The China Information Technology Security Evaluation Center (CNITSEC) is the cover identity of the 13th Bureau of the Ministry of State Security, the information technology component of China's civilian spy agency, which houses much of its technical cyber expertise. The bureau manages much of the conduct of cyberespionage for the agency, and provides aid to the many advanced persistent threats (APTs) run directly by the agency, by its semi-autonomous provincial State Security Departments (SSD) and municipal State Security Bureaus (SSB), and by contractors.
In support of provincial state and party leadership, the bureau also runs its own semi-autonomous provincial Information Technology Security Evaluation Centers (ITSEC) in collaboration with provincial counterparts.
In the past these ITSECs have been identified collaborating with APTs run by provincial state security units.
The bureau also manages the Chinese National Vulnerability Database (CNNVD), where it has been found to selectively suppress or delay public reporting of certain zero-day vulnerabilities.
Operations
CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.” Per a 2009 U.S. State Department cable, it is believed China may also use vulnerabilities derived from CNITSEC's activities in intelligence operations.
Many believe that government requirements for CNITSEC to conduct "security reviews" of all foreign tech imports are intended to allow the MSS to identify zero-day vulnerabilities in the technology for use in intelligence operations, and force foreign companies to transfer proprietary technology and intellectual property to the MSS in exchange for access to Chinese markets.
Chinese National Vulnerability Database
CNNVD is one of two national vulnerability databases operated by the PRC. According to Kristin Del Rosso of Sophos, "they have a history of strategically hoarding vulnerabilities."
Recorded Future uncovered more than 200 vulnerability disclosures that had their original publication dates altered in a "sloppy coverup" following its discovery that vulnerability disclosure dates lagged reporting.
Advanced persistent threat involvement
In November 2016, a US Department of Defense report leaked, exposing the clients of Boyusec, a Guangzhou-based company responsible for the advanced persistent threat known as APT3. According to the Pentagon's report, Boyusec was actually a front for the MSS, which was working with Huawei to produce compromised security products with built-in backdoors that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The front's other client was Guangdong ITSEC, the provincial affiliate office of CNITSEC.