China’s vulnerability disclosure regulations put state security first

On 1 September, new regulations will come into effect in China that tighten the requirements for reporting security vulnerabilities in network products (pertaining to ‘weaknesses or flaws’ in ‘software, hardware, or organizational processes’) to the government. When they were first published in July, the Regulations on the Management of Network Product Security Vulnerabilities incited a flurry of commentary about Beijing’s intentions. For example, some posited that the regulations would enable the government to ‘stockpile zero-days’, while others said the party-state might seek to ‘weaponize any discovered security vulnerabilities’.

The regulations do create space for opportunistic offensive action, but they also have a defensive intent that has been largely overlooked. Understanding the multiple purposes the regulation can serve helps us better understand the implications for entities that are subject to the law, including potential conflicts of interest for businesses with operations in China and elsewhere.

President Xi Jinping and China’s leadership espouse the view that ‘without network security there is no state security’. The internet has become central to all facets of national development, including politics, economics and military affairs. In this context, the new regulations are directed at ensuring that vulnerabilities are identified and fixed quickly to prevent a situation that, as one People’s Daily Online commentary put it, ‘threatens state security’, including through the leakage overseas of ‘public data and information’.

Network vulnerabilities are seen as strategic resources that can be used by foreign adversaries against China. The regulations emphasise preventing malicious activities that target Chinese networks; Articles 3 and 4 specifically prohibit actions that enable activities harmful to network security and other internet-based crimes. The scope of such activities is left intentionally vague; the named concerns include fraud and extortion, but foreign espionage was almost certainly on the minds of the regulation’s drafters, who also understood that activities ‘harming network security’ can be political in nature.

In 2019—the year the first draft of the vulnerability regulations was issued—China’s principal civilian intelligence service, the Ministry of State Security, asserted that just one out of nearly 100 advanced persistent threat groups targeting China initiated almost 4,000 attacks, including on major political events such as the ‘two sessions’, the Belt and Road Forum, and the 70th anniversary of the founding of the People’s Republic of China. Chinese cybersecurity firm Qihoo 360 alleged that a group affiliated with the US Central Intelligence Agency conducted a years-long cyber campaign against Chinese government agencies and critical sectors from 2008 through 2019.

In the years prior to the draft regulation being put forward, China’s cybersecurity was generally weak. In 2015, Qihoo 360 found that 43.9% of more than two million websites had vulnerabilities, 13% of which were high threat. More worrisome, the fix rate was just 4.7% after notification—‘more than 95% of website vulnerabilities went unrepaired for a long time’. The situation appears to have improved somewhat since, based on a much smaller sample taken in 2019. Yet market research that year suggested that investment in network security as a proportion of all informatisation expenditure was still lagging (1% compared with 15% in the United States). As of 2020, China’s National Computer Network Emergency Response Technical Team reported that China’s cybersecurity apparatus continued to face increasing threats.

The regulations are also part of an expanding Chinese legal framework governing network security, ranging from the 2016 cybersecurity law to the new data security law, which also takes effect on 1 September. Both lay the groundwork for enhancing state security by addressing perceived weaknesses. Article 23 of the new data security law is particularly relevant. It calls for the state to establish an emergency response mechanism for data security incidents that requires the relevant departments to activate emergency response plans to contain the harm, close the security gap and, where required, warn the public.

The new vulnerability regulations are in line with the data security law and appear to create a framework for implementing a data security emergency response mechanism when a network vulnerability is discovered. They place a number of obligations on network product vendors (the term is not defined in the regulation; it likely refers to any developer of network hardware or software, including servers, web applications and websites) that operate in China, and on other parties in China that discover vulnerabilities. These obligations include reporting vulnerabilities to China’s Ministry of Industry and Information Technology within two days. Vendors now also have a legal obligation to fix known vulnerabilities.

Despite addressing real security concerns, the state security environment created by the Chinese government gives rise to unique political risks for any entity subject to the law. China’s state security interests are explicitly defended before the interests of any other affected party. The vulnerability regulations apply to all relevant actors operating within China, including Chinese companies that have a global footprint and international companies with operations in China. Any vulnerability in their products would likely affect systems and users beyond China, yet Article 9 states that vulnerabilities cannot be disclosed publicly until Chinese authorities have undertaken assessments. Article 9 also explicitly prohibits sharing vulnerability information with anyone overseas, unless the vendor itself is overseas. The Chinese government, therefore, is to be given access to information on vulnerabilities before any other interested party.

There’s also a real likelihood that the regulations will facilitate China’s cyber espionage efforts opportunistically in the gaps between reporting, patching and disclosure. Research by cybersecurity company Recorded Future has shown that network vulnerabilities known to the government are very likely evaluated for espionage utility.

The Ministry of State Security’s vulnerability database, which is separate from Ministry of Industry and Information Technology’s vulnerability database, typically publishes vulnerabilities in an average of 13 days. Yet ‘high threat’ vulnerabilities are consistently published much later. In one instance, Chinese hackers actively exploited one of these high-threat vulnerabilities during the delay period. In another example, the winning hack from China’s 2018 Tianfu Cup—the first major domestic hacking competition since Chinese white hats were banned from international competitions—was reported to the vendor as is convention, but was used for espionage almost from the moment of discovery until Apple issued a fix.

The new vulnerability regulations, coupled with all of the government’s other cybersecurity-related legislation in recent years, are partly meant to ensure China is capable of withstanding a major adversarial confrontation from abroad. China-headquartered technology companies with global operations are increasingly put in a difficult position.

Global companies with a footprint in China will also be challenged by the tightening restrictions. It is becoming increasingly difficult for a company to navigate the regulatory requirements of operating in China while not undermining the national security of other countries in which it may have business operations. Under Xi, the state security apparatus has more explicitly placed responsibility on everyone to maintain and guarantee China’s state security, which prioritises the party’s power over all else.