
Before You Buy the Weapon, Know Who Made It

In the age of AI cybersecurity tools, the creator's ideology isn't a footnote. It's the most important clause in the contract — and with China's Tulongfeng, it leads directly to Beijing.

There is an old principle in arms procurement that has never been more relevant: you do not evaluate a weapon only by what it can do. You evaluate it by who built it, what they believe, who they answer to, and what happens to the intelligence the weapon gathers. For centuries, this was a question about steel, gunpowder, and range. Today, it is a question about algorithms, vulnerability databases, and legal obligations — and the stakes are no less existential.

China's Qihoo 360 has just unveiled Tulongfeng, an AI-powered cybersecurity tool its founder calls the equivalent of a cyber nuclear weapon. The world is debating its capabilities. But before anyone decides whether to engage with it — or adopt tools from the same ecosystem — there is a prior question that almost nobody is asking loudly enough. Who made this? What do they believe? And what are they legally required to do with what your systems tell them?

THE CREATOR

The tool is inseparable from its maker

Qihoo 360 is not a neutral technology company that happens to be based in China. This is a documented, legally established fact — not an allegation. The US Department of Defense has designated it a "Chinese Military Company." The US Commerce Department sanctioned it in June 2020. The US Federal Register, updated in June 2026, confirms it is directly affiliated with China's Ministry of Industry and Information Technology and the Ministry of State Security — the country's domestic intelligence service.

⬛ INTELLIGENCE RECORD · US FEDERAL REGISTER · JUNE 2026

360 Security Technology Inc. (Qihoo 360) is directly and indirectly affiliated with the Ministry of Industry and Information Technology (MIIT) and the Ministry of State Security. Qihoo 360 is a military-civil fusion contributor to the Chinese defense industrial base. Its founder sits on the Chinese People's Political Consultative Conference. Its customers have included the People's Liberation Army and at least eight Chinese government ministries.

Qihoo 360's founder Zhou Hongyi has openly claimed that his company helped Beijing identify 54 "overseas, state-level" hacking groups — including alleged CIA and NSA operations targeting China — and that this is the very reason his company was sanctioned by Washington. That is not the profile of a private technology company. That is the profile of a state asset operating under a commercial brand.

"This kind of powerful weapon that can change the landscape of cyber offence and defence cannot be held only by others." — ZHOU HONGYI, QIHOO 360 FOUNDER, ISC.AI 2026 CONFERENCE, BEIJING

THE LAW

Ideology encoded in statute

The ideology of Chinese technology companies is not simply a matter of a founder's politics. It is written into law — and those laws apply to every product the company builds and every piece of data those products touch. Article 7 of China's National Intelligence Law states that "any organisation or citizen shall support, assist, and cooperate with state intelligence work in accordance with the law." This is mandatory. It is backed by criminal sanction. It applies to Chinese companies operating internationally, to their subsidiaries, and to the data they hold — regardless of where in the world that data was generated.

The 48-hour rule: China's 2021 Cyber Vulnerability Regulations require Chinese companies to report discovered vulnerabilities to the Ministry of Industry and Information Technology within 48 hours of finding them — almost certainly before patching those vulnerabilities or disclosing them to customers. A tool that finds your security flaws is legally required to hand them to a foreign government before it hands them to you.

China's Cybersecurity Law, amended and in force since January 2026, compounds this. It compels network operators to provide technical support to national security organs on demand. International law firms have warned that companies operating in China can be asked to provide source code, encryption keys, and other sensitive proprietary information for government review — creating what one major US government advisory called the risk of "backdoors" disguised as accidental bugs.

THE PRECEDENT

We have done this before — and paid for it

The principle argued here is not new. Huawei and ZTE built telecommunications infrastructure across dozens of countries throughout the 2000s and 2010s. They were cheaper than Western alternatives. Their equipment worked. The question of what obligations they held under Chinese law was treated as secondary to cost and capability. The reckoning came later, slowly, and expensively: the US government launched a multibillion-dollar effort to remove that equipment from American networks — a process still underway in 2026.

Tulongfeng is Huawei for the cybersecurity AI age. The questions we failed to ask about telecoms, we must not fail to ask about tools that scan our most critical vulnerabilities. — ANALYSIS

The lesson of Huawei is that legal obligations travel with products. A company subject to compelled cooperation with a foreign government carries that obligation into every network it touches, whether the customer knows it or not.

THE SPECIFIC RISK

What a cybersecurity AI actually knows about you

With ordinary consumer products, the risks of Chinese legal obligations are meaningful but bounded. A company may learn your browsing habits, your location, your contacts. With a vulnerability-discovery AI like Tulongfeng, the risks are categorically different. Its entire purpose is to map your systems, find their weaknesses, and catalogue what can be exploited. The intelligence such a tool generates is a complete roadmap to your most critical digital vulnerabilities.

⬛ RISK ASSESSMENT SUMMARY

If you deploy a tool with these properties to scan your critical infrastructure, your financial systems, or your government networks — you are, functionally, providing China's intelligence services with a guided tour of how to attack you. The vulnerabilities it finds are reportable to the Chinese state within 48 hours. The company that built it is legally obliged to cooperate with intelligence demands. The tool was built by a firm designated as a Chinese military company with documented ties to the Ministry of State Security.

THE COUNTERARGUMENT

The counterargument — and why it falls short

Critics point out, correctly, that Western cybersecurity tools carry their own risks. The US CLOUD Act gives American law enforcement the ability to compel US companies to hand over data stored abroad. The NSA's documented history of mass surveillance and the CIA's use of foreign cybersecurity firms as intelligence cover are not fabrications. All nations pursue their interests through technology and legal compulsion.

But there is a difference — and it is a real one. When the NSA's PRISM programme was exposed by Edward Snowden, it produced congressional hearings, court cases, and legislative reform. When US tech companies misuse data, they face regulatory fines, class actions, and public scrutiny that forces behavioural change. In China, the legal requirement for companies to cooperate with the state is not a secret programme. It is openly written into statute. There is no independent judiciary to challenge it, no free press to investigate it, and no democratic mechanism to repeal it.

The compelled cooperation is not a risk. It is a feature — openly written into statute, non-negotiable, and travelling with the product into every network it touches. — ANALYSIS

THE VERDICT

The broader principle

No serious government buys nuclear weapons from a rival power. Not because they doubt the weapons work. Because they understand, with absolute clarity, that the weapon's creator has interests, obligations, and a worldview that do not align with theirs — and that in the architecture of the weapon itself, those interests are embedded and non-negotiable.

A lock built by a locksmith who has a legal obligation to give the government a copy of every key they make is not a lock. It is an illusion of security with a door in the back. A cybersecurity tool built by a company legally required to share discovered vulnerabilities with a foreign state — before telling you — is not a defence. It is a transfer of your most sensitive intelligence to an adversary, wrapped in the branding of protection.

Before you hand your network's deepest secrets to any tool, you should know exactly whose hands you are placing them in. In the case of Tulongfeng, that trail leads directly, by law, to Beijing.

Sources: US Federal Register (June 2026) · US Department of Defense Section 1260H List · US Commerce Department Entity List · China's National Intelligence Law, Art. 7 · China's Cybersecurity Law (amended Jan. 2026) · China's Cyber Vulnerability Regulations (2021) · Carnegie Endowment for International Peace · Tech Transparency Project · Reuters · Anthropic Threat Intelligence Report (Nov. 2025) · The Diplomat (March 2026)