The researchers found, in fact, that some firms appear to be taking that second option. They point to a July 2022 document posted to the account of a research organization within the Ministry of Industry and Information Technologies on the Chinese-language social media service WeChat. The posted document lists members of the Vulnerability Information Sharing program that “passed examination,” possibly indicating that the listed companies complied with the law. The list, which happens to focus on industrial control system (or ICS) technology companies, includes six non-Chinese firms: Beckhoff, D-Link, KUKA, Omron, Phoenix Contact, and Schneider Electric.
WIRED asked all six firms if they are in fact complying with the law and sharing information about unpatched vulnerabilities in their products with the Chinese government. Only two, D-Link and Phoenix Contact, flatly denied giving information about unpatched vulnerabilities to Chinese authorities, though most of the others contended that they only offered relatively innocuous vulnerability information to the Chinese government and did so at the same time as giving that information to other countries’ governments or to their own customers.
The Atlantic Council report’s authors concede that the companies on the Ministry of Industry and Information Technology’s list aren’t likely handing over detailed vulnerability information that could immediately be used by Chinese state hackers. Coding a reliable “exploit,” a hacking software tool that takes advantage of a security vulnerability, is sometimes a long, difficult process, and the information about the vulnerability demanded by Chinese law isn’t necessarily detailed enough to immediately build such an exploit.
But the text of the law does require—somewhat vaguely—that companies provide the name, model number, and version of the affected product, as well as the vulnerability’s “technical characteristics, threat, scope of impact, and so forth.” When the Atlantic Council report’s authors got access to the online portal for reporting hackable flaws, they found that it includes a required entry field for details of where in the code to “trigger” the vulnerability or a video that demonstrates “detailed proof of the vulnerability discovery process,” as well as a nonrequired entry field for uploading a proof-of-concept exploit to demonstrate the flaw. All of that is far more information about unpatched vulnerabilities than other governments typically demand or that companies generally share with their customers.
Even without those details or a proof-of-concept exploit, a mere description of a bug with the required level of specificity would provide a “lead” for China’s offensive hackers as they search for new vulnerabilities to exploit, says Kristin Del Rosso, the public sector chief technology officer at cybersecurity firm Sophos, who coauthored the Atlantic Council report. She argues the law could be providing those state-sponsored hackers with a significant head start in their race against companies’ efforts to patch and defend their systems. “It’s like a map that says, ‘Look here and start digging,’” says Del Rosso. “We have to be prepared for the potential weaponization of these vulnerabilities.”
If China’s law is in fact helping the country’s state-sponsored hackers gain a greater arsenal of hackable flaws, it could have serious geopolitical implications. US tensions with China over both the country’s cyberespionage and apparent preparations for disruptive cyberattack have peaked in recent months. In July, for instance, the Cybersecurity and Information Security Agency (CISA) and Microsoft revealed that Chinese hackers had somehow obtained a cryptographic key that allowed Chinese spies to access the email accounts of 25 organizations, including the State Department and the Department of Commerce. Microsoft, CISA, and the NSA all warned as well about a Chinese-origin hacking campaign that planted malware in electric grids in US states and Guam, perhaps to obtain the ability to cut off power to US military bases.