(Long) Dragon Tails – Measuring Dependence on International Vulnerability Research

Presented at Black Hat USA 2022, Aug. 10, 2022, 2:30 p.m. (30 minutes)

This talk will present results of a study on the reliance of critical proprietary and open source software on Chinese software vulnerability disclosures. The increasingly difficult environment for Chinese security researchers became acute with the September 2021 passage of a law requiring that vulnerabilities also be reported to the MIIT alongside the affected vendor. As yet, however, the impact of these restrictions has not been systematically evaluated in public.

This talk will present results of a quantitative analysis of the changing proportion of Chinese-based vulnerability disclosures to major software products from a selection of proprietary vendors as well as several major open source packages. The analysis considers changes over time in response to the evolving Chinese legal environment, significant divergence from data on the allocation of bug bounty rewards, and noteworthy trends in the type and severity of acknowledged vulnerabilities.

Anecdotally, the Chinese research community's prowess is well known, from its bug discovery exploits at the Tianfu Cup to the prominence of enterprise research labs like Qihoo 360. However, recent laws designed to give the Chinese government early access to the community's discoveries—and the government's willingness to enforce those laws even on high-profile corporations, as with its recent punishment of Alibaba—demand a more thorough accounting. This talk will address implications for infosec as well as the wider policy environment, including selected recommendations on how to address the 'supply shock' of vulnerabilities from this research community.

Presenters:

  • Yumi Gambrill - Former Cyber Statecraft Initiative Young Global Professional, Atlantic Council
    Yumi Gambrill is a former Cyber Statecraft Initiative Young Global Professional at the Atlantic Council.
  • Frances Nettles - Young Global Professional, Atlantic Council
    Frances Nettles is a Young Global Professional at the Atlantic Council.
  • Trey Herr - Director, Cyber Statecraft Initiative, Atlantic Council
    Dr. Trey Herr is the director of the Cyber Statecraft Initiative at the Atlantic Council. His team works on cybersecurity and geopolitics including the security of software supply chains through the Breaking Trust (https://www.atlanticcouncil.org/programs/scowcroft-center-for-strategy-and-security/cyber-statecraft-initiative/breaking-trust/) project. Previously, he was a senior security strategist with Microsoft handling cloud computing and supply chain security policy as well as a fellow with the Belfer Cybersecurity Project at Harvard Kennedy School. He has presented on offensive cybersecurity research and policy at a variety of venues including ShmooCon, USENIX Enigma, Swiss Cyber Storm, and Black Hat USA.
  • Stewart Scott - Assistant Director, Cyber Statecraft Initiative, Atlantic Council
    Stewart Scott works as Assistant Director for the Atlantic Council's Cyber Statecraft Initiative. His work there focuses on policy around software supply chain attacks, resilience, and other systems approaches to cybersecurity. He has also worked at the Atlantic Council's GeoTech Center as an Assistant Director, where he focused on cybersecurity through the lens of federal acquisition processes.
