As the incidence of cyber crime continues to rise, Charles Sturt University (CSU) adjunct lecturer and leading Australian cyber security expert, Dr Craig Wright believes government should push China to responsibly manage its cyber contractors.
“Forget the 30,000 people in ’computer security’ that the People's Liberation Army have in China wearing uniforms. Think of the 160 000 external ’consultants’ with Microsoft, Adobe and other source code. They know zero-days before we do. When we find zero-days, expect that others have been using them for months.”
The term ’zero-days’ refers an attack or threat that tries to exploit computer application vulnerabilities that are unknown to others including the software developer. An attack occurring before the first day of developer awareness gives ‘zero day’ its title, meaning the developer has not had any opportunity to distribute a security fix to users of the software.
Dr Wright believes China has a team greater than all the people Microsoft employs whose goal is to find and exploit the vulnerabilities in computer systems. These are generally Microsoft systems, as there are simply more of them. “You attack the system with the largest user base to get the best return on investment,” Dr Wright explained.
“Basically, China has many times the number of people looking through source code than Microsoft does. This opportunity to work on computer security, and to ensure that there were no backdoors in the code, was supplied to the Chinese as a part of the conditions of trade in China. Importantly, however, there have not been too many formal vulnerability releases by the Chinese government.”
Dr Wright believes there are approximately 10 Chinese software testers for each person coding in Microsoft, “and yet Microsoft finds bugs, external parties find bugs, but the Chinese groups do not find any bugs, or at least report the finding of any bugs.”
“These Chinese groups are yet to issue a single Common Vulnerabilities and Exposures
for all of the effort they expend on analysing the source code that Microsoft and others have provided.”
Dr Wright’s concern regarding cyber crime comes from his extensive study into the area for his fourth CSU Masters as well has his PhD and second doctorate, all through CSU.
“I find it remarkably surprising that we wonder how systems are exploited and data extruded time and again from locations in China and we are not looking at the fact that China is expending more effort than Microsoft and the rest of the information security world as a whole in looking for vulnerabilities in the Microsoft software platform and yet they are not actually releasing vulnerabilities. It’s food for thought.”