Priscilla Moriuchi, Director of Strategic Threat Development at Recorded Future, has undertaken research which shows that China has been altering public vulnerability data to conceal its Ministry of State Security’s influence.
TEISS spoke to Moriuchi about CNNVD’s (China’s National Vulnerability Database) manipulation of its vulnerability publication data and what implications China’s activities could have on the rest of the world.
Also of interest: women in cyber and how to change the pattern
Background to the story
This new research reports that China’s recently instituted Cybersecurity Law (CSL) mandates that companies operating in China adopt a “tiered system of network security protections” and can hold companies both legally and financially responsible for a “network security incident”.
However, for a foreign multinational company to comply with all the provisions of the CSL means that it may simultaneously be violating Western laws or regulations, such as EU GDPR, against cooperating with Chinese security and intelligence services.
Recorded Future’s previous research found that China had a process for evaluating whether high-threat vulnerabilities had operational utility in intelligence operations before publishing them to the CNNVD.
In revisiting this analysis, Recorded Future have discovered that CNNVD had back-dated and altered their initial vulnerability publication dates in what they assess is an attempt to cover-up that evaluation process.
Also of interest: what you need to know about security by design
Why is this significant?
Moriuchi explains that this is significant for businesses or consumers that rely solely on CNNVD's for their vulnerability management. CNNVD is no longer a reliable tool, so they need to diversify to using other NVD's or pulling their own data from vendors or information security professionals.
Moriuchi explains that there is an imbalance existing in institutions across China when it comes to the transparency mandate of vulnerability reporting and secrecy mandate of an intelligence service.
"In China the intelligence, secrecy and control mandate of the party and government have taken precedence over this public service that should be a vulnerability database," she says.
Moriuchi feels this speaks volumes about how China not only treats its own citizens but also businesses and transnational corporations who are conducting business in China.
"It's really a signifier of how they will interact over the next 20-30 years if they become the largest economy and most dominant world player," she adds.
What are the geopolitical implications?
Moriuchi states that China's many mechanisms of control such as CNNVD data, cyber operations, the Great Fire Wall and online trolls, give insight into what China fears and what their concerns are, both with their own population, but also the rest of the world.
"We think this could be a testing ground for them - so they test capabilities on their own population – figure out whether they are useful and then apply them to the rest of the world," she adds.
Also of interest: will data wars threaten globalisation?
"This is just another indicator about how China will seek to control not just its own population, but the information environment about its leadership over the coming decade and what that could mean in terms of the rest of the world and how they try to interact with us," Moriuchi states.
How is China different to other countries?
Moriuchi explains that China is an innovator when it comes to information control and approaches it far more broadly than other countries do.
"While all countries might do similar things on a smaller scale, we see China taking that control and applying to areas like government ministries, organisations with public service missions, as well as abroad," she says.
The fact that China's secret service (MSS) is involved in administering China's cyber security laws, technology review, and cyber operations (domestic and international) concerns Moriuchi.
The Chinese government is slowly heaping on new levels of regulation and forced cooperation with the security services which businesses aren't aware of. "By the time it all adds up it'll be too late for large corporations to do much about it," she warns.
Also of interest: how can retailers protect themselves from cyber attacks?