Nicole Perlroth
Podcast Appearances
And just so there was no ambiguity here, the CCP formalized this practice into law, banning the unauthorized disclosure of vulnerabilities. These laws forced Chinese citizens to give the state right of first refusal on any zero day they found. Over the previous five years, I'd watched Chinese hacking teams dominate the big annual hacking competitions.
But after these laws passed, they stopped showing up on state's orders. If they wanted to attend an international hacking competition, now they had to apply for a waiver with the Chinese police. But they were welcome to compete at hacking competitions inside China, albeit with a new sponsor, the Ministry of State Security.
China's hackers had been forced into conscription, and penalties for noncompliance were severe.
In December 2021, a Chinese security engineer at Alibaba went rogue. He disclosed a serious zero-day that would have proved mighty useful to Chinese spies. What that Alibaba engineer found was a zero-day in an open-source library called Log4j. Here's Jen Easterly, formerly the director of the U.S. Cyber Defense Agency, CISA.
Log4j was used in millions of applications. In terms of severity, this was a 10 out of 10. Hair on fire, drop everything and find a patch situation. Using this zero day, you could take full remote control of potentially millions of systems around the world. For cyber criminals, that meant you could have used it to steal banking credentials or deployed ransomware on God knows how many systems.
For spies, it would have made the digital world their oyster. In cybersecurity circles, what that Alibaba engineer did was heroic. But for Beijing, it was a slap in the face. And they made his employer pay a steep price, suspending Alibaba's government contracts for six months. Just long enough to send its stock in a free fall and send a clear message to every Chinese hacker and their employer.
Play by state rules or prepare to go through some things. By 2019, we caught glimpses of where all these zero days were going. That year, security researchers discovered a Chinese hacking operation that was as slick as any I'd seen. Just as a lion waits for its prey to come to water, Chinese hackers had pulled off what's known as a watering hole attack.
They'd infected a slew of Uyghur websites with a string of zero-day exploits. Anyone who navigated to these websites would have been immediately infected with spyware that turned their iPhone or Android phone into a CCP portal. These were zero days that on the gray market would have easily fetched $10 million. But Beijing was now getting them for free.
And not long after they turned up on Uyghur phones, researchers discovered a parallel effort hacking Tibetans and then Chinese activists. The five poisons. But inevitably, they turned up here, against us. China's zero days started popping up in our most widely used technology.
At one point, researchers uncovered a string of zero days in a Microsoft Exchange email system used by everyone from US military contractors, state and local governments, to small businesses. These zero days allowed Chinese hackers to invisibly read emails. Once those zero days were discovered, Microsoft raced to put out a patch. But this time, China's hackers didn't give up.