Foreign media and experts discuss the “Regulations on the Management of Security Vulnerabilities in Network Products”

According to foreign media reports, China stipulates that all zero-day vulnerabilities may only be disclosed to the Chinese government. From September 1, 2021, the Chinese government will require any Chinese citizen who discovers a zero-day vulnerability to report the details to the competent network department of the Chinese government, and not to sell or provide the relevant information to any third party outside China (except to the manufacturer of the vulnerable product). The following is a review of reporting on the new regulations by “Security Weekly” (SecurityWeek), The Associated Press, The Hindu and other media, as well as comments on the regulations by relevant security experts.


Media reaction

“Security Weekly” stated that China’s vulnerability disclosure rules have been described as “further strengthening the control of information.” This is unlikely to be the main motivation for introducing the new rules, because the government’s control of data is already tight. Companies may not store Chinese customer data outside China, and foreign companies that sell routers and some other network equipment in China must already disclose to regulators how their encryption functions work.

Article 7 of the National Intelligence Law promulgated in 2017 already requires Chinese citizens to support, assist and cooperate with national intelligence work, which already implies that Chinese citizens must support China’s cyber operations. The new regulations make this support explicit, and are more likely to be related to China’s intelligence-led cyber operations than to strengthening control of internal information. If this is true, it is worth exploring what impact the rule might have on the rest of the world. The most obvious hypothesis is that zero-day vulnerabilities discovered in China will flow to China’s APT groups and will not be available for purchase by the US National Security Agency or Russian state actors.

The Associated Press (AP) released a report on July 13, 2021 local time, giving brief details; apart from the official statement, it cites no other sources of information. “According to the regulations issued by the National Internet Information Office, the Ministry of Public Security and the Ministry of Industry and Information Technology, no one is allowed to ‘collect, sell or publish information about the security vulnerabilities of network products’.” The report is not clear on whether private research is prohibited, or whether only the results of private research are controlled. The latter is the most likely.

The Hindu newspaper reported that the new rules would prohibit private sector experts from discovering “zero days”, previously unknown security flaws, and selling the information to police, spy agencies or companies. Such vulnerabilities have been a feature of major hacking attacks. A hacking attack this month was blamed on a group associated with Russia that infected thousands of companies in at least 17 countries.

Beijing is increasingly sensitive about controlling information on its people and economy. Companies are prohibited from storing data about Chinese customers outside China. Some companies, including Didi Global Inc., a ride-hailing service that recently went public in the US, have been publicly warned to strengthen data security.

According to the new regulations, anyone who finds a vulnerability in China must inform the government, and the government will decide what remediation measures to take. Except for product manufacturers, no information may be provided to “overseas institutions or individuals”.

According to the regulations issued by the National Internet Information Office, the Ministry of Public Security, and the Ministry of Industry and Information Technology, no one is allowed to “collect, sell, or publish information about security vulnerabilities in network products.” The new regulations will take effect on September 1.

The People’s Liberation Army, the military wing of China’s ruling party, is regarded, alongside the United States and Russia, as a leader in cyber warfare technology. PLA officers have been accused by US prosecutors of intruding into US companies and stealing technology and trade secrets.

Consultants who discover “zero-day” weaknesses say their work is legal because they serve police or intelligence agencies. Some have been accused of helping governments or organizations that monitor activists, and of complicity in human rights violations.

There is no indication that such private-sector researchers are working in China, but the decision to ban this field shows that Beijing sees it as a potential threat.

In the past 20 years, China has steadily strengthened its control over information and computer security.

Banks and other entities deemed sensitive are required to use only secure products made in China wherever possible. Foreign suppliers that sell routers and some other network products in China are required to disclose to regulators how their encryption functions work.

Security expert opinion

Joseph Carson, Chief Security Scientist and Chief Information Security Officer, ThycoticCentrify

“I expect the Chinese government to weaponize any security breaches it finds to enhance China’s cyber security capabilities,” he told Security Weekly. “This new regulation will tighten any flexibility that security researchers previously had, forcing them to share security research with the Chinese government and restrict further disclosure.”

Jake Williams, co-founder and CTO of BreachQuest

“The government will almost certainly pass these vulnerabilities to threat actors with government backgrounds. This may not lead to an increase in the number of attacks, but it is likely to increase their sophistication. As a side note,” he added, “the defensive advantage Chinese government agencies gain from mitigating the discovered vulnerabilities may far outweigh any offensive gains.”

Bruce Schneier, well-known cryptographer and network security expert

He commented positively on the new rules, saying that China is regulating zero-day exploits and will ensure that all newly discovered zero-day vulnerabilities are disclosed to the government. According to the new regulations, anyone who finds a vulnerability in China must inform the government, and the government will decide what remediation measures to take. Except for product manufacturers, no information may be provided to “overseas institutions or individuals”. The regulations issued by the State Internet Information Office, the Ministry of Public Security, and the Ministry of Industry stipulate that no one may “collect, sell, or publish information about security vulnerabilities in network products.” This simply prevents the cyber-weapons trade. It does not prevent researchers from telling the product’s company, even if that company is outside China.

Impact on vulnerability research

There will be other, less noticeable trickle-down effects. Carson pointed out that this will have an adverse effect on Western organizations doing business in China, because the Chinese government will learn about potential security vulnerabilities in their products before they do. Although the regulations state that vulnerabilities may be disclosed to foreign product manufacturers, it is not certain that this will happen.

If Chinese researchers are really unwilling to disclose their findings to Western manufacturers, this will affect the number of flaws that remain undisclosed (flaws that APT groups know about but the manufacturers still do not). That number may be large. In Adobe’s patch announcement this week (July 13, 2021), researchers such as Xu Peng from the University of Chinese Academy of Sciences (UCAS) and Wang Yanhao from the Qi’anxin Institute of Science and Technology were credited by Adobe for their work.

China’s new regulations may also have an impact on bug bounty programs and the Pwn2Own hacking competition, which usually has contestants from China. It is not clear whether participation in a vulnerability reward program is explicitly prohibited because it is equivalent to “selling” research results; it may be exempted because, in theory, the findings are ultimately provided to the product manufacturer, which is allowed. However, when a researcher skips the bounty program and sells the zero-day to a buyer who offers more, that is expressly prohibited.

The same basic argument applies to the Pwn2Own competition. Although any reduction in the number of Chinese participants will not threaten the continuation of bounty programs or hacking competitions, it may affect the number of vulnerabilities discovered and disclosed.

But this may rebound on China. Williams said: “One of the most likely problems is brain drain. If Chinese researchers can make huge profits from their work elsewhere, but not in China, why should they stay? This may be good for China in the short term, but it’s bad for China in the long run.”



Author: Yoyokuo