China Taking Control of Zero-Day Exploits

China is making sure that all newly discovered zero-day exploits are disclosed to the government.

Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer.

No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries.

This just blocks the cyber-arms trade. It doesn’t prevent researchers from telling the products’ companies, even if they are outside of China.

Posted on July 14, 2021 at 6:04 AM

Comments

Winter July 14, 2021 6:50 AM

On the face of it, this law looks “good”.

However, I am worried that anyone who finds a Zero-Day exploit and discloses it to government and manufacturer has no other options left if neither wants to do anything about the exploit. As I read it here, disclosure to the press if no action is taken would be breaking this law.

I have understood that there have been cases in the past where manufacturers have not responded adequately to the reporting of exploits, as have governments.

echo July 14, 2021 6:54 AM

The loophole is this protects Chinese official exploits created with willing or otherwise cooperation from domestic Chinese manufacturers from anyone spilling the beans. This is as you would expect and strictly speaking no different in effect from the UK’s blanket official secrets act. NOBUS by another name with a “go to jail” if you disagree rider. It’s the kind of policy an empire building ass covering civil servant on the “long march” to their pension would think up.

I wonder if the best approach may be akin to anti-proliferation protocols or other “public interest” treaties like the ones dealing with space launch notifications or environmental issues.

Banks and other entities that are deemed sensitive are required to use only Chinese-made security products wherever possible. Foreign vendors that sell routers and some other network products in China are required to disclose to regulators how any encryption features work.

This is pretty much the policy the West has lurched towards too.

The big problem with China I see is their leadership behave like a 1950’s scary stepfather. Can’t they lighten up a bit?

Cody July 14, 2021 8:14 AM

My worry would be if this applies to foreign antivirus companies. Does this trigger if a security researcher collaborates with an antivirus company based in another country? Does it trigger if you use an antivirus product that automatically sends virus samples out of the country?

Note: I didn’t register, so I can’t read the original article.

wumpus July 14, 2021 11:41 AM

@noone

Pretty much every intelligence agency knows more exploits in MS software than Microsoft. I’d expect this is even true for the bigger hacker groups.

I can’t say I’ve been paying much attention to the post-Bill Gates Microsoft (they maintain their legacy monopolies and milk those cash cows, but don’t appear to be driving the industry or invading new markets), but NSA/MSFT cooperation always seemed a laughable conspiracy the further down the details you go. This doesn’t have anything to do with “playing fair” and each side has shown total indifference to the law. The problem is they don’t work at all the same way.

Say “national security” and you’ll see an (old school) IBMer salute (not sure about the current crop). Pretty much any other hardware/software company can be brought on board after a brief word to the VP of government sales. The catch is that the NSA would assume that all work would be done by cleared personnel (don’t ask the cost of that) in a SCIF while Microsoft assumes that work will be done by Chinese/Indian nationals working as permatemps over a wide open network. Perhaps the NSA could hand Microsoft a binary blob and say “insert this here”, but it would probably be easier to subvert MS employees directly and hand them the code.

My guess is if the NSA bothers with the “binary blob” or “subvert an employee” route, all other intelligence agencies do the same. And back when the “fire the bottom 10%” rule was in place, this must have been easy. Find the underperformers and hand them enough code to get them out of the hole. Then you have an easy route to insert all the code you want.

But of course, back when the “fire the bottom” rules were in place, you could hack NT by looking at your inbox and cutting and pasting the most effective viruses, see the “Melissa” virus. No need to subvert anyone.

ADFGVX July 14, 2021 12:52 PM

@ wumpus

NSA/MSFT cooperation always seemed a laughable conspiracy the further down the details you go. This doesn’t have anything to do with “playing fair” and each side has shown total indifference to the law.

MSFT has so many holes and vulnerabilities there’s no hope of keeping anything on the Microsoft desktop safe from common thieves — “the usual” adware, malware, spyware, worms, trojans, viruses, screenscrapers and keyloggers — let alone the NSA, FSB or any other major nation-state intelligence agency.

It’s not a matter of a “back door” versus a properly warranted and lawfully intercepted “front door” like DIRNSA and other government spokesmen and talking heads put it on TV — the worldwide communist party culture puts everything on the table in plain view for every major law enforcement and intelligence agency in the world.

SpaceLifeForm July 14, 2021 3:39 PM

Alternate coverage

hxtps://therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/

Joshua Gruber July 14, 2021 6:07 PM

If you found a vulnerability in a Chinese product would it now be illegal to tell anyone outside of China about the vulnerability? That seems significant.

lurker July 14, 2021 6:43 PM

@Spacelifeform:
… any Chinese company that serves more than one million users must undergo a security audit before listing its shares overseas.
Q. what other country is watching its back so well? &
who audits the auditors?

SpaceLifeForm July 14, 2021 7:16 PM

@ Joshua Gruber

hxtps://www.datacenterdynamics.com/en/news/fcc-to-spend-up-to-19bn-reimbursing-small-telcos-for-ripping-out-huawei-and-zte-hardware/

Winter July 15, 2021 12:49 AM

@SLF
“fcc-to-spend-up-to-19bn-reimbursing-small-telcos-for-ripping-out-huawei-and-zte-hardware”

Let’s look at the original post in a different way. Say this works and China starts to deliver better and more secure products because of the audits. Then it could also be a way to push the global sales of Chinese products. It would be very ironic if Huawei comes back in a few years as being the most secure system. (And I know, this is all very unlikely.)

It is not that US and European companies make an effort to deliver secure products when there is no legal standard forcing them to do so. Food and car safety only stopped being such a big problem after strict laws and quality checks were hammered into the industry.

noone July 15, 2021 7:55 AM

@wumpus

thank you very much for your insights!

The bottom 10% rule explains todays software quality 😉
(we need those underperformers!!11)

ResearcherZero July 15, 2021 9:48 PM

Commercial companies sell 0dayz faster than companies can patch their products. Politicians should have taken security a little more seriously.

“despite repeated warnings, many lawmakers remain unwilling to take the most basic precautions against attacks such as creating more secure passwords or installing anti-virus programs on their private devices”

hxxps://www.politico.eu/article/hacked-information-bomb-under-germanys-election/

or as one of them said “I don’t give a s**t about security”.

Eventually though they may be forced to take their own security a little more seriously, and perhaps everyone else’s (?).

“economic and industrial growth will stop, and then decline, which will hurt food production and standards of living… In terms of timing, the BAU2 scenario shows a steep decline to set in around 2040.”

hxxps://advisory.kpmg.us/content/dam/advisory/en/pdfs/2021/yale-publication.pdf

That leaves them enough time to clean out the coffers and pick up a sweet job as a consultant or lobbyist. Not that some of them haven’t already; they have had access to these reports for decades.

hxxps://sustainable.unimelb.edu.au/__data/assets/pdf_file/0005/2763500/MSSI-ResearchPaper-4_Turner_2014.pdf

But everything is above board, it’s probably not technically illegal to gain from insider trading if you word it correctly.

hxxps://www.salon.com/2021/07/14/gop-rep-on-cyber-committee-dumped-msft-stock-shortly-before-10b-pentagon-contract-was-scrapped/

ResearcherZero January 15, 2022 3:27 AM

At the core of the case, those officials said, was a software update from Huawei that was installed on the network of a major Australian telecommunications company. The update appeared legitimate, but it contained malicious code that worked much like a digital wiretap, reprogramming the infected equipment to record all the communications passing through it before sending the data to China, they said.

Australia’s intelligence agencies determined that China’s spy services were behind the breach, having infiltrated the ranks of Huawei technicians who helped maintain the equipment and pushed the update to the telecom’s systems.

American intelligence agencies that year confirmed a similar attack from China using Huawei equipment located in the U.S., six of the former officials said, declining to provide further detail.
https://www.bloomberg.com/news/articles/2021-12-16/chinese-spies-accused-of-using-huawei-in-secret-australian-telecom-hack

Clive Robinson January 15, 2022 7:20 AM

@ ResearcherZero, ALL,

“https://www.bloomberg.com”

Treat tech stories from Bloomberg with significant caution; they have been at best misleading through to outright nonsense in the past, and Bloomberg’s response has been not to admit the truth but to double down…

Unfortunately Bloomberg has decided my browser is not suitable for their “Data Rape, pillaging and plundering” needs so will only show a few lines of “journalistic drivel” devoid of anything other than political innuendo.

But I suspect analysis of the rest of it will show very little different than what the NSA and other 5Eye SigInt agencies have done to US Companies like Cisco, Microsoft and others.

But then you also need to remember that Huawei have had a technology center in the UK that worked closely with the UK GCHQ SigInt agency’s commercial arm. GCHQ were given free access not just in product knowledge but in the design process as well, the equivalent of an “access all areas” pass.

GCHQ broke the agreement by using it to give “backdoor access” to US personnel who reported back not just to the US IC but to US corporate competitors of Huawei. So the Huawei design engineers had been working alongside NSA personnel, and everything Bloomberg is claiming about Chinese IC and Huawei applies as equally to the UK and US IC…

When Huawei raised this with GCHQ, GCHQ’s response was to publish what appeared to many to be a damning indictment of Huawei’s Quality Control in design.

Well, some of us who have worked for other design organisations in the telco industry not only recognised the process, but realised it was better than in most if not all companies we knew of.

In short GCHQ had done a “stitch-up job” by holding Huawei to a standard way above that of anyone else in the industry… The Huawei GCHQ relationship also got tightened up by Huawei to closer to what had originally been agreed.

But it’s reasonable to assume that by then the NSA had sufficient information to “back-door” all Huawei products as they have Cisco, Juniper, Microsoft, RSA and way too many others to list. So the NSA would be fully capable of pulling a “Red Flag” operation that would cover what Bloomberg is claiming[1].

The reason for the GCHQ “stitch-up” of Huawei was not that clear at the time. But there were strong and very public differences between the UK and US Governments over China and especially Huawei. The UK Government was very clearly going against the US Government by saying they had no reason to consider Huawei a security issue let alone risk, and that even if they were it could be easily mitigated.

So many suspected that GCHQ was once again “siding with big brother across the pond”. Which tended to be confirmed by a change of political leadership in the UK to a US-born citizen and ardent admirer of the then US President, and like magic the policy changed…

Other indicators show that the real reason for anti-5G sentiment in the US is that the more open system of the GSMA has stopped US companies doing their usual underhanded patent tricks and the like, thus they have fallen a long long way from the technical lead they had back in the 1980’s. So if they can scare off the GSMA members, block Chinese patents –which they are actively doing– and pull their other tricks, they think they can capture what will be 6G to US economic and intelligence advantage (and every consumer everywhere’s disadvantage).

But as a citizen not of the US or China, knowing what SigInt agencies get up to, which scares me more? Well it’s the US, plain and simple, by a very very large margin. Yes China can be and is bad news in many ways. But realistically I’m in more danger from the UK, then the US and other FiveEyes, Israel, then down through Russia and even North Korea and Iran before I get to China…

I know the list ordering will be different for you for various reasons… but I still advise caution with Bloomberg stories. In the technology area, too many of Bloomberg’s past stories have been found to be fake etc., even close to being deliberate stock market manipulation. So much so that not to do some real verification on any Bloomberg tech story would be very unwise.

[1] Bloomberg has regularly been used by vested interests to place ambiguous or fake news stories favourable to certain vested interests. Which has included US “unnamed sources” of administration insiders, the IC, military War Hawks, and MIC. They “seed” the stories then direct the journalist to people who become named sources that will sing the right song. Due to Bloomberg’s editorial policy little or no source checking takes place. This goes on so much that someone I know who works in the UK finance sector who has to read their stories less than jokingly calls Bloomberg “The Neo-Con Sentinel” or “War-Hawk Rag” (what I tend to call Bloomberg is, shall we say, NSFW).
