China suspends info-sharing deal with Alibaba over Log4j reporting
China’s Ministry of Industry and Information Technology will suspend their cybersecurity agreement with Alibaba Cloud for six months.
China’s internet security regulator announced on Wednesday the suspension of the information-sharing deal with Alibaba Cloud, the cloud computing subsidiary of Alibaba Group.
Notifying vendors first about security flaws has been a longstanding norm in the global cybersecurity industry. But a new law “encourages Chinese companies to first notify the government,” South China Morning Post reports.
Log4j (aka Log4Shell), the “extremely critical” bombshell of a vulnerability tracked as CVE-2021-44228, was first reported on November 24 by Alibaba’s Chen Zhaojun, who notified the Apache Software Foundation (ASF) about the security flaw.
However, according to a report by Reuters, Alibaba did not immediately report the infamous Log4j vulnerability to China's telecommunications regulator, drawing the ministry’s ire. China’s internet regulator claims that it received the report “from a third party about the issue, rather than from Alibaba Cloud.”
“In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms, to be reassessed in six months and revived depending on the company's internal reforms,” Reuters reports.
China's tightening grasp on data holders
According to Reuters, the suspension points to China’s intentions to “strengthen control over key online infrastructure and data in the name of national security.”
In addition to forcing vendors to report security flaws to the government first, China’s regulators also demand that state-owned companies “migrate their data from private operators such as Alibaba and Tencent to a state-backed cloud system by next year.”
“This vulnerability may lead to remote control of equipment, which may lead to serious harms such as the theft of sensitive information and interruption of equipment services. It is a high-risk vulnerability,” China’s Ministry of Industry and Information Technology said in a statement.
More from CyberNews
Subscribe to our newsletter