Friday, May 26, 2023

China’s infosec researchers may have dodged vulnerability reporting ban • The Register

Vulnerability research by Chinese information security researchers has fallen sharply, according to an analysis by The Atlantic Council, a think tank, which also found a curious, corresponding rise in vulnerability research from unattributed sources.

The Council reviewed the state of Chinese information security research in light of the introduction of China's Regulations on the Management of Network Product Security Vulnerabilities (RMSV) in 2021, which require local researchers to report any vulnerabilities they find to the authorities. The rules are reportedly designed to let Chinese authorities stockpile vulnerabilities that could be used for strategic or offensive operations. Chinese researchers have reportedly also been barred from taking part in international information security competitions for similar reasons.

In a paper titled “Dragon Tails: Preserving International Cybersecurity Research,” the Council noted that China’s information security researchers are prolific and successful, and that Alibaba’s discovery of the Log4j vulnerability is a prime example of their work.


Still, the paper noted that Alibaba was sanctioned by Chinese authorities for disclosing the vulnerability. The Council's staff therefore set out to determine whether China’s desire to curb shared vulnerability research is harming the wider international community.

To this end, the researchers examined vulnerability disclosures from organizations such as Microsoft, Apple, VMware, F5, and Red Hat, because these companies credit the source of the vulnerabilities they publish by name.

This approach found a significant decrease in vulnerability reports from China to Microsoft, but also a rise of “comparable size and significance” in reports attributed to individuals, to companies with no identifiable country, or with no attribution at all.

The Council's researchers suspect that Chinese researchers may be reporting bugs anonymously instead.

At Red Hat, vulnerability reports from China dropped significantly up to 2021 and have remained low since. The authors of the paper believe this may be because China is forking open source projects and spending less time contributing to projects based overseas.

One clear pattern seen across vendors and maintainers is that Chinese security company Qihoo 360 almost disappeared from vulnerability research after July 2020, when the U.S. Department of Commerce added the company to its Entity List, imposing trade sanctions.

Once again, anonymous research surged shortly after Qihoo 360 was sanctioned.

The paper concludes that the RMSV has had a measurable impact, and that if similar laws were enacted elsewhere, they could insulate a large part of the research community from the vulnerability disclosure practices of the wider world.

“Such fragmentation and division only add to the dangers of an already difficult landscape,” the paper states.

The Council therefore calls for action.

“The United States and its allies should treat the disclosure of Log4Shell as a call to action to enhance the scope and resilience of global vulnerability disclosure,” the paper states. “Domestic legislative changes that strengthen individual countries' vulnerability research are helpful, but they are insufficient to address the strategic implications of such shocks.”

The authors therefore recommend harmonizing vulnerability disclosure rules to permit cross-border sharing, international funding of open source vulnerability research tools, and monitoring of disclosure trends to identify gaps. Other strategies include establishing international processes that make it easier to report bugs anonymously, and using national bug bounty programs to incentivize research into critical software.

The report closes on an upbeat note: information security researchers generally behave ethically, as shown by Alibaba’s discovery and reporting of Log4j “despite the RMSV and other regulatory pressures, and with no clear profit motive”.

“That kind of relationship, exercised throughout the security ecosystem, is worth preserving.” ®
