Apache Log4j bug: Alibaba Cloud vows to boost compliance after Chinese ministry pulls support for not first reporting security issue to government
- China’s largest cloud services provider said it would improve compliance after the industry ministry suspended work with the company
- Notifying vendors early about cybersecurity issues is an industry norm, but a new law encourages Chinese companies to first notify the government

In a statement published on Thursday, Alibaba Cloud said that one of its engineers recently notified and sought help from the Apache Software Foundation “according to industry norms” after spotting the bug in Apache’s Log4j, a logging library.
Alibaba Cloud initially did not realise how severe the security flaw was and “did not share the information [to the government] in time”, the company said, without mentioning China’s Ministry of Industry and Information Technology (MIIT) or the follow-up measures taken by the agency.
As a result, the MIIT suspended work with Alibaba Cloud, its cybersecurity threat intelligence partner, for six months because the company did not first report the Log4j bug to Chinese authorities.
The MIIT also said it would reassess whether to resume its partnership, based on measures Alibaba has taken to correct the problem.
Chinese companies are obliged to report vulnerabilities in their own software to the MIIT through its National Vulnerability Database website, according to a new regulation passed this year. However, the Internet Product Security Loophole Management Regulation, which went into effect in September, only “encourages” companies to report bugs found in others’ software.
The MIIT launched a cybersecurity threat intelligence sharing platform in December 2019 to serve as a state-led alliance in dealing with security threats. Membership in the platform is government recognition of the member’s capabilities in spotting and managing threats. The MIIT did not issue a public statement about its decision.