China tips the scale of global cybersecurity by hoarding vulnerabilities

There is little to celebrate for digital rights in China. A seemingly constant stream of developments is putting human rights defenders on high alert, as the Chinese state grows ever more powerful and cultivates its surveillance capabilities, integrates social media monitoring with everyday policing, and appears to be persuading international companies like Apple and Google to comply with Chinese law and practices that harm human rights in order to enter the market. China also runs the largest biometric policing system known to date.

Somewhat hidden under the din of this overtly dystopian discourse are the small yet powerful moves that China is making that are likely to have a long-term negative impact on global cybersecurity, even beyond the Great Wall. These include the government’s strategic withholding of technology vulnerabilities from the international community.

In the simplest terms, a vulnerability is a flaw in the design or implementation of an information technology product or system, hardware or software, that can be used to exploit or penetrate it (CERT publishes a fuller definition). Vulnerabilities of design or implementation are common and will always exist; what matters is how we respond when we discover them.

Hidden figures: when the numbers give up the game

In November 2017, Recorded Future published research on the publication speed of China's National Vulnerability Database (with the memorable acronym CNNVD). When they first ran the comparison against the U.S. National Vulnerability Database, they concluded that China evaluates and reports vulnerabilities faster than the U.S. However, when they revisited the same entries at a later date, they found that a majority of the publication dates had been altered to hide a much longer processing period, during which the Chinese government could assess whether a vulnerability would be useful in intelligence operations.

Recorded Future also concluded that this backdating is most likely carried out at the direction of the Chinese Ministry of State Security (MSS), which operates the CNNVD as a front and needs a longer period to evaluate vulnerabilities for operational utility before the weaknesses are made public. That delay holds back the public notification, patching, and remediation guidance that needs to happen.
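The finding above rests on a simple method: keep your own copies of a vulnerability database at different times and diff them, because once an operator rewrites publication dates, the live database no longer shows the original lag. The following Python example is added here to show that check and is not Recorded Future's code; all the CVE identifiers, dates and both "snapshots" are constructed for illustration and are not real CNNVD or NVD records. It measures each entry's lag against the U.S. NVD date, then flags entries whose publication date moved earlier between two crawls.

```python
"""Diff two crawls of a vulnerability database to detect backdated entries.
Added example; not the page's or Recorded Future's code. All records are
constructed, not real CNNVD/NVD data."""
from dataclasses import dataclass
from datetime import date
from statistics import median

# Constructed baseline: publication date of each CVE in the U.S. NVD.
NVD = {
    "CVE-2017-0001": date(2017, 3, 1),
    "CVE-2017-0002": date(2017, 3, 5),
    "CVE-2017-0003": date(2017, 4, 10),
    "CVE-2017-0004": date(2017, 5, 2),
}

# Constructed CNNVD publication dates as recorded by the first crawl.
SNAPSHOT_FIRST = {
    "CVE-2017-0001": date(2017, 3, 2),   # 1 day after NVD
    "CVE-2017-0002": date(2017, 3, 4),   # 1 day before NVD
    "CVE-2017-0003": date(2017, 6, 30),  # 81 days after NVD: outlier
    "CVE-2017-0004": date(2017, 8, 15),  # 105 days after NVD: outlier
}

# Same entries as recorded by a later crawl (constructed): the two
# outliers now carry dates close to NVD's, i.e. they were backdated.
SNAPSHOT_LATER = {
    "CVE-2017-0001": date(2017, 3, 2),
    "CVE-2017-0002": date(2017, 3, 4),
    "CVE-2017-0003": date(2017, 4, 11),
    "CVE-2017-0004": date(2017, 5, 3),
}


def lag_days(cnnvd_dates, nvd_dates=NVD):
    """Days from NVD publication to CNNVD publication, per CVE.
    Negative means CNNVD published first."""
    return {cve: (cnnvd_dates[cve] - nvd_dates[cve]).days
            for cve in cnnvd_dates if cve in nvd_dates}


def median_lag(cnnvd_dates, nvd_dates=NVD):
    """Median lag across the snapshot; this is the headline figure that
    looks good or bad depending on which crawl you measure."""
    return median(lag_days(cnnvd_dates, nvd_dates).values())


@dataclass(frozen=True)
class Backdated:
    cve: str
    first_seen: date
    later_seen: date
    days_moved: int


def find_backdated(first, later):
    """Entries whose publication date moved EARLIER between crawls.
    A date moving later can be a correction or re-publication; a date
    moving earlier rewrites history, so only that direction is flagged."""
    found = []
    for cve, d_first in first.items():
        d_later = later.get(cve)
        if d_later is not None and d_later < d_first:
            found.append(Backdated(cve, d_first, d_later, (d_first - d_later).days))
    return sorted(found, key=lambda b: b.days_moved, reverse=True)


def report(first=SNAPSHOT_FIRST, later=SNAPSHOT_LATER):
    """Print the before/after picture for the constructed snapshots."""
    print(f"median lag at first crawl: {median_lag(first)} days")
    print(f"median lag at later crawl: {median_lag(later)} days")
    for b in find_backdated(first, later):
        print(f"{b.cve}: {b.first_seen} -> {b.later_seen} "
              f"(moved {b.days_moved} days earlier)")


if __name__ == "__main__":
    report()
```

The point of the two numbers is that the later crawl alone would report a one-day median lag and look better than the NVD, while the archived first crawl shows a 41-day median driven by a few long-held entries. Only an archive you control can expose the difference, which is why the check has to be run against your own retained snapshots rather than against the live database.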

Strategic use of vulnerabilities by a state agency is not unique or new, but there is now a strong push across the globe for governments to have disclosure policies in place that set out concrete rules for the state's handling of this highly sensitive information, such as the U.S. Vulnerabilities Equities Process (VEP).

Pulling apart the security research community

What deepens the concerns about the issues raised by MSS involvement in what should be an independent process is the systematic effort China is making to exert control over vulnerability disclosure inside and outside its national borders.

In March 2018, the news that China would have no team at Pwn2Own, a hacking competition held in Canada, made headlines, since security researchers from China had previously dominated the event.

In May 2018, the first DEF CON to take place outside the U.S. was held in Beijing, China, in cooperation with Baidu Security. This drew further attention to the government's evident eagerness to control the flow of information about security vulnerabilities. Despite the "instructions from the state" not to attend international hacking competitions, DEF CON in Beijing was heavily attended by Chinese researchers. The order stands in contrast to the effort by Chinese authorities to engage with the global community by hosting such global conferences and inviting international speakers.

There is no law in place explicitly directing this behavior (Article 26 of the problematic Chinese Cybersecurity Law states only that "national provisions" must be followed), but Chinese researchers themselves say that there is immense pressure to report vulnerabilities directly to the authorities or to the affected companies, and not to share them with the international community at large. This appears to be a political decision that could put China at odds with its ambition to maintain global innovation and market dominance.

Politics over security

In July 2018, hearings in the U.S. Congress revealed that Chinese companies, and almost certainly the Chinese government, knew about the now-infamous Meltdown and Spectre microprocessor vulnerabilities well before they were disclosed to users, a group that included foreign governments. There is a clear strategic advantage in such a head start, but it puts the security of the global digital ecosystem at risk.

There is a reason that vulnerability disclosure is increasingly discussed as an integral part of cybersecurity policies: when vulnerabilities are not patched, they pose a severe security threat that is far-reaching and potentially economically devastating. Best practices for vulnerability disclosure are a way to guard against this, spelling out who should be contacted about security flaws, how soon they should be patched, and when they should be publicly disclosed.

It appears that China would rather spend months on political strategizing at the MSS than disclose security flaws promptly to the global community. Given the sizeable hacker community in China, this heavily tips the global digital security scale in a way that destabilizes and threatens everyone.

Related reading:

See our previous analysis of the China Cybersecurity Law.