China Halts Alibaba Cybersecurity Cooperation For Slow Reporting of Threat

682

Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group (9988.HK), over accusations it failed to promptly report and address a cybersecurity vulnerability, state media reported.

China’s ministry in charge of technology said its cybersecurity threat and information platform would be stopping its cooperation with Alibaba Cloud for six months, as the company had failed to report the Log4j2 flaw to relevant authorities in a timely manner, the state-run China Daily reported on Wednesday, citing unnamed ministry officials. Alibaba declined to comment.

The flaw in Apache Log4j software, a free bit of code that logs activity in computer networks and applications, was made public this month and is being exploited by hackers in an attempt to gain access to retail and government sites, among others.

Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications.

Alibaba is part of a national cybersecurity-threat database, which requires members to promptly report information about such glitches, according to the China Daily report. The Hangzhou-based company’s failure to report the issue quickly hindered efforts by the Ministry of Industry and Information Technology to handle the threat effectively, the report said.

The ministry, also known as MIIT, said it would reassess Alibaba’s corrective measures before resuming its current partnership, the paper wrote. MIIT didn’t respond to a faxed request for comment sent after office hours.

The MIIT released a statement on its website on Friday about the software flaw, adding that it had received reports of the Log4j vulnerability eight days earlier and called in cybersecurity experts, including those from Alibaba Cloud, to assess the cybersecurity threat. In the statement, the ministry said the Log4j flaw was a high-risk vulnerability, that it could lead to equipment being controlled remotely and could result in sensitive information being stolen.

MIIT added that Alibaba Cloud had discovered the Log4j vulnerability and had informed the Apache Foundation about its existence.

Alibaba, the first Chinese technology provider to make a foray into cloud computing, is China’s largest cloud provider and had 34% of the country’s market in the second quarter of the year, according to researcher Canalys.

Source: The Wall Street Journal