimated that the total value of the software market in China should reach USD 3.6 billion by 2001.

Despite repeated anti-piracy campaigns and the March 1999 State Council decree prohibiting unauthorized software in government offices, retail sale of pirated software and end-user piracy are widespread and highly visible throughout China.

Export Controls and American Firms

Wu asked about pending relaxation of U.S. export controls on encryption and high technology. In particular, Wu expressed interest in the debate over establishing a key recovery system and distinguished between the "trusted third party" key escrow method used in commercial situations and the encryption needs related to state security. However, neither Wu nor his colleagues, including Chen Xiaohua (STC: 7115 2556 2901), mentioned information available on the Internet, nor did they discuss their long-delayed plans to establish their own web site.

In August last year, Director Wu first met with Embassy Officers and stated that a web site would open shortly. No mention of this web site was made in the June 9 meeting and CNISTECC now hopes to open its facilities in July. The slow pace of these developments caused private companies to question CNISTECC and its effectiveness.

American firms view CNISTECC as lacking in technical expertise. In addition, CNISTECC responsibilities for testing and certification appear to overlap with the responsibilities of organizations under the Ministry of Public Security and the Ministry of Information Industries. The U.S. business criticism of CNISTECC is that it cannot cope with the demands of businesses booming with the rise of e-commerce. A non-governmental body, even if certified, may not have the resources to cope with testing and evaluation issues relating to new products. Director Wu suggested as much when asked about Shanghai e-commerce organizations such as pilot projects for testing and evaluation.

Wu said that CNISTECC would certify such centers as branches or as testing and evaluation centers to handle the actual process dealing with new products and software.

Offer to Share Information on Export Control Violations

Wu asked how the USG would deal with U.S. companies found to be violating U.S. export controls. He also inquired whether the U.S. would like information on U.S. companies attempting to sell China higher levels of encryption than permitted by U.S. regulations. When asked if Chinese companies were often approached with offers of restricted software, Wu replied "occasionally." Wu said that in his experience apparent violations of export controls often turn out to be sales agents exaggerating the encryption capabilities of U.S. software they want to sell. However, he mentioned that some cases involved attempts to provide U.S. technology indirectly through third countries. Wu said that he welcomed exchanges of information with U.S. export control authorities to ensure that U.S. regulations are met.

According to Wu, many computer security standards in China are not compulsory and some regulations applied only to government organizations. To illustrate, Wu stated that at present even the widely available Pretty Good Privacy (PGP) 128-byte encryption program could be downloaded from the Internet in China and private users here could use it legally. (Note: ESTOFF has seen references to PGP in PRC popular computer magazines. End note.) Wu said the State Council would likely promulgate compulsory certification laws for encryption products by Fall 1999. When Econoff mentioned Public Security regulations that advise against the use of foreign-origin security software and browsers for "sensitive" uses, Wu dismissed this as a serious restraint on sales, and implied that as long as the foreign software was properly certified it could be used.

Requests for Information on U.S. Information Security Policy

Wu also asked if there were any pending relaxation of U.S. export controls on encryption and high technology and asked about the current status of the USG debate on establishing a key recovery system in the U.S. He differentiated the "trusted third party" key escrow method employed in commercial situations from encryption needs related to state security.

CNISTECC: A Channel for Anti-Hacker Cooperation

Wu said that the CNISTECC would welcome any information about Chinese hacker attacks against U.S. targets since "China and the U.S. should cooperate on information security matters." Embassy EST officer asked Wu about the PICTURE.EXE virus (described in a Chinese report in Appendix One below and in a report on the Anti-Online information security web site, http://www.antionline.com). Wu responded that he was aware of PICTURE.EXE but he was not at liberty to discuss the matter.

Public Security Warned of CIH in 9/98 But Was Widely Ignored

Wu said that Public Security had issued a notice warning of the CIH virus in September 1998 calling on all government units to use virus protection software. He added that computer users in some government units had ignored the notice and were affected by the virus. Last year there were many warnings about the CIH virus in the Chinese press, including a front-page story in the Beijing Evening News (Beijing Wanbao). Wu said that most Chinese users are new to computers and are not as sophisticated about how to prevent viruses as users in the United States. When asked about press reports of widespread damage in China from the CIH virus, Wu replied that the impact had been exaggerated by anti-virus software vendors in order to generate business for themselves.

The April 26 CIH Virus and PRC Computer Vulnerabilities

Other information industry sources have indicated that the CIH virus did cause serious damage to both private and government computers. These sources claim that there were at least four variants of the virus, one of which is rumored to specifically target computers using the simplified Chinese characters which are standard in mainland China. Official Chinese media reported that 360 thousand computers in China were damaged by the CIH virus on April 26, causing an economic loss of more than RMB 1 billion.

Information industry sources claim that the computer systems at some Ministries were inoperable for several days. An official at one ministry said that they were instructed not to turn on their computers on May 26 (to avoid activating the virus, which re-occurs on the 26th of each month).

According to a report on the web site of a Chinese anti-virus software company (http://www.rising.com.cn), the CIH computer virus affected computers at MOFTEC, the Ministries of Agriculture, Finance, Science and Technology as well as at universities, insurance companies and local television stations. China may be especially vulnerable to computer viruses because of the widespread use of shareware downloaded from Internet sites and pirated software, reportedly used even in government offices.

Rumors and Computer Press on the CIH Virus

Rumors are reportedly circulating in academic circles in China and on electronic bulletin boards that the CIH virus was a deliberate attack on PRC computers by a mentally unstable Taiwan soldier. Embassy officers have not seen this accusation repeated in the official Chinese press, but according to the Chinese computer magazine "Software," there are five varieties of the CIH virus:

The October 1998 issue of the PRC computer magazine "China Computer News" (Zhongguo Jisuanjibao) came with a CIH-infected CD-ROM that spread CIH to many Chinese computer users. CD-ROMs, as read-only media, carry viruses permanently. According to one report, CIH affects five-volt EEPROM BIOS chips but not the traditional motherboard mounted non-flash EPROMs.

Why Was China Hit So Hard, Despite Warnings, by the CIH Virus?

Chinese newspapers and computer industry magazines pointed to computer user inexperience and the deficiencies of virus protection software commonly used in China as reasons for the impact of the April 26 CIH virus attack. Among factors identified that make the CIH problem more severe in China were:

Virus protection software is expensive. The most popular anti-virus program, KV300, sells for RMB 300 (USD 35), a large sum compared with the "free" pirate software many people use.

A list of the Chinese Public Security Public Information Network Security Supervisory Bureau computer security regulations is at (http://www.infosec.org.cn/law/seclaw.htm) and (http://www.infosec.org.cn/week/zhengwen.htm). Additional information on PRC information security regulations (including several Chinese Public Security notices such as the September 1998 CIH virus warning) and information security problems is available on the State Council Information Office Information Security Section web site at (http://www.infosec.org.cn). This web site also announces that the first Chinese conference on computer and information security will be held in Beijing on December 8 - 10, 1999 and that there will be an international exhibition on computer security held at the Beijing Exhibition Hall (Beijing Zhanlan Zhongxin) on October 26-28. Details in Chinese at (http://exhi99.infosec.org.cn/) and in English at (http://exhi99.infosec.org.cn/englishversion.htm). The conference bills itself as "the ONLY gateway to the emerging information security market in China."


Appendix One: Bug Finds Passwords, Emails Them to China

Below is a description of the "PICTURE.EXE" virus from the web site of the PRC anti-virus software KV300 (http://www.jiangmin.com/new.htm/upgrade):

BEGIN TRANSLATION

About the Widespread Hacker Program PICTURE.EXE

Users of KV300 can detect and eliminate PICTURE.EXE. This Trojan horse virus became widespread in December 1998. The latest version is not called PICTURE.EXE but instead MANAGER.EXE. This virus spreads via e-mail and can end up on your computer if you are not careful when using software that might include this Trojan horse virus. The following might occur:

The virus will put NOTE.EXE (an exact copy of PICTURE.EXE) in the Windows directory in the RUN section of the WIN.INI file. Thus, it will execute at system start-up. Once it executes, it will look among Windows files for 3231.EXE. If that file does not exist, it will create a temporary file (FILE0001.CHK) in the root directory. If this is successful, it will create directories of text and HTML files for the hard drive and repeat for all the hard drives until it can't create such a file (this typically happens on the CD ROM drive). The directory lists are then written to 2321.DAT. Five is subtracted from each ASCII code and the program exits.

At the next system start-up, NOTE.EXE reads the files in 2321.DAT. From the C:\Windows\Temporary Internet Files directory it builds a URL directory that is encrypted by subtracting five from each ASCII code. The program then exits.

If users have America-on-Line software on their hard disk, the virus will check for the C:\AOL\IDB\MAIN.IDX file, which contains the user name and password saved in a cache. Perhaps the program checks for this file to prepare to send this information back to the author of the virus.

The next time MANAGER.EXE executes, it tries to send the files 2321.DAT and 4341.DAT to an e-mail address in China. More details on PICTURE.EXE are available at (http://www.iss.net/xforce/alerts/advise20.html).

END TRANSLATION
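The behavior described in the translation above maps onto a small set of host indicators: an autostart entry on a `run=` line of WIN.INI, the dropped data files, and a reversible "subtract five" encoding. The following triage sketch is an added example, not code from this report or from KV300; the file names come from the translation, while the function names and the sample WIN.INI, file list and encoded bytes are constructed for illustration.

```python
import ntpath

# File names taken from the translated KV300 description above.
DROPPER_NAMES = {"NOTE.EXE", "PICTURE.EXE", "MANAGER.EXE"}
ARTIFACT_NAMES = {"2321.DAT", "4341.DAT", "FILE0001.CHK"}


def run_entries(win_ini_text):
    """Return the programs listed on run= lines of a WIN.INI file."""
    programs = []
    for line in win_ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "run":
            # Entries on a run= line are separated by spaces or commas.
            programs += value.replace(",", " ").split()
    return programs


def decode_minus_five(data):
    """Undo 'subtract five from each ASCII code' by adding five back."""
    return bytes((b + 5) % 256 for b in data)


def triage(win_ini_text, file_paths):
    """Report autostart entries and dropped files matching the description."""
    hits = []
    for prog in run_entries(win_ini_text):
        if ntpath.basename(prog).upper() in DROPPER_NAMES:
            hits.append(("autostart", prog))
    for path in file_paths:
        if ntpath.basename(path).upper() in ARTIFACT_NAMES:
            hits.append(("artifact", path))
    return hits


# Constructed sample inputs (not taken from a real infected system).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\NOTE.EXE\nNullPort=None\n"
SAMPLE_FILES = ["C:\\AUTOEXEC.BAT", "C:\\WINDOWS\\2321.DAT", "C:\\FILE0001.CHK"]
SAMPLE_ENCODED = bytes(b - 5 for b in b"http://example.com/")

if __name__ == "__main__":
    for kind, item in triage(SAMPLE_WIN_INI, SAMPLE_FILES):
        print(kind, item)
    print(decode_minus_five(SAMPLE_ENCODED).decode("ascii"))
```

Decoding a recovered 2321.DAT with `decode_minus_five` shows an examiner which directory listings and URLs were staged for sending.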


Appendix Two: Chinese Public Security and Other Web Resources:

Several security web page URLs contain Chinese characters and cannot be given here. The Ministry of Public Security Public Information Network Security Supervisory Bureau on May 30, 1999 listed computer security information software products certified for sale in China. A Public Security notice dated September 30, 1998 warned of the CIH virus and called on all government organizations to use anti-virus software. These notices can be reached from (http://www.infosec.org.cn/) by clicking near the Public Security emblem. Another list of anti-virus software products approved for sale can also be reached through (http://www.infosec.org.cn/). This site has links to a Chinese computer security online discussion forum and to other computer information sites around the world. A web page on security flaws of commercial software can be found at (http://www.infosec.org.cn/netsec/netsec.htm). Links to PRC computer magazines that frequently carry articles on computer security can be found at (http://www.infoweb.com.cn), (http://www.computerdaily.com), (http://tech.sina.com.cn), (http://www.netweek.com.cn), (http://www.computerworld.com.cn).

This is a joint report of the EST and Economics sections of U.S. Embassy Beijing.