Recently, the US Department of Commerce issued a new cybersecurity regulation: sharing security vulnerabilities with China is prohibited without approval
一、New rule
On May 26, the Bureau of Industry and Security (BIS) of the US Department of Commerce formally published its latest export control rule for the cybersecurity field. Under the new rule, an entity that cooperates with government-related departments or individuals in Category D countries and regions must apply in advance and obtain a license before sending information about potential network vulnerabilities across borders. The rule divides the world's countries into four categories, A, B, D and E, with restrictions that become progressively stricter.
China is placed in Category D, the strictly restricted countries and regions. Companies registered or listed in the US, such as Microsoft, Google, Apple, Oracle and SAP, will need approval before publicly disclosing vulnerabilities and security problems they find in software systems, and may not share them with Chinese customers or partners without a license.
二、Impact
Last December, Alibaba Cloud discovered a critical vulnerability known as Log4j2 and, following international practice, reported it to the Apache Software Foundation in the US, so that the major software vendors could immediately check for the vulnerability and take mitigation measures, averting huge losses for their customers and the IT industry. But because it did not report promptly to the Chinese government as required by the Ministry of Industry and Information Technology (MIIT), it was publicly criticised by the MIIT. For details, see the Digital Transformation Network article: "Epic security vulnerability reported to a US foundation first; MIIT only learned of it half a month later; Alibaba Cloud's status as an MIIT cooperating unit suspended".
Before the new US rule existed, when US companies discovered vulnerabilities they would also promptly provide the relevant vulnerability information to Chinese customers and partners and make sure Chinese companies could fix the vulnerabilities right away, or the US company would directly provide a patch to fix the vulnerability in time.
What most people encounter most often in daily work and life are the vulnerability fixes for Microsoft's Windows products; regularly patching security vulnerabilities is basically one of the functions of every major traditional anti-virus product.
The new rule means that while we wait for US government approval, some of the software on our phones and computers will go through a window with no fix available, during which it is "running naked" and exposed to attack.
三、An overbearing clause
Before the policy was issued it drew opposition from Microsoft and other software companies, but that opposition was not accepted.
After all, their commercial interests are at stake: when Microsoft and other software companies sell products to customers, how can they tell whether a customer is connected to the government, or where the customer will actually use the product? The boundaries here are very blurry. In particular, when Chinese state-owned enterprises and government bodies hold tenders in the future, this new rule may prevent Microsoft and similar companies from bidding, costing them those opportunities.
The US issued this rule against the backdrop of the trade war; it is also a product of Sino-US technology competition in the IT field, and in essence it is an overbearing rule that harms the development of the IT industry. As political friction intensifies, information security and IT technology are acquiring more and more national borders.