China intelligence officials are likely delaying the release of information on high-severity vulnerabilities to evaluate the security flaws for operational utility and to benefit the nation’s online espionage efforts, according to an analysis of vulnerability disclosure trends and timing conducted by Recorded Future, a threat- and information-analysis firm.
In a report published on Nov. 16, Recorded Future showed that, while the Chinese National Vulnerability Database (CNNVD) is much faster at documenting vulnerabilities than the U.S. National Vulnerability Database (NVD), the Chinese are noticeably slower to report vulnerabilities that have been used in popular exploit kits and that hold the promise of being useful in attacks.
As a result, while the U.S. NVD reports details of high-severity vulnerabilities faster than low-severity ones, the Chinese database published information on low-severity vulnerabilities faster than that of higher severity.
The analysis strongly suggests that China has a vulnerability evaluation process that slows the release of information for possibly exploitable vulnerabilities, Priscilla Moriuchi, director of strategic threat development for Recorded Future, told eWEEK.
We “saw substantial lag there, which overlapped with possible Chinese intelligence operational use,” she said. “And all of this combined led us to the conclusion that China has their own vulnerability evaluated process, where high-threat vulnerabilities are evaluated by intelligence groups for their operational utility.”
The report comes as the United States evaluates its own process of striking a balance between disclosing vulnerabilities to harden information systems against attack and withholding information on vulnerabilities to be used to investigate criminals’ systems and attack rogue online actors. The Trump administration has vowed to be more transparent in its efforts to strike a balance, known as the Vulnerability Equities Process, and to increase accountability.
“The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace,” Rob Joyce, the White House Cybersecurity Coordinator, wrote in a statement on Nov. 15.
“Vulnerability management requires sophisticated engagement to ensure protection of our people, the safeguarding of critical infrastructure, and the defense of important commercial and national security interests.”
China seems to skew its own process toward keeping secret any vulnerabilities that could be used for an attack. China took 57 days to release details of the vulnerability exploited in the WannaCry attack by North Korean state-sponsored actors, for example, when the U.S. released details after a single day. The entry in the CNNVD also has much less detail, according to Recorded Future.
In another case, China’s CNNVD took 236 days longer to publish details on a pair of critical vulnerabilities in software for the Android mobile operating system, which essentially constituted a preinstalled back door in many phones.
Finally, in at least three cases, the CNNVD significantly delayed publishing details of the most critical vulnerability disclosed as part of multi-vulnerability advisories—such as Microsoft’s Patch Tuesday disclosures.
“China does not talk about their vulnerability evaluation process,” Moriuchi said, “where the U.S. is trying to make their process more transparent and protect the public to a greater extent.”
Recorded Future did note, however, that—on the whole—the Chinese National Vulnerability Database published details of vulnerabilities in each category of severity more quickly than its U.S. counterpart.