This is why for all the fear of China, the country cannot succeed on its current trajectory.
Things look great until the leaders are doing well, but all it takes is for 1 bad set of leadership for all to fall apart.
And Xi Jinping has guaranteed failure by removing term limits. Term limits meant that other ambitious political leaders were willing to wait and try their luck next turn. But with no term limits multiple generations of leaders are locked out of even the possibility of becoming the party leader, which means they have become a threat to Jinping.
And since so many people are now a threat to him, his selection criteria for people to lead different parts of the party and government has to be based entirely on loyalty rather than competence.
Which almost guarantees a lot of counter productive incompetence.
> This is why for all the fear of China, the country cannot succeed on its current trajectory.
I really really really want this to be true, but I don't think it's wise to discount China as a threat to worldwide autonomy just because they're behaving like typical authoritarians, and have the weaknesses that you'd expect from that kind of government.
Personally I think China's demographic issues should be more of a worry for them. The aftermath of the one-child policy, as well as all the selective abortion (under one-child, parents preferred to give birth to a boy) creating an imbalance between the number of men and women, means their population will start shrinking soon. And there will be a lot of only children supporting both of their parents when they start getting older, not to mention a glut of older folks leaving the workforce without equal replacement from the younger generations.
You think of China in American terms. For all they care, the world stops at their borders and having to trade outside is a temporary inconvenience. They're not going to be able to expand; you can already see their cultural gradients on its periphery having a lot of issues.
If China was to deal with French, Japanese or Senegalese people, it would immediately crumble. All they can do is firefight for internal stability, or change enormously to inspire positively, but it's not yet looking that way.
According to machine translation (both Google Translate and DeepL) of the law itself, it seems that this is not actually the case, and that the article is simply wrong. Indeed, it seems that they have a legal responsibility to notify the MIIT within two days, but a legal responsibility to notify upstream immediately (according to another commenter, they do not even have any responsibility to disclose to the government, only to Apache).
Perhaps this translation is incorrect, but Chinese speaking commenters below think that it is accurate, so it's probably just the article being wrong (as usual), leading to incorrect conclusions that China is not a threat and will not succeed because they will shoot themselves in the foot etc, while reality is a lot more reasonable.
The article is correct on all factual grounds; Alibaba has been suspended from its participation as a 网络安全威胁信息共享平台合作单位 (whatever that means), and the agency sources that law as the reason. Now you can argue the law does not actually say Alibaba is obligated to report the incident to the Chinese government, but the government is acting as it should, and Alibaba has no recourse but to accept (you have no chance to get a court ruling to overturn the decision in China anyway, so what other choice do they have).
The ease with which the term limits were removed indicates that they were never a real limitation in the first place. What prior leader was actually bounded by them?
This is not how China works. Previous leaders only exited power because they were pretty much ousted, and their power was never really institutionally checked.
Mainland China has never been even close to constitutional rule. It's unbelievably naive to think that term limits would've ever been something other than a decoration, and a propaganda point with communists.
There were emperors in China and many other countries all through the past several thousand years and it is the expectation of the world that they suddenly give up that entire way of life and thinking in one century?
That's just plainly not true. Deng Xiaoping set the country up for orderly succession, and it did work up through Xi Jinping. Hu Jintao and Jiang Zemin both cycled through office without any of the things we associate with authoritarian rulers. There was no execution of your political opponents, after you beat them to office, or afterwards.
The argument has been that China needed a reset badly. Free-for-all capitalism hasn't been so great for most folks in the U.S. either, has it? That has been the justification for the heavy hand of the government during Xi's rule. There's also the argument that Western-style term limits prevent long-term strategic planning.
All of those are really tempting and solid arguments, especially given how corrupt China had become with capitalism-ruling-all, but one really does wonder.
As far as Alibaba goes, it's to my understanding that there are no real alternatives to Alibaba Cloud in China (unless you want to go for a foreign solution like AWS or Azure). It would seem that the current government thinks they can get away with making an example of the company as they see fit. There may be some geopolitical logic to that, because Xi's government seeks to make China more independent after Trump's trade wars, and if you have a big, wealthy internet company drawing in the country's top talent, then that's fewer that's e.g. going towards the semiconductor companies they now seek to bolster.
Now there may have been a "correct" policy solution to this, a la antitrust, but it seems Xi's government prefers to be heavy-handed. For me, that's setting some scary precedents, because as other commenters have said, it isn't clear how succession will be handled going forward, and it may well be brutal.
> The Communist Party of China proposed amending the Constitution, for the first time after 2004,[3] including writing Scientific Outlook on Development and Xi Jinping Thought into the Preamble,[4] and removing the provision that the President and Vice President "shall serve no more than two consecutive terms" from the Constitution.[5]
The most powerful man in China is the Chairman of the Central Military Commission. “Political power grows out of the barrel of a gun” - Mao. The title President is less important so term limits on that position don’t matter. Recent “anti-corruption” actions have weighed heavily on Jiang Zemin’s allies.
> The most powerful man in China is the Chairman of the Central Military Commission.
It's interesting to me that they allowed that to happen, both the US, with its civilian control of the military, and the Soviets, with their convoluted division of manpower, equipment, and commands, took measures to stop that situation from occurring.
You just look back at China's 5000 years Imperial history. It is no surprise of current development. Chinese history has never had Greek style democracy system. The closest in terms of political development will be Song dynasty which it has a chance to further survive, will likely turn into something like USA. Alas, ask any Chinese scholars, Song dynasty is considered the worst in China as it is "weak". Surprisingly, if you ask the same person, people living during Song dynasty were way better off than Tang or Han dynasty, both golden periods of China before Song. Even if you ask about science and literature developments, it too was ahead of previous dynasty. Still, it is considered a failure in terms of dynasty ranking.
I know about Dr. Sun's republic, Taiwan and "voting politburo". But these are considered modern development which hasn't really sunk into psyche of Chinese race worldwide.
> the country cannot succeed on its current trajectory
What, exactly, is it doing right now? This sounds a lot like "Tom Brady cannot succeed with his current height." Um, he already has, and continues to do so.
This is why for all the fear of America, the country cannot succeed on its current trajectory.
Things look great until the leaders are doing well, but all it takes is 1 Brandon for all to fall apart.
And since so many Americans are now a threat to the Democrats, their selection criteria for people to lead different parts of the party and government has to be based entirely on race and gender rather than competence.
Which almost guarantees a lot of counter productive incompetence.
>Article 7 Network product providers shall fulfill the following security vulnerability management obligations
>(2) Relevant vulnerability information shall be submitted [...] within 2 days
In this case, an Alibaba researcher found a bug in an Apache product, so this policy wouldn't seem to apply as Alibaba is not the vendor of the product.
Plainly the linked policy does not ask Alibaba to do what the article says it should do, ie, notify the government first, as per machine translation.
It seems to say that they should notify the vendor (ie, Apache) as soon as possible, and notify the government within 2 days (according to rfoo they are not at all required to disclose it to the government since it's not their product, but they are encouraged to do so), not that they should notify the government first and then wait for approval to notify Apache.
According to Google Translate:
(1) After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and the scope of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should Notify the relevant product provider immediately.
(2) The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission shall include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.
So according to machine translation, the article is incorrect, and they do not have to notify the CCP first, instead they should have notified Apache first, and then the government within 2 days.
Sure, Alibaba broke the law. But there is no rule of law in China. If laws were truly enforced the entire system would collapse.
This was using the law as a weapon to keep companies in check. If this had been another company firmly in the pocket of the CCP, this would have been overlooked and never made public.
Why does the Chinese Government need to be told _at all_? You're saying that doesn't seem strange to you? The government busy silently exterminating a people and who employ mass surveillance and other obvious human rights violations, that they ask for cyber vulnerabilities to be specifically delivered to them doesn't register a reaction with you at all?
> The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center.
Let's cut the BS. The fact was that Ali Cloud failed to report the issue to MIIT (required by law, it has to report cyber security incidents to MIIT immediately) weeks after notifying Apache (a foreign entity).
I'm not sure if such behaviors would be desirable in any country.
> Did they want to protect themselves before alerting anyone?
Probably yes.
> Did they want to use this to infiltrate others?
Also probably yes.
The NSA does the same thing. They stockpile security vulnerabilities and selectively tell the software vendors about some of them. They like to keep the "high value" vulnerabilities to themselves for use in exploits.
Unfortunately all intelligence agencies everywhere will continue to take this cowboy approach. Until we can get these bad actors under control, their constant undermining of internet infrastructure will continue to hinder efforts to improve internet security.
It's not the same thing to develop and keep an exploit for yourself, as it is to require the public companies in your country to report the important bugs they find while effectively also under a temporary gag order. They are super different things.
Probably both? It may not even be so much about this particular vulnerability, but rather just setting the law that any future vulnerabilities must first be reported to the party which can then decide to either defend from it or weaponize it.
Do people really think AWS did not report to the federal agencies about potential risks?
If AWS didn't then their contract for service is deficient. If they had risks which affected their stock price they had obligations to other agencies too. The department of commerce, the federal communications agency, the US Cert, you name it.
Please, no accusations of whataboutery: I am trying to point out that if you are big enough to have economically relevant importance, OR if you supply goods and services to the state, any state, you have obligations in that state relationship.
If I was in government in China and Alibaba Cloud didn't check in, I might be withholding business too.
>And since so many people are now a threat to him, his selection criteria for people to lead different parts of the party and government has to be based entirely on loyalty rather than competence.
>Which almost guarantees a lot of counter productive incompetence.
This applies to every government and public institution regardless of its democratic roots.
The major difference is their positions in economic transitions.
I think the biggest risk for China would be entering mediocrity and flatlining like Russia. Not growing seems to be their biggest fear.
What do dictators do when their policies start failing and popularity declines?
They go to war. Nothing distracts the population as much. This is the biggest risk with China's expanding military power.
> The Communist Party of China proposed amending the Constitution, for the first time after 2004,[3] including writing Scientific Outlook on Development and Xi Jinping Thought into the Preamble,[4] and removing the provision that the President and Vice President "shall serve no more than two consecutive terms" from the Constitution.[5]
https://en.m.wikipedia.org/wiki/2018_National_People%27s_Con...
By eliminating term limits in 2018 Xi Jinping was clearly signaling that he did not intend on relinquishing power.
Here it is: Verify. Report to 'vendor'. Immediately. Report to government including an analysis within 2 days.
Link to policy: http://www.gov.cn/gongbao/content/2021/content_5641351.htm
Link to past HN comment on this on another story on this topic: https://news.ycombinator.com/item?id=29653352
(archived version of the article: https://archive.md/Yvsca)
From your linked policy (translated by Apple):
>Article 7 Network product providers shall fulfill the following security vulnerability management obligations
>(2) Relevant vulnerability information shall be submitted [...] within 2 days
Shit HN says. Can we avoid making such blanket statements, please and thank you.
https://amp.scmp.com/tech/article/2138114/china-discourages-...
https://en.wikipedia.org/wiki/CERT_Coordination_Center
> The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center.
Did they want to protect themselves before alerting anyone?
Did they want to use this to infiltrate others?
Note that the article is misleading as the rule doesn't require that the disclosure be made to the government first.
The NSA does the same thing. They stockpile security vulnerabilities and selectively tell the software vendors about some of them. They like to keep the "high value" vulnerabilities to themselves for use in exploits.
The WannaCry ransomware (see https://en.wikipedia.org/wiki/WannaCry_ransomware_attack and https://en.wikipedia.org/wiki/EternalBlue) did worldwide economic damage and was built on an NSA developed exploit. The NSA knew about this vulnerability in Windows for years and never told Microsoft.
Unfortunately all intelligence agencies everywhere will continue to take this cowboy approach. Until we can get these bad actors under control, their constant undermining of internet infrastructure will continue to hinder efforts to improve internet security.
* Google Project Zero researcher: "we found a bug!"
* NSA (internally): "Damnit, scratch that one off the list boys.."
I guess everyone has forgotten wikileaks and Snowden already.