Morals, Money Motivate Do-Good Hackers
More than a decade ago, Sun Yi first encountered the world of hacking as a high-school student while he was browsing a magazine stand. A computing publication’s cover story about the malicious program MS05-002 caught his eye.
At that time Sun, who hails from Jiamusi City in the northeastern Chinese province of Heilongjiang, didn’t have a clue what a Trojan was in an online context. Intrigued, he purchased the issue. At the very least, he thought, it would make him look cool to his classmates.
Sun was right about the cool factor — a Trojan is a piece of software that looks benign but gives the unscrupulous access to passwords, bank accounts, or other sensitive information — but the magazine article also triggered in him an interest in hacking that in 2007 led to his decision to work in cybersecurity.
That was nearly a decade ago. Today Sun, 28, is the director of online training programs at Integrity Tech, a Chinese cybersecurity company whose building stands next to internet giant Baidu’s in a high-tech park in northwest Beijing. Integrity Tech went public last month on the National Equities Exchange and Quotations (NEEQ) market.
“Everyone agrees that information technology security is hot right now,” Sun told Sixth Tone in an Integrity Tech conference room named “Apple,” after the U.S. consumer electronics brand.
Sun’s rise from curious teenager to leading cybersecurity authority mirrors the evolution of hacking in China. Mounting losses from security breaches are one reason behind the increased awareness of cybersecurity: Companies and individuals in China suffered losses amounting to 91.5 billion yuan (over $13.7 billion) in the 12 months before this June because of information leaks, scams, and fraudulent information, according to a report from the Internet Society of China released June 23. That number is up 13.7 percent from the previous period.
So, too, is the topic rising in the consciousness of the country’s political and business leaders. President Xi Jinping remarked in 2014 that there could be no national security without internet security, and about two dozen conferences for cybersecurity products and service providers — some backed by the government, others backed by leading tech companies like Tencent and Qihoo 360 — are held every year.
The revenues of China’s nascent cybersecurity market — broadly considered to include anti-virus software, firewalls, and related consulting services — totaled $4.9 billion in 2012, and this figure is likely to double by 2017, according to a report by the London-based consultancy ABI Research.
By 2013 only 50,000 cybersecurity professionals had been trained in China, but the industry is estimated to need an additional half million experts. And demand is expected to increase by 20,000 positions each year, according to a joint report by the Shanghai Information Security Trade Association and the Institute of Information Sciences of the Shanghai Academy of Social Sciences.
All this is good news for hackers like Sun who want to use their skills to protect online information. Many like him call themselves “white hat” hackers to distinguish themselves from the “black hat” hackers who wreak havoc online.
The current trend is also good news for Sun’s company, as it offers training to those hoping to improve their hacking skills.
Training programs at Integrity Tech emphasize cybersecurity technology, and they have attracted nearly 200,000 participants, including experienced IT specialists who want to broaden their skill sets and beginners with dreams of someday becoming do-good hackers, said Fu Lei, the marketing director in charge of training programs.
The courses teach beginners what cybersecurity is, what kinds of jobs can be found in the industry, and what they need to know for each job.
“Demand in the IT industry is huge but diversified,” Sun said. “Each post requires special skills, and so you must learn the right skills to reach the position you’re hoping for.”
When Sun first started out, he didn’t have a guide like the participants in the training program he went on to design. Sun went to school in Jilin province in China's Northeast, which shares a border with North Korea. His mother ran a retail clothing business. Sun quit school when he was 17: He saw no future in formal academic study. Instead, he went back to his hometown and made a living selling secondhand books, while also self-studying coding and computing.
Driven by curiosity, Sun studied every technique in every magazine he could get his hands on. He also joined online forums and created a group with other novice hackers so they could support each other in their informal studies.
Sun began to entertain the idea of becoming a professional hacker in 2007. “I liked reading books, but I didn’t like selling them,” he said. “And the money I made was only barely enough to make ends meet.” Sun made around 2,000 yuan per month selling books on the street. But winters in Heilongjiang are well below freezing, and so he was forced to stay indoors for several months out of the year, earning a pittance of 500 yuan per month leveling up people’s video game characters.
Then a bug Sun discovered in an online forum of one of the magazines he bought led to a part-time job at the magazine.
Sun’s job at the magazine was to answer questions from fans and subscribers in an online forum and record video training lessons from home, explaining the principles of bugs and how to exploit them. What began as a side project brought Sun to Beijing in 2007, first as an editor and training program designer with the magazine, and then later as a cybersecurity engineer with his current company.
Sun considers a career in cybersecurity to be “on the frontier of the current era.” “Knowledge of IT security is the survival skill of the future,” he told Sixth Tone.
Many share this sentiment. In fact, this year 29 universities in China received authorization to confer the first batch of doctoral degrees in cybersecurity.
In addition, competitions are held throughout the country to discover new talent. Last year, a competition in Shanghai saw top university-age hackers recommended for positions offering up to 500,000 yuan a year.
For 36-year-old Hu Lei, who began to develop his hacking skills in 2001, these lucrative realities for hackers would have been hard to imagine a decade ago. “In the past, we gathered once a year at most,” he said. “Now you see people pouring lots of money into meetings and conferences.”
Hu was once in charge of a hackers’ website which also provided online training in hacking skills. In 2008, as authorities began to crack down on dubious online exploits, Hu’s website was taken offline temporarily, and he was taken into custody for 30 days for illegally providing hacking tools.
In 2009 China passed the seventh amendment to its criminal law, formally stipulating that hacking to steal and providing tools for hackers are unlawful.
Despite his detention, Hu doesn’t blame the government for taking action because rigorous attacks by black hats were common at the time. “They planted Trojans everywhere, and once you clicked the link they sent you, your money would be gone,” he said.
Sun was in favor of the amendment, as it would help eliminate hackers with less noble intentions.
Black hats have approached Sun about joining “the dark side,” but he refused their modest offer of 3,000 yuan a month. He now specializes in making anti-virus software that is invisible to the malicious programs planted by black hats.
“I was tempted, sure,” Sun said. “But I thought I’d rather do something constructive instead.” Sun believes that as long as there are legitimate jobs for the people who possess his unique skillset, they will be unlikely to choose criminal paths.
“Knowledge of cybersecurity is like nunchaku: You can use them to kill, or you can use them to defend,” said Wang Qi, a 36-year-old hacker who founded Microsoft’s Security Response Center (MSRC) in China. In the past, he said, the word “hacker” often triggered negative associations — but now things have changed.
“The families of those who worked in the cybersecurity industry once thought they were doing bad deeds,” said Wang. “People respect the industry now.”
After studying information security at Shanghai Jiao Tong University, Wang joined Microsoft as a digital forensic expert in 2005, looking for loopholes whenever the system was penetrated. Then in 2007 Wang founded China’s MSRC, the first corporate SRC to invite IT enthusiasts to detect and report vulnerabilities in its system.
Wang left Microsoft in 2011 and founded the Keen Team, a crew of cybersecurity technicians whom Forbes called “one of the most respected benevolent hacker teams in the world.” They are consistently Asia’s top prizewinning team at Pwn2Own, a top hackers’ competition. (“Pwn” is hacker-speak for “gain control of a system.”)
Since 2014, Wang has organized his own hacking contest, GeekPwn, which focuses on security loopholes in web-connected household products. A recent convention in Macau saw young researchers infiltrate and commandeer routers, intelligent safes, cameras, and other products that can be controlled remotely via the internet.
Wang said his purpose is not to attack, but to tap into young minds and showcase how innovative some of their ideas are. “I also want to say to anyone interested in hacking: Instead of doing bad things, you can be rewarded for helping to expose security flaws,” he added.
Yu Yang, chief judge of the GeekPwn contest in Macau, told Sixth Tone that many individuals and companies are not vigilant enough when it comes to detecting security risks.
“Our physical world is becoming integrated with the digital world,” Yu said. “The public will pay a high price if their awareness of security problems lags behind. We hope to attract more attention to this issue.” Yu is one of three hackers to win a $100,000 prize from Microsoft for discovering serious bugs in its system.
Sun is optimistic when it comes to future prospects for hackers in China. He said that most current cybersecurity problems involve computers and cell phones, but that in the future, this could shift to automated doors or even vehicles. Sun is certain of one thing: “There will be more cyber-attacks in the future.”
(Header image: Andrew Brookes/Getty Images/Corbis/VCG)