Chinese Regulator Suspends Contract With Alibaba Over Failure to Report Security Threat

By Ashok Ramprasad | December 27, 2021
42
Chinese-regulators-suspend-contract-with-Alibaba-Over-Failure-to-Report-Security-Glitch
MIIT cancels deal with Alibaba Cloud for six months over failure to report security glitch. (Image: https://pixabay.com/illustrations/cloud-network-website-computer-6515064/> CC0 1.0)

China has been tightening its grip on the tech sector by imposing a number of new regulations over the past year. Failure to comply with the new regulations could result in large fines and compel regulators to take stringent actions against firms. According to reports from Chinese media, Alibaba Cloud Computing, a division of e-commerce giant Alibaba Group, has been suspended by Chinese regulators from an information-sharing deal for six months.

The 21st Century Business Herald, referring to a notice issued by the Ministry of Industry and Information Technology (MIIT), reported that Alibaba Cloud did not notify China’s telecommunications regulator of a security loophole in the well-known, open-source logging framework Apache Log4j2 fast enough.

Apache Log4j is a Java-based logging utility used in a wide range of enterprise systems and web applications. It is a project of the Apache Software Foundation (ASF) and part of the Apache Logging Services. It is a common practice in the cybersecurity industry to first notify vendors about security issues.

However, The Protocol reported that a new regulation called “Provisions on Security Loopholes of Network Products” requires Chinese companies to report vulnerabilities within two days.

Alibaba Cloud discovered the remote code execution (RCE) vulnerability in the Apache Log4j2 component recently and brought it to the attention of the ASF. According to reports, MIIT learned about the issue from a third party and not from Alibaba cloud.

Tracked as CVE-2021-44228 and codenamed Log4Shell, the security loophole allows hackers to remotely execute code. Chen Zhaojun of Alibaba cloud security team discovered the flaw and emailed ASF on Nov. 24. 

A patch for the Log4j bug was released by Apache on Dec. 6 and publicly disclosed on Dec. 9. However, the ubiquitousness of Log4j means that the impact of the bug will be widespread. Many people may not even know that their systems may have been attacked. 

“This vulnerability may lead to remote control of equipment, which may lead to serious harms such as the theft of sensitive information and interruption of equipment services. It is a high-risk vulnerability,” MIIT said in a statement according to Reuters. 

MIIT’s suspension of the Alibaba contract highlights China’s growing desire to tighten its grip on critical online infrastructure. State-owned companies have been ordered by Beijing to shift their data from private dealers to state-backed cloud service providers by next year.

Liu Dingding, a Beijing-based independent analyst, told the Global Times on Dec. 22, that Alibaba should have brought this to the attention of the authorities first so that regulators could take necessary precautions. The MIIT notice added that the partnership would be assessed by the ministry after six months and reinstated if the cloud unit made appropriate internal reforms

The reputation and credibility of Alibaba Cloud have taken a hit due to this incident. Experts also said that it would serve as a warning to other tech firms to prioritize network security. In a recent report from the South China Morning Post (SCMP), Alibaba mentioned that it was not aware of how large a threat the security glitch was and acknowledged that it did not inform the government in a timely manner.

It is not just China that is concerned with the Log4j2 vulnerability. Many organizations like the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and governments across the world are also alarmed over the threat.