US Companies in China Threatened by New Law

Concerns rise that China might exploit cyber vulnerabilities in tech used broadly across the US public and private sectors.

China’s new Data Security Law (DSL), which took effect on September 1, includes cyber vulnerability disclosure provisions that will provide its government with nearly exclusive early access to a steady stream of zero-day vulnerabilities — potentially to include those discovered in technologies used by the US Defense Department and Intelligence Community.

Zero-day vulnerabilities are security flaws that are not publicly known and therefore have no available patch.

The DSL’s vulnerability disclosure provisions are a concern given both China’s recent behavior and its activities in cyberspace over the past two decades. China is now poised to collect information on zero-days that it can use for both defensive and offensive purposes, with no obligation to share that information with other governments or companies, reports

The law’s provisions require all Chinese security researchers, Chinese businesses, and — most notably — foreign companies with a footprint inside China to report any zero-day vulnerability to the Chinese Ministry of Industry and Information Technology (MIIT) within two days of a vulnerability’s discovery. Under this law, China will compel certain security researchers and companies to disclose zero-day vulnerabilities to MIIT, while the sources of those flaws will be severely limited in who else they can share the information with. Meanwhile, China could exploit the vulnerabilities present in US government and American corporate networks.

The law’s provisions are backed by stiff financial penalties for non-compliance and the possibility of further legal actions by the Chinese government against offending entities.