China’s spy agency has ordered local hackers to abstain from global hacking contests and instead report any vulnerabilities to the security ministry or the affected company, according to cyber security experts, as Beijing seeks to tighten its control over technology and information.
The guidance from the Ministry of State Security, which comes as China is taking an increasingly isolationist approach to technology, was aimed at boosting its stash of intelligence, experts said.
“Clearly this is about local control,” said Christopher Ahlberg, co-founder and chief executive of US-based cyber intelligence firm Recorded Future. “Vulnerabilities could be problems in software but are also an opportunity to get backdoors into them.”
The move is the latest bid by China to secure control of technology and information. It follows initiatives such as Made in China 2025 — a scheme to restructure China’s industrial policy — and last year’s cyber security law that requires foreign companies to store data locally and allow data surveillance by China’s security apparatus.
The guidance also eliminates some of the key players from what has become a globally popular way of discovering vulnerabilities, so that vendors can fix them before cybercriminals jump in.
Tencent Keen Labs, part of Chinese technology titan Tencent, prompted Tesla to fix vulnerabilities after hacking into its cars. Chinese hackers have also been credited with discovering vulnerabilities at US-based tech multinationals including Google, Apple and Microsoft, according to FireEye, a cyber security company. Tencent did not respond to a request for comment.
While no formal edict has been issued on relevant Chinese state websites, Chinese participants were absent from the annual Pwn2Own hacking contest this month and the Black Hat event in Singapore last week. “They’ve been given guidance that they should no longer participate in events where vulnerabilities are publicly disclosed,” said Bryce Boland, chief technology officer at FireEye.
“Pwn2Own used to be basically flooded with Chinese who won all the competitions, but this time there were more or less no Chinese there,” added Mr Ahlberg. Now Chinese hackers could only take a discovery to the vendor or the Ministry “who might notify the vendor or might not”.
The MSS has already offered clues on its stance with its national vulnerability database, CNNVD, a repository of known vulnerabilities in different software products. Analysis by Recorded Future showed it had altered publication dates for at least 267 vulnerabilities — a lag, the group said, that highlighted vulnerabilities the MSS was “likely considering for use in offensive cyber operations”.
Mr Boland said that if the block on attending public contests was designed to have hackers report directly to the CNNVD it would create a “significant threat” because of the scope for Chinese hackers to exploit a huge pool of vulnerabilities.
“It’s like putting a vulnerabilities database with the CIA,” said Mr Ahlberg, referring to the US intelligence agency. “You’re really putting the hen in with the foxes. That’s the policy problem here but they’ve done it for a very good reason: they want total control.”