Security News
The Cyberspace Administration of China has issued new, stricter vulnerability disclosure regulations that require software and networking vendors affected by critical flaws to disclose them directly to government authorities within two days of filing a report. The "Regulations on the Management of Network Product Security Vulnerability" are expected to go into effect on September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and to prevent security risks.
The US and its allies, including the European Union, the United Kingdom, and NATO, are officially blaming China for this year's widespread Microsoft Exchange hacking campaign. The Biden administration states "with a high degree of confidence that malicious cyber actors affiliated with PRC's MSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021."
Russian cybersecurity firm Kaspersky, which first spotted the infections in October 2020, attributed them to a threat actor it tracks as "LuminousMoth," which it connected with medium to high confidence to a Chinese state-sponsored hacking group called HoneyMyte or Mustang Panda, given its observed victimology, tactics, and procedures. About 100 affected victims have been identified in Myanmar, while the number of victims jumped to nearly 1,400 in the Philippines, although the researchers noted that the actual targets were only a fraction of the initial numbers, including government entities located both within the two countries and abroad. The goal of the attacks is to affect a wide perimeter of targets with the aim of hitting a select few that are of strategic interest, researchers Mark Lechtik, Paul Rascagneres, and Aseel Kayal said.
Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year. Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers.
China is making sure that all newly discovered zero-day exploits are disclosed to the government. Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make.
Hong Kong's Office of the Government Chief Information Officer has revealed that the territory is investigating the use of its digital ID in mainland China. In a Q&A, Secretary for Innovation and Technology, Mr Alfred Sit, said "The OGCIO is exploring with relevant authorities in the Mainland and Macao the collaboration opportunities between their identity authentication systems and iAM Smart."
Infosec concerns have led China's government to apply closer scrutiny to Chinese companies that list and send data offshore, according to a document written by China's State Council cabinet and the Communist Party's General Secretary. "For a long time, the low cost of illegal securities has plagued the development of the market," states the Opinions on Strictly Cracking Down on Illegal Securities Activities in Accordance with the Law document in state-sponsored Xinhua News.
Theft of U.S. IP is a fundamental part of China's stated intention to be the world leader in science and technology by 2050. The Safeguarding American Innovation Act is designed to prevent foreign powers - and especially China - from stealing or unlawfully acquiring U.S. federally funded research.
Chinese ride-hailing app DiDi Chuxing was on Sunday removed from local app stores on the grounds that it did not comply with data protection laws. In its notice announcing the action, the CAC wrote: "The DiDi Travel App has serious violations of laws and regulations in collecting and using personal information."
The United States is comfortably the world's most powerful nation when measured on "Cyber capabilities that make the greatest difference to national power," according to British think tank The International Institute for Strategic Studies. The report says America's "Capability for offensive cyber operations is probably more developed than that of any other country, although its full potential remains largely undemonstrated".