Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year.
Details of holes cannot be publicized until the bugs are fixed. Malicious exploit code cannot be released. There are restrictions on disclosing details of flaws to foreign organizations. And vendors will be under pressure to address these vulnerabilities as soon as they can and set up bounty programs to reward researchers.
The regulations are intended to tighten up the nation’s cyber-security defenses, crack down on the handling and dissemination of bugs, and keep China’s elite up to speed on exploitable flaws present in Chinese-made communications systems, wherever in the world that technology may be deployed.
It appears these rules ensure Beijing will be among the first to know of security weaknesses in equipment and software potentially present in foreign infrastructure and networks as well as domestic deployments. The rules were issued on Tuesday, come into effect on September 1, and apply to people and organizations operating within China. The following articles stuck out to us:
Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers. These sorts of regulations matter a lot: infosec experts in the Middle Kingdom earlier pulled out of exploit contests like Pwn2Own due to changes to the law within China.
“Chinese teams stopped participating in Pwn2Own after 2017 when there were regulatory changes that no longer allowed for participation in global exploit contests,” Brian Gorenc, head of ZDI and Pwn2Own at Trend Micro, told The Register on Wednesday.
It will also complicate matters for those hoping to engage with foreign bug bounty programs, which may or may not follow China’s strict rules – particularly articles 7 and 9 – creating legal uncertainty for those participating.
“The law looks rather unclear,” Katie Moussouris, founder of Luta Security and a pioneer in designing bug bounties, told The Register. “There are Chinese bug bounty programs but whether or not Western based companies would comply is a question that needs answering. We’ll need to see a case emerge where the Chinese authorities attempt to exert the directive to see.”
Another part of the order that worries Moussouris is the central Chinese vulnerability database that will be created to house all of these reported bugs: it’s an obvious target for espionage. Then there’s the fact that two days is not long enough to triage a bug report.
“Two days isn’t enough for a thorough investigation for a flaw and certainly not enough time to make a fix that works,” she said.
“It’s also a dangerous place to be for an unpatched-vulnerabilities database, which would be an incredibly attractive target for adversaries – our people will be targeting it, I’m sure.”
Who could forget Uncle Sam’s Office of Personnel Management, which was ransacked in 2015 by Chinese cyber-spies who made off with sensitive records on more than 20 million US govt staff. Former NSA boss Michael Hayden said the US, given the opportunity, would have done the same to a foreign power.
“If I as director of CIA or NSA would have had the opportunity to grab the equivalent from the Chinese system, I would not have thought twice, I would not have asked permission, I’d have launched the Star Fleet and we’d have brought those suckers home at the speed of light,” Hayden said.
There’s also the question of what the Chinese government will do with its haul of vulnerability reports. With some in the West hurrying to remove Chinese vendors’ kit from networks, this edict may intensify such efforts for fear a zero-day in such equipment will be exploited by Beijing. ®