    Stewart Scott & Trey Herr - Dragon Tails: Supply-side Security and International Vulnerability Disclosure Law


    Stewart Scott, Assistant Director, Cyber Statecraft Initiative, Atlantic Council, He/Him
    Trey Herr, Director, Cyber Statecraft Initiative, Atlantic Council, He/Him

    Presentation Title: Dragon Tails: Supply-side Security and International Vulnerability Disclosure Law
    Length of presentation: 20 minutes


    This talk will present a study of the reliance of proprietary and open source software on Chinese vulnerability research. An already difficult political environment for Chinese security researchers became acute when a law took effect in Sept. 2021 requiring that vulnerabilities be disclosed to the government and banning disclosure to anyone other than the affected vendor. No public evaluation of this law's impact has yet been made. This talk will present results of a quantitative analysis of the changing proportion of China-based disclosures to major software products from Google, Microsoft, Apple, and VMware, alongside several major open source packages. The analysis will measure change over time in response to evolving Chinese legislation, significant divergence from data on the allocation of bug bounty rewards, and notable trends in the kinds of vulnerabilities disclosed. The Chinese research community’s prowess is well known, from exploits at the Tianfu Cup to preeminent enterprise labs like Qihoo 360. However, the recent law aiming to give the Chinese government early access to the community’s discoveries, and the government’s apparent willingness to enforce it even on high-profile corporations as seen in its punishment of Alibaba, demand more thorough scrutiny. This talk will address implications for policy and the wider hacker community.

    SPEAKER BIO(S)
    Trey Herr is the director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. His team works on cybersecurity and geopolitics including cloud computing, the security of the internet, supply chain policy, cyber effects on the battlefield, and growing a more capable cybersecurity policy workforce. Previously, he was a senior security strategist with Microsoft handling cloud computing and supply chain security policy as well as a fellow with the Belfer Cybersecurity Project at Harvard Kennedy School and a non-resident fellow with the Hoover Institution at Stanford University. He holds a PhD in Political Science and BS in Musical Theatre and Political Science. (https://www.atlanticcouncil.org/expert/trey-herr/)

    Stewart Scott is an assistant director with the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. His work there focuses on systems security policy, including software supply chain risk management, federal acquisitions processes, and open source software security. He holds a BA in Public Policy and a minor in Applications of Computing from Princeton University. (https://www.atlanticcouncil.org/expert/stewart-scott/)

    ----------------------------------------

    REFERENCES:
    Cary, D. (2021, July 22). China’s new software policy weaponizes cybersecurity research. TheHill. https://thehill.com/opinion/cybersec...urity-research
    Testimony | China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States, (2022) (testimony of Dakota Cary). https://www.uscc.gov/sites/default/f..._Testimony.pdf
    Testimony | China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States, (2022) (testimony of John Chen). https://www.uscc.gov/sites/default/f..._Testimony.pdf
    Testimony | China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States, (2022) (testimony of Dean Cheng). https://www.uscc.gov/sites/default/f..._Testimony.pdf
    Chinese government lays out new vulnerability disclosure rules. (2021, July 14). The Record by Recorded Future. https://therecord.media/chinese-gove...closure-rules/
    Testimony | China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States, (2022) (testimony of Winnona DeSombre). https://www.uscc.gov/sites/default/f..._Testimony.pdf
    Ikeda, S. (2021, July 21). Is China Looking to Stockpile Zero-Days? New Vulnerability Disclosure Rules Could Create Closed Pipeline From Security Researchers to CCP. CPO Magazine. https://www.cpomagazine.com/cyber-se...rchers-to-ccp/
    Inside the Race to Fix a Potentially Disastrous Software Flaw. (2021, December 13). Bloomberg.com. https://www.bloomberg.com/news/artic...-software-flaw
    Testimony | China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States, (2022) (testimony of Neil Jenkins). https://www.uscc.gov/sites/default/f..._Testimony.pdf
    McDonald, J. (2021, July 13). China tightens control over cybersecurity in data crackdown. AP News. https://apnews.com/article/europe-bu...909e28cece3f73
    Meinhardt, C. (2020, March 18). Open Source of Trouble: China’s Efforts to Decouple from Foreign IT Technologies. MERICS. https://merics.org/en/analysis/open-...t-technologies
    Moriuchi, P., & Ladd, B. (2018, March 9). China Altered Public Vulnerability Data to Conceal MSS Influence. Recorded Future. https://www.recordedfuture.com/chine...-data-altered/
    Moriuchi, P., & Ladd, D. B. (n.d.). China’s Ministry of State Security Likely Influences National Network Vulnerability Publications.
    Notice of the Ministry of Industry and Information Technology and the State Internet Information Office of the Ministry of Public Security on Issuing the Regulations on the Management of Security Vulnerabilities of Network Products. (n.d.). Retrieved January 13, 2022, from http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm
    Pritchard, S. (2021, July 26). Research Roadblock: Security Pros Weigh in on China’s New Vulnerability Disclosure Law. The Daily Swig | Cybersecurity News and Views. https://portswigger.net/daily-swig/r...disclosure-law
    Reuters. (2021a, August 27). Tianjin asks govt firms to move data out of Alibaba, Tencent clouds-document. Reuters. https://www.reuters.com/technology/t...nt-2021-08-27/
    Reuters. (2021b, December 22). China Regulator Suspends Cyber Security Deal with Alibaba Cloud. Reuters. https://www.reuters.com/world/china/...ud-2021-12-22/
    Testimony | China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States, (2022) (testimony of Schneider). https://www.uscc.gov/sites/default/f..._Testimony.pdf
    Segal, A. (n.d.). U.S. Responses to the China Cyber Challenge: Diplomatic Efforts to Establish Norms in Cyberspace.
    The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China. (2021, July 19). The White House. https://www.whitehouse.gov/briefing-...blic-of-china/
    Thomson, I. (2021, July 15). So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into. The Register. https://www.theregister.com/2021/07/...erability_law/
    Williams, B. D. (2017, July 23). Expert details “centrality of information” to China’s cyber ops, security strategy. Fifth Domain. https://www.fifthdomain.com/home/201...rity-strategy/
    Williams, B. D. (2021, September 1). China’s New Data Security Law Will Provide It Early Notice Of Exploitable Zero Days. Breaking Defense. https://breakingdefense.sites.breaki...ble-zero-days/
    Wormable bugs, NSA-reported 0day land in April Patch Tuesday. (2022, April 12). The Stack. https://thestack.technology/april-pa...y-hyper-v-rce/
    Xu, K. (2020a, May 7). Open Source in China: The Players. Interconnected. https://interconnected.blog/open-sou...a-the-players/
    Xu, K. (2020b, May 10). Open Source in China: The Game. Interconnected. https://interconnected.blog/open-sou...hina-the-game/
    Xu, K. (2020c, May 14). Open Source in China: The Trends. Interconnected. https://interconnected.blog/open-sou...na-the-trends/
    Xu, K. (2021, December 13). Open Source in China: Next Four Years. Interconnected. https://interconnected.blog/open-sou...xt-four-years/