How China is using network vulnerabilities to boost its cyber capabilities
15 Dec 2022|

When news of China’s new vulnerability reporting regulations broke last year, fears circulated that Beijing would use the law to stockpile undisclosed cybersecurity vulnerabilities, known as ‘zero days’.

A report released last month by Microsoft indicates that these fears have likely been realised.

The Regulations on the Management of Network Product Security Vulnerabilities require that any vulnerability discovered within China be reported to the relevant authorities within two days. For software and products developed outside mainland China, this is particularly problematic because the Chinese government now has access to vulnerabilities before vendors can patch them. This lead time enables Beijing to assess vulnerabilities for its own operational advantage—in other words, to see whether they can be exploited for use in a cyberattack against foreign entities.

By developing a better understanding of the structure of China’s system of cybersecurity governance, we might improve our grasp of the wave of new legislation and reforms occurring in China’s cybersecurity sector. This in turn will enable us to better understand how laws such as the vulnerability reporting regulations contribute to President Xi Jinping’s vision to make China a ‘cyber powerhouse’ (网络强国), and will give policymakers greater insights into the threats posed by Beijing’s cyber capabilities.

China’s cybersecurity landscape comprises a complex system, or xitong (系统), of command structures and organisational bodies that operate with an interwoven network of laws, supporting regulations and guidelines to enforce China’s overarching cybersecurity strategy. Given the opacity of the Chinese system of governance and recent reforms that have dramatically changed the nation’s cybersecurity sector, attributing responsibility and decoding the hierarchical structure of this xitong is difficult. Through careful analysis of primary and secondary sources, ASPI has developed new insights into the major players and the system under which they are organised.

Driven by a desire to better understand how China’s system of cybersecurity governance operates and to discover how entities have access to cybersecurity vulnerabilities, I have mapped the organisational structure and, in doing so, created a resource for others working in this area.

As part of this work, I delved into how the system facilitates China’s exploitation of vulnerabilities for its offensive cyber activities.

Article 7.2 of the regulations states that all vulnerabilities must be reported to the Ministry of Industry and Information Technology’s ‘network security threat information-sharing platform’ within two days of being discovered. However, according to a government-issued infographic, sharing of vulnerabilities with additional entities is also encouraged. These include the National Vulnerability Database of Information Security, which sits under the China Information Technology Security Evaluation Centre. Given that both of these entities are overseen by the Ministry of State Security, it’s reasonable to assume that the ministry has access to all vulnerabilities reported to them.

The Ministry of State Security is China’s foremost intelligence and security agency. It has been found to have routinely conducted cyber-enabled espionage and is linked to at least two advanced persistent threats—APT3 (also known as ‘Gothic Panda’) and APT10 (‘Stone Panda’). In 2017, researchers at Recorded Future concluded that the ministry’s access to vulnerabilities might ‘allow it to identify vulnerabilities in foreign technologies that China could then exploit’. The same group later published a finding that the National Vulnerability Database of Information Security had manipulated the publication dates of vulnerabilities in an effort to cover up China’s process of evaluating high-threat vulnerabilities to see whether they had ‘operational utility in intelligence operations’.

Last month’s Microsoft report indicates that Chinese state has probably taken advantage of the new vulnerability reporting regulations, stating: ‘The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority.’ CrowdStrike’s 2022 global threat report also identified China as a ‘leader in vulnerability exploitation’ and reported a six-fold increase in the number of vulnerabilities exploited by ‘China-nexus’ actors, representing a major shift in the kind of cyberoperations China is conducting.

The picture we are able to build of the cybersecurity governance structure fits with China’s overarching strategy of military–civil fusion (军民融合) in that Beijing has sought to engage civilian enterprises, research and talent in the cybersecurity sector to bolster military objectives. The strategy’s goal is to deepen China’s defence mobilisation so that civil society can be used in both war and strategic competition. Military–civil fusion is not a new strategy for China, but it has been increasingly prominent under the leadership of Xi and is a component of nearly every major strategic initiative since his ascension to the presidency.

The Chinese intelligence apparatus’s exploitation of these vulnerability reporting regulations is one further example of how Beijing has leveraged the civilian cybersecurity sector to advance the state’s offensive cyber capabilities.