Key findings
This report presents:
- The Regulations on the Management of Network Product Security Vulnerabilities (RMSV), an extension of China’s 2017 Cybersecurity Law, targeting hardware/software companies as well as cybersecurity researchers.
- The RMSV prohibits the illegal collection, sale or disclosure of vulnerability information "that may endanger the security of information systems".
- The same regulation requires companies to have a system for communicating discovered vulnerabilities, with an obligation to keep logs for a period of six months.
- The RMSV imposes strict rules on the disclosure and publication of vulnerabilities, prohibiting any detailed public communication without the consent of the Ministry of Public Security during periods of major Chinese activity.
- Companies are obliged to audit, communicate to the government and correct any vulnerabilities discovered within 48 hours.
- Network product providers are encouraged to set up « Bug Bounty » type programmes to encourage the discovery and privatisation of vulnerabilities.
- China is aiming to centralise the collection of vulnerabilities, by prohibiting its researchers from taking part in conferences abroad and by developing public-private partnerships.
- The submission of vulnerabilities to the national database includes the provision of proof-of-concept, i.e. code enabling the existence of the said vulnerability to be demonstrated.
- The entity behind the national database promises rewards proportional to the quality of the information submitted.
- A statistical analysis of data relating to the vulnerabilities submitted reveals a drop in submissions to the China National Vulnerability Database (CNVD) and an obfuscation of data on the side of the China National Vulnerability Database of Information Security (CNNVD), suggesting a strategic exploitation of vulnerabilities by the Chinese government.
Introduction
Since the emergence of the ARPANET project, the world of cybersecurity has been in a constant state of evolution. Its environment, both digital and legal, is not always favourable to the peaceful development of its ecosystem. The emergence of a more secure and transparent cyberspace is often hindered by aggressive state ideologies. Some of these ideologies, driven by a desire for power and economic growth, are very often openly justified by the need to improve national security. Closely interlinked with espionage and intelligence, these state intentions take the form of support for intrusion sets, as well as lawfare actions.
The Chinese Constitution of 1982, the founding text of the People's Republic of China (PRC), defines the Chinese regime as "a socialist state of people's democratic dictatorship, led by the working class and based on the alliance of workers and peasants". Its second paragraph explicitly prohibits "any organisation or individual from attempting to undermine it". This firm stance on preserving the regime recognises virtually no limits.
Still in the same spirit of national security, at least in appearance, the Chinese government intends to develop the means at its disposal to gain and retain control over what happens on its territory. In addition, the development of its legal arsenal with extraterritorial reach is causing some concern on the international scene.
The Chinese administrative apparatus, in particular the Cyberspace Administration of China (CAC, formerly SIIO), the Ministry of Public Security (MPS) and the Ministry of Industry and Information Technology (MIIT), is jointly developing a wide range of restrictive legislation aimed at individuals and companies.
Intrinsec’s CTI services
Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.
For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients' existing tools (EDR, XDR, SIEM, ...) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.