In recent years, China has been ramping up its efforts in the field of cybersecurity. The country adopted a law that requires technological companies to report any vulnerabilities they find in their software. However, the analytical center Atlantic Council has warned that this initiative could have far-reaching consequences for global cybersecurity.
Last year, China passed a law that mandates companies and security researchers to report any vulnerabilities they discover to the Ministry of Industry and Information Technology within 48 hours. The data is then integrated into the national database of vulnerabilities, known as CnCert/CC.
At first glance, it may seem that China is simply strengthening its security measures to protect its national information networks. However, the Atlantic Council points out that undisclosed vulnerabilities can become powerful tools in the hands of government hackers for cyber espionage operations.
This regulatory requirement not only poses risks for China but also for the entire world. The National Vulnerability Database (NVD) becomes a “gold reserve” of exploited vulnerabilities that can be used for hacking systems and users in different countries.
Researchers have found that CNCERT/CC provides access to its partners, including the Beijing Bureau of the Ministry of State Security of China, the well-known contractor of the People’s Liberation Army of China (LLC) Beijing Topsec, and the research center at Shanghai University of Jiao Tong.
For foreign companies operating in China, this law creates a complex dilemma. They must choose between complying with the requirements and risking compromise or leaving the Chinese market altogether. Some companies have already decided to comply with the law despite the risks it poses for global cybersecurity.
This initiative is further intensifying tensions between the United States and China, particularly in light of recent cyber espionage incidents. For instance, in July, it was revealed that Chinese hackers had compromised the email accounts of the Minister of Trade Gina Raymondo and other officials from the State Department and the Ministry of Trade.
In summary, the Chinese cybersecurity law not only aims to protect but also threatens global safety by creating new vectors for cyber attacks and espionage on a global scale.