The Microsoft Exchange server hack that the U.S. just attributed to China could become an even more common and dangerous occurrence with the announcement of China’s new rules for software vulnerabilities. The regulations, which go into effect in September, force foreign firms to disclose these faults if they want to do business in China. In so doing, they weaponize the vulnerability discovery process and have significant national security consequences for the U.S. and its allies.
A vulnerability, when correctly exploited, allows an attacker to access something they shouldn’t have been able to reach. In the U.S., an active community of cybersecurity researchers, incentivized by corporate bounty programs and lucrative cybersecurity competitions, voluntarily discloses information about vulnerabilities to companies or the U.S. government. The National Institute of Standards and Technology manages this process, issuing an ID number and listing the vulnerability in the National Vulnerability Database. Government hackers discover their own vulnerabilities, either by doing dozens of hours of research or by purchasing them from vendors. But China’s new rules on software vulnerabilities try to upend this system. The new policies co-opt the global cybersecurity community into China’s vulnerability discovery pipeline by requiring companies doing business in China to disclose their vulnerabilities to the government.
China’s new policies would allow its hacking teams to free ride on cybersecurity research conducted outside its borders, turning defensive research into offensive capabilities. Article 2 and Article 7(2) of China’s new regulations require companies operating within China to report known software vulnerabilities to the Ministry of Industry and Information Technology (MIIT) within two days of becoming aware of the issue. In effect, the new regulations would transfer software vulnerabilities found in the United States and other countries to China’s MIIT before the company could patch the vulnerability. The regulatory structure positions China’s security services to evaluate new vulnerabilities as they are reported. Research conducted outside China will facilitate its hacking campaigns against other nations.
Despite the new regulations, this is not a new playbook for China — it’s just the most emboldened version to date. Research published by Recorded Future in late 2017 described how government hackers were harvesting vulnerabilities submitted to China’s own National Vulnerability Database for hacking campaigns. The security services delayed publication of the most critical vulnerabilities and created malware to exploit them. There is no reason to think MIIT’s new policy won’t play a similar role in collecting software vulnerabilities that support China’s espionage. But instead of relying on purely domestic researchers voluntarily submitting vulnerabilities, China intends to draw on both its cybersecurity community and foreign companies under penalty of law.
For China, it is the most widespread application of military-civil fusion in the cyber domain to date. The strategy that previously permitted behavior like working closely with its private sector firms and universities is expanding beyond its borders. The policy weaponizes a process that previously served to make the internet safer. It is an attack on global cybersecurity and is an irresponsible grab for software vulnerabilities.
Governments around the world, including the United States, may need to lean into a new form of “reverse coordinated disclosure” — one where companies disclose vulnerabilities to a short list of U.S., EU, and NATO government officials anytime they report one to China’s MIIT. If such a policy is clearly articulated and adopted by U.S. firms, it could deter China from enforcing its new rules, since no government would have an advantage over another. Firms would lose out in the short term if China forces them to disclose vulnerabilities discovered and reported abroad, but they would benefit from a system where no government required disclosure of vulnerabilities: the old system. Like China’s new anti-foreign sanctions law, the new policy’s most important impact may not lie in its implementation, but in the new grey zone of legality that companies are forced to operate in.
China’s new policy would enable the behaviors that the United States, NATO and EU countries denounced earlier this week. Putting itself in a privileged position to evaluate and harvest all software vulnerabilities from researchers within China is already an audacious implementation of its military-civil fusion strategy; harnessing the efforts of researchers outside China is a step too far.
Vulnerabilities used to be an area of common interest whose public disclosure was largely respected as necessary to improve everyone’s cybersecurity. China’s new policy will weaponize that public good.
Dakota Cary is a research analyst at Georgetown’s Center for Security and Emerging Technology (CSET), where he works on the CyberAI Project.