
How China Is Using Network Vulnerabilities to Boost Its Cyber Capabilities

by | Feb 8, 2023 | Cybersecurity


When news of China’s new vulnerability reporting regulations broke last year [2021], fears circulated that Beijing would use the law to stockpile undisclosed cybersecurity vulnerabilities, known as ‘zero days’.

A report released last month by Microsoft indicates that these fears have likely been realized.

The Regulations on the Management of Network Product Security Vulnerabilities require that any vulnerability discovered within China be reported to the relevant authorities within two days. For software and products developed outside mainland China, this is particularly problematic because the Chinese government now has access to vulnerabilities before vendors can patch them. This lead time enables Beijing to assess vulnerabilities for its own operational advantage—in other words, to see whether they can be exploited for use in a cyberattack against foreign entities.

By developing a better understanding of the structure of China’s system of cybersecurity governance, we might improve our grasp of the wave of new legislation and reforms occurring in China’s cybersecurity sector. This in turn will enable us to better understand how laws such as the vulnerability reporting regulations contribute to President Xi Jinping’s vision to make China a ‘cyber powerhouse’ (网络强国), and will give policymakers greater insights into the threats posed by Beijing’s cyber capabilities.

China’s cybersecurity landscape comprises a complex system, or xitong (系统), of command structures and organizational bodies that operate with an interwoven network of laws, supporting regulations and guidelines to enforce China’s overarching cybersecurity strategy. Given the opacity of the Chinese system of governance and recent reforms that have dramatically changed the nation’s cybersecurity sector, attributing responsibility and decoding the hierarchical structure of this xitong is difficult. Through careful analysis of primary and secondary sources, ASPI has developed new insights into the major players and the system under which they are organized.

Driven by a desire to better understand how China’s system of cybersecurity governance operates and to discover how entities have access to cybersecurity vulnerabilities, I have mapped the organisational structure and, in doing so, created a resource for others working in this area.

As part of this work, I delved into how the system facilitates China’s exploitation of vulnerabilities for its offensive cyber activities.

Article 7.2 of the regulations states that all vulnerabilities must be reported to the Ministry of Industry and Information Technology’s ‘network security threat information-sharing platform’ within two days of being discovered. However, according to a government-issued infographic, sharing of vulnerabilities with additional entities is also encouraged. These include the National Vulnerability Database of Information Security, which sits under the China Information Technology Security Evaluation Centre. Given that both of these entities are overseen by the Ministry of State Security, it’s reasonable to assume that the ministry has access to all vulnerabilities reported to them.

The Ministry of State Security is China’s foremost intelligence and security agency. It has been found to have routinely conducted cyber-enabled espionage and is linked to at least two advanced persistent threats—APT3 (also known as ‘Gothic Panda’) and APT10 (‘Stone Panda’). In 2017, researchers at Recorded Future concluded that the ministry’s access to vulnerabilities might ‘allow it to identify vulnerabilities in foreign technologies that China could then exploit’. The same group later published a finding that the National Vulnerability Database of Information Security had manipulated the publication dates of vulnerabilities in an effort to cover up China’s process of evaluating high-threat vulnerabilities to see whether they had ‘operational utility in intelligence operations’.

Last month’s Microsoft report indicates that the Chinese state has probably taken advantage of the new vulnerability reporting regulations, stating: ‘The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority.’ CrowdStrike’s 2022 global threat report also identified China as a ‘leader in vulnerability exploitation’ and reported a six-fold increase in the number of vulnerabilities exploited by ‘China-nexus’ actors, representing a major shift in the kind of cyberoperations China is conducting.

The picture we are able to build of the cybersecurity governance structure fits with China’s overarching strategy of military–civil fusion (军民融合) in that Beijing has sought to engage civilian enterprises, research and talent in the cybersecurity sector to bolster military objectives. The strategy’s goal is to deepen China’s defense mobilization so that civil society can be used in both war and strategic competition. Military–civil fusion is not a new strategy for China, but it has been increasingly prominent under the leadership of Xi and is a component of nearly every major strategic initiative since his ascension to the presidency.

The Chinese intelligence apparatus’s exploitation of these vulnerability reporting regulations is one further example of how Beijing has leveraged the civilian cybersecurity sector to advance the state’s offensive cyber capabilities.


Republished from the Australian Strategic Policy Institute under a Creative Commons license in the Commonwealth of Australia. Read the original article.


Jasmine Latimore

Jasmine Latimore is a research intern at the Australian Strategic Policy Institute.
