
WASHINGTON: China’s new Data Security Law, which takes effect today, includes cyber vulnerability disclosure provisions that will provide its government with nearly exclusive early access to a steady stream of zero-day vulnerabilities — potentially to include those discovered in technologies used by the Defense Department and Intelligence Community.

Armed with that information, experts fear, China could exploit cyber vulnerabilities in tech used broadly across the US public and private sectors.

The DSL’s vulnerability disclosure provisions are a concern given both China’s recent behavior and its activities in cyberspace over the past two decades. The Microsoft Exchange hacking campaign earlier this year entailed exploiting four zero-day vulnerabilities in the Redmond, Wash., tech giant’s widely used email server software. Zero-day vulnerabilities are security flaws that are not publicly known and therefore have no available patch.

Microsoft was eventually alerted to the Exchange vulnerabilities, issued patches, and attributed the campaign to a Chinese threat actor dubbed HAFNIUM, but not before 140,000 US organizations were exposed — and some percentage of those compromised by multiple threat actors, prior to and after the vulnerabilities’ disclosure. The Pentagon’s networks were reportedly not affected.

The Exchange campaign — which the US officially attributed to China in July — is just the latest known in a multi-decade Chinese cyberespionage initiative against the US government and American companies, which a congressional commission estimated to cost hundreds of billions of dollars annually and has been characterized by a former National Security Agency chief as “the greatest transfer of wealth in history.”

Now, with the enactment of the DSL, China is poised to collect information on zero days that it can use for both defensive and offensive purposes, with no obligation to share that information with other governments or companies.

DSL’s Vulnerability Disclosure Provisions

The DSL’s provisions require all Chinese security researchers, Chinese businesses, and — most notably — foreign companies with a footprint inside China to report any zero-day vulnerability to the Chinese Ministry of Industry and Information Technology (MIIT) within two days of a vulnerability’s discovery. The DSL also prohibits affected entities from “collect[ing], sell[ing], or publish[ing] information on network product security vulnerabilities” and outlaws sharing vulnerabilities with any “overseas organizations or individuals other than network product providers.”

Experts spell out the implication: under this law, China will compel certain security researchers and companies to disclose zero-day vulnerabilities to MIIT, while the sources of those flaws will be severely limited in whom else they can share the information with. Meanwhile, China could exploit the same vulnerabilities where they are present in US government and American corporate networks.

The law’s provisions are backed by stiff financial penalties for noncompliance and the possibility of further legal actions by the Chinese government against offending entities.

China’s DSL follows other data privacy laws, most notably Europe’s 2016 General Data Protection Regulation, commonly known as GDPR. As with the DSL, non-European companies that operate in Europe are subject to GDPR’s data restrictions and penalties. Unlike the DSL, however, one of GDPR’s goals is transparency in how data is used.

Some of the businesses that are affected by the DSL’s disclosure provision — such as Amazon Web Services and Microsoft, to name just two — have a business presence in mainland China while also providing IT to the US public and private sectors. This means that American companies, whose tech is currently used in China and the US, will be required to notify China’s MIIT of any zero-day vulnerability present in their tech.

In addition, any third-party Chinese security researchers and companies in China or that do business in China will be required to report discovered zero-day vulnerabilities in, say, Microsoft’s Azure or AWS’s cloud platforms — both of which are widely expected to be selected as part of DoD’s new Joint Warfighting Cloud Capability. Such disclosures will give the Chinese government a head start on remediating — and potentially exploiting — zero days.

The Pentagon does not publicly disclose its security patch management practices, but the average time it takes companies to patch — a metric security researchers track as the mean time to patch, or MTTP — ranges from 60 days to over 200 days, depending on the source. That metric is calculated from the time a patch is issued.

However, it takes companies time from initial disclosure of a bug to issuing a patch. Approximately 60 days passed between the initial discovery of the Exchange zero days on Jan. 6 and Microsoft issuing patches on March 2, during which exploits increased significantly. Microsoft moved faster than a lot of companies in that case. Even after Exchange patches were released, some companies did not apply the fixes for weeks, prompting the FBI to take the extraordinary action of secretly and proactively patching the servers of some private entities.

To be sure, the DSL is written to be broad and vague, and it’s unclear right now how the Chinese government will enforce the vulnerability disclosure provisions and related penalties. But the mere prospect of the MIIT learning of zero days that are present in US government and private sector tech before practically everyone else knows about or can remediate them has raised concerns among some experts.

US Cyber Command and the NSA — which work with the Pentagon and the Defense Information Systems Agency on securing DoD networks — did not reply to a request for comment.

“Part of this is rooted in the concept of legal warfare, or lawfare,” Dean Cheng, a leading China expert at the Heritage Foundation, told Breaking Defense. “The Chinese concept of legal warfare is much broader” than the Western notion, he said. “It is using all the instruments of legal institutions — some laws, regulations, courts, law enforcement agencies — to help achieve political ends.”

And, in this case, the political ends entail China’s own cybersecurity and its offensive cyber operations. “It puts [China’s] Ministry of State Security, which conducts nation-state hacking and espionage, in a position to evaluate software vulnerabilities and turn those into operational tools so that they can hack other nations,” Dakota Cary, a research analyst at Georgetown University’s Center for Security and Emerging Technology, told Breaking Defense. “That creates a window of opportunity for state hackers to exploit what they know is vulnerable software before that software can be repaired.”

Zero Day Dual Use: Defensive Capability and Offensive Weapon

The cybersecurity community — both good guy “white hats” and bad guy “black hats” — has long valued the discovery of zero days. Through bug bounty programs and hacking competitions, white-hat security researchers find, validate, and often get paid to disclose zero days to governments and companies. Indeed, many US companies pay handsomely for such discoveries, and even the US government runs such events, including Hack the Army, which uncovered 238 vulnerabilities this year.

Bug bounties and competitions are meant to incentivize “responsible disclosure” of zero days, so that tech companies can patch security bugs before bad guys can learn about and exploit them. Once patches are developed and released for widespread use, the vulnerabilities are announced to the public. In this way, responsible disclosure is viewed as a way to improve cyber defenses.

Some aspects of the DSL encourage using zero days for defensive purposes in the tradition of bug bounties. In addition to calling for the Chinese private sector to establish financial incentives for bug reports, the DSL holds security researchers and companies to responsible disclosure, forbids “exaggerating” a bug’s severity, and prevents researchers and companies from creating tools to exploit the vulnerabilities. But the law does not place any such prohibitions on the Chinese government exploiting the vulnerabilities in offensive operations.


The National Institute of Standards and Technology maintains the US National Vulnerability Database (NVD), while China runs its own, the China National Vulnerability Database (CNNVD).

Cary told Breaking Defense his research has revealed that some Chinese authors and academics, who are influential with the Chinese Communist Party, have become suspicious of the US NVD program.

These influential Chinese authors “have misconstrued the US NVD as an NSA run program,” which could be shaping China’s perception of the way the US operates and may be influencing the DSL’s vulnerability disclosure provisions, Cary said. “In their minds, what they put in place doesn’t feel different than how they think we are using our vulnerability database, even though that’s not the case.”

In addition to bolstering defense, zero days can, of course, be potent offensive cyber weapons. Some have suggested China has, in the past, concealed or delayed disclosure of zero days. US cybersecurity company Recorded Future published research showing a pattern of delay in the Chinese government’s disclosure of vulnerabilities, and a separate report found that China manipulates its CNNVD. The DSL provides additional opportunities for China to conceal, delay disclosure, and obfuscate vulnerabilities reported to it.

The NSA has been accused in the past of similar behavior. In April 2017, a mysterious group calling itself the Shadow Brokers leaked vulnerabilities that it allegedly stole from the NSA. One of those vulnerabilities, EternalBlue, was later exploited by non-NSA threat actors as part of the widespread WannaCry and NotPetya cyberattacks in May and June of 2017, respectively.

Still earlier, the computer worm Stuxnet exploited four zero days in Microsoft Windows as part of a multi-stage hack of the industrial control systems in Iran’s Natanz nuclear enrichment facility. Stuxnet, often called the first cyberwarfare weapon, is widely believed to have been a US-Israeli collaboration, but neither government has ever admitted involvement.

Asked how likely it is that China will use zero days disclosed to it for offensive operations, Cheng called it “100 percent.”

“There’s no evidence that I’ve come up with for some version of Chinese cyber no first use,” Cheng added. “We have seen them do a lot of things. Nobody else really does [economic cyberespionage] on the scale China does, which virtually no one in the world can withstand when you bring that scale of resources. So, why would we assume that, somehow, when it comes to zero-day exploits, the Chinese won’t do that?”

Cary recently characterized China’s approach to vulnerability disclosure in the DSL as “weaponiz[ing] cybersecurity research.” The Chinese, he told Breaking Defense, are “taking resources from labor and capital out of American markets, or foreign markets generally speaking, and using that against other nations to facilitate operations. So, they’ve effectively co-opted a pipeline of research, which costs a great deal of money to do, in order to increase their own offensive and defensive hacking capabilities.”

The DSL is just the most recent in a flurry of cyber-related and other laws meant to counter what China perceives to be “aggressions” by other nations against it. The DSL fits within this broader Chinese legal framework and its underlying themes.

“The problem is that Chinese behavior at play is what I termed informational mercantilism,” Cheng said. “By that I mean, ‘I have a right to know what you know, [but] I am under no obligation to share’.”

Cheng also sees the DSL as fitting within the broader Chinese concepts of “informationization” (xinxihua) and “informationized warfare” (xinxihua zhanzheng). “Why do [the Chinese] care about any of this? Because, if you’re the Chinese, this is part of creating the networked, interlinked, cross-wired society that China wants to be for the 21st Century. And an informationized society, an informationized CCP, has to protect itself from informationized threats, including cyberattacks.”

It also has to provide offensive countermeasures. Cheng added: “The Chinese see themselves as surrounded by enemies, and they’re not necessarily wrong.”