A new law issued by the Chinese government makes it illegal to share vulnerability information with any organization except for the government and the maker of the affected product, a restriction that will likely chill research efforts, even among Chinese citizens living overseas, according to security and legal experts.
The Network Security Law of the People's Republic of China, issued on July 13, aims — on its face — to improve the security of Chinese networks and hold network product makers responsible for vulnerabilities in their hardware and software. However, the law also limits how research can be conducted and punishes researchers who share vulnerability information too widely or "exaggerate the hazards and risks of network product security vulnerabilities," according to a translated copy of the law.
Article 9 of the law also restricts researchers from publishing proof-of-concept code, requires that any information about vulnerabilities be disclosed after a patch, and requires details of vulnerabilities be disclosed only to the Chinese government and, optionally, to the maker of the product.
"This particular clause is controversial, to say the least," says Chenxi Wang, a general partner with Rain Capital and former associate professor at Carnegie Mellon University. "It will limit Chinese security researchers' abilities to collaborate with their international peers. ... It may potentially stifle security research in China and isolate Chinese security professionals from the International community."
While the law only pertains to people within China, the Chinese government's approach to enforcement, if strict, could result in chilling security research outside of the country as well, especially among expat Chinese citizens or security companies that are looking to do business in one of the world's largest markets.
There is already examples of companies censoring themselves to please China's government. Hollywood studios and game companies have abandoned topics and plotlines that could be seen as criticism of China or its policies.
Chinese citizens living outside of China and companies aiming to do business in China should worry, says Justin Antonipillai, founder and CEO of data-protection firm WireWheel and the former acting under secretary for economic affairs at the US Department of Commerce during the Obama administration.
"On its face, it is likely to govern people who are operating in China, but if you are a Chinese national and you live outside of China, you obviously don't know how it could be enforced later," he says. "Reporting every vulnerability to the government itself is pretty significant. All of the phrases in the law are pretty broad, and who knows what the government will use the information for."
The concerns come as a multilateral group of nations — including the United States, the United Kingdom, the European Union, and NATO — accused China of collaborating with cybercriminal groups to conduct economic espionage against other governments and industries. The US Department of Justice unsealed indictments against four Chinese nationals, who the agency claims are working with China's Ministry of State Security to steal intellectual property and business secrets.
While how China intends to implement the law is not clear, and neither is whether the government will reserve the information for use by its military for cyber operations, the lack of clarity should cause concern, says Chris Levendis, program leader for MITRE's Common Vulnerabilities and Exposures (CVE) program. "I don't think this is a positive development for transparency or software security," he says. "As a general rule with vulnerability disclosure, the more transparent the better. ... This opens up the possibility of hiding vulnerabilities."
In 2018, threat intelligence firm Recorded Future released a report accusing China of systematically delaying the disclosure of the most critical vulnerabilities so its Ministry of State Security could assess the flaws for use in surveillance and intelligence operations.
The law also muddies the relationship between independent bug bounty hunters, penetration testers, and their clients. A Chinese vulnerability researcher taking part in a bug bounty may be forced to choose between violating a nondisclosure agreement to notify the Chinese government of vulnerabilities or running afoul of the Network Security Law by failing to notify the Chinese government.
"It is super problematic and super messy when you are talking about people who are finding defects for hire for a particular manufacturer," says Chris Wysopal, chief technology officer and founder at application security firm Veracode. "We have NDAs with our customers, and we exchange all sorts of information that we don't want public."
The law could also have a significant impact on MITRE's CVE program as well. Currently, about 40% of vulnerability submissions are from Chinese researchers, but the law makes it illegal to share vulnerability information with international organizations.
"I'm certain the numbers will take a hit, but I do not know how much," says MITRE's Levendis. "We don't know what the unintended consequences will be, nor China's motivations ... so you can derive themes and theories, but until it plays out, we will have to see how it develops."