Demanding the Vulnerabilities of Tech Companies? Worrying New Policy in China

China has for the past few years ordered any tech company within its borders to hand over any information about unpatched vulnerabilities, which researchers say is invaluable for state-sponsored hacking operations.

This law is named “Regulations on the Management of Network Product Security Vulnerabilities,” and was apparently designed to change how companies and security researchers working in China handle the discovery of security vulnerabilities in tech products.

According to Cybernews, software vulnerabilities must now be reported by companies operating in China to the Ministry of Industry and Information Technology within 48 hours of their discovery. Furthermore, researchers can’t publish information about the discovered vulnerabilities before there is an available patch, unless the owner of the product and the ministry agree. The flaws are then added to the National Vulnerability Database.

Despite possible claims that China simply cares about information security and wants to defend the country’s networks, knowledge of unpatched vulnerabilities can be valuable for state-sponsored hacking operations.

That is to say, if tech companies obey the regulations and report their vulnerabilities to the Chinese authorities before patching them, Beijing’s agents could potentially use those flaws to compromise the product and its users worldwide.

Moreover, researchers found that the reports in the National Vulnerability Database are available to “partners” that are more aligned with exploiting vulnerabilities than fixing them, like the Beijing bureau of China’s Ministry of State Security, which is responsible for recent aggressive state-sponsored hacking operations.

Essentially, tech companies in China are given a choice: either hand sensitive descriptions of their vulnerabilities to a government that could use this information for attacks, or leave China.

This situation adds to the recent US-China tensions over cyber espionage and could have serious geopolitical implications. An example of such tension is the recent revelation that Chinese hackers obtained a cryptographic key, allowing Beijing spies to access the email accounts of 25 US organizations, including the State Department and the Department of Commerce.