(File photo)

So-called white hat hackers, who are part of a booming industry in China, may find themselves increasingly curtailed by a lack of legal identity, even as huge Internet companies continue to seek out their services.

In contrast with regular hackers, white hat hackers are computer security specialists who hack into protected systems and networks to test and asses their security and report about systemic problems. Generally speaking, their aims when hacking do not include causing a disturbance or stealing private information.

White hats behind bars

The behind-the-scenes technicians began to receive more public attention after one of their own, Yuan Wei, was arrested in April for hacking into dating service provider Jiayuan.com. Yuan previously helped to detect an Internet vulnerability on the website in December 2015, but Jiayuan later reported information theft to the police.

More concerns over the legitimacy of white hat hackers arose when two of China’s major domestic Internet security monitoring platforms suspended their operations in July. The cause behind this suspension has yet to be announced.

There is no exact known number of Chinese white hat hackers. According to a report released by Internet giant Tencent and online security community GeekPwn, more than 60 percent of white hat hackers in China were born after 1990. On domestic Internet security monitoring platform Wooyun.org alone, there were more than 7,200 registered security staff members, China Daily reported.

Passion continues

However, despite some suspicions, the growth of white hat hacking is unstoppable thanks to elevated security awareness. The most noted white hat hacking companies are WooYun.org and Vulbox.com.

Many Chinese Internet giants such as Tencent, Alibaba and Qihoo 360 also offer rewards to white hat hackers who lend their expertise to security detection. Qihoo 360’s security monitoring platform, butian.360.cn, had offered white hat hackers cash rewards totaling 7.6 million yuan as of press time, with more than 24,000 hackers registered on its website. These hackers have helped to detect more than 96,000 vulnerabilities for 3,412 companies.

Li Yin, the white hat hacker who reportedly earns the most income on butian.360.cn, said he could earn up to 60,000 yuan from the platform each month, and that his average monthly rewards total around 20,000 yuan, The Beijing Times reported. The newspaper added that high-level white hat hackers can even earn up to hundreds of thousands of yuan every month if they join official Internet companies.

Such high payment levels continue to attract new blood to the business, and some training camps have also arrived to capitalize on the trend. The ISC has offered a cyber security training camp every year since 2014. With top white hat hackers invited as tutors, the camp attracts many enthusiasts each year, even as the “tuition” has soared to 20,000 yuan.

(File photo)

Illegal vigilantes?

Cyber security experts spoke at a Tuesday forum about the dangers of large-scale Internet vulnerabilities, which require improved methods for detection and defense. Naturally, the employment of white hat hackers constitutes one such method.

“Internet vulnerabilities are a double-edged sword. One can see them causing damage to users, but they can also become data weapons or strategic resources for some,” said Xie Yongjiang, an associate professor at Beijing University of Posts and Telecommunications.

While admitting the potential of tapping into such resources, Huang Daoli, an associate researcher with the Cyber Security Legal Studies Center under the Ministry of Public Security, warned that white hat hackers could easily find themselves in a legal gray area, since there is so far no legal regulation of the practice.

“There are legal risks for white hat hackers to tap into the resources of Internet vulnerabilities. Many IT workers, honestly speaking, often lack legal awareness,” Huang said. There are also no specific stipulations or guidelines relating to the detection and reporting of Internet vulnerabilities, or the trade of such information. Nor are there legal terms defining what constitutes a white hat hacker, she added.

Both experts made their remarks at a forum held on the sideline of the 2016 China Internet Security Conference (ISC), which was put on by Qihoo 360, the Internet Society of China and the Cyber Security Association of China.

Chinese criminal law currently states that those breaching the defenses of websites dealing with national affairs, national defense or cutting-edge technologies can be detained for up to three years, while those who hack into and change data on Internet systems can be put behind bars for more than five years.

“White hat hackers today indeed face hidden risks because they are hacking into systems to detect vulnerabilities, but with benign intentions. I hope our country will offer more recognition and support [to the hackers],” said Zhou Hongwei, CEO of Qihoo 360, to reporters at ISC.

“The detection of vulnerabilities is strategically important for all countries. There is no such thing as a bystander or survivor when it comes to cyber security,” Zhou noted, adding that white hat hackers in China already constitute a sizable population.

It is a global “best practice” to conduct research on Internet vulnerabilities by offering company or government rewards, according to Huang, who urged white hat hackers to abide by the law and suggested that authorities impose a registration system.

Echoing Huang, Xie added that specific regulations on Internet vulnerabilities should be released as soon as possible to better regulate the market and boost the development of the cyber security industry.