Legal Requirements for Vulnerability Management

For some time now, CIOs around the world have been busy fixing the Log4j2 vulnerability. From a technical perspective, there are solutions such as patches and system upgrades. In China, however, vulnerability management is not just a technical issue; there are also legal requirements that companies must meet.

For example, service providers are required by law to report to the relevant authorities, take remedial action and inform users when vulnerabilities are found or a security-related incident has occurred. Network operators, for their part, are required to have contingency plans ready for network security incidents and to respond in a timely manner to system vulnerabilities, computer viruses, network attacks, network intrusions and other security risks. In the event of a serious incident, network operators must report to the relevant authorities. Companies that fail to comply will be required to take corrective action. Depending on the severity, fines may also be imposed – plus reputational damage.

On November 24, 2021, an Alibaba software engineer found a bug in the Log4j framework. Following best practice, he informed the Apache open source community of this find. After analysis, Apache announced that it was a vulnerability and patches were released. This has global implications, as almost all companies and organizations use Log4j in their own Java-based business systems. However, Alibaba was penalized by China’s Ministry of Industry and Information Technology (MIIT) for not reporting to authorities in a timely manner.

In January, Walmart in China was also penalized by the authority after 19 security vulnerabilities were discovered in Walmart’s network that had not been fixed because of an inadequate vulnerability management process. Walmart was ordered to fix the security vulnerabilities immediately.

Alibaba, as a network vendor, did not report to MIIT in a timely manner during the Log4j2 incident and did not effectively assist MIIT in managing network security threats and vulnerabilities. Walmart, on the other hand, as a network operator, did not standardize vulnerability management and did not pay sufficient attention to network security.

Enterprises should review their contingency plans and vulnerability management in China not only from a technical perspective but also from a legal perspective to avoid violations, penalties and reputational damage.
