Sleight of hand: How China weaponizes software vulnerabilities
Table of contents
- Executive summary
- Introduction
- China’s software vulnerability disclosure ecosystem
- Before the RMSV
- China National Vulnerability Database (CNVD)
- China National Vulnerability Database of Information Security (CNNVD)
- China’s New Vulnerability Management System under the RMSV: The NVDB
- Few good options
- Conclusion
- Key recommendations
Executive summary
The Cyberspace Administration of China (CAC), the Ministry of Public Security (MPS), and the Ministry of Industry and Information Technology (MIIT) published the “Regulations on the Management of Network Product Security Vulnerabilities” (RMSV) in July 2021. Even before the regulations were implemented in September 2021, analysts had issued warnings about the new regulation’s potential impact.1Dakota Cary, “China’s New Software Policy Weaponizes Cybersecurity Research,” The Hill, July 22, 2021, https://thehill.com/opinion/cybersecurity/564318-chinas-new-software-policy-weaponizes-cybersecurity-research; Brad D. Williams, “China’s New Data Security Law Will Provide It Early Notice of Exploitable Zero Days,” Breaking Defense, September 1, 2021, https://breakingdefense.com/2021/09/chinas-new-data-security-law-will-provide-it-early-notice-of-exploitable-zero-days. At issue is the regulations’ requirement that software vulnerabilities—flaws in code that attackers can exploit—be reported to the MIIT within forty-eight hours of their discovery by industry (Article 7 Section 2).2It seems that when researchers discover vulnerabilities in other companies’ codebases, they are also required to share that information with the MIIT. Jonathan Greig, “Chinese Regulators Suspend Alibaba Cloud over Failure to Report Log4j Vulnerability,” ZDNet, December 22, 2021, https://www.zdnet.com/article/log4j-chinese-regulators-suspend-alibaba-partnership-over-failure-to-report-vulnerability. The rules prohibit researchers from: publishing information about vulnerabilities before a patch is available, unless they coordinate with the product owner and the MIIT; publishing proof-of-concept code used to show how to exploit a vulnerability; and exaggerating the severity of a vulnerability.3宋海新 and 张功俐. “敲黑板 !《网络安全漏洞管理规定》逐条解读-中伦律师事务所.” archive.ph, February 8, 2023. https://archive.ph/xzbZq. In effect, the regulations push all software-vulnerability reports to the MIIT before a patch is available.
Conversely, the US system relies on voluntary reporting to companies, with vulnerabilities sourced from researchers chasing money and prestige, or from cybersecurity companies that observe exploitation in the wild.
Software vulnerabilities are not some mundane part of the tech ecosystem. Hackers often rely on these flaws to compromise their targets. For an organization tasked with offensive operations, such as a military or intelligence service, it is better to have more vulnerabilities. Critics consider this akin to stockpiling an arsenal.4Brad Smith, “The Need for Urgent Collective Action to Keep People Safe Online: Lessons from Last Week’s Cyberattack,” Microsoft on the Issues, May 14, 2017, https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack. When an attacker identifies a target, they can consult a repository of vulnerabilities that enable their operation. Collecting more vulnerabilities can increase operational tempo, success, and scope. Operators with a deep bench of tools work more efficiently, but companies patch and update their software regularly, causing old vulnerabilities to expire. In a changing operational environment, a pipeline of fresh vulnerabilities is particularly valuable.
This report details the structure of the MIIT’s new vulnerability databases, how the new databases interact with older ones, and the membership lists of companies participating in these systems. The report produces four key findings.
- The RMSV (Article 7, Section 3) requires the MIIT’s new database to share vulnerability and threat data with the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and Ministry of Public Security (MPS). Sharing these data with CNCERT/CC allows them to reach organizations with offensive missions. CNCERT/CC’s partners can access vulnerability reports through its own China National Vulnerability Database (CNVD). The CNVD’s Technology Collaboration Organizations with access to reports submitted to MIIT include: the Beijing office of the Ministry of State Security’s (MSS) 13th Bureau (Beijing ITSEC, 北京信息安全测评中心), Beijing Topsec—a known People’s Liberation Army (PLA)-contractor connected to the hack of Anthem Insurance, and a research center responsible for “APT [advanced persistent threat] attack and defense” at Shanghai Jiao Tong University, which houses a cybersecurity school tied to PLA hacking campaigns.5Ellen Nakashima, “Security Firm Finds Link between China and Anthem Hack,” Washington Post, February 27, 2015, https://www.washingtonpost.com/news/the-switch/wp/2015/02/27/security-firm-finds-link-between-china-and-anthem-hack; Dakota Cary, “Academics, AI, and APTs: How Six Advanced Persistent Threat-Connected Chinese Universities are Advancing AI Research,” Center for Security and Emerging Technology, March 2021, https://cset.georgetown.edu/publication/academics-ai-and-apts. The vulnerability sharing with the MSS 13th Bureau’s Beijing office is particularly concerning. Experts note that the bureau spent the last twenty years getting early access to software vulnerabilities.6China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States, testimony before the U.S.-China Economic and Security Review Commission hearing. Statement by Adam Kozy, CEO and founder, SinaCyber, former FBI and CrowdStrike, 2022, https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf.
- There are likely bureaucratic issues involved in implementing the RMSV among relevant entities. Mandatory disclosure of vulnerabilities to MIIT undercuts other, government-run, voluntary databases in China. CNVD disclosed fewer vulnerabilities after the regulation went into effect, and its publication of vulnerabilities for industrial control systems ground to a halt in 2022. This decline is likely the result of CNVD waiting for a patch before publishing. With no reporting requirement, and the inability to publish without a patch, the value of the voluntary database is unclear. One benefit may be collection. CNCERT/CC has incident-response contracts with thirty-one countries.7Xinhua. “Full Text: Jointly Build a Community with a Shared Future in Cyberspace” archive.ph, May 23, 2023. https://archive.ph/AqhdW. It is unclear if these contracts allow CNCERT/CC to collect vulnerability information.
- Besides just collecting software vulnerabilities, the MIIT is funding their discovery through research grants to improve product security standards.
- An MSS vulnerability database requires its private-sector partners to produce software vulnerabilities. These 151 cybersecurity companies provide software vulnerabilities to the MSS 13th Bureau. This report finds that these companies employ at least 1,190 software vulnerability researchers. Each year the researchers provide at least 1,955 software vulnerabilities to the MSS, at least 141 of which are “critical” severity. Once received by the MSS, they are almost certainly evaluated for offensive use.
The mandates to disclose vulnerabilities to the Ministry of Industry and Information Technology, not to publish vulnerability information without also simultaneously releasing a patch, not to release proof-of-concept code, and not to hype up the severity of a vulnerability, among other things, stand in stark contrast to the United States’ decentralized, voluntary reporting system.
Introduction
Software vulnerabilities are like raspberries—they go bad fast.8Thanks to Chris Rohlf for this metaphor. For intelligence services and militaries that seek to hack an adversary’s systems, having vulnerabilities on hand is key. Software vulnerabilities are flaws that allow an attacker to exploit the software and achieve a desired effect. Knowing which software vulnerabilities operators will need in advance is challenging, so having many on hand is incredibly useful to support operational tempo. But because companies are usually quick to patch their products, a trove of software vulnerabilities, however well-stocked, is quickly rendered useless if not replenished regularly.9Kathleen Metrick, Jared Semrau, and Shambavi Sadayappan, “Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation—Intelligence for Vulnerability Management, Part Two,” Mandiant, April 13, 2020, https://www.mandiant.com/resources/blog/time-between-disclosure-patch-release-and-vulnerability-exploitation.
Over the last six years, China has taken significant steps to collect more vulnerabilities. China’s Ministry of Public Security prohibited cybersecurity experts from traveling to foreign software security competitions in 2017, where they would burn vulnerabilities in commonly used tech for hundreds of thousands of dollars.10Lucian Armasu, “Pwn2Own 2018: Focus Changes to Kernel Exploits as Browsers Get Harder to Hack,” Tom’s Hardware, March 16, 2018, https://www.tomshardware.com/news/pwn2own-2018-kernel-exploits-focus,36679.html; Violet Blue, “When China Hoards Its Hackers Everyone Loses,” Engadget, March 16, 2018, https://www.engadget.com/2018-03-16-chinese-hackers-pwn2own-no-go.html. Preventing researchers from attending international competitions that made everyday products more secure was not only a loss for defenders; China explicitly gained more vulnerabilities for offensive use. One company, Beijing Chaitin, told a media outlet that it would prioritize submitting vulnerabilities to the MSS-run CNNVD database instead of participating in foreign competitions.11Yingzhi Yang, “China Discourages Its Hackers from Foreign Competitions so They Don’t Help Others,” South China Morning Post, March 21, 2018, https://www.scmp.com/tech/article/2138114/china-discourages-its-cybersecurity-experts-global-hacking-competitions. China’s top cybersecurity policymakers and corporate executives share the “collect them all” attitude. The chief executive officer (CEO) of Qihoo360 remarked in the same year that software vulnerabilities are “important strategic resources” that “should stay in China.”12Karen Chiu, “Chinese Hackers Break into Chrome, Microsoft Edge, and Safari in Competition,” South China Morning Post, November 19, 2019, https://www.scmp.com/abacus/tech/article/3038326/chinese-hackers-break-chrome-microsoft-edge-and-safari-competition. 
Also in 2017, China launched a series of competitions to promote the development of technology that could automate the discovery, exploitation, and patching of software vulnerabilities.13Dakota Cary, “Robot Hacking Games,” Center for Security and Emerging Technology, September 2021, https://cset.georgetown.edu/publication/robot-hacking-games. The same Qihoo360 CEO called the technology an “assassin’s mace”—or in Department of Defense (DOD) jargon, a strategic offset.14网络传播杂志, “360: 自觉担当责任维护网络安全,” 中共中央网络安全和信息化委员会办公室, November 6, 2018, https://perma.cc/ENA2-WZ3F. Together, the policies prevented China’s strategic resource from being leaked overseas and invested money in technology to make finding vulnerabilities more efficient. Still, the government could only ever receive vulnerabilities that were voluntarily provided to it.
China developed a system to collect software vulnerabilities that previously escaped its reach. Under the old system, the government did not collect vulnerabilities found by, or reported to, companies. Companies often find vulnerabilities in their own products. Many firms also receive external reports from researchers, sometimes in exchange for money. The 2021 RMSV—written by the CAC, the MPS, and the MIIT—expanded the government’s collection to include these sources. The new rules require companies doing business in China to report software vulnerabilities in their products or products they use to the MIIT within forty-eight hours of discovery. The regulations stop independent researchers from publishing information about vulnerabilities without coordinating a patch with the company, releasing proof-of-concept code that shows how to exploit a vulnerability, and hyping up the severity of a vulnerability. The requirement to coordinate the vulnerability disclosure with the business pushes the vulnerability into the MIIT’s new system, because the company must report it within two days. At some point after the Cybersecurity Threat and Vulnerability Information Sharing Platform receives the vulnerability, MIIT shares it with the MPS and CNCERT/CC. The 2021 regulations are aligned with People’s Republic of China (PRC) policymakers’ attitudes toward software vulnerabilities, which began coalescing in 2017.
Three earlier reports contour China’s software vulnerability ecosystem. Combined, they demonstrate a decrease in software vulnerabilities being reported to foreign firms and the potential for these vulnerabilities to feed into offensive operations.
First, the Atlantic Council’s Dragon Tails report demonstrates that China’s software vulnerability research industry is a significant source of global vulnerability disclosures, and that US legislation prior to China’s disclosure requirements significantly decreased the reporting of vulnerabilities from specific foreign firms added to the US entities list, removing an important source of security research from the ecosystem.15Stewart Scott, et al., Dragon Tails: Preserving International Cybersecurity Research, Atlantic Council, 2022, https://www.atlanticcouncil.org/wp-content/uploads/2022/09/AC_DRAGON_TAILS_LAY4_WEB3.pdf.
Second, Microsoft’s “Digital Defense Report 2022” showed a corresponding uptick in the number of zero-days deployed by PRC-based hacking groups. Microsoft explicitly attributes the increase as a “likely” result of the RMSV.16“Microsoft Digital Defense Report 2022,” Microsoft, 2022, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bUvv. Although less than a year’s worth of data do not make a trend, both reports gesture at the impact of the regulation in expected ways, based on China’s past behavior of weaponizing the software vulnerability disclosure pipeline.17Cary, “China’s New Software Policy Weaponizes Cybersecurity Research”; Williams, “China’s New Data Security Law Will Provide It Early Notice of Exploitable Zero Days.”
Third, Recorded Future published a series of reports in 2017 with evidence indicating that critical vulnerabilities reported to China’s National Information Security Vulnerability Database (CNNVD, run by the MSS) were being withheld from publication for use in offensive operations.18Priscilla Moriuchi and Dr. Bill Ladd, “China’s Ministry of State Security Likely Influences National Network Vulnerability Publications,” Recorded Future, November 16, 2017, https://www.recordedfuture.com/chinese-mss-vulnerability-influence; Dr. Bill Ladd, “The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting,” Recorded Future, October 19, 2017, https://www.recordedfuture.com/chinese-vulnerability-reporting; Priscilla Moriuchi, “China Altered Public Data to Conceal MSS Influence,” Recorded Future, March 9, 2018, https://www.recordedfuture.com/chinese-vulnerability-data-altered.
This report adds to these findings. Specifically, we find that the 2021 RMSV allows the PRC government, and subsequently the Ministry of State Security, to access vulnerabilities previously uncaptured by past regulatory regimes and policies. In some cases, the regulations also facilitate access to some companies’ internal code repositories.
China’s software vulnerability disclosure ecosystem
The following graphic illustrates the relationships within China’s government-run software vulnerability ecosystem. This report does not cover actors on the black market or their impact on this system.
Before the RMSV
China National Vulnerability Database
The CNVD, run by CNCERT/CC, is meant to help defend computer networks in China and other nations, like the US National Vulnerability Database (NVD).19“《国家信息安全漏洞共享平台章程》全文 – 安全内参 | 决策者的网络安全知识库.” https://web.archive.org/web/20220714014641/https:/www.secrss.com/articles/7474. CNCERT/CC maintains joint incident-response contracts with at least thirty-one other national computer emergency-response teams (CERTs), though which countries participate is unknown.20“Full Text: Jointly Build a Community with a Shared Future in Cyberspace,” Xinhua, November 7, 2022, https://www.chinadaily.com.cn/a/202211/07/WS63687246a3105ca1f2274748.html. CNVD users receive advance warning of software vulnerabilities from the database.21“《国家信息安全漏洞共享平台章程》全文 – 安全内参 | 决策者的网络安全知识库.” https://web.archive.org/web/20220714014641/https:/www.secrss.com/articles/7474. These vulnerabilities are collected from voluntary reporting by individuals or companies, or from a partnering vulnerability database.
The CNVD collects some of its data from three CNVD partner vulnerability databases, each with its own list of contributors: the Higher-Ed Vulnerability Database, Vulbox, and the Bu Tian Vulnerability Database.22国家计算机网络应急技术处理协调中心. “2020 Annual Report,” page 22, September 27, 2022. https://web.archive.org/web/20220927052510/https:/www.cert.org.cn/publish/main/upload/File/2020%20Annual%20Report.pdf.
Shanghai Jiao Tong University operates the Higher-Ed Vulnerability Database.23“关于教育漏洞报告平台” 教育漏洞报告平台 In Archive.vn, 2023. https://archive.vn/f4BHI. The database collects vulnerability reports on products used by institutions under the Ministry of Education. Researchers, professors, and students voluntarily submit vulnerabilities. The products have a variety of national origins and are not just education-related software. The university organization operating the vulnerability database also teaches defense-industry and government employees “secrets theft and anti-secrets theft” skills on another platform.24“From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations,” Recorded Future, November 23, 2022, https://www.recordedfuture.com/from-coercion-to-invasion-the-theory-and-execution-of-china-cyber-activity. SJTU has supported PLA hacking campaigns and is home to a center that conducts research on “APT attack and defense.”25Cary, “Academics, AI, and APTs.”
The other two databases feeding the CNVD rely on the private sector. Vulbox is a for-profit vulnerability disclosure marketplace.26“项目大厅 – 漏洞盒子.” https://archive.ph/rCpey. Like similar companies in the United States, it connects white-hat hackers to companies looking to secure their products. Companies pay researchers who find vulnerabilities and submit them through the platform. Vulbox shares these vulnerabilities, paid for by corporate incentive, with CNVD. Qi An Xin, a premier cybersecurity firm, maintains the other database.27Jamie Tarabay and Sarah Zheng, “Chinese Firm That Accused NSA of Hacking Has Global Ambitions,” Bloomberg, May 31, 2022, https://www.bloomberg.com/news/articles/2022-05-31/chinese-firm-that-accused-nsa-of-hacking-has-global-ambitions#xj4y7vzkg. The Bu Tian Vulnerability Database is a forum for white-hat hackers to discuss software vulnerabilities. Users can share vulnerability reports, help other users recover from attacks, and join an annual competition.28archive.ph. “奇安信创新服务及研究团队,” May 31, 2023. https://archive.ph/ARSxa. Both databases draw on unique sources of vulnerabilities: Vulbox from software security researchers cashing in on their work; Bu Tian from researchers discussing new findings, recovering from incidents, or discovering new vulnerabilities at the annual Bu Tian Cup software competition.
The CNVD also receives voluntary vulnerability reporting from researchers and cybersecurity companies. Under the 2021 regulations, these companies must also report the vulnerabilities to the MIIT’s new database (see discussion below). CNCERT’s 2020 annual report graded the capabilities of its technical supporting organizations, ranking their capabilities to collect, analyze, and discover software vulnerabilities.29国家计算机网络应急技术处理协调中心. “2020 Annual Report,” page 222, September 27, 2022. https://web.archive.org/web/20220927052510/https:/www.cert.org.cn/publish/main/upload/File/2020%20Annual%20Report.pdf. The criteria used to produce the evaluation and rankings are not in the report, but they can be found online.30“国家信息安全漏洞共享平台,” archive.ph. May 28, 2023. https://archive.ph/3xCQ4. This report reproduces that table below and flags with an asterisk the seventeen of the twenty-six companies that also support the MSS-run CNNVD. Under the RMSV, CNVD now receives software vulnerabilities from the MIIT’s new database.31工信部联网安. “工业和信息化部国家互联网信息办公室公安部关于印发网络产品安全漏洞管理规定的通知-中共中央网络安全和信息化委员会办公室.” http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm; “Provisions on the Management of Network Product Security Vulnerabilities,” China Law Translate, July 14, 2021, https://www.chinalawtranslate.com/en/product-security-vulnerabilites.
Source: CNCERT/CC 2020 Annual Report32“关于国家计算机网络应急技术 处理协调中心,” September 27, 2022. https://web.archive.org/web/20220927052510/https:/www.cert.org.cn/publish/main/upload/File/2020%20Annual%20Report.pdf.
CNVD distributes vulnerability data to its technology collaboration organizations.33“国家信息安全漏洞共享平台章程” 决策者网络安全知识库. Article 2, Section 8; Article 3, Sections 10, 11, 13 https://web.archive.org/web/20220714014641/https:/www.secrss.com/articles/7474. These organizations are meant to integrate the data into cybersecurity services they provide to customers. Some organizations and companies may use this vulnerability distribution to support offensive operations. These organizations include the Beijing regional office of the MSS 13th Bureau (北京信息安全测评中心), a known PLA contractor tied to the hack of Anthem Insurance called Beijing TopSec, and other prominent government-servicing cybersecurity firms such as Qi An Xin, which runs its own Cybersecurity Military-Civil Fusion Innovation Center (网络空间安全军民融合创新中心).34Nigel Inkster attributes 中国信息安全测评中心 to the Ministry of State Security (Jon R. Lindsay, Tai Ming Cheung, and Derek S. Reveron, China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, Oxford, UK: Oxford University Press, 2015); other analysts have tied its provincial bureaus to APTs (“China’s Cybersecurity Law Gives the Ministry of State Security Unprecedented New Powers Over Foreign Technology,” Recorded Future, August 31, 2017, https://www.recordedfuture.com/china-cybersecurity-law); “奇安信创新服务及研究团队,” May 31, 2023. www.archive.ph/ARSxa. Even the Shanghai Jiao Tong University Center (上海交通大学网络信息中心) responsible for “advanced persistent threat attack and defense” research makes this list of integrators.
Separately, another group of thirty-eight CNVD user-support organizations help defenders integrate vulnerability data into their network defenses.35国家计算机网络应急技术处理协调中心. “2020 Annual Report,” page 220-221, September 27, 2022. https://web.archive.org/web/20220927052510/https:/www.cert.org.cn/publish/main/upload/File/2020%20Annual%20Report.pdf. The role of international partners in vulnerability sharing, collection, use, and defense is unclear. A list of CNCERT/CC’s international partners is not available, nor are the contracts that underpin their relationship. CNCERT/CC responded to a request for comment by pointing to the organization’s press-release website.
CNVD also maintains four databases for software vulnerabilities, but these appear to be maintained as a single database, do not require separate accounts to access, and are subdomains of the CNVD website.36China National Vulnerability Database. “电信行业漏洞.” https://telecom.cnvd.org.cn/; “国家区块链漏洞库” https://bc.cnvd.org.cn/; “移动互联网行业漏洞.” https://mi.cnvd.org.cn/. This structure merely sorts the CNVD system, rather than distributing vulnerabilities into unique repositories.
Data from one of these four databases—the industrial control systems (ICS) vulnerability database—make clear how significantly the RMSV decreased public vulnerability disclosure. While a few hundred vulnerabilities were disclosed by the ICS database each year from 2018 to 2020, 2022 saw just ten vulnerabilities published in this system. In the same year, the US Cybersecurity and Infrastructure Security Agency (CISA) recorded 113 exploited ICS vulnerabilities.37“Known Exploited Vulnerabilities Catalog,” Cybersecurity and Infrastructure Security Agency, last visited July 19, 2023, https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
The near total drop-off in publicly reported ICS vulnerabilities was accompanied by a significant decrease in the total vulnerabilities disclosed by CNVD.
The data suggest there is a significant gap between actual and disclosed ICS vulnerabilities. If researchers find a number of ICS vulnerabilities similar to the number before the regulations, and they report them to the new MIIT database for ICS vulnerabilities, then the vulnerabilities would still show up in CNVD data, albeit with a delay. Although the MIIT database does not publish vulnerabilities publicly, the 2021 regulations require the MIIT to pass them along to the CNVD. If the MIIT had reported the vulnerabilities to the vendors, then CNVD would have published the vulnerability data when the company released the corresponding patch—but the data do not show this. Instead, the data suggest that companies, at least ICS companies, are not receiving vulnerability reports from the MIIT.
China National Vulnerability Database of Information Security
China has, in the past, weaponized software vulnerabilities provided to its CNNVD, which is run by the MSS. Statistical analysis by Recorded Future in 2017 demonstrated that the intelligence service likely passed high-criticality vulnerabilities to its hacking teams and delayed their public disclosure.38Moriuchi and Ladd, “China’s Ministry of State Security Likely Influences National Network Vulnerability Publications.” After its operations were burned when another entity publicly disclosed the vulnerability, the MSS would disclose them as well and move on. The reports by Recorded Future made clear the operational value the CNNVD offered to China’s offensive hacking teams.
Unlike the CNVD, the number of CNNVD published vulnerabilities continues to trend upward. This is not because of the goodwill of the MSS. Each vulnerability reported by CNNVD can be tied to other public data, like a GitHub repository or a company’s website, meaning the database is not offering new information. In effect, CNNVD data just reflect what is publicly observable. In a humorous twist, monthly reports from the CNNVD used to compile the chart below stop in November 2017, the same month Recorded Future researchers published their report. After being caught, the MSS wiped its website of historical data and started fresh.
Based on the requirements for firms supporting the MSS-run CNNVD, the exploitation of vulnerabilities provided to the database seems to continue today.39中国信息安全测评中心. “国家信息安全漏洞库(CNNVD)技术支撑单位计划指南,” January 24, 2023. https://web.archive.org/web/20230124204541/https:/www.cnnvd.org.cn/static/download/CNNVD_technical_support_unit_plan_guide.pdf. This assessment is unsurprising, given the MSS 13th Bureau oversight of the database. The clarity of the requirements for members to produce vulnerabilities that can be used in hacking campaigns is surprising, however.
CNNVD technical support units, as the private-sector member companies are called, must meet several requirements. Criteria for tier-one partnership include employing at least twenty software vulnerability researchers; annually submitting at least thirty-five software vulnerabilities, at least five of which are critical according to the CVSS system; responding quickly to CNNVD requests for help or information; and providing early warning to the CNNVD of at least ten critical vulnerabilities the company observes being exploited in the wild.40“国家标准《信息安全技术 网络安全漏洞分类分级规范》”, https://www.tc260.org.cn/file/2018-12-26/0a12e974-9a15-4c64-b62a-5eacfa93c53b.docx. Companies in tiers two and three each have corresponding, though less intensive, requirements. Data on CNNVD’s website do not attribute any vulnerabilities to the firms listed below, instead citing public information. This approach makes it impossible to determine how many vulnerabilities the technical support units supply to the MSS.
Based on these requirements, the technical support unit companies employ at least 1,190 researchers dedicated to software vulnerability discovery, and these researchers provide a minimum of 1,955 software vulnerabilities—at least 141 of which are of critical severity—to the MSS each year.
CNNVD’s team of technical support units grew from just fifteen companies in 2016 to 151 companies in 2023.41“关于CNNVD新增‘技术支撑单位’的公告 – 安全牛.” 国家信息安全漏洞库, https://archive.ph/O9rkW#selection-363.0-363.20;“国家信息安全漏洞库 – 技术支撑单位.” 国家信息安全漏洞库, https://archive.is/Ql46z. A full list of each tier’s membership is available in Appendix A.
China’s New Vulnerability Management System under the RMSV: the NVDB
The MIIT’s Cybersecurity Threat Intelligence Sharing Platform is operated by the MIIT’s Cybersecurity Management Bureau. The platform also receives oversight from four organizations: China Academy of Information and Communication Technology (CAICT), China ICS CERT (国家工业信息安全发展研究中心), China Software Testing Center (CSTC) (中国软件评测中心), and China Automotive Technology and Research Center (中国汽车技术研究中心).42中国政府网 “工业和信息化部网络安全威胁和漏洞信息共享平台正式上线运行_部门政务_中国政府网,” May 10, 2023. https://archive.ph/NS5xf. Notably, the China Software Testing Center, a center under the MIIT, works to advance military-civil fusion (likely by testing civilian hardware and software for security vulnerabilities before adoption by the military), is certified by the MSS 13th Bureau as tier 1 for Security Engineering and hosts a “special laboratory” (特种实验室) whose website cannot be accessed.43“中心简介-评测中心.” https://archive.ph/Ckq32; “国家信息安全测评信息安全服务资质证书(安全工程类一级)-评测中心.” https://archive.ph/h2TvM ; “基础能力实验室-评测中心.” https://web.archive.org/web/20230528191032/https:/www.cstc.org.cn/sdsys1/jcnlsys.htm. The website’s links to the “special lab” do not work and there are few mentions of the lab elsewhere on the internet. CSTC publishes books on security testing for many kinds of systems, including intelligent manufacturing, smart cars, and ICS systems. CSTC’s website makes clear the center is home to immense software security talent. At the bottom of its homepage, the China Software Testing Center lists the Ministry of State Security as one of its many government customers.44“评测中心,” https://web.archive.org/web/20230327191235/https:/www.cstc.org.cn/. It is the only government agency whose name does not also appear in English.
The Cybersecurity Threat Intelligence Sharing Platform includes one organizing platform (the Cybersecurity Threat and Vulnerability Information Sharing Platform; abbreviated NVDB) with five downstream databases. These databases share the same authorization system, and some of the database’s login pages redirect to the NVDB. While each has its own website, some share the same contact information. These findings suggest the five databases are not fully separate from one another, though this may change over time as the bureaucratic structure matures.
The five databases each cover a specific area of technology: general network product devices, industrial-control systems, “innovative information technology” (PRC-made products) used by the government, internet-connected vehicles, and mobile applications. This paper was able to obtain membership lists for four of the five databases. Forty-eight of the 103 companies identified on these membership lists contribute to the MSS-run CNNVD. The full list of companies can be found in Appendix B.
The NVDB does not publish software vulnerabilities, but it shares them with the MPS’ National Cyber and Information Security Information Notification Center and CNCERT/CC (the administrator for CNVD).45“Provisions on the Management of Network Product Security Vulnerabilities.” 工业和信息化部 http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm. The Ministry of Public Security conducts offensive hacking on targets within China, suggesting the shared vulnerabilities could be used for law enforcement and surveillance—incident reports could start law-enforcement actions, too.46China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States, testimony by John Chen, lead analyst, Center for Intelligence Research and Analysis, Exovera, before the U.S.-China Economic and Security Review Commission hearing (2022). https://www.uscc.gov/sites/default/files/2022-02/John_Chen_Testimony.pdf.
Access to China’s NVDB is limited to PRC nationals with a Chinese telephone number between 8 a.m. and 8 p.m. Beijing time, so information about the internal functions of the platform is incomplete. However, a “how-to” section of the NVDB website offers information about the platform’s functionality.47工业和信息化. “威胁报送.” https://archive.ph/f0mvi. The resource documents how users can report malicious links, Internet Protocol (IP) addresses, file hashes, and file incident reports—among many other capabilities. The following screenshot shows how users reporting a software vulnerability can indicate the type of vulnerability discovered, and whether the bug is already public.
Other components of the “how-to” page indicate that some vulnerability reports are available to some users. The permissions required to access such reports are unclear. The reports are issued using a custom naming convention, which does not appear to match any other public naming conventions. The reports are deemed sensitive enough that only the example in the first row is not blurred out.
The CSVD vulnerability tag in the first column appears in only one other document found online, a government procurement notice. In 2019, CAICT—one of the four organizations that oversees the NVDB—contracted two cybersecurity companies to produce a system now built into the MIIT’s Cybersecurity Threat Intelligence Sharing Platform.50archive.ph. “中国信息通信研究院通信网络安全管理系统网络安全应急能力子平台原型研究与设计项目中标公告,” February 8, 2023. https://archive.ph/vgFdy. LegendSec (网神信息技术) received funding to build a system that would notify users of others’ reports of cybersecurity incidents. EverSec (恒安嘉新)—the company responsible for much of the cloud-computing capabilities at China’s National Cybersecurity Talent and Innovation Base—created a CSVD classification book to automatically validate and score the severity of software vulnerabilities. It is this CSVD scoring-and-tagging system that likely adorns software vulnerabilities submitted to the MIIT databases. The MIIT likely created this new naming convention simply because the use of any other convention (CVE, CNVD, or CNNVD) would require the involvement of an outside organization. A full technical-specifications document for the procurement of the CSVD system is available online.51中国信息通信研究院, https://github.com/D14141414141414/References/blob/8b8fccfec1bd0c0aeaa51d0aa7ad66f69e9f3259/7R01%2B%E5%8F%91%E5%94%AE%E7%89%88.pdf.
The NVDB’s downstream databases offer companies support services. The mobile-application database hosts a team that helps companies remediate software vulnerabilities. The tripwires that cause these MIIT groups to help a firm patch its vulnerable software are unclear.52If reported vulnerabilities are not addressed in a timely fashion, the supporting functions of the MIIT Mobile Application Database will work to support the private company. It is unclear what counts as “too long.” This support mechanism aligns well with PRC technology-development policies that aim to improve security. Other researchers have noted how poor IT security is for many PRC tech companies.53Devin Thorne, “China’s Vulnerability Disclosure Regulations Put State Security First,” Australian Strategic Policy Institute, August 31, 2021, https://www.aspistrategist.org.au/chinas-vulnerability-disclosure-regulations-put-state-security-first. These remediation services will likely raise the floor of performance.
The MIIT’s supporting role suggests that PRC tech companies are subject to far more in-depth oversight, however occasional, at the software-development level than previously known. This raises questions about how, when, and to what extent the state is involved in a company’s code base, and whether such oversight extends beyond mobile applications and PRC-based companies.54In fairness to the MIIT, China’s mobile application stores are notoriously laden with bad software.
The MIIT’s mission to create new, better technology standards incidentally leads it to fund the discovery of software vulnerabilities in foreign products. For example, the MIIT launched the Internet of Vehicles Identity Authentication and Safety Trust Pilot Project in 2021.55Perma | 车联网身份认证和安全信任试点工作启动会召开 齐向东详解车联网安全关键因素_财经_中国网 CAICT oversees a committee for the project.56“车联网身份认证和安全信任试点” 车联网身份认证和安全信任工作专家委员会, December 6, 2022. https://web.archive.org/web/20221206200600/http:/www.caict.ac.cn/xwdt/ynxw/202109/P020210924326795055693.pdf. The pilot project funded at least sixty-one research contracts for improving the security, safety, and trustworthiness of internet-connected vehicles. Qi An Xin, operator of a CNVD partner database mentioned above, hosts the Xingyu Internet of Vehicles Laboratory (星與车联网实验室).57“车联网身份认证和安全信任试点工作启动会召开 齐向东详解车联网安全关键因素.” 中国网财经. https://perma.cc/57HE-E8ZE. Researchers from the lab are likely funded by six of its contracts from the MIIT to improve internet-connected vehicles’ security.58奇安信. “2021国家网安周:刘勇谈‘四轮驱动’构建车联网安全体系-奇安信.” https://perma.cc/E4NH-BHQ6. Researchers shared many of their successful attack methodologies online—some posts include foreign brands, such as Tesla.59“车联网身份认证和安全信任试点工作启动会召开 齐向东详解车联网安全关键因素.” 中国网财经. https://perma.cc/57HE-E8ZE.
“Twitter Archive Https://Twitter.Com/Kevin2600/Status/1442860693573668866.” https://perma.cc/N5FP-HEJ9; “车联网安全之侠盗猎车 : 玩转固定码 (上) – FreeBuf网络安全行业门户.” https://perma.cc/6ZC3-DZ8K; “星舆实验室 — ADAS自动驾驶欺骗- FreeBuf网络安全行业门户.” https://perma.cc/4MU8-W8FE. Researchers submit new vulnerabilities to the MIIT’s Internet Connected Vehicles Vulnerability Database (CAVD)—a subset of the NVDB—as required by the RMSV. Xingyu Lab is even listed among the CAVD’s Vulnerability Analysis Experts Working Group in Appendix B. Some of the vulnerabilities are also reported back to the vehicle’s manufacturer—though these data are patchy and disclosure to the manufacturer is voluntary. Although industrial policy is not the focus of this report, it is clear that some of the MIIT’s other work results in software vulnerabilities reported back to its own databases.
Unfortunately, cooperation with the NVDB by foreign firms appears to be to their detriment. The NVDB’s ICS database lists companies that submit vulnerabilities for their own products.60国家工业信息安全发展研究中心. “通知|国家工业信息安全漏洞库(CICSVD)2022年度成员单位名单公示.” https://archive.ph/Yr8HX#selection-105.14-105.50. This list includes a handful of foreign firms complying with the PRC regulation. At least one foreign firm submitting to the database said it was not receiving reciprocal reports of vulnerabilities in its own products found by other researchers, while, at the same time, it saw a significant decrease in vulnerabilities reported from China.61Proprietary insight from authors’ work. In effect, this company lost visibility into vulnerability research published in China, and was simultaneously submitting its own internally discovered bugs to the MIIT without any benefit to the firm besides RMSV compliance. This anecdotal evidence supports the analysis in the CNVD section above regarding missing ICS vulnerabilities. It is unclear whether the firm is proactively submitting its vulnerabilities to other governments.62Microsoft’s MAPP does this. Partners from many countries receive advance warning of significant vulnerabilities to be patched by Microsoft so the patches can be rolled out quickly. “Microsoft Active Protections Program.” https://www.microsoft.com/en-us/msrc/mapp.
Few good options
In contrast to China’s vulnerability collection system, the United States’ disclosure system seems less organized, and its voluntary nature makes the government’s aperture smaller.
In the United States, software vulnerabilities are issued a Common Vulnerabilities and Exposures (CVE) ID by a MITRE-approved CVE Numbering Authority.63“CVE List Home,” CVE, last visited July 19, 2023, https://cve.mitre.org/cve. When one of the nearly three hundred CVE Numbering Authorities—ranging from cybersecurity firms to device manufacturers—issues a CVE, the vulnerability is automatically connected to the National Vulnerability Database run by the National Institute of Standards and Technology (NIST).64“List Of Partners,” CVE, last visited July 19, 2023, https://www.cve.org/PartnerInformation/ListofPartners. Software vulnerabilities can, thus, be reported to any number of companies, at any time the researcher chooses, for compensation or for free, before the CVE Numbering Authority verifies the vulnerability and issues a CVE, thus making the vulnerability public. Like China’s MIIT, CISA also offers services to support vulnerability patching and mitigation.65“Coordinated Vulnerability Disclosure Process,” Cybersecurity and Infrastructure Security Agency, last visited July 19, 2023, https://www.cisa.gov/coordinated-vulnerability-disclosure-process. Most significantly, there are no means to compel companies or researchers to submit vulnerabilities to CVE Numbering Authorities—regardless of whether they participate in China’s system.
Policymakers’ instinct may be to copy some parts of China’s system—say, requiring that firms that provide vulnerability information to China’s government also provide it to CISA. These types of reforms are unnecessary and, ultimately, useless. Nothing is gained if companies are required to submit vulnerabilities to CISA when they submit to the MIIT. The US government does not have the remit, nor capability, to defend private computer networks. The short amount of time between vulnerabilities being reported and patched—just nine days in 2018–2019 according to Mandiant (now part of Google Cloud)—emphasizes the limited value of collection for defensive purposes.66Metrick, et al., “Think Fast.” Without the ability or time to operationalize knowledge about vulnerabilities reported to the PRC for defensive purposes, mandating they be reported to CISA has no clear value.
The lack of value in policy changes to the US system for defensive purposes raises questions about China’s own motives.
The time between vulnerability discovery and patching in China is unknown. It may well be longer than the nine days suggested by Mandiant data on US-issued CVEs (which includes US and many foreign products), but this discounts the considerable talent employed at China’s leading technology companies. Companies may not be prioritizing vulnerability remediation at the pace policymakers prefer, but—in a tech sector with a twelve-hour workday, a six-days-per-week work culture, and significant state emphasis on security—it seems unlikely. Surely the Chinese researchers who dominated Pwn2Own and other international vulnerability competitions before they were blocked from leaving the country are still quite good, and are able to secure companies’ products in China.
However, the MIIT’s Cybersecurity Threat and Vulnerability Information Sharing Platform, which operates the NVDB, likely improves China’s collective cyber-defense capabilities in a different way. Rather than instigating firms to patch known vulnerabilities, the NVDB likely improves cybersecurity companies’ ability to detect cyberattacks by increasing visibility of known vulnerabilities. If cybersecurity firms can access all vulnerability reports submitted into the database—which this report cannot confirm—then the result would be improved cybersecurity. Companies could take these reports and integrate them into their operations, creating new detection rules that make exploiting the vulnerabilities harder even before a patch is available.
This system would offer significant defensive advantages over the US ecosystem. Currently, cybersecurity companies become aware of software vulnerabilities when they are given a CVE by a CVE Numbering Authority, or when the company observes the zero-day vulnerability being exploited on its customer’s systems. This process creates a dynamic in which cybersecurity companies can only defend against what they have observed as a company. Firms with more customers have greater visibility and, if efficient, detect more vulnerabilities being exploited before they are issued CVEs. Mandiant was able to produce its report on the timeline of vulnerability patching precisely because of its visibility into attacks against its customers.
What to do? Creating a database like the one operated by the MIIT could erode cybersecurity companies’ competitive advantages over one another. Hard-fought market share, keen threat intelligence, competitive pricing, and satisfied customers allow companies to compete in the market. Forcing the aggregation of these companies’ data on software vulnerabilities being exploited and intrusions against customers (as the MIIT’s NVDB collects) would significantly upend the cybersecurity market. Besides upsetting the market, creating a shared database of vulnerabilities and intrusions against customers would also create a significant target for foreign intelligence services. The data it held would be valuable counterintelligence information—letting foreign governments know which operations are being tracked by defenders.
A better path would be for policymakers to implore CVE Numbering Authorities to verify vulnerabilities and assign them a CVE more quickly. This would push reported vulnerabilities into the public view, and allow all firms to update defenses without compromising the privacy of their customers or creating a target for intelligence collection. A public leaderboard of all CVE Numbering Authorities with each organization’s average time to complete validation and naming of vulnerabilities could instigate progress. Although a negative externality of this progress may be an increase in vulnerabilities for attackers to exploit (data do show many hackers quickly target vulnerabilities after they are published or after a patch has been released), the spike might be short-lived.67Ibid; “Microsoft Digital Defense Report 2022,” 39. Companies would need to respond to the pressure of public disclosure by ramping up efforts to patch software—a positive outcome for everyone.
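The leaderboard proposed above can be computed from the public CVE records themselves. The Python below is an added example, not code from the report or from the CVE Program: it takes records shaped like the `cveMetadata` block of CVE JSON 5.0 (which carries `assignerShortName`, `state`, `dateReserved` and `datePublished`) and ranks each CNA by its mean reserve-to-publish time, using that interval as a proxy for validation-and-naming time (an assumption, since reservation may precede or follow the researcher's report). The sample records, CNA names and `CVE-0000-*` IDs are constructed placeholders, not real entries. Records that are not in the `PUBLISHED` state, lack a date, or have a publish date earlier than the reserve date are skipped rather than silently skewing the average.

```python
"""Rank CVE Numbering Authorities by mean reserve-to-publish time.

Added example for illustration; not the report's or the CVE Program's code.
Input mimics the shape of CVE JSON 5.0 'cveMetadata'. All records below are
constructed placeholders with fake IDs and fake CNA short names.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records (hypothetical CNAs "cna_alpha", "cna_beta", "cna_gamma").
SAMPLE_RECORDS: List[Dict] = [
    {"cveMetadata": {"cveId": "CVE-0000-00001", "assignerShortName": "cna_alpha", "state": "PUBLISHED",
                     "dateReserved": "2023-01-01T00:00:00.000Z", "datePublished": "2023-01-11T00:00:00.000Z"}},
    {"cveMetadata": {"cveId": "CVE-0000-00002", "assignerShortName": "cna_alpha", "state": "PUBLISHED",
                     "dateReserved": "2023-02-01T12:00:00Z", "datePublished": "2023-02-21T12:00:00Z"}},
    {"cveMetadata": {"cveId": "CVE-0000-00003", "assignerShortName": "cna_beta", "state": "PUBLISHED",
                     "dateReserved": "2023-03-01T00:00:00.000Z", "datePublished": "2023-03-04T00:00:00.000Z"}},
    {"cveMetadata": {"cveId": "CVE-0000-00004", "assignerShortName": "cna_beta", "state": "PUBLISHED",
                     "dateReserved": "2023-03-10T08:30:00.000Z", "datePublished": "2023-03-15T08:30:00.000Z"}},
    {"cveMetadata": {"cveId": "CVE-0000-00005", "assignerShortName": "cna_beta", "state": "PUBLISHED",
                     "dateReserved": "2023-04-02T00:00:00Z", "datePublished": "2023-04-06T00:00:00Z"}},
    {"cveMetadata": {"cveId": "CVE-0000-00006", "assignerShortName": "cna_gamma", "state": "PUBLISHED",
                     "dateReserved": "2023-05-01T00:00:00.000Z", "datePublished": "2023-06-10T00:00:00.000Z"}},
    # Edge cases: a rejected entry and a reserved-but-unpublished entry must not count.
    {"cveMetadata": {"cveId": "CVE-0000-00007", "assignerShortName": "cna_gamma", "state": "REJECTED",
                     "dateReserved": "2023-05-02T00:00:00.000Z", "datePublished": "2023-05-03T00:00:00.000Z"}},
    {"cveMetadata": {"cveId": "CVE-0000-00008", "assignerShortName": "cna_gamma", "state": "RESERVED",
                     "dateReserved": "2023-05-04T00:00:00.000Z"}},
]

_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def parse_timestamp(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps used in CVE records, with or without fractional seconds."""
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp: {value!r}")


def reserve_to_publish_days(record: Dict) -> Optional[float]:
    """Days from reservation to publication, or None if the record should be excluded."""
    meta = record.get("cveMetadata", {})
    if meta.get("state") != "PUBLISHED":
        return None
    reserved, published = meta.get("dateReserved"), meta.get("datePublished")
    if not reserved or not published:
        return None
    delta = parse_timestamp(published) - parse_timestamp(reserved)
    if delta.total_seconds() < 0:  # malformed record: published before reserved
        return None
    return delta.total_seconds() / 86400.0


def cna_leaderboard(records: Iterable[Dict]) -> List[Tuple[str, float, int]]:
    """Return (cna, mean_days, published_count) tuples, fastest CNA first."""
    durations: Dict[str, List[float]] = defaultdict(list)
    for record in records:
        days = reserve_to_publish_days(record)
        if days is None:
            continue
        cna = record["cveMetadata"].get("assignerShortName", "<unknown>")
        durations[cna].append(days)
    board = [(cna, round(sum(d) / len(d), 2), len(d)) for cna, d in durations.items()]
    board.sort(key=lambda row: (row[1], row[0]))
    return board


if __name__ == "__main__":
    for cna, mean_days, n in cna_leaderboard(SAMPLE_RECORDS):
        print(f"{cna:<12} mean {mean_days:6.1f} days over {n} published CVE(s)")
```

Against a real download of the CVE List (the same JSON 5.0 shape), the only change needed is to load the files into `records`; the per-CNA mean, together with the count, is what a public leaderboard would display, and the count matters because a single-CVE CNA's average says little.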
Conclusion
After changes to policy in 2017, cybersecurity researchers from China were prohibited from traveling abroad to participate in software security competitions. The new rules aligned with China’s thought leaders at the time. The prevailing idea that such vulnerabilities are a “national resource” remains unchanged. China then took steps to set up its own software vulnerability competitions, such as Tianfu Cup. The competition has attracted attention for the number and quality of vulnerabilities furnished by researchers each year.68J. D. Work, “China Flaunts Its Offensive Cyber Power,” War on the Rocks, October 22, 2021, https://warontherocks.com/2021/10/china-flaunts-its-offensive-cyber-power. Also in 2017, China began hosting competitions to spur progress on technologies to automate the discovery, patching, and exploitation of software vulnerabilities.69Cary, “Robot Hacking Games.” This system, however, did not allow the state to collect all vulnerabilities discovered in China. The security services were still only receiving voluntary reports from companies electing to participate in their databases. CNVD seemingly attempted to improve collection by adding its partner databases from higher education and the private sector, but this was only a half measure.
China’s system for collecting software vulnerabilities is now all-encompassing. The PRC system has evolved from incentivizing voluntary disclosure to security services and encouraging disclosure to private-sector firms into mandating vulnerability disclosure to the state.
The 2021 RMSV increased the aperture of China’s vulnerability collection. Companies doing business in China are required to submit notice of a software vulnerability within forty-eight hours of being notified of it. Our report shows at least some foreign firms are complying with the regulations—though our limited visibility likely deflates the true number of companies adhering to the rules. Independent researchers, while not expressly required to disclose vulnerabilities to the MIIT, are prohibited from publishing information about vulnerabilities except to the company that owns the product—the same companies required to report the vulnerability to the government. The result is near total collection of software vulnerabilities discovered in China.
Researchers and organizations are now subject to dual reporting structures—mandatory disclosure to NVDB and continued, voluntary disclosure to CNVD or, in the case of technology support units, submission thresholds to meet membership requirements for the MSS CNNVD. A graphic from the “about us” section of the NVDB encourages reporting to the old CNVD and CNNVD databases concurrently.70“一图读懂《网络产品安全漏洞管理规定》.” 工业和信息化部网络安全威胁和漏洞信息共享平台 https://archive.ph/QvFgF. Indeed, many of the CNNVD technology support units are also listed on the MIIT databases’ respective membership lists. The parallel existence of these databases, and the competition between legal requirements to submit into the new system and incentives for voluntary disclosure into the old systems, suggests some squabbling over turf between bureaucracies. For the companies involved in multiple databases, there is a clear incentive to act as an intermediary across bureaucratic boundaries.
This report demonstrates that the mandated vulnerability and threat-intelligence sharing from the MIIT’s new database to the CNCERT/CC’s CNVD facilitates access to reporting by a regional MSS office, a known PLA contractor, and a university research center with ties to PLA hacking campaigns that conducts both offensive and defensive research. These organizations with ties to offensive hacking activities would be negligent if they did not utilize their access to CNVD vulnerability reports to equip their operators. The observable increase in the number of zero-days used by PRC hacking teams, as indicated by the 2022 Microsoft “Digital Defense Report,” suggests that these organizations’ access is resulting in vulnerabilities being used by offensive teams.
Other countries’ security services often rely on their own tools to discover, purchase, and observe software vulnerabilities for offense and defense. China’s security services do all of those things, too, but the new pipeline established by the RMSV provides it a clear advantage in accessing software vulnerabilities discovered by the private sector.
Key recommendations
- Policymakers should seek to decrease the time between software vulnerability report submissions to CVE Numbering Authorities and the time it takes for them to be validated, named, and published. Efforts to recreate China’s system in the United States would not succeed in any meaningful sense, and would likely be met with opposition by industry. Instead, improving industry performance within the current system is the best approach. Many of the approximately 300 CVE Numbering Authorities are companies with their own products. Vulnerabilities in products from companies that are not numbering authorities are slower to be validated and published. This creates a bottleneck of unverified and unvalidated vulnerabilities.
- Policymakers should seek to improve US government vulnerability intelligence.71Thanks to Chris Rohlf for this recommendation. Vulnerability intelligence uses the precursors to vulnerability discovery—namely, the people, companies and organizations, their technical competencies and niches, the tools and kit they purchase, and any vulnerabilities they make public—to estimate who might be working to discover vulnerabilities and in which systems. Crucially, this research would create insights into the kinds of vulnerabilities that foreign researchers are discovering, but not publishing. Data found in this report, such as lists of companies in the appendices, could be used to enable further research and collection on this topic.
About the authors
Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub and a consultant at Krebs Stamos Group. He focuses on China’s efforts to develop its hacking capabilities.
Kristin Del Rosso works at Sophos as a product manager focusing on Incident Response, Threat Intelligence, and the SecOps ecosystem. She enjoys threat hunting and learning about new forms of security research.
Editors: Chris Rohlf, Kitsch Liao, Colleen Cottle, Winnona DeSombre, Jonathan Reiter, Stewart Scott, Devin Thorne, and Ian Roos.
Appendix A
Appendix B
Technology Member List72国家工业信息安全发展研究中心. “通知|国家工业信息安全漏洞库(CICSVD)2022年度成员单位名单公示.” https://archive.ph/Yr8HX#selection-105.14-105.50.
Product Member List73国家工业信息安全发展研究中心. “通知|国家工业信息安全漏洞库(CICSVD)2022年度成员单位名单公示.” https://archive.ph/Yr8HX#selection-105.14-105.50.
Technology Support Units74国家工业信息安全发展研究中心. “关注|‘信创漏洞库’第二批技术支撑单位评审合格单位名单公示.” archive.ph, January 24, 2023. https://archive.ph/51Jn4.
Vulnerability Analysis Experts Working Group75车联网产品安全漏洞专业库. “关于新增‘车联网漏洞分析专家工作组’专家成员的公示.” https://archive.ph/ncHPu#selection-749.1-749.26.
Technology Support Units76工业和信息化部软件与集成电路促进中心. “工信部移动互联网APP产品安全漏洞库技术支撑单位新增七家.” https://archive.ph/ixFwo.