In the News | Sep 6, 2023
Wired picked up a Global China Hub and Cyber Statecraft Initiative report on how China demands that tech firms reveal hackable flaws in their products. The initial report was written by Global China Hub nonresident fellow Dakota Cary and Kristin Del Rosso.
Andy Greenberg at Wired wrote about the recent Atlantic Council report which “investigates the fallout of a Chinese law passed in 2021, designed to reform how companies and security researchers operating in China handle the discovery of security vulnerabilities in tech products.” The original report was written by Global China Hub nonresident fellow Dakota […]
Report | Sep 6, 2023
Sleight of hand: How China weaponizes software vulnerabilities
By Dakota Cary and Kristin Del Rosso
China's new vulnerability management system mandates reporting to MIIT within 48 hours, restricting pre-patch publication and POC code. This centralized approach contrasts with the US voluntary system, potentially aiding Chinese intelligence. MIIT shares data with the MSS, affecting voluntary databases as well. The MSS also funds firms to provide vulnerabilities for their offensive potential.
Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub. Cary is also a consultant at Krebs Stamos Group and previously was a research analyst at Georgetown University’s Center for Security and Emerging Technology on the CyberAI Project. He focuses on China’s efforts to develop its hacking capabilities. His previous reports examine artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline. He has been featured and quoted on his expertise in a variety of outlets, including the Economist, MIT Technology Review, Hill, Breaking Defense, and Defense One. Cary has also testified before the US-China Economic and Security Review Commission.