China's New Vuln System

Dakota Cary (Atlantic Council, SentinelOne, US) Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub and a strategic advisory consultant at SentinelOne. His research focuses on China’s efforts to develop its hacking capabilities. He has been featured and quoted on his expertise in a variety of outlets, including the Economist, MIT Technology Review, Associated Press, Financial Times, and Wired. Cary has also testified before the US-China Economic and Security Review Commission. --- In this wide-ranging talk, Dakota will detail the PRC's comprehensive vulnerability collection systems, its rules and regulations, connections to the security services, and its potential for abuse. This paper covers China's system before the 2021 Regulations on the Management of Software Vulnerabilities, detailing the requirements for the intelligence services own vulnerability database; then the paper covers the new post-2021 regulation system. The authors cover new databases, known participants, new vulnerability tagging schema, and connections between the new systems and the security services. Attendees will leave with a thorough understanding of China's government-run vulnerability databases, regulations, and systems.