China is looking to introduce rules that could affect the way cybersecurity researchers in the country disclose vulnerabilities, requiring them to report issues to authorities before making them public, according to draft regulations published this week.
Why it matters: The changes limit media from publishing disclosures before they have been reported to authorities, potentially delaying how quickly the affected individuals and companies are notified.
- The regulations, currently open for public comment, form part of China’s 2017 Cybersecurity Law, and specify that disclosures should not endanger “national security and public interests.”
- The move comes following a series of offensives against apps that violate user privacy by over-collecting data, including those from a slew of peer-to-peer lenders.
Details: Vulnerability disclosures cannot contain source code for viruses, trojans, or any form of ransomware, as well as methods of breaking into or disrupting networks, according to internet regulator, the Cyberspace Administration of China.
- In addition, no information that could lead to cyberattacks being copied should be included. No stolen data or information about a compromised network can be published.
- The proposed rules would also limit discussions at cybersecurity conferences, forums, or contests, as it bars public discussion of hacking methods and intrusion tactics before official disclosures are made.
- Organizations cannot publish public disclosures that include “warning” in their titles without getting government approval, the regulator said.
- The draft is open for public comment until Dec. 19.
Context: Vulnerability disclosures are an important part of improving cybersecurity, and prompt warnings to individuals and businesses are integral to containing the damage.
- China has seen a number of high-profile data leaks this year, ranging from open databases containing data about the country’s internet cafe goers to more sensitive lapses in security involving medical information.
- Security vulnerabilities have led to a huge market for illicitly obtained data in China, where it is not only relatively easy to obtain but also comes cheap.