Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year.
Details of holes cannot be publicized until the bugs are fixed. Malicious or weaponized exploit code cannot be released. There are restrictions on disclosing details of flaws to foreign organizations. And vendors will be under pressure to address these vulnerabilities as soon as they can and set up bounty programs to reward researchers.
The regulations are intended to tighten up the nation's cyber-security defenses, crack down on the handling and dissemination of bugs, and keep China's elite up to speed on exploitable flaws present in Chinese-made communications systems, wherever in the world that technology may be deployed.
It appears these rules ensure Beijing will be among the first to know of security weaknesses in equipment and software potentially present in foreign infrastructure and networks as well as domestic deployments. The rules were issued on Tuesday, come into effect on September 1, and apply to people and organizations operating within China. The following articles stuck out to us:
- Article 3 puts China's National Internet Information Office, Ministry of Industry and Information Technology, and Ministry of Public Security in charge of coordinating and managing network security vulnerabilities.
- Article 4 forbids the exploitation or use of bugs "in activities that endanger network security."
- Article 5 orders "network product providers, network operators, and network product security vulnerability collection platforms" to make it painless to report flaws, and keep a log of these bugs.
- Article 7 tells product makers to ensure patches are developed "in a timely manner and reasonably released," and that customers are kept in the loop with regards to mitigations, updates and repairs, and support. Crucially, vendors are told that all "relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within two days" of them learning of security holes in their products.
- Article 8 leans on network operators to shore up their systems as soon as they learn of a vulnerability in their equipment or software.
- Article 9 is another crucial one. This strives to keep details of security flaws under wraps until patches are available or special permission is granted by the government to go public. Folks are not allowed to "deliberately exaggerate the hazards and risks" of a bug. They are also "not allowed to publish or provide programs and tools specially used to exploit network product security vulnerabilities to engage in activities that endanger network security."
And "it is prohibited to provide undisclosed network product security vulnerability information to overseas organizations or individuals other than network product providers."
- Article 11 implores organizations to keep a lid on non-public bugs so that details don't leak before patches are available.
- Articles 12 to 15 make it clear that anyone who breaks these rules and related legislation will feel the full force of the Chinese government.
Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers. These sorts of regulations matter a lot: infosec experts in the Middle Kingdom earlier pulled out of exploit contests like Pwn2Own due to changes to the law within China.
“Chinese teams stopped participating in Pwn2Own after 2017 when there were regulatory changes that no longer allowed for participation in global exploit contests,” Brian Gorenc, head of ZDI and Pwn2Own at Trend Micro, told The Register on Wednesday.
It will also complicate matters for those hoping to engage with foreign bug bounty programs, which may or may not follow China's strict rules – particularly articles 7 and 9 – creating legal uncertainty for those participating.
"The law looks rather unclear," Katie Moussouris, founder of Luta Security and a pioneer in designing bug bounties, told The Register. "There are Chinese bug bounty programs but whether or not Western based companies would comply is a question that needs answering. We'll need to see a case emerge where the Chinese authorities attempt to exert the directive to see."
Another part of the order that worries Moussouris is the central Chinese vulnerability database that will be created to house all of these reported bugs: it's an obvious target for espionage. Then there's the fact that two days is not long enough to triage a bug report.
"Two days isn't enough for a thorough investigation for a flaw and certainly not enough time to make a fix that works," she said.
"It's also a dangerous place to be for an unpatched-vulnerabilities database, which would be an incredibly attractive target for adversaries – our people will be targeting it, I'm sure."
- Hong Kong working to share its digital IDs with mainland China
- Microsoft names Chinese group as source of new attack on SolarWinds
- Beijing further tightens its grip on local web giants with 'Network Security Review Measures'
- Biden takes another step to discard Trump-era Chinese social media app ban
Who could forget Uncle Sam's Office of Personnel Management, which was ransacked in 2015 by Chinese cyber-spies who made off with sensitive records on more than 20 million US govt staff. Former NSA boss Michael Hayden said the United States, given the opportunity, would have done the same to a foreign power.
"If I as director of CIA or NSA would have had the opportunity to grab the equivalent from the Chinese system, I would not have thought twice, I would not have asked permission, I'd have launched the Star Fleet and we'd have brought those suckers home at the speed of light," Hayden said.
There's also the question of what the Chinese government will do with its haul of vulnerability reports. With some in the West hurrying to remove Chinese vendors' kit from networks, this edict may intensify such efforts for fear a zero-day in such equipment will be exploited by Beijing. ®