A few posts back, I told the story of how Trend Micro identified “Luckycat,” a Chinese hacker who had attacked the Dalai Lama, aerospace firms, and other targets. Based on what we know so far, it looks likely that the hacker is Gu Kaiyuan, formerly a student at Si Chuan University’s Information Security Institute and currently employed by Tencent, the huge Chinese instant message firm. Gu insists that two people used some of the credentials in question, and that he’s innocent. According to the New York Times, the University issued what seems like a carefully limited statement that it never “hired any unit or individual to participate in Internet attacks or hacking activities.” Tencent’s statement is similarly cautious: “We have checked with our colleague Mr. Gu Kaiyuan, who denied he was involved in any hacking activities… Nor was he named by the author of the report as a hacker.”
It’s clear that Trend Micro has taken attribution pretty far, but more needs to be done if we’re going to get to the bottom of the case. The usual assumption in these cases is that nothing more can be done. The Chinese government isn’t likely to help, and Gu isn’t likely to come to the US any time soon.
But it’s a globalizing world. And the US has more leverage than it’s using. Let’s start with Tencent. It’s a big Chinese company, but it seems to do plenty of business in the United States as well. It has a joint venture in China with Groupon that might require CFIUS approval. It has a gaming company in Boston with 10 to 50 employees, so its executives are likely to want visas to come to the United States. Whether it’s seeking CFIUS approval or more visas, Tencent cannot afford to acquire a reputation for hiring hackers. If the United States asks for more information about Gu, or a chance to interview him, Tencent cannot say no.
Or take Si Chuan University. We’ve got some leverage there, too. The University sends plenty of students to the United States, and it accepts US exchange students as well. In fact, just three weeks after the Trend Micro report had fingered Si Chuan University for possible complicity in hacking American companies, the State Department sent a couple of consular representatives to the school to encourage its students to apply early for visas to study in the United States.
That of course was the wrong message for our diplomats to send, and it suggests that the State Department is still not taking hacker attribution and retribution seriously. Instead, the Department of Homeland Security, which has cybersecurity responsibilities as well as student visa authority, should open an investigation into Si Chuan University and its Information “Security” Institute. Those institutions may or may not be complicit in the Luckycat attacks, but the public data about Si Chuan and its Information Security Institute isn't particularly comforting on that score.
The Information Security Institute was China’s first, established in December 1997. It doesn't just do research; it actually produces products, and it benefited from “Program 863,” a government research program to develop and acquire sophisticated technologies in a handful of high priority fields. (A Chinese spy was convicted last year of stealing US technology and giving it to Program 863, and to a Chinese university.) Among the Institute’s products that have been highly praised in China are systems “to improve network attack and defense and network behavior regulation, strengthen information security management, real-time monitoring, tracking competitors, industry, government and other sectors dynamic, capture, analysis, favorable or unfavorable information.” (Emphasis added.) It would be wrong to condemn the institution based only on the Google Translate version of an Internet report, but it’s surely fair to ask Si Chuan University if its products really do improve “network attack” or facilitate “real-time monitoring” of people in public networks. (Readers who know Chinese are invited to offer their views in the comments.)
The answers to these questions are surely relevant to how welcome Si Chuan researchers should be in the United States. After all, if the University is a front for organized attacks on US institutions, or a handmaiden of Chinese repression, or if it just refuses to cooperate in an inquiry, why should the United States grant visas to its students or professors?
Indeed, you kind of wonder why American schools, where academic boycotts to show moral disapproval of apartheid South Africa and even of Israel have been widely mooted, aren’t reconsidering their ties to Si Chuan over its possible complicity in attacks on the Dalai Lama. (If you'd like to ask them yourself, here’s a list of Si Chuan’s Western exchange program partners.)