China rules that all zero-day vulnerabilities must be disclosed only to the Chinese Government
Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government and must not sell or give the knowledge to any third-party outside of China (apart from the vulnerable product’s manufacturer).
Brief details are provided in a report by the Associated Press (AP) published Tuesday, July 13, 2021. No source is provided beyond the statement, “No one may ‘collect, sell or publish information on network product security vulnerabilities,’ say the rules issued by the Cyberspace Administration of China and the police and industry ministries.” The report is unclear over whether private research is being banned, or whether the result of private research is being controlled. The latter is the most likely.
AP describes this action as “further tightening the Communist Party’s control over information”. This is unlikely to be the primary motivation for the new rule since the government already has a vice-like grip on data. Companies may not store data on Chinese customers outside of China. Foreign companies selling routers and some other network devices in China must disclose to regulators how any encryption features work.
Article 7 of China’s national intelligence law, enacted in 2017, already requires Chinese nationals to support, assist and cooperate with national intelligence efforts. Two of the primary intelligence agencies, the Ministry of State Security (MSS) and the People’s Liberation Army Strategic Support Force (PLA) lie behind almost all of China’s state-affiliated APT groups. So, it is already implicit that Chinese nationals must support China’s cyber efforts.
[ READ: Combating China’s Insider Threat: Can New Laws Curb IP Theft by Spies? ]
The new rule makes that support explicit – and is more likely associated with China’s intelligence-led cyber efforts than with a desire to tighten control over internal information. If this is true, it is worth exploring what effect the rule might have on the rest of the world.
The most obvious assumption is that Chinese found zero-days will be funneled into the Chinese APT groups, and will not be made available for purchase by the NSA or Russian state actors.
Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, agrees with this view. “I would expect the Chinese Government to weaponize any discovered security vulnerabilities to enhance China’s cybersecurity capabilities,” he told SecurityWeek. “This new rule will tighten any prior flexibility security researchers had and will force them into sharing security research with the Chinese government and limit further disclosures.”
Jake Williams, co-founder and CTO at BreachQuest, basically agrees, but with a rider. “The government will almost certainly funnel these vulnerabilities to Chinese government threat actors. This probably won’t cause a rise in the volume of attacks, but may well increase the sophistication. As a side note,” he added, “the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains.”
The fact remains, however, that Chinese APTs are likely to acquire a greater stockpile of zero-days than they already have.
There will be other, less dramatic, trickle down effects. Carson notes an adverse effect on western organizations doing development in China, since the Chinese government will know about security vulnerabilities in their own products potentially before they do. While the rule states that vulnerabilities may be disclosed to foreign product manufacturers, it isn’t certain this will happen.
If Chinese researchers do become reluctant to disclose their findings to western manufacturers, this will influence the number of discovered flaws (that become known to Chinese APTs, but remain unknown to the manufacturer). This could, again potentially, be a large number. In Adobe’s Patch Tuesday announcements this week alone (July13, 2021), Xu Peng from UCAS and Wang Yanhao from QiAnXin Technology Research Institute are among the researchers credited for their work by Adobe.
The new China rule may also have an effect on both bug bounty programs, and Pwn2Own hacking competitions – both of which usually feature people from China. It is not yet clear whether participation in bug bounty programs is explicitly forbidden since it amounts to ‘selling’ the research, but it may be exempt since the findings are at last theoretically provided to the product manufacturer – which is allowed. However, bounty programs are already by-passed when the researcher can sell the zero-day to another party who offers more than is available from the bounty – and this is expressly forbidden.
The same basic argument applies to Pwn2Own competitions. While any reduction in the number of Chinese participants will not affect the continuation of bounty programs and hacking competitions, it may affect the number of discovered and disclosed vulnerabilities.
But this could rebound against China. “One of the biggest likely issues,” suggests Williams, “is brain drain. If Chinese researchers can profit handsomely from their work anywhere else, but can’t do so in China, why would they stay? This probably helps China in the short term but harms them in the long term.”
Related: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group
Related: Chinese Hackers Using Previously Unknown Backdoor
Related: Chinese Cyberspies Target Military Organizations in Asia With New Malware
Related: The United States and China – A Different Kind of Cyberwar