I. The New Rule
Recently, the US Department of Commerce issued a new cybersecurity regulation: sharing security vulnerabilities with China is prohibited without prior approval.
On May 26, the Bureau of Industry and Security (BIS) of the US Department of Commerce formally released its latest export control rules for the cybersecurity sector. Under the new rules, entities cooperating with government-related departments or individuals in Category D countries and regions must apply in advance and obtain a license before sending information on potential network vulnerabilities across borders. The regulation divides the world's countries into four groups, A, B, D and E, with restrictions and strictness increasing progressively from one group to the next.
China is placed in Category D, the strictly restricted countries and regions. Companies registered or listed in the United States, such as Microsoft, Google, Apple, Oracle and SAP, must obtain approval before publicly disclosing vulnerabilities and security problems they find in their software systems, and may not share them with Chinese customers or partners without a license.
II. Impact
Last December, Alibaba Cloud discovered a critical vulnerability in Log4j2 and, following international practice, reported it to the US open-source foundation Apache, so that the major software vendors could immediately check for the vulnerability and take mitigating measures, avoiding huge losses for their customers and the IT industry. However, because it did not promptly report to the Chinese government as required by the Ministry of Industry and Information Technology (MIIT), it was publicly reprimanded by MIIT. For details, see the Digital Transformation Network article (click the blue text to read): "An epic security vulnerability was first reported to a US foundation; MIIT only learned of it half a month later, and Alibaba Cloud's status as an MIIT cooperation partner was suspended."
Before the new US rule was enacted, when US companies discovered vulnerabilities they would also promptly provide the relevant vulnerability information to Chinese customers and partners, ensuring that Chinese companies could fix the vulnerabilities immediately, or the US companies would directly supply patches to fix them in time.
What most people encounter most often in daily work and life is the patching of vulnerabilities in Microsoft's Windows products; regularly patching security vulnerabilities is essentially one of the basic functions of the major traditional antivirus products.
The new rule means that while we wait for US government approval, some software on our phones and computers will go through a gap period, during which it runs "naked" and faces the risk of attack.
III. An Overbearing Clause
Before the policy was issued it drew opposition from Microsoft and other software companies, but their objections were not adopted.
After all, their own commercial interests are at stake. When software companies like Microsoft sell products to customers, it is hard to tell whether a customer has ties to the government, or where exactly the customer will use the product. The line is very blurred. In particular, when Chinese state-owned enterprises and government units hold tenders in the future, this new rule may prevent Microsoft and similar companies from bidding at all, costing them those opportunities.
The US issued this rule against the backdrop of the trade war; it is also a product of Sino-US technological competition in the IT field, and in essence an overbearing clause that is harmful to the development of the IT industry. As political friction intensifies, information security and IT technology are increasingly acquiring national borders.
Translation:
I. New Rules
The US Department of Commerce has introduced a new cybersecurity rule that prohibits sharing security vulnerabilities with China without approval.
On May 26, the Bureau of Industry and Security (BIS) of the US Department of Commerce officially issued the latest export control regulations in the field of cybersecurity. According to the new regulations, entities cooperating with government departments or individuals in Category D countries and regions must apply in advance and obtain permission before sending information about potential cyber vulnerabilities across borders. The regulation divides countries into four categories, A, B, D and E, with progressively increasing restrictions and stringency.
China falls into Category D, the severely restricted countries and regions. Companies incorporated or listed in the United States, such as Microsoft, Google, Apple, Oracle and SAP, are required to obtain approval for vulnerabilities and security problems found in their software systems before making them public, and are prohibited from sharing them with Chinese customers or partners without permission.
II. Impact
In December last year, Alibaba Cloud found a critical vulnerability in Log4j2 and reported it to Apache, the American open-source foundation, in accordance with international practice, so that all major software vendors could immediately check for the vulnerability and take mitigating measures to avoid huge losses to their customers and the IT industry. However, it was criticized by the Ministry of Industry and Information Technology (MIIT) for failing to report to the government in time as required by the ministry. Details can be found in the Digital Transformation Network article (click the blue text to read): "The epic security vulnerability was first reported to a US foundation; only after half a month did MIIT learn of it, and Alibaba Cloud's status as an MIIT cooperation partner was suspended."
Before the new regulations were formulated in the United States, American enterprises would provide relevant vulnerability information to Chinese customers and partners in a timely manner when discovering vulnerabilities, ensuring that Chinese enterprises could fix them immediately, or the American enterprises would directly provide patches to fix the vulnerabilities in time.
In daily work and life, what many people encounter most often is the patching of vulnerabilities in Microsoft's Windows products. Regularly patching security vulnerabilities is basically one of the functions of traditional anti-virus software.
The new rules mean that while we are waiting for US government approval, some software on our phones and computers will be left in a window period, exposing us to the risk of "streaking" and being attacked.
III. Overlord Clause
The policy was opposed by software companies such as Microsoft before it was issued, but their objections were not adopted.
After all, their own business interests are at stake: when software companies like Microsoft sell their products, it is difficult for them to tell whether customers have ties to the government, or what exactly customers will use the products for. The line is very blurred. In particular, when state-owned enterprises and government units in China hold tenders in the future, because of the new regulation, companies like Microsoft may be unable to take part in the bidding and will lose the corresponding opportunities.
This regulation issued by the US is set against the background of the trade war and is also a product of Sino-US technological competition in the IT field. In essence, it is an overlord clause that is not conducive to the development of the IT industry. As political friction intensifies, information security and IT technology are increasingly bounded by national borders.
This article was compiled and written by Digital Transformation Network (www.szhzxw.cn) from publicly available materials. Author: 木铎 (Digital Transformation Network); editor/translator: 默然 (Digital Transformation Network).

