For a couple of years now, China has been ordering any tech company operating on its soil to hand over information about unpatched vulnerabilities. This is invaluable for state-sponsored hacking operations, research says.
In a report called “Sleight of hand: How China weaponizes software vulnerabilities,” the Atlantic Council think tank investigates the dangerous consequences of a regulation China adopted in 2021.
The law, named “Regulations on the Management of Network Product Security Vulnerabilities,” was designed to change how companies and security researchers working in China handle the discoveries of security vulnerabilities in tech products.
Companies operating in China must now report software vulnerabilities, flaws in code that attackers can exploit, to the Ministry of Industry and Information Technology within 48 hours of their discovery.
Researchers cannot publish information about the discovered vulnerabilities before a patch is available — unless the product owner and the aforementioned ministry agree. The flaws are added to the National Vulnerability Database, officially called the National Computer Network Emergency Response Technical Teams/Coordination Center (CNCERT/CC).
On the one hand, one could say China simply cares about information security and wants to defend the country’s networks. Moreover, the United Kingdom recently unveiled plans to revise the Investigatory Powers Act 2016 and require companies and researchers to report newly discovered security vulnerabilities and leave them unpatched.
However, leaving vulnerabilities unpatched can be valuable for state-sponsored hacking operations. Intelligence agencies seek to exploit flaws in software, especially foreign-made software, to carry out their campaigns of cyber-espionage.
If tech companies comply with the new regulations and report the vulnerabilities to the Chinese authorities before patching them, Beijing’s agents can infiltrate the product and its users — who could be living anywhere in the world.
The National Vulnerability Database is then essentially a pipeline of fresh exploitable flaws, “particularly valuable in a changing operational environment,” the Atlantic Council says in the report.
Even more importantly, researchers found that CNCERT/CC makes its reports available to “partners” that seem to be devoted to exploiting vulnerabilities — not fixing them.
For example, one such agency is the Beijing bureau of China’s Ministry of State Security, responsible for aggressive state-sponsored hacking operations in recent years.
The collected flaws are also shared with Beijing Topsec, a known People’s Liberation Army (PLA) contractor, and a research center at Shanghai Jiao Tong University responsible for “advanced persistent threat attack and defense,” which houses a cybersecurity school tied to PLA hacking campaigns.
This is tricky for foreign technology companies operating in China, and, according to the Atlantic Council, some foreign firms with China-based operations are complying with the law and thus opening their doors to Beijing’s cyber spies.
Essentially, the conundrum is as follows: either give sensitive descriptions of flaws in the company’s products to the government that could use the information for offensive hacking, or leave China.
Geopolitical implications could be serious, as US-China tensions over cyber-espionage have peaked in recent months. For instance, in July, it was revealed that Chinese hackers somehow obtained a cryptographic key that allowed Beijing’s spies to access the email accounts of 25 US organizations, including the State Department and the Department of Commerce.