The China Information Technology Security Evaluation Center (; CNITSEC, ) is the cover identity of the 13th Bureau of the Ministry of State Security, the information technology component of China's civilian spy agency which houses much of its technical cyber expertise. The bureau manages much of the conduct of

cyberespionage Cyber espionage, cyber spying, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers th ...

for the agency, and provides aid to the many

advanced persistent threat An advanced persistent threat (APT) is a stealthy threat actor, typically a State (polity), state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the ...

s (APTs) run directly by the agency, by its semi-autonomous provincial State Security Departments (SSD) and municipal State Security Bureaus (SSB), and by contractors. In support of provincial state and party leadership, the bureau also runs its own semi-autonomous provincial Information Technology Security Evaluation Centers (ITSEC) in collaboration with provincial counterparts. In the past these ITSECs have been identified collaborating with APTs run by provincial state security units. The bureau also manages the

Chinese National Vulnerability Database The China National Vulnerability Database (CNNVD) is one of two national vulnerability databases of the People's Republic of China. It is operated by the China Information Technology Security Evaluation Center (CNITSEC), the 13th Bureau of China's ...

(CNNVD), where it has been found to selectively suppress or delay public reporting of certain zero-day vulnerabilities.

Operations

CNITSEC is used by the MSS to "conduct vulnerability testing and software reliability assessments." Per a 2009

U.S. State Department The United States Department of State (DOS), or simply the State Department, is an executive department of the U.S. federal government responsible for the country's foreign policy and relations. Equivalent to the ministry of foreign affairs ...

cable, it is believed China may also use vulnerabilities derived from CNITSEC's activities in intelligence operations. Many believe that government requirements for CNITSEC to conduct "security reviews" of all foreign tech imports are intended to allow the MSS to identify zero-day vulnerabilities in the technology for use in intelligence operations, and force foreign companies to transfer proprietary technology and

intellectual property Intellectual property (IP) is a category of property that includes intangible creations of the human intellect. There are many types of intellectual property, and some countries recognize more than others. The best-known types are patents, co ...

to the MSS in exchange for access to Chinese markets.

Chinese National Vulnerability Database

CNNVD is one of two national

vulnerability database A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potent ...

s operated by the PRC. According to Kristin Del Rosso of

Sophos Sophos Limited is a British security software and hardware company. It develops and markets managed security services and cybersecurity software and hardware, such as managed detection and response, incident response and endpoint security s ...

, "they have a history of strategically hoarding vulnerabilities."

Recorded Future Recorded Future, Inc. is an American cybersecurity company founded in 2009, with headquarters in Somerville, Massachusetts. The company was acquired by MasterCard in 2024. History In 2007, co-founders Christopher Ahlberg and Staffan Truvé, bo ...

uncovered more than 200 vulnerability disclosures that had their original publication dates altered in a "sloppy coverup" following their discovery that vulnerabilities disclosure dates lagged reporting.

Advanced persistent threat involvement

In November 2016, a

US Department of Defense The United States Department of Defense (DoD, USDOD, or DOD) is an executive department of the U.S. federal government charged with coordinating and supervising the six U.S. armed services: the Army, Navy, Marines, Air Force, Space Force, ...

report leaked, exposing the clients of Boyusec, a

Guangzhou Guangzhou, Chinese postal romanization, previously romanized as Canton or Kwangchow, is the Capital city, capital and largest city of Guangdong Provinces of China, province in South China, southern China. Located on the Pearl River about nor ...

-based company responsible for the

known as APT3. According to the Pentagon's report, Boyusec was actually a

front Front may refer to: Arts, entertainment, and media Films * ''The Front'' (1943 film), a 1943 Soviet drama film * '' The Front'', 1976 film Music * The Front (band), an American rock band signed to Columbia Records and active in the 1980s and ...

for the MSS, who was working with

Huawei Huawei Technologies Co., Ltd. ("Huawei" sometimes stylized as "HUAWEI"; ; zh, c=华为, p= ) is a Chinese multinational corporationtechnology company in Longgang, Shenzhen, Longgang, Shenzhen, Guangdong. Its main product lines include teleco ...

to produce compromised security products with built-in backdoors that would allow Chinese intelligence "to capture data and control computer and telecommunications equipment." The front's other client was Guangdong ITSEC, the

Guangdong State Security Department The Guangdong Provincial State Security Department (GSSD; ) is a division of China's Ministry of State Security (MSS) responsible for intelligence collection and secret policing in the province of Guangdong. Established as one of the original 1 ...

's affiliate office of CNITSEC.

Professional Certifications

The China Information Technology Security Evaluation Center (CNITSEC) administers a series of nationally recognized cybersecurity certifications. These are designed to standardize professional capabilities and improve the skills of practitioners working in information and cybersecurity across China.

Certified Information Security Professional (CISP)

The CISP certification framework covers a broad range of topics in information security governance, management, and technical implementation. It's a mid-to-senior-level certification program administered by CNITSEC. Candidates must complete formal training and pass a written exam. Some tracks also include a practical test to evaluate real-world technical skills. * CISP – Certified Information Security Engineer (CISP-CISE): Focuses on the design and maintenance of secure systems. It covers network architecture, system hardening, intrusion detection, and security engineering practices. * CISP – Penetration Testing Engineer (CISP-PTE): Certifies skills in offensive security and hands-on penetration testing. The exam includes both theory and practical tasks in a lab environment, covering vulnerability scanning, exploitation, and web security. * CISP – Data Security Governance (CISP-DSG): Addresses data protection and compliance. It includes topics such as data classification, privacy policy, and Chinese regulations like the Personal Information Protection Law (PIPL). * CISP – Incident Response Engineer (CISP-IRE): Covers cyber incident detection and response. It includes incident handling, digital forensics, and malware analysis. Some exam versions include a practical component in addition to the written test.

Certified Information Security Member (CISM)

The CISM certification (not to be confused with ISACA's CISM) is an entry-level cybersecurity credential issued under the CNITSEC system. It is designed for personnel engaged in basic information security tasks such as system monitoring, compliance documentation, and routine security operations.

References

External links

* {{Authority control Bureaus of the Ministry of State Security (China) Cyberwarfare by China One institution with multiple names