For state-sponsored hacking operations, unpatched vulnerabilities are valuable ammunition. Intelligence agencies and militaries seize on hackable bugs when they're revealed—exploiting them to carry out their campaigns of espionage or cyberwar—or spend millions to dig up new ones or to buy them in secret from the hacker gray market.
But for the past two years, China has added another approach to obtaining information about those vulnerabilities: a law that simply demands that any network technology business operating in the country hand it over. When tech companies learn of a hackable flaw in their products, they're now required to tell a Chinese government agency—which, in some cases, then shares that information with China's state-sponsored hackers, according to a new investigation. And some evidence suggests foreign firms with China-based operations are complying with the law, indirectly giving Chinese authorities hints about potential new ways to hack their own customers.
Today, the Atlantic Council released a report—whose findings the authors shared in advance with WIRED—that investigates the fallout of a Chinese law passed in 2021, designed to reform how companies and security researchers operating in China handle the discovery of security vulnerabilities in tech products.
[...]
The report's authors combed through the Chinese government's own descriptions of that program to chart the complex path the vulnerability information then takes: The data is shared with several other government bodies, including China's National Computer Network Emergency Response Technical Teams/Coordination Center, or CNCERT/CC, an agency devoted to defending Chinese networks. But the researchers found that CNCERT/CC makes its reports available to technology "partners" that include exactly the sort of Chinese organizations devoted not to fixing security vulnerabilities but to exploiting them. One such partner is the Beijing bureau of China's Ministry of State Security, the agency responsible for many of the country's most aggressive state-sponsored hacking operations in recent years, from spy campaigns to disruptive cyberattacks. And the vulnerability reports are also shared with Shanghai Jiaotong University and the security firm Beijing Topsec, both of which have a history of lending their cooperation to hacking campaigns carried out by China's People Liberation Army.
Related Stories
The Biden administration on Tuesday warned the nation's governors that drinking water and wastewater utilities in their states are facing "disabling cyberattacks" by hostile foreign nations that are targeting mission-critical plant operations.
"Disabling cyberattacks are striking water and wastewater systems throughout the United States," Jake Sullivan, assistant to the president for National Security Affairs, and Michael S. Regan, administrator of the Environmental Protection Agency, wrote in a letter. "These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities."
[...] The letter extended an invitation for secretaries of each state's governor to attend a meeting to discuss better securing the water sector's critical infrastructure. It also announced that the EPA is forming a Water Sector Cybersecurity Task Force to identify vulnerabilities in water systems. The virtual meeting will take place on Thursday.
"EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems," Regan said in a separate statement.
(Score: 4, Informative) by PiMuNu on Thursday September 14 2023, @08:06AM (2 children)
Note that in EU it is also required that vulnerabilities are disclosed, if personal data may be exposed. It's a provision of GDPR, although a bit more indirect because it is attached to the "protect personal data" thing. The provision requires disclosure both to the data subject and also to the government.
(Score: 5, Interesting) by Unixnut on Thursday September 14 2023, @09:21AM (1 child)
AFAIK in the UK any vulnerabilities in our products are to be disclosed to GCHQ as soon as we find them, and likewise I believe the USA has a similar thing with the NSA.
Officially it is so that they can disseminate the information to other more critical industries to be extra vigilant of any attempted exploits, or to find temporary workarounds until a fix is released. However it would be naive to think they would not use these in their own state sponsored cyberwar/espionage against others.
So it sounds to me like the Chinese are just catching up to what is already being done over here.
(Score: 0) by Anonymous Coward on Thursday September 14 2023, @03:46PM
In a world dominated by ruthless, deceitful, self-dealing globalist oligarchs, national sovereignty is a necessary bulwark between human freedom, dignity, and self-determination, and permanent enslavement to the central government of a globalist-dominated hive-world.
(Score: 2) by Opportunist on Thursday September 14 2023, @09:10AM (3 children)
How China gets intel on everyone's security problems? Same way we get intel on everyone's stockpile of WMDs: They produce them and sell them.
(Score: 5, Insightful) by Gaaark on Thursday September 14 2023, @12:08PM (1 child)
Or just make it up to justify invasion:
https://www.nbcnews.com/id/wbna7634313 [nbcnews.com]
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Friday September 15 2023, @01:02PM
Do you reckon China could borrow that play-book WRT Taiwan?
(Score: 0) by Anonymous Coward on Thursday September 14 2023, @03:48PM
The more members of the public understand what the globalists and their Chinese allies have done to them, the more danger the globalists are in, and the more incentive they have to exercise the "Samson Option" (total world destruction to avoid being brought to justice).
(Score: 1) by shrewdsheep on Thursday September 14 2023, @09:11AM (1 child)
The first entry in the related links list points to intel.com. Should this tell us something?
(Score: 3, Touché) by cereal_burpist on Friday September 15 2023, @03:56AM
Pay no attention to that man(agement engine) behind the curtain!
(Score: 4, Insightful) by istartedi on Thursday September 14 2023, @05:16PM
I hate to defend them, but I'm pretty sure the USA and other countries have "back-doored" various things over the years.
Perhaps the most famous case of this is Stuxnet [wikipedia.org]. I seriously doubt these companies are just "reporting" vulnerabilities. They're almost certainly *developing* them at the behest of the government, just as we have.
They don't call it cyber warfare for nothing.
Appended to the end of comments you post. Max: 120 chars.