U.S. Cyber Vulnerability Data Base Lags Chinese Counterpart by Two Weeks — Inadvertently Broadcasting U.S. Vulnerabilities

U.S. vulnerability reporting lag adds to vulnerabilities. According to the Recorded Future research report copied at bottom:

  • “The U.S. National Vulnerability Database (NVD) trails China’s National Vulnerability Database (CNNVD) in average time between initial disclosure and database inclusion (33 days versus 13 days) — China isn’t directly integrated in managing CVEs, but is still able to report vulnerabilities more rapidly than the U.S.”
This is something you can study directly by looking yourself at the U.S. and Chinese databases.

Cyber security web links:

U.S.:

U.S. National Vulnerability Database (NVD)   https://nvd.nist.gov/   at the U.S. Department of Commerce National Institute of Standards and Technology

China:

国家信息安全漏洞库 [Chinese National Vulnerability Database of Information Security, CNNVD]  http://www.cnnvd.org.cn/

After running the home page of the CNNVD website (国家信息安全漏洞库) through Google Translate (it may take a minute for the translation to come up), I notice that if I click on headings and subheadings on the page, I often automatically get an English translation. On individual items, often not, so those URLs would need to be entered separately into Google Translate to get a translation of those pages from Chinese.

If this report is correct (I haven’t done my own comparison), perhaps some companies in the U.S. and elsewhere might want to watch the Chinese database using Google Translate or another machine translation tool if their technical people don’t read Chinese? Watching the Chinese database could help them reduce their own vulnerabilities by getting warnings as much as two weeks earlier.
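To make the comparison the post suggests concrete, here is an added Python example (my own, not code from the post, from Recorded Future, or from either database). It works on constructed, clearly labelled sample dates and computes, for each database, the average lag between first public disclosure and database inclusion, the CVE IDs present in one database but absent from the other, and how many days of early warning the faster database would have given. The CVE IDs and dates are invented placeholders; to reproduce the report’s comparison you would replace them with real disclosure and publication dates taken from NVD and CNNVD.

```python
"""Disclosure-to-database lag comparison (constructed example).

The records below are invented for illustration; they are NOT the
Recorded Future figures and not real CVE entries. Swap in real
disclosure/publication dates pulled from NVD and CNNVD to run the
same comparison on actual data.
"""
from datetime import date
from statistics import mean

# Each record: placeholder CVE id, date of first public disclosure, and the
# dates the entry appeared in NVD and CNNVD (None = not present in that database).
RECORDS = [
    {"cve": "CVE-0000-0001", "disclosed": date(2017, 3, 6),
     "nvd": date(2017, 3, 10), "cnnvd": date(2017, 3, 7)},
    {"cve": "CVE-0000-0002", "disclosed": date(2017, 4, 1),
     "nvd": date(2017, 5, 20), "cnnvd": date(2017, 4, 12)},
    {"cve": "CVE-0000-0003", "disclosed": date(2017, 5, 15),
     "nvd": None, "cnnvd": date(2017, 5, 30)},
    {"cve": "CVE-0000-0004", "disclosed": date(2017, 6, 2),
     "nvd": date(2017, 6, 30), "cnnvd": None},
]


def lag_days(record, db):
    """Days from first disclosure to inclusion in `db` ('nvd' or 'cnnvd').

    Returns None when the database has not (yet) published the entry, so a
    missing entry never counts as a zero-day lag.
    """
    published = record[db]
    if published is None:
        return None
    return (published - record["disclosed"]).days


def average_lag(records, db):
    """Mean disclosure-to-inclusion lag in days over entries the database has."""
    lags = [lag for lag in (lag_days(r, db) for r in records) if lag is not None]
    return mean(lags) if lags else None


def only_in(records, present, absent):
    """CVE ids that `present` has published but `absent` has not."""
    return sorted(r["cve"] for r in records
                  if r[present] is not None and r[absent] is None)


def early_warnings(records, min_days=1):
    """CVEs where CNNVD published at least `min_days` before NVD.

    Maps CVE id -> days of head start; None means NVD still has no entry,
    so the head start is open-ended.
    """
    result = {}
    for r in records:
        if r["cnnvd"] is None:
            continue
        if r["nvd"] is None:
            result[r["cve"]] = None
        else:
            ahead = (r["nvd"] - r["cnnvd"]).days
            if ahead >= min_days:
                result[r["cve"]] = ahead
    return result


if __name__ == "__main__":
    for db in ("nvd", "cnnvd"):
        print(f"{db.upper()} average lag: {average_lag(RECORDS, db)} days")
    print("In CNNVD but not NVD:", only_in(RECORDS, "cnnvd", "nvd"))
    print("In NVD but not CNNVD:", only_in(RECORDS, "nvd", "cnnvd"))
    print("CNNVD head start (days):", early_warnings(RECORDS))
```

Run it directly to see the summary; with the constructed data the NVD average lag is 27 days and the CNNVD average is 9 days, one placeholder CVE is in CNNVD only, and one is in NVD only. Entries that a database has not published are excluded from its average rather than counted as zero, which matters when a database is missing entries: the report’s point is partly about coverage, not only speed.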

Two other national cyber security response units: the U.S. and Chinese Computer Emergency Readiness Teams

U.S. Computer Emergency Readiness Team   https://www.us-cert.gov/

Chinese National Computer Emergency Readiness Team (English language page)   http://www.cert.org.cn/publish/english/index.html

Read the October 23, 2017 Bloomberg Businessweek story

The U.S. Lags Behind China in Spotting Cyberthreats

 Hackers have a head start in exploiting system flaws.
 
In March, the Apache Software Foundation announced it had discovered a critical flaw in its software, one now famous as the unpatched Achilles’ heel of Equifax Inc. that allowed hackers to make off with sensitive information on 145 million Americans. We don’t yet know who got into Equifax, but we do know Chinese hackers looking to exploit the bug, and Chinese companies defending against attacks, had a head start. Details of the flaw were published to China’s National Vulnerability Database within a day of Apache’s announcement. It didn’t show up in the official U.S. database for three days. By then, researchers were already documenting a wave of global attacks exploiting the faulty code.
Read the rest of the story on the Bloomberg Businessweek website at

The Recorded Future report on which the Bloomberg story is based is on the Recorded Future Blog at https://www.recordedfuture.com/chinese-vulnerability-reporting/

The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting

Key Takeaways

  • Organizations need access to the latest vulnerability (CVE) information to manage their exposure to risk.
  • The U.S. National Vulnerability Database (NVD) trails China’s National Vulnerability Database (CNNVD) in average time between initial disclosure and database inclusion (33 days versus 13 days) — China isn’t directly integrated in managing CVEs, but is still able to report vulnerabilities more rapidly than the U.S.
  • CNNVD actively gathers vulnerability information across the web. NVD should do this but instead waits for voluntary submission by vendors.
  • NVD’s mission should aim to be truly comprehensive, and the U.S. could improve by simply incorporating content from China’s CNNVD — 1,746 CVEs are currently in CNNVD and absent in NVD.

Executive Summary

Vulnerabilities are continuously found in all software and organizations need access to the latest vulnerability information to manage their exposure to risk. Because organizations use systems provided by dozens of software vendors, they require access to a centralized source of vulnerability information across all vendors to prioritize which to address next.

Background

In prior research we took a close look into software vulnerability (CVE) disclosure and learned that there were unexpectedly large gaps between public disclosure of a vulnerability and inclusion in the U.S. National Vulnerability Database (NVD). Concerned about this performance, we compared NVD CVE reporting times to what we observe on China’s National Vulnerability Database (CNNVD).

Read the rest of the report on the Recorded Future blog.

About 高大伟 David Cowhig

Worked 25 years as a US State Department Foreign Service Officer including ten years at US Embassy Beijing and US Consulate General Chengdu and four years as a China Analyst in the Bureau of Intelligence and Research. Before State I translated Japanese and Chinese scientific and technical books and articles into English freelance for six years. Before that I taught English at Tunghai University in Taiwan for three years. And before that I worked two summers on Norwegian farms, milking cows and feeding chickens.
This entry was posted in Economy 经济, Science, Technology and Academic 科技学术.