China Taking Control of Zero-Day Exploits

China is making sure that all newly discovered zero-day exploits are disclosed to the government.

Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer.

No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries.

This just blocks the cyber-arms trade. It doesn’t prevent researchers from telling the products’ companies, even if they are outside of China.

Posted on July 14, 2021 at 6:04 AM • 14 Comments

Comments

Winter July 14, 2021 6:50 AM

On the face of it, this law looks “good”.

However, I am worried that anyone who finds a Zero-Day exploit and discloses it to government & manufacturer has no other options left if neither wants to do anything about the exploit. As I read it here, disclosure to the press if no action is taken would be breaking this law.

I have understood that there have been cases in the past where manufacturers have not responded adequately to the reporting of exploits, as have governments.

echo July 14, 2021 6:54 AM

The loophole is this protects Chinese official exploits created with willing or otherwise cooperation from domestic Chinese manufacturers from anyone spilling the beans. This is as you would expect and strictly speaking no different in effect from the UK’s blanket official secrets act. NOBUS by another name with a “go to jail” if you disagree rider. It’s the kind of policy an empire building ass covering civil servant on the “long march” to their pension would think up.

I wonder if the best approach may be akin to anti-proliferation protocols or other “public interest” treaties like the ones dealing with space launch notifications or environmental issues.

Banks and other entities that are deemed sensitive are required to use only Chinese-made security products wherever possible. Foreign vendors that sell routers and some other network products in China are required to disclose to regulators how any encryption features work.

This is pretty much the policy the West has lurched towards too.

The big problem with China I see is their leadership behave like a 1950’s scary stepfather. Can’t they lighten up a bit?

Cody July 14, 2021 8:14 AM

My worry would be if this applies to foreign antivirus companies. Does this trigger if a security researcher collaborates with an antivirus company based in another country? Does it trigger if you use an antivirus product that automatically sends virus samples out of the country?

Note: I didn’t register, so I can’t read the original article.

wumpus July 14, 2021 11:41 AM

@noone

Pretty much every intelligence agency knows more exploits in MS software than Microsoft. I’d expect this is even true for the bigger hacker groups.

I can’t say I’ve been paying much attention to the post-Bill Gates Microsoft (they maintain their legacy monopolies and milk those cash cows, but don’t appear to be driving the industry or invading new markets), but NSA/MSFT cooperation always seemed a laughable conspiracy the further down the details you go. This doesn’t have anything to do with “playing fair” and each side has shown total indifference to the law. The problem is they don’t work at all the same way.

Say “national security” and you’ll see an (old school) IBMer salute (not sure about the current crop). Pretty much any other hardware/software company can be brought on board after a brief word to the VP of government sales. The catch is that the NSA would assume that all work would be done by cleared personnel (don’t ask the cost of that) in a SCIF while Microsoft assumes that work will be done by Chinese/Indian nationals working as permatemps over a wide open network. Perhaps the NSA could hand Microsoft a binary blob and say “insert this here”, but it would probably be easier to subvert MS employees directly and hand them the code.

My guess is if the NSA bothers with the “binary blob” or “subvert an employee” route, all other intelligence agencies do the same. And back when the “fire the bottom 10%” rule was in place, this must have been easy. Find the underperformers and hand them enough code to get them out of the hole. Then you have an easy route to insert all the code you want.

But of course, back when the “fire the bottom” rules were in place, you could hack NT by looking at your inbox and cutting and pasting the most effective viruses, see the “Melissa” virus. No need to subvert anyone.

ADFGVX July 14, 2021 12:52 PM

@ wumpus

NSA/MSFT cooperation always seemed a laughable conspiracy the further down the details you go. This doesn’t have anything to do with “playing fair” and each side has shown total indifference to the law.

MSFT has so many holes and vulnerabilities there’s no hope of keeping anything on the Microsoft desktop safe from common thieves — “the usual” adware, malware, spyware, worms, trojans, viruses, screenscrapers and keyloggers — let alone the NSA, FSB or any other major nation-state intelligence agency.

It’s not a matter of a “back door” versus a properly warranted and lawfully intercepted “front door” like DIRNSA and other government spokesmen and talking heads put it on TV — the worldwide communist party culture puts everything on the table in plain view for every major law enforcement and intelligence agency in the world.

SpaceLifeForm July 14, 2021 3:39 PM

Alternate coverage

hxtps://therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/

Joshua Gruber July 14, 2021 6:07 PM

If you found a vulnerability in a Chinese product would it now be illegal to tell anyone outside of China about the vulnerability? That seems significant.

lurker July 14, 2021 6:43 PM

@Spacelifeform:
… any Chinese company that serves more than one million users must undergo a security audit before listing its shares overseas.
Q. what other country is watching its back so well? &
who audits the auditors?

SpaceLifeForm July 14, 2021 7:16 PM

@ Joshua Gruber

hxtps://www.datacenterdynamics.com/en/news/fcc-to-spend-up-to-19bn-reimbursing-small-telcos-for-ripping-out-huawei-and-zte-hardware/

Winter July 15, 2021 12:49 AM

@SLF
“fcc-to-spend-up-to-19bn-reimbursing-small-telcos-for-ripping-out-huawei-and-zte-hardware”

Let’s look at the original post in a different way. Say this works and China starts to deliver better and more secure products because of the audits. Then it could also be a way to push the global sales of Chinese products. Would be very ironic if Huawei comes back in a few years as being the most secure system. (And I know, this is all very unlikely.)

It is not that US and European companies make an effort to deliver secure products when there is no legal standard forcing them to do so. Food and car safety only stopped being such a big problem after strict laws and quality checks were hammered into the industry.

noone July 15, 2021 7:55 AM

@wumpus

thank you very much for your insights!

The bottom 10% rule explains today’s software quality 😉
(we need those underperformers!!11)

ResearcherZero July 15, 2021 9:48 PM

Commercial companies sell 0dayz faster than companies can patch their products. Politicians should have taken security a little more seriously.

“despite repeated warnings, many lawmakers remain unwilling to take the most basic precautions against attacks such as creating more secure passwords or installing anti-virus programs on their private devices”

hxxps://www.politico.eu/article/hacked-information-bomb-under-germanys-election/

or as one of them said “I don’t give a s**t about security”.

Eventually though they may be forced to take their own security a little more seriously, and perhaps everyone else’s (?).

“economic and industrial growth will stop, and then decline, which will hurt food production and standards of living… In terms of timing, the BAU2 scenario shows a steep decline to set in around 2040.”

hxxps://advisory.kpmg.us/content/dam/advisory/en/pdfs/2021/yale-publication.pdf

That leaves them enough time to clean out the coffers and pick up a sweet job as a consultant or lobbyist. Not that some of them haven’t already; they have had access to these reports for decades.

hxxps://sustainable.unimelb.edu.au/__data/assets/pdf_file/0005/2763500/MSSI-ResearchPaper-4_Turner_2014.pdf

But everything is above board, it’s probably not technically illegal to gain from insider trading if you word it correctly.

hxxps://www.salon.com/2021/07/14/gop-rep-on-cyber-committee-dumped-msft-stock-shortly-before-10b-pentagon-contract-was-scrapped/
