An Alibaba security analyst discovered the Log4j flaw. Now, China is punishing the company

According to the Chinese regulator, the company broke the law by not immediately reporting the vulnerability to local authorities

AliCloud booth at an expo in Guangzhou city, September 2018. Photo credit: Oriental Image via Reuters Connect

On November 24th, 2021, an Alibaba Cloud Security Team engineer named Chen Zhaojun discovered a vulnerability (later assigned CVE-2021-44228) in Log4j, the highly popular Java-based logging library, and reported it to its developer, the Apache Software Foundation. On December 9th, the flaw (well, the first of several) was publicly disclosed, and all hell broke loose.

“The most serious vulnerability I’ve seen in my decades-long career,” said CISA director Jen Easterly in a recent NBC interview, adding that it will likely take months, if not years, to work through, given the software’s ubiquity and the ease of exploitation. Indeed, for the past two weeks it has been all hands on deck, all over the world, in tireless efforts to mitigate the damage and the widespread exploitation by numerous threat actors.

But while most countries would probably claim such a major discovery as a national win and a badge of honor for the local cybersecurity industry, China chose otherwise.

Yesterday (Wednesday), the Chinese Ministry of Industry and Information Technology (MIIT, which regulates the country’s telecommunications sector) pulled the plug on an information-sharing and cybersecurity-threat platform partnership with Alibaba Cloud Computing, over accusations that the company failed to immediately report the vulnerability to the regulator.

The South China Morning Post, which is owned by Alibaba Group, explains that according to a regulation passed earlier this year, Chinese companies “are obligated to report vulnerabilities in their own software to the MIIT”, but that the “Internet Product Security Loophole Management Regulation, which went into effect in September, only ‘encourages’ companies to report bugs found in others’ software”.

According to Reuters, MIIT’s notice said it eventually received a report about the problem from a third party rather than from Alibaba Cloud. The cooperation is to be reassessed in six months and may be revived depending on the company’s internal reforms.

Cracking down on big tech

This latest act represents yet another step in the Party’s crackdown on the tech industry, which has been at full throttle over the past year. Beijing is interested in curbing the influence of domestic tech companies through various measures, including massive fines, while at the same time reducing dependence on foreign ones.

A slew of new laws and regulations relating to cyberspace and cyber accountability have taken effect in the last few months. The Data Security Law, which came into force on September 1st of this year, sets standards for all Chinese companies on the classification, storage and transmission of data. It was joined two months later by the Personal Information Protection Law (PIPL), which regulates the protection of personal information.

In mid-November, the government published Draft Regulations on the Administration of Network Data Security, intended to implement the new laws.
