KSG Exec Brief: Software Vulnerability Disclosure in China
Between an intelligence service and a hard place
Recent research published by the Atlantic Council’s Global China Hub, and co-authored by one of KSG’s experts, demonstrates how new disclosure regulations direct software vulnerabilities into the hands of China’s government hackers. KSG advises firms to reconsider how to comply ethically with a system meant to cause harm.
The conversation in the US about “responsible disclosure” of software vulnerabilities has evolved over the last 30 years. In the 1990s, companies sued and sought to prosecute researchers who found vulnerabilities in their products. Over the intervening 30 years, the ecosystem has matured into one of mutual respect, benefit, and security. In the US and much of the world, researchers voluntarily provide information to companies, often in exchange for payment, on vulnerabilities in their products.
Now, China’s 2021 Regulations on the Management of Software Vulnerabilities require companies doing business in China to disclose software vulnerabilities to the government within 48 hours of discovery or being notified by a security researcher. The rules apply to companies that sell or provide software, hardware, and network devices in China.
China’s new system has weaponized the global vulnerability disclosure ecosystem. The same payouts from firms that incentivize researchers to find vulnerabilities are now effectively subsidizing China’s offensive hacking teams' collection of vulnerabilities.
What to do?
Companies operating in China should do everything in their power to comply minimally with the system and inform customers and defenders of issues in their products.
Corporate leaders outside the PRC should determine whether their company is submitting vulnerabilities to the Ministry of Industry and Information Technology (MIIT). Local offices may be complying with the regulations without having informed leadership outside China, not out of malice, but rather out of the straightforward notion that all of your global offices comply with local regulations.
Companies submitting vulnerability information through the MIIT’s portal should withhold specifics about vulnerabilities, and only provide the minimum required details.
Companies should distribute to their customers and to other government agencies, wherever they do business, the same information provided to the MIIT, at the same time.
Companies should prioritize patching vulnerabilities that they report to the MIIT and any vulnerability reports they receive from researchers in the PRC, under the assumption that those researchers have complied with the regulations and also reported the vulnerability to the government.
As the Atlantic Council report pointed out, there are few good options for policymakers outside of China. Responsible, deliberate action by companies is required to head off well-meaning, mandatory vulnerability regimes that could be initiated outside China.
Available data from a report by Mandiant (now part of Google Cloud) demonstrated that 0-days were patched just 9 days after observed exploitation. That is quite quick. The Atlantic Council report concludes that mandatory reporting in the US would not benefit defenders, as the patch time is already quick. Keeping that patch time low for all vulnerabilities reported to the MIIT and submitted to companies by researchers from the PRC will be critical to mitigating calls for a mandatory reporting structure in the US, and will stop the PRC from successfully weaponizing your company’s vulnerability disclosure program.
Unfortunately, the PRC has been caught acting in bad faith. This time it falls on companies to stand up for the security of their customers.
For more information or assistance on these issues, please reach out to email@example.com.
NATO Plans Largest Exercise Since Cold War in 2024: Over 40,000 troops, 50 ships, and dozens of aircraft will convene around Germany, the Baltics, and Poland next February through March to practice repelling Russian aggression against one of the alliance’s members. Member-in-waiting Sweden is also expected to join.
US, Vietnam Elevate Ties in Historic Presidential Visit: The now “comprehensive strategic partnership” included billions in new aviation and technology deals. Hanoi is taking a pragmatic approach, however, as significant economic and security ties to Russia and China remain.
New Rail, Sea Corridor to Link India, Middle East, Europe: Announced on the sidelines of the G20, the US-funded project promises to cut trade time between India and Europe by 40 percent, with a critical role for Saudi, UAE, Jordanian, and Israeli participants. The project is broadly seen as a counterweight to China’s Belt and Road Initiative (BRI).
Ransomware in UK Reached Record Level in 2022: Data on over 5 million people from over 700 organizations was potentially compromised, according to a dataset published by the Information Commissioner’s Office (ICO), revealing concerning disparities in official tallies by government agencies, and self-reporting by victims.
Pegasus Spyware Concerns Continue to Proliferate: Activists are again warning that states – including European democracies – are using zero-click commercial spyware, including against dissidents. An EU Commission panel has called for a full accounting from Poland, Hungary, Greece, Spain, and Azerbaijan.
Hacks of MGM, Caesars Casinos Highlight Social Engineering Threat: The ransomware group behind the crippling attacks, Scattered Spider, reportedly used phishing to obtain credentials and one-time password (OTP) codes, as well as so-called “multifactor authentication (MFA) notification fatigue” tactics to gain administrative-level access.
Strategic and Emerging Technology
Taiwan’s TSMC Reportedly Set for Production Delays: The company is said to have told its major suppliers to hold off on delivering high-end chipmaking equipment, citing fears of waning customer demand in the short term.
Dormant US Volcano Holds Massive Lithium Deposit: The recent discovery along the Nevada-Oregon state line could alter the price, security, and geopolitics of lithium, as the cache potentially surpasses those in Australia and Chile.
Washington Looks to Secure Open-Source Software Ecosystem: Following the release of the Cybersecurity and Infrastructure Security Agency (CISA) roadmap this week, major industry and government representatives convened for a status check – finding major questions remain on funding and artificial intelligence.
California Setting the Pace on US Tech Regulation: The state passed landmark bills curbing data-broker practices and expanding consumers’ “right to repair,” while legislation on AI safety is already in the works. The moves come as federal-level regulation on similar issues moves at a relative crawl.
Tech Policy Press: A Step Forward for EU Digital Markets Act, But Questions Remain