China’s Approach to Software Vulnerabilities Reporting

In July 2021, the Chinese government published its “Regulations on the Management of Network Product Security Vulnerabilities.” These rules require researchers to inform the government of all flaws in code within 48 hours of their discovery, effectively supporting efforts to stockpile software vulnerabilities, which can then be used for offensive cyber operations.Lawfare Fellow in Technology Policy and Law Eugenia Lostri sat down with two guests who recently authored a report on how China manages software vulnerabilities. Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub and a consultant at Krebs Stamos Group. Kristin del Rosso is a public sector field CTO at IT security company Sophos. They talked about how companies have adjusted to China’s rules, how their system compares to the U.S. voluntary approach, and the incentives to collect vulnerabilities for offensive operations. Support this show http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.

Om Podcasten

The Lawfare Podcast features discussions with experts, policymakers, and opinion leaders at the nexus of national security, law, and policy. On issues from foreign policy, homeland security, intelligence, and cybersecurity to governance and law, we have doubled down on seriousness at a time when others are running away from it. Visit us at www.lawfareblog.com.Support this show http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.