China cybersecurity update: DNS hijacking and IoT crimes

In a welcome patch of good news for the cybersecurity community, on December 25, 2018, the Chinese Supreme People’s Court (SPC”) highlighted five cybersecurity cases in its most recent release of Guiding Cases – the 20th such iteration of case law publication from the Chinese government including a landmark case on DNS hijacking.

Since November of 2010 the Chinese government has issued about 100 Guiding Cases which calls attention to a carefully curated selection of legal opinions on important recent cases. In China Guiding Cases serve dual purposes of establishing a controlling precedent for future cases in lower courts as well as putting the public on notice of the government’s law enforcement and policy priorities.

This is similar to how the US Supreme Court grants certiorari intentionally focusing its docket to decide in its sole view the most important matters within its jurisdiction. However the absence of western-style “checks and balances” across branches of government in China allows the Chinese system to reflect executive and legislative priorities as well providing a clear view of the whole government’s priorities.

A priority in Chinese government

While Guiding Cases historically include a variety of civil and commercial criminal and administrative cases the 20th Guiding Cases publication contained cybersecurity cases exclusively a move perhaps intended to acknowledge and reinforce President Xi Jinping’s cybersecurity priorities. President Xi has been clear that cybersecurity is a Chinese government priority including his mention of it in a speech at the Chinese National Cybersecurity and Informatization Work Conference on April 20 2018 where he declared “Without cybersecurity there is no national security the economy and society will not operate in a stable manner and the broad popular masses’ interests will be difficult to guarantee.”

Building on this direction from President Xi the 20th SPC Guiding Cases publication advances this priority by highlighting five different types of cybersecurity cases including the landmark decision on DNS hijacking. In the headlining case the defendants used malicious code to redirect internet users away from their intended destination and instead directed the unsuspecting Internet users to Chinese search engine motivated by payments of over 750 000 RMB ($100 000 USD) from the website’s parent company in compensation for the stolen web traffic.

Applying best practices

MarkMonitor encourages its clients to use good SSL Certificate management practices and to explore HSTS listing to mitigate the effects of these types of attacks. Prior to this ruling similar cases involving DNS hijacking in China had been treated as civil matters. Here the Shanghai court found that this behavior rose to the level of the “crime of destroying the computer information system ” and sentenced the defendants to three years in prison. If these facts sound familiar a British hacker-for-hire was recently sentenced to two years and eight months in prison for deploying a botnet of Internet of Things (“IoT”) connected devices to a Liberian ISP for use against a rival ISP’s network resulting in a DDoS attack that ironically disabled all Internet connectivity in the west African country.

Of the other four SPC Guiding Cases two clarify that hosting gambling operations on popular platforms such as WeChat constitutes cybercrime and the other two highlight that interference with IoT connected devices either by electronic or manual interference also constitutes the “crime of destroying the computer information system” in China. Cybersecurity professionals might be encouraged by the vast factual differences between the types of IoT Guiding Cases: in the first IoT case the defendant was sentenced to two and half years in jail for using a “GPS jammer” to hack into five concrete pump trucks; in the second government officials responsible for air quality monitoring stations received varying sentences of around one year in jail for using a less high-tech “cotton yarn to block the sampler” and distort publicly-reported air quality results.

What comes next?

It is yet to be seen what deterrent effect these Guiding Cases might have on cybercrime in China and cybersecurity professionals may remain skeptical especially considering news such as Bloomberg’s October 2018 report that Chinese operatives had successfully embedded spy chips in hardware used by the largest US companies a claim disputed by the claimed victims.