A Most Dangerous Precedent

By Leah Walker and Andrew Jensen on July 19, 2021

In the wake of sweeping data security and cybersecurity legislation passed last month, the Cyberspace Administration of China, alongside police and industry ministries, introduced new regulations this week that prevent information about zero day vulnerabilities from being shared with anyone outside of the Chinese government and the manufacturer of the affected product. The announcement was unwelcome in the global security industry, and represents a concerning development for international cybersecurity.

Under the new regulations, as reported by the AP, Chinese citizens may not “collect, sell, or publish information on network product security vulnerabilities.” Instead, people in China who find a zero day vulnerability must notify the government, which will then decide what repairs to make. The rule says no information can be given to “overseas organizations or individuals” other than the product’s manufacturer. The language seems to suggest that while sharing with the manufacturer is permitted, it is not required. Sharing the information with the Chinese government, however, is very clearly required. 

The new regulations mean that private security experts and hobbyist hackers within China will no longer be able to share vulnerability findings with anyone but the government and the vendor. An important source of global vulnerability information will shut off, and the rules almost certainly signal the end of international bug hunting contests and private bounty programs for researchers based in China. The loss of information sharing is deeply unfortunate, because a zero day discovered in China affects the same software everywhere else; the vulnerability will be exploited worldwide, not only in China. Security researchers benefit from seeing and discussing the findings of their peers, since new bug classes and variants of documented failures are routinely found by building on existing public research.

It is important to highlight that the regulations are most consequential for zero day vulnerabilities: flaws in software, firmware, or hardware that are not yet known to the vendor or the public, and for which no patch exists. They are not limited to operating systems; any network product can contain one. The government most likely implemented these rules to give China an edge in cutting-edge vulnerability exploitation. Zero days are also the most devastating class of vulnerability, because defenders have no patch and often no detection signature, and a zero day in widely deployed software can be exploited en masse before anyone notices. The Stuxnet attack on Iran's nuclear program, which chained several previously unknown Windows vulnerabilities, is an excellent example of how damaging, and in particular how physically damaging, exploited zero days can be.

The new regulations also mean that the Chinese government can stockpile zero day exploits and the intrusion capabilities built on them, giving Chinese government linked APTs a significant advantage over other groups. A steady supply of privately reported exploits could mean that Chinese government sanctioned offensive cyber operations increase in both frequency and sophistication. It is not beyond the realm of reason to believe that the PLA or the CCP would exploit zero days and other vulnerabilities. Cyberattacks with far-reaching implications have been initiated by state actors using such flaws: Stuxnet relied on multiple zero days to physically damage industrial equipment, and NotPetya, while it spread through a Windows vulnerability that had already been patched but was still widely unpatched, shows the scale of destruction a state-built worm can cause to corporate and infrastructure systems. Chinese APTs have a varied history of using zero days to infiltrate organizations. APT3 and APT18, both suspected Chinese APTs, are well known for exploiting zero days. Most recently, Chinese-suspected threat actors UNC2630 and UNC2717 exploited a zero day vulnerability in Pulse Secure VPN appliances to infiltrate organizations in the defense, government, technology, transportation, and financial sectors. The affected organizations also included several U.S. government agencies, according to CISA. Stockpiling zero day exploits within the country would allow Chinese APTs to keep launching operations against international industries and governments.

Most dangerously, the regulations will likely give government-sponsored APT groups within China a head start on zero day exploits. Newly reported vulnerabilities could be passed quickly to offensive cyber groups, allowing them to gain footholds in systems and networks before individuals, organizations, and governments in other countries even learn that the vulnerability exists, let alone have an opportunity to patch it.

Aside from government-sponsored APT groups, other criminal actors within China will also likely gain increased access to zero day vulnerabilities. Bug hunters who operate in China, having lost the legal option of selling vulnerability information to overseas organizations or individuals, could skirt the new regulations and continue to make money by selling to cybercrime groups within China. These cybercriminals would take advantage of their improved arsenal, and it is likely that Beijing would turn a blind eye to such groups as long as they continue to prioritize targets outside of China.

A major power outright outlawing the sharing of vulnerability information with the rest of the world sets a dangerous precedent which could prove to be a most unfortunate turning point. State cybersecurity policy is a delicate balance between sharing information and gaining leverage over other countries. This change could trigger a domino effect for international collaboration on cybersecurity. As state cybersecurity apparatuses retreat inward, tensions between states on cyber issues could rise quickly, reducing international cooperation against cybercriminal activity. At a moment when the world is focused on stopping the spread of ransomware, ending information sharing between countries on cybersecurity could mean that many cybercriminals escape attribution and prosecution.

International cyber cooperation is especially critical now, as the entire world faces a ransomware epidemic and an increasing onslaught of cyberattacks on all industries and governments. As critical systems have become increasingly digitized around the world, and technology continues to make up an ever more important facet of everyday life globally, malware threatens not only private companies around the world, but increasingly human lives and livelihoods. Given the proliferation of rogue cybercriminals indiscriminately attacking whichever systems are most vulnerable, a degradation in international cybersecurity cooperation would only enable cybercrime.  

As digital authoritarian regimes rise across the globe, the internet has increasingly turned towards balkanization, isolating citizens within digital borders. The same trend mirrored in cybersecurity would be devastating, with crushing blows to international cooperation and the enabling of asymmetric state actors and cybercrime groups. To best secure an increasingly digital world, countries need to be able to work together against cyberattacks and malware. Cyberattacks are not contained by national borders. Their mitigation and prevention must meet the threat and be equally unconstrained.