New U.S. Department of Commerce rules: Sharing security vulnerabilities to China without approval is prohibited, and Microsoft's objections are invalid

Recently, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) officially released the latest export control regulations for the field of cybersecurity.

Yes, it is the BIS that publishes the "Entity List" and "Trade Blacklist". In recent years, it can be regarded as an "old friend of Chinese netizens".

What is it this time? It is mainly about the management and control of network security and vulnerability information.

To put it simply, when U.S. entities cooperate with organizations and individuals related to the Chinese government, any security vulnerabilities and related information they discover cannot be announced directly and must first be reviewed by the Department of Commerce.

The reason is the tried-and-tested "national security" and the "need for counter-terrorism."

In fact, the new regulations announced this time are the final confirmation of the interim regulations (draft for comments) in October 2021. This regulation divides countries around the world into four categories: A, B, D, and E, with restrictive measures and strictness gradually increasing.

China is classified in Category D, which is "restricted countries and regions", and Category E is "comprehensive embargoed countries".

This regulation establishes new controls on certain cybersecurity items on the grounds of "national security and counter-terrorism considerations."

At the same time, BIS also added a new exception for authorized cybersecurity exports. Its core content is to authorize the export of these cybersecurity items to most destinations, except in the cases mentioned above.

BIS believes that these controlled items may be used for surveillance, espionage, or other acts aimed at sabotage.

In addition, the regulations also amend the export control classification numbers in the Commerce Control List.

The new BIS regulations divide countries around the world into four categories: A, B, D, and E. Category D covers the most concerning and most restricted countries and regions.

As shown in the picture above, China is classified in category D.

According to the requirements of the new regulations, when entities cooperate with relevant government departments or individuals in Class D countries and regions, they must apply in advance and obtain permission before they can send potential network vulnerability information across borders.

Of course, there are exceptions to the terms. If it is for legitimate cybersecurity purposes, such as public disclosure of vulnerabilities or incident response, no advance application is required.

As you can see, for China the columns for national security, biochemical, missile technology, and the U.S. arms embargo are all marked with an X.

The document states that licensing requirements for individuals acting on behalf of governments are necessary to prevent those acting on behalf of governments in Group D countries from obtaining "cybersecurity items" for engaging in activities contrary to the national security and foreign policy interests of the United States.

Without this requirement, governments in Class D countries could gain access to these items.

The requirement adopted by BIS means exporters must in some cases check the government affiliations of individuals and companies they work with.

However, due to the limited scope and applicability of the licensing requirement, BIS believes that the requirement will protect U.S. national security and foreign policy interests without unduly impacting legitimate cybersecurity activities.

At the same time, BIS also revised clause § 740.22(c)(2)(i), which actually expanded the scope of the exception.

The current terms allow the export of digital products to Group D countries, or the export of any cybersecurity items to Group D countries for police or judicial agencies.

However, BIS actually only intends to allow the export of digital products to police or judicial agencies in Group D countries for the purposes of criminal or civil investigations or prosecutions.

It can be said that these changes reflect the expected opinions.

Microsoft objects, invalid!

Regarding BIS’s new regulations, domestic technology giants in the United States are not monolithic. The software giant Microsoft has clearly expressed its objections.

As early as last year, after this regulation was released for consultation, Microsoft submitted its objections to this document in the form of written comments in the comment section.

Microsoft stated that if individuals and entities involved in cybersecurity activities are restricted due to ties to the government, it will greatly suppress the global cybersecurity market's capability to carry out currently deployed routine cybersecurity activities.

Many times, when companies are unable to determine whether the other party is related to the government, they can only give up cooperation in the face of compliance pressure.

Microsoft’s opposition is not surprising.

The current vulnerability sharing mechanism is very important to Microsoft’s software development ecosystem. Many times, Microsoft needs to analyze vulnerabilities through reverse engineering and other technologies before releasing relevant patches and upgrades. Once the vulnerability sharing mechanism is destroyed, it will directly reduce the speed of Microsoft's discovery and repair of vulnerabilities.

Microsoft proposed that BIS should further clarify the definition of "government end users", or at least clarify which individuals or entities may be covered under this definition.

When BIS released the final draft of the regulation, it mentioned Microsoft's objections without naming the company and stated that "BIS does not agree with this opinion."

BIS mentioned in the document:

"Companies have stated that restrictions on people representing 'government end users' will hinder cross-border cooperation with cybersecurity personnel because of the difficulty of checking whether these people have government connections before communicating with them. The company recommended that this requirement be removed or modified. BIS disagreed with this recommendation."

The final decision, released last week, contains no major changes compared with the draft released for comments last October.

However, the regulations adopted some opinions from the research community, further narrowed the scope of security vulnerabilities that need to be verified, and added temporary exceptions.

That is: if it is for legitimate network security purposes, such as disclosing public vulnerabilities or responding to security incidents, no review is required.

This exception clause is largely to create necessary conditions for the normal operation of the open source community.

While Microsoft thanked BIS for revising the rules, it also stated that it was not sure whether such exceptions could solve the actual problem.

"What is allowed to be directly disclosed and what is not allowed to be disclosed is still in a state of confusion. What activities require a license cannot be determined at this stage. We are worried that for those technologies that cannot be fully classified into specific use categories, the license application will be very cumbersome."

BIS acknowledged Microsoft's concerns, but at the same time insisted that this provision would do more good than harm to U.S. national security.

Similar to the "Wassenaar Agreement"

In fact, as early as October 2021, BIS issued regulations "prohibiting the export of offensive network tools", preventing U.S. entities from selling offensive cyber tools to China and Russia.

U.S. Commerce Secretary Gina Raimondo said, "Implementing export controls on certain cybersecurity items is an appropriate approach to protect U.S. national security from the infringement of malicious online behavior and to ensure legitimate network security activities."

BIS further stated that the current rules are also within the framework of the "Wassenaar Agreement", that is, the "Wassenaar Agreement on Export Controls of Conventional Arms and Dual-Use Goods and Technologies."

The "Wassenaar Agreement" stipulates that member states shall decide on their own whether to issue export licenses for sensitive dual-use products and technologies, and shall notify other member states of the relevant information on a voluntary basis.

In fact, the agreement is to a large extent controlled by the United States and affects the export control regulations of other member countries, becoming an important tool for the West to implement a high-tech monopoly on China.

The agreement controls the export policy of "military and dual-use technologies". There are 42 member countries, including major developed countries such as the United States, Britain, France, Germany, and Japan. Although Russia is also a party to the agreement, it is still one of the embargo targets.

Statement
This article is reproduced from 51CTO.COM. If there is any infringement, please contact admin@php.cn to have it deleted.