SecurityWeek

Vulnerabilities

New Law Will Help Chinese Government Stockpile Zero-Days

China rules that all zero-day vulnerabilities must be disclosed only to the Chinese Government

Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government and must not sell or give the knowledge to any third party outside of China (apart from the vulnerable product’s manufacturer).

Brief details are provided in a report by the Associated Press (AP) published Tuesday, July 13, 2021. No source is provided beyond the statement, “No one may ‘collect, sell or publish information on network product security vulnerabilities,’ say the rules issued by the Cyberspace Administration of China and the police and industry ministries.” The report is unclear about whether private research itself is being banned, or whether only the results of private research are being controlled. The latter is the more likely.

AP describes this action as “further tightening the Communist Party’s control over information”. This is unlikely to be the primary motivation for the new rule since the government already has a vice-like grip on data. Companies may not store data on Chinese customers outside of China. Foreign companies selling routers and some other network devices in China must disclose to regulators how any encryption features work.

Article 7 of China’s national intelligence law, enacted in 2017, already requires Chinese nationals to support, assist and cooperate with national intelligence efforts. Two of the primary intelligence agencies, the Ministry of State Security (MSS) and the People’s Liberation Army Strategic Support Force (PLA), lie behind almost all of China’s state-affiliated APT groups. So, it is already implicit that Chinese nationals must support China’s cyber efforts.

The new rule makes that support explicit – and is more likely associated with China’s intelligence-led cyber efforts than with a desire to tighten control over internal information. If this is true, it is worth exploring what effect the rule might have on the rest of the world.

The most obvious assumption is that Chinese-found zero-days will be funneled into the Chinese APT groups, and will not be made available for purchase by the NSA or Russian state actors.

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, agrees with this view. “I would expect the Chinese Government to weaponize any discovered security vulnerabilities to enhance China’s cybersecurity capabilities,” he told SecurityWeek. “This new rule will tighten any prior flexibility security researchers had and will force them into sharing security research with the Chinese government and limit further disclosures.”

Jake Williams, co-founder and CTO at BreachQuest, basically agrees, but with a rider. “The government will almost certainly funnel these vulnerabilities to Chinese government threat actors. This probably won’t cause a rise in the volume of attacks, but may well increase the sophistication. As a side note,” he added, “the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains.”

The fact remains, however, that Chinese APTs are likely to acquire a greater stockpile of zero-days than they already have.

There will be other, less dramatic, trickle-down effects. Carson notes an adverse effect on western organizations doing development in China, since the Chinese government will potentially know about security vulnerabilities in their products before they do. While the rule states that vulnerabilities may be disclosed to foreign product manufacturers, it isn’t certain this will happen.

If Chinese researchers do become reluctant to disclose their findings to western manufacturers, this will affect the number of discovered flaws that become known to Chinese APTs but remain unknown to the manufacturer. This could, again potentially, be a large number. In Adobe’s Patch Tuesday announcements this week alone (July 13, 2021), Xu Peng from UCAS and Wang Yanhao from QiAnXin Technology Research Institute are among the researchers credited for their work by Adobe.

The new China rule may also have an effect on both bug bounty programs and Pwn2Own hacking competitions – both of which usually feature people from China. It is not yet clear whether participation in bug bounty programs is explicitly forbidden, since it amounts to ‘selling’ the research, but it may be exempt since the findings are, at least theoretically, provided to the product manufacturer – which is allowed. However, bounty programs are already bypassed when the researcher can sell the zero-day to another party who offers more than is available from the bounty – and this is expressly forbidden.

The same basic argument applies to Pwn2Own competitions. While any reduction in the number of Chinese participants will not affect the continuation of bounty programs and hacking competitions, it may affect the number of discovered and disclosed vulnerabilities.

But this could rebound against China. “One of the biggest likely issues,” suggests Williams, “is brain drain. If Chinese researchers can profit handsomely from their work anywhere else, but can’t do so in China, why would they stay? This probably helps China in the short term but harms them in the long term.”

Related: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group

Related: Chinese Hackers Using Previously Unknown Backdoor

Related: Chinese Cyberspies Target Military Organizations in Asia With New Malware

Related: The United States and China – A Different Kind of Cyberwar

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
