China requires computer companies doing business there to reveal weaknesses in their software, leading to state-supported hacking. (Source: Adobe Stock)

China Demands Computer Backdoor Keys, Revealing Weaknesses in 2021 Law

Computer software and hardware are used in every major business, including the banking sector, the defense sector, medical centers and so on. These companies exchange data with each other on an almost incalculable scale. If someone nefarious taps into or hacks any of these business interactions, it creates thorny problems for the company and the victims, while becoming a gold mine for the hacker.

While hacking is against the law in most of the world, according to a Sept. 6 story on wired.com, China’s laws actually make hacking easier.

Revealing the Weakness

For state-sponsored hacking operations, unpatched vulnerabilities are valuable ammunition. Intelligence agencies and militaries seize on hackable bugs when they’re revealed—exploiting them to carry out their campaigns of espionage or cyberwar—or spend millions to dig up new ones or to buy them in secret from the hacker gray market.

But for the past two years, China has added another approach to obtaining information about those vulnerabilities: a law that simply demands that any network technology business operating in the country hand it over. When tech companies learn of a hackable flaw in their products, they’re now required to tell a Chinese government agency—which, in some cases, then shares that information with China’s state-sponsored hackers.

“Today, the Atlantic Council released a report—whose findings the authors shared in advance with WIRED—that investigates the fallout of a Chinese law passed in 2021, designed to reform how companies and security researchers operating in China handle the discovery of security vulnerabilities in tech products. The law requires, among other things, that tech companies that discover or learn of a hackable flaw in their products must share information about it within two days with a Chinese agency known as the Ministry of Industry and Information Technology. The agency then adds the flaw to a database whose name translates from Mandarin as the Cybersecurity Threat and Vulnerability Information Sharing Platform but is often called by a simpler English name, the National Vulnerability Database.”

Some manufacturers of the world’s biggest computer chips might be feeding secret data to Chinese authorities. The report points to a Chinese law passed in 2021.

“As soon as the regulations were announced, it was apparent that this was going to become an issue,” says Dakota Cary, a researcher at the Atlantic Council’s Global China Hub and one of the report’s authors. “Now we’ve been able to show that there is real overlap between the people operating this mandated reporting structure who have access to the vulnerabilities reported and the people carrying out offensive hacking operations.”

Six on the List

The report lists six companies that the authors asked directly whether they had been made to play ball with the Chinese hacking agencies. The report found that these companies appear on a Chinese government list of compliant firms, which seemed to indicate cooperation with the law.

Of the six non-Chinese firms on the Ministry of Industry and Information Technology’s list of compliant ICS technology firms, Taiwan-based D-Link gave WIRED the most direct denial, responding in a statement from its chief information security officer for North America, William Brown, that it “has never provided undisclosed product security information to the Chinese government.”

German industrial control system tech firm Phoenix Contact also denied giving China vulnerability information, writing in a statement,

“We make sure that potential new vulnerabilities are handled with utmost confidentiality and by no means get into the hands of potential cyber attackers and affiliated communities wherever they are located.”

But it’s no surprise that U.S. companies are leaving China in droves, especially as chip and other computer manufacturing is being moved to the United States and other countries. The U.S. State Department issued a warning to its citizens about living in or visiting the country in June of 2023 because of “arbitrary enforcement of local laws, including in relation to exit bans, and the risk of wrongful detentions.” The Chinese economy is in dire straits, and what amounts to state-supported blackmail, or demands for money in exchange for the release of detained business executives, is fueling this exodus.

The piece is packed with information regarding the law and recommends ways to stay aware of a possible hacking bonanza originating in China.

read more at wired.com