China’s vulnerability disclosure regulations put state security first

By Devin Thorne, The Strategist (ASPI), 31 August 2021
On 1 September, new regulations will come into effect in China that tighten the requirements for reporting security vulnerabilities in network products (pertaining to ‘weaknesses or flaws’ in ‘software, hardware, or organizational processes’) to the government. When they were first published in July, the Regulations on the Management of Network Product Security Vulnerabilities incited a flurry of commentary about Beijing’s intentions. For example, some posited that the regulations would enable the government to ‘stockpile zero-days’, while others said the party-state might seek to ‘weaponize any discovered security vulnerabilities’.

The regulations do create space for opportunistic offensive action, but they also have a defensive intent that has been largely overlooked. Understanding the multiple purposes the regulation can serve helps us better understand the implications for entities that are subject to the law, including potential conflicts of interest for businesses with operations in China and elsewhere.

President Xi Jinping and China’s leadership espouse the view that ‘without network security there is no state security’. The internet has become central to all facets of national development, including politics, economics and military affairs. In this context, the new regulations are directed at ensuring that vulnerabilities are identified and fixed quickly to prevent a situation that, as one People’s Daily Online commentary put it, ‘threatens state security’, including through the leakage overseas of ‘public data and information’.

Network vulnerabilities are seen as strategic resources that can be used by foreign adversaries against China. The regulations emphasise preventing malicious activities that target Chinese networks; articles 3 and 4 specifically prohibit actions that enable activities harmful to network security and other internet-based crimes. The scope of such activities is left intentionally vague; named concerns include fraud and extortion, but foreign espionage was almost certainly on the minds of the regulation’s creators, and they also understood that activities ‘harming network security’ can be political in nature.

In 2019—the year the first draft of the vulnerability regulations was issued—China’s principal civilian intelligence service, the Ministry of State Security, asserted that just one out of nearly 100 advanced persistent threat groups targeting China initiated almost 4,000 attacks, including on major political events such as the ‘two sessions’, the Belt and Road Forum, and the 70th anniversary of the founding of the People’s Republic of China. Chinese cybersecurity firm Qihoo 360 alleged that a group affiliated with the US Central Intelligence Agency conducted a years-long cyber campaign against Chinese government agencies and critical sectors from 2008 through 2019.

In the years prior to the draft regulation being put forward, China’s cybersecurity was generally weak. In 2015, Qihoo 360 found that 43.9% of more than two million websites had vulnerabilities, 13% of which were high threat. More worrisome, the fix rate was just 4.7% after notification—‘more than 95% of website vulnerabilities went unrepaired for a long time’. The situation appears to have improved somewhat since, based on a much smaller sample taken in 2019. Yet market research that year suggested that investment in network security as a proportion of all informatisation expenditure was still lagging (1% compared with 15% in the United States). As of 2020, China’s National Computer Network Emergency Response Technical Team reported that China’s cybersecurity apparatus continued to face increasing threats.

The regulations are also a part of an expanding Chinese legal framework governing network security, ranging from the 2016 cybersecurity law to the new data security law, which also takes effect on 1 September. Both lay the groundwork for enhancing state security by addressing perceived weaknesses. Article 23 of the new data security law is particularly relevant. It calls for the state to establish an emergency response mechanism for data security incidents that requires relevant departments to activate emergency response plans to prevent further harm and security gaps as well as, where required, warn the public.

The new vulnerability regulations are in line with the data security law and appear to create a framework for implementing a data security emergency response mechanism when a network vulnerability is discovered. They place a number of obligations on network product vendors (this term is not defined in the regulation; it likely refers to any developer of network hardware or software, including servers, web applications and websites) that operate in China, and on other parties in China that discover vulnerabilities. These obligations include reporting vulnerabilities to China’s Ministry of Industry and Information Technology within two days. Vendors now also have a legal obligation to fix known vulnerabilities.

Although the regulations address real security concerns, the state security environment created by the Chinese government gives rise to unique political risks for any entity subject to the law. China’s state security interests are explicitly defended before the interests of any other affected party. The vulnerability regulations apply to all relevant actors operating within China, including Chinese companies that have a global footprint and international companies with operations in China. Any vulnerability in their products would likely affect systems and users beyond China, yet Article 9 states that vulnerabilities cannot be disclosed publicly until Chinese authorities have undertaken assessments. Article 9 also explicitly prohibits sharing vulnerability information with anyone overseas, unless the vendor itself is overseas. The Chinese government, therefore, is to be given access to information on vulnerabilities before any other interested party.

There’s also a real likelihood that the regulations will facilitate China’s cyber espionage efforts opportunistically in the gaps between reporting, patching and disclosure. Research by cybersecurity company Recorded Future has shown that network vulnerabilities known to the government are very likely evaluated for espionage utility.

The Ministry of State Security’s vulnerability database, which is separate from the Ministry of Industry and Information Technology’s vulnerability database, typically publishes vulnerabilities in an average of 13 days. Yet ‘high threat’ vulnerabilities are consistently published much later. In one instance, Chinese hackers actively exploited one of these high-threat vulnerabilities during the delay period. In another example, the winning hack from China’s 2018 Tianfu Cup—the first major domestic hacking competition since Chinese white hats were banned from international competitions—was reported to the vendor as is convention, but was used for espionage almost from the moment of discovery until Apple issued a fix.

The new vulnerability regulations, coupled with all of the government’s other cybersecurity-related legislation in recent years, are partly meant to ensure China is capable of withstanding a major adversarial confrontation from abroad. China-headquartered technology companies with global operations are increasingly put in a difficult position.

Global companies with a footprint in China will also be challenged by the tightening restrictions. It is becoming increasingly difficult for a company to navigate the regulatory requirements of operating in China while not undermining the national security of other countries in which it may have business operations. Under Xi, the state security apparatus has more explicitly placed responsibility on everyone to maintain and guarantee China’s state security, which prioritises the party’s power over all else.
