Will a New Law Help the Chinese Government Stockpile Zero-Days? (securityweek.com) 27
"Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government," reports SecurityWeek, "and must not sell or give the knowledge to any third-party outside of China (apart from the vulnerable product's manufacturer)."
Brief details are provided in a report by the Associated Press (AP) published Tuesday, July 13, 2021. No source is provided beyond the statement, "No one may 'collect, sell or publish information on network product security vulnerabilities,' say the rules issued by the Cyberspace Administration of China and the police and industry ministries...."
AP describes this action as "further tightening the Communist Party's control over information". This is unlikely to be the primary motivation for the new rule since the government already has a vice-like grip on data. Companies may not store data on Chinese customers outside of China. Foreign companies selling routers and some other network devices in China must disclose to regulators how any encryption features work.
"I would expect the Chinese Government to weaponize any discovered security vulnerabilities to enhance China's cybersecurity capabilities," Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells SecurityWeek. And Jake Williams, co-founder and CTO at BreachQuest adds that "the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains...."
But he also believes this could rebound against China. "One of the biggest likely issues is brain drain. If Chinese researchers can profit handsomely from their work anywhere else, but can't do so in China, why would they stay? This probably helps China in the short term but harms them in the long term."
The new law does encourage network operators and product vendors to set up a reward mechanism for reported vulnerabilities, according to the Record. But Katie Moussouris, founder and CEO of Luta Security, also raises the issue of western-based bug bounty platforms that have been working with Chinese security researchers for the past years. "If Western-based bug bounty platforms comply with this requirement in order to continue to legally receive bug reports from Chinese researchers, we must assume they will be required to hand over vulnerability data to the Ministry within two days of receiving the reports," Moussouris said. "That requirement will effectively introduce a backdoor straight to the Chinese government in any VDP [vulnerability disclosure program] or bug bounty program where Chinese researchers submit bugs via platforms, even to non-Chinese companies."
AP describes this action as "further tightening the Communist Party's control over information". This is unlikely to be the primary motivation for the new rule since the government already has a vice-like grip on data. Companies may not store data on Chinese customers outside of China. Foreign companies selling routers and some other network devices in China must disclose to regulators how any encryption features work.
"I would expect the Chinese Government to weaponize any discovered security vulnerabilities to enhance China's cybersecurity capabilities," Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells SecurityWeek. And Jake Williams, co-founder and CTO at BreachQuest adds that "the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains...."
But he also believes this could rebound against China. "One of the biggest likely issues is brain drain. If Chinese researchers can profit handsomely from their work anywhere else, but can't do so in China, why would they stay? This probably helps China in the short term but harms them in the long term."
The new law does encourage network operators and product vendors to set up a reward mechanism for reported vulnerabilities, according to the Record. But Katie Moussouris, founder and CEO of Luta Security, also raises the issue of western-based bug bounty platforms that have been working with Chinese security researchers for the past years. "If Western-based bug bounty platforms comply with this requirement in order to continue to legally receive bug reports from Chinese researchers, we must assume they will be required to hand over vulnerability data to the Ministry within two days of receiving the reports," Moussouris said. "That requirement will effectively introduce a backdoor straight to the Chinese government in any VDP [vulnerability disclosure program] or bug bounty program where Chinese researchers submit bugs via platforms, even to non-Chinese companies."
I do not get it (Score:2)
Seems like a way to discourage work (Score:3)
Why put you efforts toward finding vulnerabilities if you do not think that you can either profit from it or tell anyone about it?
Sure some may find interest in handing everything over to the government or keeping all your findings to yourself in a personal collection, but it is quite likely that neither will go far in paying your bills.
Re: (Score:2)
Oh my God the bridge is out, meh, so what why should I bother to tell anyone when instead I can facebook videos of people going over to sell advertising space, hey, hey, what is in if for ME, fuck em, their fault for not paying enough attention.
The law makes sense, find a fault, more concerned about how much you can make, then go to jail instead. Yes, find a fault, report it to a government authority and they ensure the manufacturer repairs and if found to be criminally negligent, as in the fault should hav
Re: (Score:2)
Why put you efforts toward finding vulnerabilities if you do not think that you can either profit from it or tell anyone about it?
Sure some may find interest in handing everything over to the government or keeping all your findings to yourself in a personal collection, but it is quite likely that neither will go far in paying your bills.
Why would anyone do something when the carrot is so small? Maybe because the stick is so large? What is the penalty for for noncompliance?
noncompliance in China (Score:1)
"What is the penalty for noncompliance?"
Sorry, but this question shows you have no clue about these regimes. In China, you can pretty easily receive any penalty. I mean, ANY. You can find yourself in a concentration camp, possibly with your family. Or you can disappear... Whatever.
Effort (Score:2)
Why put you efforts toward finding vulnerabilities...
Because the effort might be negligible. The bugs I found in third-party libraries all came from the specific use I had, and the effort to make my own software working. When the debugging went into the third-party library, I located the flaw. The same library probably worked like a charm for other people with more general usage.
Re: (Score:1)
Re: (Score:2)
If you have been around for any length of time you would know that the reason bug sharing with open source groups became a thing is that without a concern about exposure software companies seldom patched things.
This created opportunities for people to develop reputations based on the quality of their finds and eventually created the proof needed to develope things such as well established open source intelligence and companies that specialized in coordinating bug bounty programs, and decentralized pen testi
Re: (Score:2)
They are allowed to give the vulnerability to the vendor, so the vendor can still have a bug bounty programme. It just makes it illegal to be unethical and sell it to anyone else.
At least for companies inside China, it's not clear what the deal is with with vendors who don't have a presence there. FWIW both Microsoft and Apple do. Google doesn't but a lot of Chinese companies use Android so there would likely be a specific phone manufacturer to report to.
Some Chinese companies have bug bounties, some are we
Re: (Score:2)
Why put you efforts toward finding vulnerabilities if you do not think that you can either profit from it or tell anyone about it?
This is similar to the argument people use to make back the early 90's against Linux and FOSS in general (why use/support it if you can't sell it.)
People are motivated by things other than direct profit. Moreover, there are many ways to profit without direct remuneration. Prestige and recognition in the ITSec industry is a real currency, a form of social capital, in the same way that one can accrue social capital as a developer from doing important contributions to, say, the Linux Kernel or the Spring Fra
Re: (Score:2)
It is one thing to choose to put your efforts into free or open source efforts, it is another thing for the government to mandate that you only share with them and not with others (such as open source intelligence groups).
Re: (Score:2)
It is one thing to choose to put your efforts into free or open source efforts, it is another thing for the government to mandate that you only share with them and not with others (such as open source intelligence groups).
That is true, and this is an excellent argument that deserves its own discussion. Nevertheless, that is not the argument I am replied to, in particular the sentence I quoted in my original post. /goalpostsaremovingmysteriously
Re: (Score:2)
It is what the article is referring to
must not sell or give the knowledge to 3rd-party (Score:2)
"and must not sell or give the knowledge to any third-party outside of China (apart from the vulnerable product's manufacturer)."
So can you give it to a third party that will sell it to someone outside of China?
Potato vs Potato (Score:2)
Technically, there isn't much difference in how China is treating these vs how the United States Intelligence Agencies treat them.
They will both stockpile them, weaponize them and deploy them when they see fit.
Go ahead, tell me I'm wrong :P
i do not see how (Score:2)
Will ./ always parrot CIA propaganda? (Score:1)
It's not China that has an obsession with monitoring every electronic communication from every person on the planet. That would be the NSA.
Re: (Score:1)
What evidence do you have for your claim "It's not China that has an obsession with monitoring every electronic communication from every person on the planet"?
Re: (Score:3)
That's like asking for evidence that Obama is the first black POTUS. Some words you can toss at the Google for further reading:
Obama Angela Merkel's cell phone
The Five Eyes
Fusion Centers
and that's off the top of my head
Re: (Score:1)
so, to recap it:
- you claimed "It's not China that has an obsession..."
- I asked about any evidence about China not having that obsession
- you provided a set of topics unrelated to China
If you can't show any reasoning behind your claim, then it's fair to label it bullshit.
Re: (Score:2)
Just because you don't like it doesn't mean the reasoning isn't right in front of your face. Lucky for you I'm an absolutist that the person making the claim has the job to back it up - but yes this is as banal as asking for evidence that Obama is black. Long before Snowden we knew of the NSA's massive and massively illegal warrantless wiretapping program back in 2005. [nytimes.com] Obama personally approved the tapping of Angela Merke
Re: (Score:1)
So here's the list of the subjects you write about: Obama, Snowden, NSA, Merkel.
Can you please note that this way it's impossible to prove anything about China?
Chinese researcher in a western cybersec company (Score:2)
If this applies to EVERY Chinese citizen (which it probably does), then it's going to be pretty risky to employ Chinese cybersecurity experts (or collaborate with them).