Policy Explainer

A Full House: China’s Home-Grown Cyber Threat Research Powerhouse

If cybersecurity were a poker game, China would have just revealed a game-changing hand with its recently rolled out Regulation on the Management of Network Product Security Vulnerabilities (RMSV). This relatively new law is China’s bid to hold the global cybersecurity ace: it not only tightens the country’s domestic cyber defenses but also feeds its global offensive operations.

The law essentially creates a “hot leads desk” for Chinese state-sponsored or state-supported cyber threat actors by requiring the country’s home-grown team of nearly 2,000 cyber researchers to report any vulnerability they discover to the government within 2 days. Under the process the regulation mandates, companies and their customers remain exposed for a period during which the government can begin developing exploits for high-value vulnerabilities.

Under this regulation, researchers must first report the vulnerability, in more technical detail than any other vulnerability reporting system requires, to the National Vulnerability Database, which is shared between the Ministry of Industry and Information Technology, the National Computer Network Emergency Response Technical Team/Coordination Center (a defensive cyber organization), the Ministry of State Security (China’s foreign intelligence service), Shanghai Jiaotong University (a university known for its cyber coordination with the Chinese military), and Beijing Topsec (known for the same). In practice, offensive cyber operation teams receive real-time leads on unpatched, and likely otherwise unknown, vulnerabilities affecting every organization operating in China.

The regulation applies not only to cyber researchers examining companies across the globe, but also to internal security teams at any organization “doing business” in China. This intentionally vague qualifier means that nearly every organization with any operations in China is complying and disclosing its internal vulnerabilities to the government before it is permitted to alert customers or release patches.

According to the 2022 Tenable Threat Landscape Report, known vulnerabilities topped the list of vulnerabilities exploited that year, with some of the exploited flaws dating back to 2017. Even when vendors get ahead of an issue and release a patch, organizations are simply not patching quickly enough or, in some cases, at all. China’s ability to get ahead of those patches and use the database as a jumping-off point for developing operations is a huge advantage.

Along these lines, the most dangerous aspect of this regulation for US companies is that the RMSV essentially creates a repository of zero-days the government does not have to pay for or discover itself. By triaging the vulnerabilities that come through the hot leads desk of the National Vulnerability Database, China can develop exploits for the highest-value vulnerabilities and put them on a shelf until they are needed. Combined with the gag order on alerting customers or releasing patches without government approval, the RMSV lets China build an arsenal of weapons to use when the time comes.

While this is a problem for individual companies, it is an even greater challenge for global supply chain security. Take SolarWinds or MOVEit as examples: infiltrating a single company can have incredibly far-reaching effects, carrying an attacker’s malware to targets it never would have been able to reach otherwise.

Cyber and risk-management teams should take the threat this regulation poses seriously and take a number of steps to prepare their organizations against Chinese cyber threats. These steps become even more important now that tensions between the US and China have eased slightly over recent months, following Chinese President Xi Jinping’s first visit to the United States in six years. As the US-China trade war thaws, companies may become more comfortable working with Chinese firms again, opening a pathway for Chinese cyber threat actors into US companies. Consortium Networks recommends that all organizations:

  1. Ensure strong network defense. The exploits China is developing will work. Companies must be ready to handle them by maintaining strong network defense systems, including SIEMs, EDR and NDR tools, DNS solutions, and others.
  2. Maintain strong patch management processes and policies. Companies must stay on top of known vulnerabilities and ensure patches are deployed as quickly as possible to all company assets.
  3. Gain software supply chain visibility. Prioritizing high visibility into, and understanding of, your organization’s full supply chain is vital to an effective patch management program.

The RMSV is not going to change the game of cybersecurity. It does, however, give Chinese state threat groups a significant hand up that we must be aware of in order to counter quickly and effectively.