The Chinese government appears to use its software vulnerability disclosure rules to preview dangerous zero-day flaws before tech companies can deploy fixes, a top Department of Homeland Security official said Wednesday.
Beijing’s strict vulnerability reporting rules mean government officials could get “early access” to even the most serious vulnerabilities, DHS Under Secretary for Policy Robert Silvers said during the Black Hat cybersecurity conference in Las Vegas.
If the Chinese government is analyzing zero-days, or previously unknown software flaws, before affected companies can deploy a fix, Beijing could gain the upper hand when carrying out cyberattacks against the U.S. or other digital adversaries.
Silvers said that a DHS review board assembled to investigate the recent Log4j software vulnerability, which was initially discovered by the Chinese tech giant Alibaba, concluded its inquiry with “very troubling” questions about Chinese disclosure rules.
In the case of the Log4j vulnerability, however, Alibaba revealed the flaw prior to notifying the Chinese government, according to Silvers.
“Alibaba did the right thing,” he said. But, Silvers said, the review board’s findings suggest Alibaba was likely punished by the Chinese government, raising questions about whether and how Chinese officials use security disclosure information.
Chinese companies are required to report vulnerabilities to the government within two days of discovering them. They are also barred from publicly disclosing vulnerabilities during “major national events.”
Silvers was speaking about the findings of the DHS Cyber Safety Review Board, a group of 15 top public and private sector cybersecurity experts whose inaugural investigation into the Log4j vulnerability wrapped last month. He said that board members are concerned by Chinese news reports that Alibaba was punished for publicly disclosing the vulnerability before alerting the Chinese government.
“We think that this was a good vulnerability disclosure process, and it was troubling to us that there would be some kind of punishment,” Silvers said.
The board found that Alibaba told the Chinese government about the vulnerability on Dec. 13, four days after informing the Apache Software Foundation, said Silvers. The Chinese government talked to the review board but did not address whether Alibaba was penalized in any way, he said.
Silvers called the review board’s work on Log4j “the largest mass scale cyber response in history.” He said that while the board’s work is done, risks from the Log4j vulnerability aren’t going away any time soon. The vulnerability is “so easy to exploit, and so ubiquitous” that organizations should expect the threat to linger for “years to come, maybe a decade or longer.”
Silvers declined to comment on whether the review board plans to examine any other cybersecurity incident in the near term.