In starkly reminiscent behavior of the early COVID-19 cover-up attempt, the Chinese Communist Party has slammed one of its own nation’s leading companies, Alibaba, for reporting a highly threatening software vulnerability to the world.
The latest computer vulnerability known as “Log4Shell” has caused havoc in the world of cyber security over the past few weeks, being described as one of the most severe threats in recent years.
The vulnerability – first discovered by Chinese firm Alibaba’s security researcher on November 24th – allows hackers to gain access to the affected servers or devices and control them remotely. The piece of software affected is used by numerous tech giants like Amazon, Google, Microsoft, and Apple, and is used in many devices such as televisions, cameras, moderns, routers, and more.
Now, Alibaba has been suspended by the Chinese Communist Party’s National Network Security Information Sharing Platform, for not complying with the countries newly drafted rules. The Ministry of Industry and Information Technology appears to be making an example of Alibaba over its transparency by suspending its partnership with the company in the field of cloud technology for six months while reassessing the long-term partnership.
Founded in 1999 by avowed Chinese Communist supporter Jack Ma – now believed to be out of the good graces of the regime – Alibaba is effectively China’s answer to Amazon.
According to the officials, Alibaba was required to report on this incident first to the Chinese state within two days of the discovery, which it failed to do. Instead, the security researcher at Alibaba shared the information with the Apache Software Foundation and ultimately likely saved many companies from substantial damages and financial costs.
China’s Cybersecurity Law, passed in September 2021, introduced strong guidelines on how service providers are expected to report vulnerabilities, using centralized systems and tools. The new framework converts foreign research and vulnerability discovery into a defensive capability since it requires all companies to report exposure incidents within two days to the Ministry of Industry and information Technology (MIIT) – if they want to continue to do business in China.
Not only does this give China a head start over its counterparts, but also force-transfers newly discovered information to the Chinese Communist Party, even before the affected software company could patch any given vulnerability.