The Lawfare Podcast: China’s Approach to Software Vulnerabilities Reporting

Eugenia Lostri, Dakota Cary, Kristin del Rosso
Thursday, October 19, 2023, 8:00 AM
What has been the impact of China's 2021 regulations on network product security?

Published by The Lawfare Institute in Cooperation With Brookings

In July 2021, the Chinese government published its “Regulations on the Management of Network Product Security Vulnerabilities.” These rules require researchers to report every flaw they discover in code to the government within 48 hours of discovery, which in effect supports government efforts to stockpile software vulnerabilities for later use in offensive cyber operations.

Lawfare Fellow in Technology Policy and Law Eugenia Lostri sat down with two guests who recently authored a report on how China manages software vulnerabilities. Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub and a consultant at Krebs Stamos Group. Kristin del Rosso is a public sector field CTO at the IT security company Sophos. They talked about how companies have adjusted to China’s rules, how China’s mandatory system compares to the voluntary approach taken in the U.S., and the incentives for governments to collect vulnerabilities for offensive operations.

Eugenia Lostri is a Senior Editor at Lawfare. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.
Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub.
Kristin del Rosso is the Public Sector Field CTO for Sophos.