What China’s One Billion Person Data Leak Tells Us about Government Cybersecurity
On June 30, an anonymous user on a cybercrime forum claimed to have stolen the records of one billion Chinese citizens. The user claimed that the database, totaling 42 terabytes—the equivalent of about 21,000 hours of movies—was leaked from the Shanghai Police Department. It allegedly contains sensitive personal information and criminal records. If the data’s authenticity is confirmed, it would be one of history’s largest personal data leaks.
The leak revealed several institutional shortcomings in the Chinese government’s cybersecurity. While the U.S. government has mechanisms to help prevent similar incidents from happening, this leak can help highlight several areas for improvement.
First, unlike the Chinese government, the U.S. government has proper disclosure avenues for vulnerabilities found in government systems. As early as April 2021, LeakIX, a service indexing platform, had already found the Chinese database’s public-facing interface through web scanning—a common practice that security professionals use to look for open vulnerabilities on the internet. However, Chinese Regulations on the Security Protection of Critical Information Infrastructure outlaw unauthorized vulnerability scanning against government systems, preventing the platform’s researchers from reporting the issue and leaving the public access open for a year.
In addition to the Cybersecurity and Infrastructure Security Agency’s Vulnerability Disclosure Policy (VDP) Platform in the United States, which centralizes and regulates vulnerability reporting related to government entities, many government agencies like the Department of Defense have established their own rules that allow researchers to look for gaps in their systems. Earlier this year, the U.S. Department of Justice also specified a policy that it will not prosecute “good-faith hackers.”
These measures effectively improve government cybersecurity without incurring the extra financial and administrative costs of expanding internal security teams. However, these efforts remain largely at the federal level while threat actors increasingly target local government infrastructures. Bug bounty programs, which incentivize public participation in vulnerability disclosure, are also scarce. As a next step, the U.S. government could integrate existing federal resources related to private security research, including the VDP and federal bug bounty programs, and potentially expand the scope of these programs to local and state governments to encourage broader public-private partnerships.
Second, cybersecurity assessment procedures are more comprehensive in the U.S. government than in the Chinese government, but the accuracy and effectiveness of the assessment methods need to be improved. The primary cybersecurity measure for Chinese government agencies is the annual cybersecurity drill known as the “Web Protection Operation.” Organized by national and local law enforcement agencies, the drills simulate a two-week-long cyberattack, where a red team (penetration testers) tries to break the defense set up by the blue team (internal security team). The effectiveness of these drills, however, is questionable. Participants of the operations recalled that the blue teams often used temporary measures to conceal their vulnerabilities, such as hiring hundreds of contractors to manually inspect and block IP addresses suspected to come from the red team, or simply unplugging vulnerable systems from the network to create an impenetrable airgap. Security experts also observed that the red teams often attacked using technically sophisticated zero-days in vendor software to guarantee quick results, but ignored common exploits or vulnerabilities such as spearphishing or, in the case of the Shanghai Police Department, publicly exposed databases.
In the United States, each federal agency’s inspector general or an independent external auditor must conduct annual cybersecurity audits under the Federal Information Security Modernization Act of 2014 (FISMA). However, the Government Accountability Office in part found that the FISMA framework may not accurately reflect an agency’s cybersecurity standing due to its focus on compliance with specific practices rather than risk evaluation in a dynamic threat environment, leading agencies to prioritize resources based on checking items off lists rather than on meaningful cybersecurity improvements. A more practical framework that better reflects the agencies’ cybersecurity would help make a more convincing case for effective spending, resource prioritization and improvement in cyber.
Third and most importantly, U.S. agencies must prioritize acquiring necessary cybersecurity tools and training the cyber workforce. Adequate software tools can automate threat detection and visualize traffic movement, allowing information technology professionals to identify and eliminate the low-hanging fruit in the network effortlessly. Identity and Access Management (IAM) software, for example, can ensure that only authorized users have access to sensitive resources, such as databases containing the personal information of a billion people. Public information on the Shanghai Police Department’s cybersecurity resources is scarce, but records of government purchases show that the department uses Alibaba Cloud as its software provider, which offers an IAM solution. The department also outsourced the operation of its servers right after the leak, so the database was likely maintained by an internal team that did not correctly utilize the provided software. It seems that in the Shanghai Police’s recent campaign to digitalize its services, securing its sprawling information system was not the main focus.
The U.S. government has similarly struggled with adopting better cybersecurity infrastructure and strengthening cyber talent, but has gradually improved in recent years. Government spending on cybersecurity has increased steadily, with an 11 percent increase in the budget proposed for FY 2023 compared to the previous year. Due to a robust domestic tech industry, the U.S. government has access to plenty of quality off-the-shelf security solutions. An expanded budget can help agencies adopt new tools, but the leak in China shows that good software is only the first step toward good cybersecurity. The cybersecurity workforce shortage severely limits the government’s ability to upgrade its systems and manage incidents. The government and private companies are pushing out training programs to address the issue, with the federal government’s cybersecurity rotational program as one of the most recent efforts. However, it remains to be seen whether the 600,000 and growing cybersecurity job vacancies across public and private sectors can be filled in time.
Thanks to the powerful censorship regime in China, one of the biggest personal data leaks in the history of the internet may soon be forgotten, but the lessons on how to improve government cybersecurity should not. Specifically, the United States should learn from the shortcomings that China’s data leak exposed to improve its cybersecurity posture and help prevent similar breaches.
Jeff Qiu is a research assistant with the R Street Institute’s Cybersecurity and Emerging Threats Team. He is pursuing a master’s degree in cybersecurity and public policy at the Fletcher School at Tufts University. Before joining R Street, he worked as a software engineer at U.S. and Chinese tech companies. He earned his bachelor’s degree in economics and computer science from the University of Chicago.
Image credit: Steven McDowell