Slash Boxes

SoylentNews is people

posted by hubie on Thursday September 14, @07:33AM   Printer-friendly
from the dirty-little-secrets dept.

For state-sponsored hacking operations, unpatched vulnerabilities are valuable ammunition. Intelligence agencies and militaries seize on hackable bugs when they're revealed—exploiting them to carry out their campaigns of espionage or cyberwar—or spend millions to dig up new ones or to buy them in secret from the hacker gray market.

But for the past two years, China has added another approach to obtaining information about those vulnerabilities: a law that simply demands that any network technology business operating in the country hand it over. When tech companies learn of a hackable flaw in their products, they're now required to tell a Chinese government agency—which, in some cases, then shares that information with China's state-sponsored hackers, according to a new investigation. And some evidence suggests foreign firms with China-based operations are complying with the law, indirectly giving Chinese authorities hints about potential new ways to hack their own customers.

Today, the Atlantic Council released a report—whose findings the authors shared in advance with WIRED—that investigates the fallout of a Chinese law passed in 2021, designed to reform how companies and security researchers operating in China handle the discovery of security vulnerabilities in tech products.
The report's authors combed through the Chinese government's own descriptions of that program to chart the complex path the vulnerability information then takes: The data is shared with several other government bodies, including China's National Computer Network Emergency Response Technical Teams/Coordination Center, or CNCERT/CC, an agency devoted to defending Chinese networks. But the researchers found that CNCERT/CC makes its reports available to technology "partners" that include exactly the sort of Chinese organizations devoted not to fixing security vulnerabilities but to exploiting them. One such partner is the Beijing bureau of China's Ministry of State Security, the agency responsible for many of the country's most aggressive state-sponsored hacking operations in recent years, from spy campaigns to disruptive cyberattacks. And the vulnerability reports are also shared with Shanghai Jiaotong University and the security firm Beijing Topsec, both of which have a history of lending their cooperation to hacking campaigns carried out by China's People Liberation Army.

Original Submission

This discussion was created by hubie (1068) for logged-in users only. Log in and try again!
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Informative) by PiMuNu on Thursday September 14, @08:06AM (2 children)

    by PiMuNu (3823) on Thursday September 14, @08:06AM (#1324581)

    Note that in EU it is also required that vulnerabilities are disclosed, if personal data may be exposed. It's a provision of GDPR, although a bit more indirect because it is attached to the "protect personal data" thing. The provision requires disclosure both to the data subject and also to the government.

    • (Score: 5, Interesting) by Unixnut on Thursday September 14, @09:21AM (1 child)

      by Unixnut (5779) on Thursday September 14, @09:21AM (#1324591)

      AFAIK in the UK any vulnerabilities in our products are to be disclosed to GCHQ as soon as we find them, and likewise I believe the USA has a similar thing with the NSA.

      Officially it is so that they can disseminate the information to other more critical industries to be extra vigilant of any attempted exploits, or to find temporary workarounds until a fix is released. However it would be naive to think they would not use these in their own state sponsored cyberwar/espionage against others.

      So it sounds to me like the Chinese are just catching up to what is already being done over here.

      • (Score: 0) by Anonymous Coward on Thursday September 14, @03:46PM

        by Anonymous Coward on Thursday September 14, @03:46PM (#1324647)

        In a world dominated by ruthless, deceitful, self-dealing globalist oligarchs, national sovereignty is a necessary bulwark between human freedom, dignity, and self-determination, and permanent enslavement to the central government of a globalist-dominated hive-world.

  • (Score: 2) by Opportunist on Thursday September 14, @09:10AM (3 children)

    by Opportunist (5545) on Thursday September 14, @09:10AM (#1324588)

    How China gets intel on everyone's security problems? Same way we get intel on everyone's stockpile of WMDs: They produce them and sell them.

    • (Score: 5, Insightful) by Gaaark on Thursday September 14, @12:08PM (1 child)

      by Gaaark (41) on Thursday September 14, @12:08PM (#1324608) Journal

      Or just make it up to justify invasion: []

      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 0) by Anonymous Coward on Friday September 15, @01:02PM

        by Anonymous Coward on Friday September 15, @01:02PM (#1324800)

        Do you reckon China could borrow that play-book WRT Taiwan?

    • (Score: 0) by Anonymous Coward on Thursday September 14, @03:48PM

      by Anonymous Coward on Thursday September 14, @03:48PM (#1324649)

      The more members of the public understand what the globalists and their Chinese allies have done to them, the more danger the globalists are in, and the more incentive they have to exercise the "Samson Option" (total world destruction to avoid being brought to justice).

  • (Score: 1) by shrewdsheep on Thursday September 14, @09:11AM (1 child)

    by shrewdsheep (5215) Subscriber Badge on Thursday September 14, @09:11AM (#1324589)

    The first entry in the related links list points to Should this tell us something?

  • (Score: 4, Insightful) by istartedi on Thursday September 14, @05:16PM

    by istartedi (123) on Thursday September 14, @05:16PM (#1324681) Journal

    I hate to defend them, but I'm pretty sure the USA and other countries have "back-doored" various things over the years.

    Perhaps the most famous case of this is Stuxnet []. I seriously doubt these companies are just "reporting" vulnerabilities. They're almost certainly *developing* them at the behest of the government, just as we have.

    They don't call it cyber warfare for nothing.

    Appended to the end of comments you post. Max: 120 chars.