Chinese Firms in Microsoft's Inner Circle: A National Security Threat?
AI-created, human-edited.
In a recent episode of Security Now, hosts Steve Gibson and Leo Laporte dove deep into a concerning security issue that has significant implications for global cybersecurity: Chinese companies' participation in Microsoft's Active Protections Program (MAPP) and the potential national security risks it creates.
Steve Gibson opened the discussion by referencing a detailed analysis from NATO Thoughts, a geopolitical and cybersecurity analysis publication. The central concern revolves around Microsoft's longstanding practice of providing early access to vulnerability information to trusted security partners - a practice that made sense in a more cooperative global environment but raises serious questions in today's geopolitical climate.
"How can it possibly remain rational for Microsoft to be willfully providing Chinese researchers and, indirectly, the Chinese government, with the very means to attack us, perhaps devastatingly?" Gibson asked, highlighting the fundamental tension at the heart of this issue.
Microsoft's Active Protections Program, launched in 2008, was designed with good intentions. The program provides trusted security vendors with early access to vulnerability details before patches are released, enabling them to create protective measures like antivirus signatures and intrusion detection rules that can be deployed simultaneously with Microsoft's monthly updates.
As Gibson explained, this approach minimizes the critical window of vulnerability between when a patch is released and when organizations actually implement it - a gap that attackers frequently exploit.
The analysis reveals a troubling conflict of interest for Chinese security firms participating in MAPP. Under China's 2021 Regulations on the Management of Network Product Security Vulnerabilities (RMSV), any organization doing business in China must report newly discovered zero-day vulnerabilities to government authorities within 48 hours.
This creates a scenario where Chinese MAPP partners face competing obligations:
- Microsoft's non-disclosure agreements requiring secrecy
- Chinese law mandating disclosure to state authorities
Perhaps most concerning is the revelation about China's National Vulnerability Database of Information Security (CNNVD), overseen by the Ministry of State Security. Chinese cybersecurity firms participate as Technical Support Units (TSUs), receiving financial compensation and prestige for submitting vulnerabilities to the database.
The system creates troubling incentives:
- Tier 1 TSUs must submit at least 20 vulnerabilities annually, including three classified as critical risk
- Financial rewards and prestige motivate increased submissions
- Early warning requirements mandate sharing intelligence with state security
Gibson noted the cultural implications: "I imagine that everyone listening appreciates how traditional Chinese culture could factor into both the financial compensation and the prestige aspects of this."
The research reveals concerning statistics:
- 19 Chinese firms currently participate in MAPP (the largest national representation after the US)
- 12 of these are classified as CNNVD Technical Support Units
- 10 Tier 1, 1 Tier 2, and 1 Tier 3 CNNVD contributors are Microsoft MAPP members
The discussion highlighted two major incidents that demonstrate the real-world impact of these vulnerabilities:
- 2021 Microsoft Exchange Campaign: After MAPP distributed proof-of-concept code on February 23, mass exploitation began just five days later, with multiple China-linked threat groups rapidly deploying similar code.
- 2024 SharePoint Vulnerabilities: Chinese hackers exploited SharePoint vulnerabilities before patches were released, compromising over 400 organizations worldwide, including the US National Nuclear Security Administration.
Leo Laporte acknowledged the gravity of the situation, expressing hope that Microsoft would pay attention to these concerns. Gibson emphasized that while Microsoft's global mission of empowerment is admirable, the current approach may be fundamentally incompatible with national security interests.
The hosts discussed Microsoft's plans to move some operations out of China, but noted that this addresses only part of the problem - the MAPP partnership issue remains separate and equally concerning.
The Security Now analysis suggests that Microsoft should consider temporarily suspending Chinese companies from MAPP pending investigation. However, this approach raises complex questions about global cooperation, business relationships, and the future of international cybersecurity collaboration.
As geopolitical tensions continue to escalate, this issue represents a broader challenge: how can global technology companies balance their mission to protect all users while acknowledging the reality of state-sponsored cyber warfare?