For state-sponsored hacking operations, unpatched vulnerabilities are valuable ammunition. Intelligence agencies and militaries seize on hackable bugs when they're revealed—exploiting them to carry out their campaigns of espionage or cyberwar—or spend millions to dig up new ones or to buy them in secret from the hacker gray market.
But for the past two years, China has added another approach to obtaining information about those vulnerabilities: a law that simply demands that any network technology business operating in the country hand it over. When tech companies learn of a hackable flaw in their products, they're now required to tell a Chinese government agency—which, in some cases, then shares that information with China's state-sponsored hackers, according to a new investigation. And some evidence suggests foreign firms with China-based operations are complying with the law, indirectly giving Chinese authorities hints about potential new ways to hack their own customers.
Today, the Atlantic Council released a report—whose findings the authors shared in advance with WIRED—that investigates the fallout of a Chinese law passed in 2021, designed to reform how companies and security researchers operating in China handle the discovery of security vulnerabilities in tech products.
[...]
The report's authors combed through the Chinese government's own descriptions of that program to chart the complex path the vulnerability information then takes: The data is shared with several other government bodies, including China's National Computer Network Emergency Response Technical Teams/Coordination Center, or CNCERT/CC, an agency devoted to defending Chinese networks. But the researchers found that CNCERT/CC makes its reports available to technology "partners" that include exactly the sort of Chinese organizations devoted not to fixing security vulnerabilities but to exploiting them. One such partner is the Beijing bureau of China's Ministry of State Security, the agency responsible for many of the country's most aggressive state-sponsored hacking operations in recent years, from spy campaigns to disruptive cyberattacks. And the vulnerability reports are also shared with Shanghai Jiaotong University and the security firm Beijing Topsec, both of which have a history of lending their cooperation to hacking campaigns carried out by China's People Liberation Army.
(Score: 4, Informative) by PiMuNu on Thursday September 14 2023, @08:06AM (2 children)
Note that in EU it is also required that vulnerabilities are disclosed, if personal data may be exposed. It's a provision of GDPR, although a bit more indirect because it is attached to the "protect personal data" thing. The provision requires disclosure both to the data subject and also to the government.
(Score: 5, Interesting) by Unixnut on Thursday September 14 2023, @09:21AM (1 child)
AFAIK in the UK any vulnerabilities in our products are to be disclosed to GCHQ as soon as we find them, and likewise I believe the USA has a similar thing with the NSA.
Officially it is so that they can disseminate the information to other more critical industries to be extra vigilant of any attempted exploits, or to find temporary workarounds until a fix is released. However it would be naive to think they would not use these in their own state sponsored cyberwar/espionage against others.
So it sounds to me like the Chinese are just catching up to what is already being done over here.
(Score: 0) by Anonymous Coward on Thursday September 14 2023, @03:46PM
In a world dominated by ruthless, deceitful, self-dealing globalist oligarchs, national sovereignty is a necessary bulwark between human freedom, dignity, and self-determination, and permanent enslavement to the central government of a globalist-dominated hive-world.