A two-year-old regulation, which requires organizations doing business in China to report software vulnerabilities to the government within 48 hours of discovery, reflects the Chinese government’s long-running and increasingly formal treatment of security flaws as strategic resources.
Few details about how China’s “Regulations on the Management of Network Product Security Vulnerabilities” (RMSV) work in practice had been publicly disclosed since the law took effect in 2021. A report published by the Atlantic Council this month sheds light on how companies are complying with it, and on the mandate’s impact on the broader vulnerability disclosure landscape and on China’s offensive hacking capabilities.
“It’s a bit of a sea change from a systems standpoint,” said Dakota Cary, a non-resident fellow at the Atlantic Council’s Global China Hub and a consultant at Krebs Stamos Group, who co-authored the Atlantic Council report with Kristin Del Rosso, product manager at Sophos. “Companies still have bug bounties, they still have public-facing programs where people are compensated to submit… so the incentive for the researcher still exists, but now the government has inserted itself into that process, and in doing so it’s weaponizing that entire vulnerability research system, and it’s piggybacking on the incentives that private companies are providing for researchers to discover these vulnerabilities.”
China’s regulation requires companies to report vulnerabilities to a database managed by the Ministry of Industry and Information Technology (MIIT). Security researchers, for their part, cannot publish information about a vulnerability before a patch is available, and are prohibited from publishing proof-of-concept (PoC) code or “exaggerating the severity” of a flaw.
“In effect, the regulations push all software-vulnerability reports to the MIIT before a patch is available,” said the researchers.
When reports of China’s disclosure mandate first emerged, researchers voiced concerns that such a regulation would give Chinese state actors a pipeline to companies’ zero-day flaws before patches were issued. In the Cyber Safety Review Board’s (CSRB) 2022 review of the Log4j flaw disclosed in late 2021, for instance, the board highlighted press reports that China-based Alibaba was sanctioned for violating the regulation when it reported Log4j directly to the Apache Software Foundation.
“This line of inquiry raised Board concerns around the mandatory vulnerability disclosure laws in the PRC and whether their enforcement may afford the PRC government early access to serious, exploitable vulnerabilities before they are patched,” according to the CSRB report. “The Board raised similar concerns about whether these laws and reports of the PRC’s alleged decision to sanction Alibaba for responsibly reporting a vulnerability to ASF will create a chilling effect that deters researchers from using coordinated vulnerability disclosure best practices.”
Looking further into the structure of the database and the companies participating in these systems, the researchers also found that the MIIT’s vulnerability and threat data is shared with the National Computer Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), whose partner network could in turn give various organizations access to the reports, including entities known to conduct offensive hacking operations in China.
Outside of the Atlantic Council’s research, other reports have pointed to “a decrease in software vulnerabilities being reported to foreign firms and the potential for these vulnerabilities to feed into offensive operations.” In its 2022 Digital Defense Report, Microsoft described the increase in zero-days deployed by PRC-based groups as a “likely” result of the mandate. And as early as 2017, Recorded Future found that the publication of critical flaws in China’s National Information Security Vulnerability Database (CNNVD) was being delayed in a pattern consistent with the flaws being evaluated for offensive use.
In the Atlantic Council report, the researchers found that “at least some” foreign firms doing business in China were complying with the regulations, though they had limited visibility into how many. Notably, at least one foreign firm submitting to the MIIT database reported seeing no benefit from doing so: it said it was not receiving reciprocal reports of flaws in its products found by other researchers, and had seen a “significant decrease” in flaws reported to it from China.
“We find that the 2021 RMSV allows the PRC government, and subsequently the Ministry of State Security, to access vulnerabilities previously uncaptured by past regulatory regimes and policies,” according to researchers. “In some cases, the regulations also facilitate access to some companies’ internal code repositories.”
Microsoft, in its 2022 Digital Defense Report, called the regulation “a major step in the use of zero-day exploits as a state priority.” The mandate formalizes a longer trend, however: for years China has treated vulnerabilities as what the Qihoo 360 CEO has called a “national resource” for the country.
Over the past few years, for instance, China has introduced a number of measures aimed at keeping the discovery and reporting of vulnerabilities in-house, according to the Atlantic Council report. These include barring Chinese security researchers from traveling to software security competitions in other countries, and creating a domestic series of competitions to promote the development of tools that automate how flaws are discovered and exploited.
At the same time, Cary said, the professionalization of the Chinese intelligence services over the last decade has also changed how bugs are discovered and exploited. In Mandiant’s M-Trends report released last year, researchers said that in 2021 the number of Chinese espionage groups they observed had dropped from at least 244 separate Chinese actor sets tracked over the previous five years to 36 active groups, pointing to “more focused, professionalized, and sophisticated attacks conducted by a smaller set of actors.”
“The early twenty-teens are the golden years of Chinese hacking operations - we saw Marriott, Anthem Insurance, OPM - all huge collections,” said Cary. “That was before they implemented policies to standardize their education system, to centralize toolkits, they’ve done so much to professionalize what they do.”
Overall, the researchers said, China’s regulation is producing a “near total collection of software vulnerabilities discovered in China,” widening “the aperture of China’s vulnerability collection.”
"China’s system for collecting software vulnerabilities is now all encompassing. The PRC system has evolved from incentivizing voluntary disclosure to security services and encouraging disclosure to private-sector firms into mandating vulnerability disclosure to the state," according to the Atlantic Council report.