China’s Approach to Software Vulnerabilities Reporting
Oct 19, 2023
auto_awesome
Guest_1, an author of a report on how China manages software vulnerabilities, discusses China's regulations on reporting software vulnerabilities, the implications for stockpiling vulnerabilities for offensive operations, and the comparison to the US voluntary system.
China's regulations on software vulnerabilities reporting require researchers to inform the government of any flaws discovered within 48 hours, effectively supporting efforts to stockpile vulnerabilities for offensive cyber operations.
China's vulnerability collection system has evolved over the years, with regulations and decisions shaping its current state, raising concerns about limited access to China's vulnerability discoveries and potential intelligence exploitation.
Deep dives
China's Regulations on Software Vulnerabilities Reporting
China's regulations on software vulnerabilities reporting require researchers to inform the government of any flaws discovered within 48 hours, effectively supporting efforts to stockpile vulnerabilities for offensive cyber operations. The regulations apply to network product providers and organizations conducting security research on software. Under the new system, researchers are required to report vulnerabilities to the Ministry of Industry and Information Technology, which shares the information with the China Cert Database. There has been a significant decrease in the number of vulnerabilities made public since the regulations were implemented, leading to concerns about reduced information sharing and potential offensive use of the collected data. Violators can face fines and suspension from data-sharing platforms.
Evolution of China's Vulnerability Collection System
China's vulnerability collection system has evolved over the years, with regulations and decisions shaping its current state. In 2017, restrictions were imposed on cybersecurity researchers traveling to competitions without permission from the Ministry of Public Security. This change marked a shift towards viewing vulnerabilities as valuable resources that should be kept within China. The government aimed to promote cybersecurity education and careers while controlling the flow of vulnerability information. This approach has created concerns about limited access to China's vulnerability discoveries and potential intelligence exploitation.
Corporate Compliance and Impact on the Vulnerability Ecosystem
Companies operating in China are required to comply with the regulations on software vulnerabilities reporting. Foreign firms are also believed to comply, although the extent of their compliance is uncertain. The regulations have led to a decrease in public disclosures of vulnerabilities, raising concerns about limited information sharing. The impact on the vulnerability ecosystem includes a possible increase in zero-day exploitation by Chinese hacking groups and limitations on the availability of vulnerability data to external researchers. Different jurisdictions have adopted varying approaches, highlighting the need for global discussions on vulnerability disclosure and incentivization.
Importance of Avoiding Replication of China's System
While China's vulnerability collection system may appear effective in enhancing product security, it raises concerns about potential offensive use and intelligence targeting. The system involves reporting vulnerabilities and incident details to the government, which can be leveraged for offensive cyber operations. It is crucial not to replicate China's system in democratic jurisdictions, given the risks of centralized control, intelligence exploitation, and hindrance to security research. Instead, the focus should be on awareness, conversations, and incentivization to bridge the gap between voluntary disclosures and government-driven discoveries, while safeguarding the openness and integrity of the vulnerability ecosystem.
In July 2021, the Chinese government published its “Regulations on the Management of Network Product Security Vulnerabilities.” These rules require researchers to inform the government of all flaws in code within 48 hours of their discovery, effectively supporting efforts to stockpile software vulnerabilities, which can then be used for offensive cyber operations.
Lawfare Fellow in Technology Policy and Law Eugenia Lostri sat down with two guests who recently authored a report on how China manages software vulnerabilities. Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub and a consultant at Krebs Stamos Group. Kristin del Rosso is a public sector field CTO at IT security company Sophos. They talked about how companies have adjusted to China’s rules, how their system compares to the U.S. voluntary approach, and the incentives to collect vulnerabilities for offensive operations.
