For state-sponsored hacking operations, unpatched vulnerabilities are valuable ammunition. Intelligence agencies and militaries seize on hackable bugs when they're revealed—exploiting them to carry out their campaigns of espionage or cyberwar—or spend millions to dig up new ones or to buy them in secret from the hacker gray market.
But for the past two years, China has added another approach to obtaining information about those vulnerabilities: a law that simply demands that any network technology business operating in the country hand it over. When tech companies learn of a hackable flaw in their products, they’re now required to tell a Chinese government agency—which, in some cases, then shares that information with China's state-sponsored hackers, according to a new investigation. And some evidence suggests foreign firms with China-based operations are complying with the law, indirectly giving Chinese authorities hints about potential new ways to hack their own customers.
Today, the Atlantic Council released a report—whose findings the authors shared in advance with WIRED—that investigates the fallout of a Chinese law passed in 2021, designed to reform how companies and security researchers operating in China handle the discovery of security vulnerabilities in tech products. The law requires, among other things, that tech companies that discover or learn of a hackable flaw in their products must share information about it within two days with a Chinese agency known as the Ministry of Industry and Information Technology. The agency then adds the flaw to a database whose name translates from Mandarin as the Cybersecurity Threat and Vulnerability Information Sharing Platform but is often called by a simpler English name, the National Vulnerability Database.
The report’s authors combed through the Chinese government's own descriptions of that program to chart the complex path the vulnerability information then takes: The data is shared with several other government bodies, including China’s National Computer Network Emergency Response Technical Teams/Coordination Center, or CNCERT/CC, an agency devoted to defending Chinese networks. But the researchers found that CNCERT/CC makes its reports available to technology "partners" that include exactly the sort of Chinese organizations devoted not to fixing security vulnerabilities but to exploiting them. One such partner is the Beijing bureau of China's Ministry of State Security, the agency responsible for many of the country's most aggressive state-sponsored hacking operations in recent years, from spy campaigns to disruptive cyberattacks. And the vulnerability reports are also shared with Shanghai Jiaotong University and the security firm Beijing Topsec, both of which have a history of lending their cooperation to hacking campaigns carried out by China's People Liberation Army.
“As soon as the regulations were announced, it was apparent that this was going to become an issue,” says Dakota Cary, a researcher at the Atlantic Council's Global China Hub and one of the report’s authors. “Now we've been able to show that there is real overlap between the people operating this mandated reporting structure who have access to the vulnerabilities reported and the people carrying out offensive hacking operations.”
Given that patching vulnerabilities in technology products almost always takes far longer than the Chinese law’s two-day disclosure deadline, the Atlantic Council researchers argue that the law essentially puts any firm with China-based operations in an impossible position: Either leave China or give sensitive descriptions of vulnerabilities in the company’s products to a government that may well use that information for offensive hacking.
The researchers found, in fact, that some firms appear to be taking that second option. They point to a July 2022 document posted to the account of a research organization within the Ministry of Industry and Information Technologies on the Chinese-language social media service WeChat. The posted document lists members of the Vulnerability Information Sharing program that “passed examination,” possibly indicating that the listed companies complied with the law. The list, which happens to focus on industrial control system (or ICS) technology companies, includes six non-Chinese firms: Beckhoff, D-Link, KUKA, Omron, Phoenix Contact, and Schneider Electric.
WIRED asked all six firms if they are in fact complying with the law and sharing information about unpatched vulnerabilities in their products with the Chinese government. Only two, D-Link and Phoenix Contact, flatly denied giving information about unpatched vulnerabilities to Chinese authorities, though most of the others contended that they only offered relatively innocuous vulnerability information to the Chinese government and did so at the same time as giving that information to other countries’ governments or to their own customers.
The Atlantic Council report’s authors concede that the companies on the Ministry of Industry and Information Technology’s list aren’t likely handing over detailed vulnerability information that could immediately be used by Chinese state hackers. Coding a reliable “exploit,” a hacking software tool that takes advantage of a security vulnerability, is sometimes a long, difficult process, and the information about the vulnerability demanded by Chinese law isn’t necessarily detailed enough to immediately build such an exploit.
But the text of the law does require—somewhat vaguely—that companies provide the name, model number, and version of the affected product, as well as the vulnerability's “technical characteristics, threat, scope of impact, and so forth.” When the Atlantic Council report’s authors got access to the online portal for reporting hackable flaws, they found that it includes a required entry field for details of where in the code to “trigger” the vulnerability or a video that demonstrates “detailed proof of the vulnerability discovery process,” as well as a nonrequired entry field for uploading a proof-of-concept exploit to demonstrate the flaw. All of that is far more information about unpatched vulnerabilities than other governments typically demand or that companies generally share with their customers.
Even without those details or a proof-of-concept exploit, a mere description of a bug with the required level of specificity would provide a “lead” for China’s offensive hackers as they search for new vulnerabilities to exploit, says Kristin Del Rosso, the public sector chief technology officer at cybersecurity firm Sophos, who coauthored the Atlantic Council report. She argues the law could be providing those state-sponsored hackers with a significant head start in their race against companies’ efforts to patch and defend their systems. “It’s like a map that says, ‘Look here and start digging,’” says Del Rosso. “We have to be prepared for the potential weaponization of these vulnerabilities.”
If China’s law is in fact helping the country’s state-sponsored hackers gain a greater arsenal of hackable flaws, it could have serious geopolitical implications. US tensions with China over both the country’s cyberespionage and apparent preparations for disruptive cyberattack have peaked in recent months. In July, for instance, the Cybersecurity and Information Security Agency (CISA) and Microsoft revealed that Chinese hackers had somehow obtained a cryptographic key that allowed Chinese spies to access the email accounts of 25 organizations, including the State Department and the Department of Commerce. Microsoft, CISA, and the NSA all warned as well about a Chinese-origin hacking campaign that planted malware in electric grids in US states and Guam, perhaps to obtain the ability to cut off power to US military bases.
Even as those stakes rise, the Atlantic Council’s Cary says he’s had firsthand conversations with one Western tech firm on the Ministry of Industry and Information Technology’s list that directly told him it was complying with China’s vulnerability disclosure law. According to Cary, the lead executive for the Chinese arm of the company—which Cary declined to name—told him that complying with the law meant that it had been forced to submit information about unpatched vulnerabilities in its products to the Ministry of Industry and Information Technology. And when Cary spoke to another executive of the company outside of China, that executive wasn’t aware of the disclosure.
Cary suggests that a lack of awareness of vulnerability information shared with the Chinese government may be typical for foreign companies that operate in the country. “If it’s not on executives’ radar, they don’t go around asking if they’re in compliance with the law that China just implemented,” says Cary. “They only hear about it when they’re not in compliance.”
Of the six non-Chinese firms on the Ministry of Industry and Information Technology’s list of compliant ICS technology firms, Taiwan-based D-Link gave WIRED the most direct denial, responding in a statement from its chief information security officer for North America, William Brown, that it “has never provided undisclosed product security information to the Chinese government.”
German industrial control system tech firm Phoenix Contact also denied giving China vulnerability information, writing in a statement, “We make sure that potential new vulnerabilities are handled with utmost confidentiality and by no means get into the hands of potential cyber attackers and affiliated communities wherever they are located.”
Other companies on the list said that they do report vulnerability information to the Chinese government, but only the same information provided to other governments and to customers. Swedish industrial automation firm KUKA responded that it “fulfills legal local obligations in all countries, where we operate,” but wrote that it offers the same information to its customers, publishes known vulnerability information about its products on a public website, and will comply with a similar upcoming law in the EU that requires disclosing vulnerability information. Japanese technology company Omron similarly wrote that it gives vulnerability information to the Chinese government, CISA in the US, and the Japanese Computer Emergency Response Team, as well as publishing information about known vulnerabilities on its website.
German industrial automation firm Beckhoff spelled out a similar approach in more detail. “Legislation in several nations requires that any vendor selling products in their market must inform their authorized body about security vulnerabilities prior to their publication,” wrote Torsten Förder, the company’s head of product security. “General information about the vulnerability is disclosed as further research and mitigation strategies are developing. This enables us to notify all regulatory bodies quickly, while refraining from publishing comprehensive information on how to exploit the vulnerability under investigation.”
French electric utility technology firm Schneider Electric offered the most ambiguous response. The company’s head of product vulnerability management, Harish Shankar, wrote only that “cybersecurity is integral to Schneider Electric’s global business strategy and digital transformation journey” and referred WIRED to its Trust Charter as well as the cybersecurity support portal on its website, where it releases security notifications and mitigation and remediation tips.
Given those carefully worded and sometimes elliptical responses, it’s difficult to know to exactly what degree companies are complying with China’s vulnerability disclosure law—particularly given the relatively detailed description required on the government’s web portal for uploading vulnerability information. Ian Roos, a China-focused researcher at cybersecurity R&D firm Margin Research who reviewed the Atlantic Council report prior to publication, suggests that companies might be engaging in a kind of “malicious compliance,” sharing only partial or misleading information with Chinese authorities. And he notes that even if they are sharing solid vulnerability data, it may still not be specific enough to be immediately helpful to China’s state-sponsored hackers. “It’s very hard to go from ‘there's a bug here’ to actually leveraging and exploiting it, or even knowing if it can be leveraged in a way that would be useful,” Roos says.
The law is still troubling, Roos adds, since the Chinese government has the ability to impose serious consequences on companies that don’t share as much information as it would like, from hefty fines to revocation of business licenses necessary to operate in the country. “I don’t think it’s doomsday, but it’s very bad,” he says. “I think it absolutely does create a perverse incentive where now you have private organizations that need to basically expose themselves and their customers to the adversary.”
In fact, China-based staff of foreign companies may be complying with the vulnerability disclosure law more than executives outside of China even realize, says J. D. Work, a former US intelligence official who is now a professor at National Defense University College of Information and Cyberspace. (Work holds a position at the Atlantic Council, too, but wasn’t involved in Cary and Del Rosso’s research.) That disconnect isn’t just due to negligence or willful ignorance, Work adds. China-based staff might broadly interpret another law China passed last year focused on countering espionage as forbidding China-based executives of foreign firms from telling others at their own company about how they interact with the government, he says. “Firms may not fully understand changes in their own local offices’ behavior,” says Work, “because those local offices may not be permitted to talk to them about it, under pain of espionage charges.”
Sophos’ Del Rosso notes that even if companies operating in China are finding the wiggle room to avoid disclosing actual, hackable vulnerabilities in their products today, that’s still no guarantee that China won’t begin tightening its enforcement of the disclosure law in the future to close any loopholes.
“Even if people aren't complying—or if they are complying but only to a certain extent—it can only devolve and get worse,” says Del Rosso. “There’s no way they’re going to start asking for less information, or requiring less of people working there. They’ll never get softer. They’ll crack down more.”
Updated 9:20 am, September 6, 2023: A previous version of this article incorrectly identified Margin Research's Ian Roos. We regret the error.
