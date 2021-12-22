The Ministry of Industry and Information Technology (MIIT) of the People's Republic of China has announced a six-month suspension of a public-private partnership agreement it had with Alibaba Cloud, Alibaba's cloud computing subsidiary, for cooperation on cybersecurity and threat-information sharing.

But the strange thing about this decision is the reason behind it: according to Reuters, Alibaba "did not immediately report the vulnerabilities from the popular open source logging system Apache Log4j to the Chinese telecom regulator".

To understand this, we must go back a bit: a couple of weeks ago, a zero-day vulnerability known as Log4Shell (CVE-2021-44228) became public. It affected thousands of online platforms, including some of the most popular web applications, and allowed remote code execution attacks.

It was quickly assigned a 10/10 on the CVSS (Common Vulnerability Scoring System), the standard scale for measuring the severity of vulnerabilities, and more than 24,600 exploitation attempts were detected per minute, mainly from hosts on the Tor network that incessantly scanned the Internet for vulnerable sites.

An Alibaba security researcher behind the vulnerability discovery

But who discovered Log4Shell, and when? The credit goes to Chen Zhaojun, a researcher on the Alibaba Cloud Security Team, who immediately notified the Apache Software Foundation during the US Thanksgiving holiday and asked for a quick response.

The existence of the vulnerability was made public a little over a week later, unleashing chaos because it was impossible to patch all affected systems immediately, and prompting further research that has since revealed additional vulnerabilities in the Log4j component.

Chen Zhaojun acted according to the usual coordinated-disclosure practices of the cybersecurity community and open source developers, but …

The Chinese regime wants to make it clear to its technology companies what their order of priorities should be

… a few months earlier, in his own country, the government had approved new vulnerability disclosure regulations (published in July and in force since September 2021) that oblige providers of software and network products affected by critical vulnerabilities to report them to government authorities first.

In fact, last September, Beijing publicly presented the websites to be used for reporting such vulnerabilities, with the stated aim of keeping China's technological infrastructure safe from cybercriminals.

So the Chinese regime, which has for some time been applying a 'strong hand' against Big Tech to tighten its control of the national economy, has decided to make clear, by suspending its agreement with Alibaba, what the order of priorities of the company's cybersecurity team should have been.

Remember that Alibaba's founder himself has already been punished for standing up to the CCP, and that ByteDance (the owner of TikTok) recently had to abort its US IPO so as not to violate China's Data Security Law, which bars the country's companies from submitting to foreign audits or legal proceedings without Beijing's prior approval.

