Alibaba Cloud, Alibaba’s cloud computing subsidiary, has been suspended for six months from a national network security information-sharing platform by China’s internet technology regulator after failing to report a security glitch.
The incident will be a blow to the company’s credibility and reputation, and also a warning to other technology companies to put network security first, experts said.
Alibaba Cloud, a member company of the network security information-sharing platform under the auspices of the Ministry of Industry and Information Technology (MIIT), has been removed from the platform, 21jingji.com reported on Wednesday.
The removal comes after Alibaba Cloud first detected and reported the serious Apache Log4j 2 security glitch to the US-based Apache Software Foundation, but failed to report the security risk to the Chinese regulator within the required two-day reporting timespan, thereby failing to effectively support the MIIT in detecting network security threats and vulnerabilities.
According to the rule governing the management of security vulnerabilities of network products implemented on September 1, network product providers have the obligation to report any risks to the authorities within two days.
However, it was only on December 9 that MIIT’s information-sharing platform received a report from a professional network security monitoring institution warning of the serious security risks in Apache Log4j 2, 15 days after Alibaba Cloud detected the problem, according to a report by Guancha.cn.
The MIIT said it will decide whether to restore the status of Alibaba Cloud based on the company’s response to its recent failure when the six-month suspension expires.
The security glitch in Apache Log4j 2, a Java-based logging utility widely used in business system development, is considered a high-risk vulnerability that may lead to remote control of the software, as well as serious hazards such as sensitive information theft and service interruption.
Alibaba Cloud should first report the glitch to the relevant authority so the regulators could take relevant defensive measures. Failure to do so poses a risk to national network security, Liu Dingding, a Beijing-based independent analyst, told the Global Times on Wednesday.
The six-month suspension will impact the credibility and industry reputation of the firm, Li said, especially at a time when the country has been stepping up network security efforts.
“Potential business partners may shift to other cloud service providers such as Tencent Cloud or Huawei Cloud,” Liu said.
The way Alibaba Cloud dealt with the vulnerability could be utilized by other countries as a weapon to launch cyberattacks against China, said Wang Zhantao, an independent analyst on web security.
“There should be a fixed process for dealing with such vulnerabilities. Although China has announced regulations on security vulnerability management, there hasn’t been strict compliance by tech companies.
“It is expected that the incident of Alibaba Cloud will serve as a warning for its peers to comply with the rules and take web security seriously,” Wang told the Global Times on Wednesday.