{"id":77158,"date":"2022-12-15T11:00:47","date_gmt":"2022-12-15T00:00:47","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=77158"},"modified":"2022-12-15T10:55:34","modified_gmt":"2022-12-14T23:55:34","slug":"how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/","title":{"rendered":"How China is using network vulnerabilities to boost its cyber capabilities"},"content":{"rendered":"
<\/figure>\n

When news of China\u2019s new vulnerability reporting regulations<\/a> broke last year, fears circulated<\/a> that Beijing would use the law to stockpile undisclosed cybersecurity vulnerabilities, known as \u2018zero days\u2019.<\/p>\n

A report<\/a> released last month by Microsoft indicates that these fears have likely been realised.<\/p>\n

The Regulations on the Management of Network Product Security Vulnerabilities require that any vulnerability discovered within China be reported to the relevant authorities within two days. For software and products developed outside mainland China, this is particularly problematic because the Chinese government now has access to vulnerabilities before vendors can patch them. This lead time enables Beijing to assess vulnerabilities for its own operational advantage\u2014in other words, to see whether they can be exploited for use in a cyberattack against foreign entities.<\/p>\n

By developing a better understanding of the structure of China\u2019s system of cybersecurity governance, we might improve our grasp of the wave of new legislation and reforms<\/a> occurring in China\u2019s cybersecurity sector. This in turn will enable us to better understand how laws such as the vulnerability reporting regulations contribute to President Xi Jinping\u2019s vision to make China a \u2018cyber powerhouse\u2019 (\u7f51\u7edc\u5f3a\u56fd), and will give policymakers greater insights into the threats posed by Beijing\u2019s cyber capabilities.<\/p>\n

China\u2019s cybersecurity landscape comprises a complex system, or xitong<\/em> (\u7cfb\u7edf)<\/a>, of command structures and organisational bodies that operate with an interwoven network of laws, supporting regulations and guidelines to enforce China\u2019s overarching cybersecurity strategy. Given the opacity of the Chinese system of governance and recent reforms that have dramatically changed the nation\u2019s cybersecurity sector, attributing responsibility and decoding the hierarchical structure of this xitong<\/em> is difficult. Through careful analysis of primary and secondary sources, ASPI has developed new insights into the major players and the system under which they are organised.<\/p>\n

Driven by a desire to better understand how China\u2019s system of cybersecurity governance operates and to discover how entities have access to cybersecurity vulnerabilities, I have mapped the organisational structure<\/a> and, in doing so, created a resource for others working in this area.<\/p>\n

As part of this work, I delved into how the system facilitates China\u2019s exploitation of vulnerabilities for its offensive cyber activities.<\/p>\n

Article 7.2 of the regulations states that all vulnerabilities must be reported to the Ministry of Industry and Information Technology\u2019s \u2018network security threat information-sharing platform\u2019 within two days of being discovered. However, according to a government-issued infographic<\/a>, sharing of vulnerabilities with additional entities is also encouraged. These include the National Vulnerability Database of Information Security, which sits under the China Information Technology Security Evaluation Centre. Given that both of these entities are overseen by the Ministry of State Security, it\u2019s reasonable to assume that the ministry has access to all vulnerabilities reported to them.<\/p>\n

The Ministry of State Security<\/a> is China\u2019s foremost intelligence and security agency. It has been found to have routinely conducted cyber-enabled espionage and is linked to at least two advanced persistent threats\u2014APT3 (also known as \u2018Gothic Panda\u2019) and APT10 (\u2018Stone Panda\u2019). In 2017, researchers at Recorded Future concluded<\/a> that the ministry\u2019s access to vulnerabilities might \u2018allow it to identify vulnerabilities in foreign technologies that China could then exploit\u2019. The same group later published <\/a>a finding that the National Vulnerability Database of Information Security had manipulated the publication dates of vulnerabilities in an effort to cover up China\u2019s process of evaluating high-threat vulnerabilities to see whether they had \u2018operational utility in intelligence operations\u2019.<\/p>\n

Last month\u2019s Microsoft report indicates that Chinese state has probably taken advantage of the new vulnerability reporting regulations, stating: \u2018The increased use of zero days over the last year from China-based actors likely reflects the first full year of China\u2019s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority.\u2019 CrowdStrike\u2019s 2022 global threat report<\/em><\/a> also identified China as a \u2018leader in vulnerability exploitation\u2019 and reported a six-fold increase in the number of vulnerabilities exploited by \u2018China-nexus\u2019 actors, representing a major shift in the kind of cyberoperations China is conducting.<\/p>\n

The picture we are able to build of the cybersecurity governance structure fits with China\u2019s overarching strategy of military\u2013civil fusion (\u519b\u6c11\u878d\u5408) in that Beijing has sought to engage civilian enterprises, research and talent in the cybersecurity sector to bolster military objectives. The strategy\u2019s goal is to deepen China\u2019s defence mobilisation so that civil society can be used in both war and strategic competition. Military\u2013civil fusion is not a new strategy for China, but it has been increasingly prominent under the leadership of Xi and is a component of<\/a> nearly every major strategic initiative since his ascension to the presidency.<\/p>\n

The Chinese intelligence apparatus\u2019s exploitation of these vulnerability reporting regulations is one further example of how Beijing has leveraged the civilian cybersecurity sector to advance the state\u2019s offensive cyber capabilities.<\/p>\n","protected":false},"excerpt":{"rendered":"

When news of China\u2019s new vulnerability reporting regulations broke last year, fears circulated that Beijing would use the law to stockpile undisclosed cybersecurity vulnerabilities, known as \u2018zero days\u2019. A report released last month by Microsoft …<\/p>\n","protected":false},"author":1536,"featured_media":77160,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[1383,52,391,2138],"class_list":["post-77158","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-ccp","tag-china","tag-cyber","tag-cybersecurity"],"acf":[],"yoast_head":"\nHow China is using network vulnerabilities to boost its cyber capabilities | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How China is using network vulnerabilities to boost its cyber capabilities | The Strategist\" \/>\n<meta property=\"og:description\" content=\"When news of China\u2019s new vulnerability reporting regulations broke last year, fears circulated that Beijing would use the law to stockpile undisclosed cybersecurity vulnerabilities, known as \u2018zero days\u2019. A report released last month by Microsoft ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-15T00:00:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-12-14T23:55:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/12\/GettyImages-1227757609.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"681\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jasmine Latimore\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jasmine Latimore\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/12\/GettyImages-1227757609.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/12\/GettyImages-1227757609.jpg\",\"width\":1024,\"height\":681,\"caption\":\"An instructor teaches an online coding class at Tarena International's Zhongguancun campus in Beijing on July 24, 2020. - Some 700 students enrolled in the Zhongguancun campus, part of the Chinese training company which provides IT training and technical consultation, are currently taking online coding classes due to social restrictions amid the COVID-19 coronavirus pandemic. (Photo by NICOLAS ASFOURI \/ AFP) \/ The erroneous mention[s] appearing in the metadata of this photo by NICOLAS ASFOURI has been modified in AFP systems in the following manner: [Tarena International's Zhongguancun campus in Beijing] instead of [Tarena International's Beijing campus]. Please immediately remove the erroneous mention[s] from all your online services and delete it (them) from your servers. If you have been authorized by AFP to distribute it (them) to third parties, please ensure that the same actions are carried out by them. Failure to promptly comply with these instructions will entail liability on your part for any continued or post notification usage. Therefore we thank you very much for all your attention and prompt action. We are sorry for the inconvenience this notification may cause and remain at your disposal for any further information you may require. (Photo by NICOLAS ASFOURI\/AFP via Getty Images)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/\",\"name\":\"How China is using network vulnerabilities to boost its cyber capabilities | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/#primaryimage\"},\"datePublished\":\"2022-12-15T00:00:47+00:00\",\"dateModified\":\"2022-12-14T23:55:34+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/cfb0b89b19f668c8d41eca4d950c87cc\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How China is using network vulnerabilities to boost its cyber capabilities\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/cfb0b89b19f668c8d41eca4d950c87cc\",\"name\":\"Jasmine Latimore\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2e2ef88527be4f5d7706ac5ff8582159?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2e2ef88527be4f5d7706ac5ff8582159?s=96&d=mm&r=g\",\"caption\":\"Jasmine Latimore\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/jasmine-latimore\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How China is using network vulnerabilities to boost its cyber capabilities | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/","og_locale":"en_US","og_type":"article","og_title":"How China is using network vulnerabilities to boost its cyber capabilities | The Strategist","og_description":"When news of China\u2019s new vulnerability reporting regulations broke last year, fears circulated that Beijing would use the law to stockpile undisclosed cybersecurity vulnerabilities, known as \u2018zero days\u2019. A report released last month by Microsoft ...","og_url":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2022-12-15T00:00:47+00:00","article_modified_time":"2022-12-14T23:55:34+00:00","og_image":[{"width":1024,"height":681,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/12\/GettyImages-1227757609.jpg","type":"image\/jpeg"}],"author":"Jasmine Latimore","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Jasmine Latimore","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/12\/GettyImages-1227757609.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/12\/GettyImages-1227757609.jpg","width":1024,"height":681,"caption":"An instructor teaches an online coding class at Tarena International's Zhongguancun campus in Beijing on July 24, 2020. - Some 700 students enrolled in the Zhongguancun campus, part of the Chinese training company which provides IT training and technical consultation, are currently taking online coding classes due to social restrictions amid the COVID-19 coronavirus pandemic. (Photo by NICOLAS ASFOURI \/ AFP) \/ The erroneous mention[s] appearing in the metadata of this photo by NICOLAS ASFOURI has been modified in AFP systems in the following manner: [Tarena International's Zhongguancun campus in Beijing] instead of [Tarena International's Beijing campus]. Please immediately remove the erroneous mention[s] from all your online services and delete it (them) from your servers. If you have been authorized by AFP to distribute it (them) to third parties, please ensure that the same actions are carried out by them. Failure to promptly comply with these instructions will entail liability on your part for any continued or post notification usage. Therefore we thank you very much for all your attention and prompt action. We are sorry for the inconvenience this notification may cause and remain at your disposal for any further information you may require. (Photo by NICOLAS ASFOURI\/AFP via Getty Images)"},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/","url":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/","name":"How China is using network vulnerabilities to boost its cyber capabilities | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/#primaryimage"},"datePublished":"2022-12-15T00:00:47+00:00","dateModified":"2022-12-14T23:55:34+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/cfb0b89b19f668c8d41eca4d950c87cc"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/how-china-is-using-network-vulnerabilities-to-boost-its-cyber-capabilities\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"How China is using network vulnerabilities to boost its cyber capabilities"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/cfb0b89b19f668c8d41eca4d950c87cc","name":"Jasmine Latimore","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2e2ef88527be4f5d7706ac5ff8582159?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2e2ef88527be4f5d7706ac5ff8582159?s=96&d=mm&r=g","caption":"Jasmine Latimore"},"url":"https:\/\/www.aspistrategist.ru\/author\/jasmine-latimore\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/77158"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/1536"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=77158"}],"version-history":[{"count":3,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/77158\/revisions"}],"predecessor-version":[{"id":77161,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/77158\/revisions\/77161"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/77160"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=77158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=77158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=77158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}