People at the highest levels of power in China appreciate the importance of cyber capabilities. The CEO of Qihoo 360, the country’s largest cybersecurity company, famously criticized Chinese researchers working outside the country and urged them to “stay in China” to understand the “strategic value” of powerful software vulnerabilities used in cyber-espionage campaigns. Within months, his company was involved in a hacking campaign against the country’s Uighur minority.
There has been a wave of stricter rules tightening government control over the cybersecurity sector and prioritizing the needs of state security and intelligence agencies over all other interests, including those of the companies whose software is insecure.
“The Chinese have a unique system that reflects the party-state dictatorship model,” says Dakota Cary, an analyst at the Georgetown Center for Security and Emerging Technology.
Chinese cyber researchers are effectively banned from participating in international hacking events and competitions, tournaments they once dominated. Hacking contests bring together some of the world’s best security researchers in a race to discover and exploit powerful vulnerabilities in the world’s most popular technology, such as iPhones, Teslas or even the human-machine interfaces that help modern factories operate. Rewards worth hundreds of thousands of dollars encourage people to identify security vulnerabilities so that they can be fixed.
Now, however, Chinese researchers who want to attend international competitions need approval, which is rarely granted. And they must first submit everything to government authorities, including any information on software vulnerabilities they may be planning to exploit. No other country exercises such tight control over such a large and talented class of security researchers.
That order was followed by a regulation requiring all software security vulnerabilities to be reported to the government first, giving Chinese officials unparalleled early knowledge that could be used for defensive or offensive hacking operations.
“All vulnerabilities go through an equity process where the Chinese government has the right to refuse first,” says Adam Meyers, senior vice president of intelligence at CrowdStrike, a cybersecurity company. “They have to choose what to do with the research that is being conducted and it really increases their visibility in their ability to find usefulness in all of this.”
We’ve seen one exception to this rule: an employee of the Chinese cloud computing giant Alibaba disclosed the now-famous Log4j vulnerability to developers at Apache before reporting it to Chinese government authorities. The result was a public reprimand of Alibaba and an implicit warning that anyone else who did the same would face similar treatment.
China’s tough policies have an effect outside the country as well.
Over the past decade, the “bug bounty” model has paid out millions of dollars and built a global ecosystem of researchers who seek out software security vulnerabilities and are paid for finding them. Several American companies host marketplaces where any tech firm can put its own products up for close testing in exchange for rewards to researchers.
By any measure, China is at or near the top when it comes to warning American companies about vulnerabilities in their software. In his congressional testimony last week, Cary said an unnamed major American firm had disclosed to him that it paid Chinese researchers $4 million in 2021. American companies benefit from the participation of these Chinese researchers: when researchers report a bug, companies can fix it. That has been the arrangement since bounty programs began to boom in popularity a decade ago.
However, as the Chinese government tightens its controls, this multimillion-dollar ecosystem is now delivering a steady stream of software vulnerabilities to the Chinese authorities, effectively funded by companies and at no cost to Beijing.
“China’s policy that researchers should submit vulnerabilities to the Ministry of Industry and Information Technology creates an invaluable pipeline of software capabilities for the state,” Cary says. “The policy effectively buys at least $4 million worth of research for free.”
Robot Hacking Games
In 2016, a powerful machine called Mayhem won the Cyber Grand Challenge, a cyber security competition organized by the US Defense Advanced Research Projects Agency.
Mayhem, built by a Pittsburgh-based company called ForAllSecure, won by automatically detecting, patching and exploiting software security vulnerabilities. The Pentagon is now using the technology across all military branches. Its potential for both defense and offense was immediately apparent to everyone who saw it, including Chinese officials.
DARPA has not run a similar program since 2016. China, on the other hand, has hosted at least seven “robot hacking games” competitions since 2017, according to Cary’s research. Chinese academic, military and private-sector teams have all been drawn into competitions supervised by the Chinese military. Official documents link the automatic detection of software vulnerabilities directly to China’s national goals.
As robot hacking games began to unfold, the CEO of Qihoo 360 said that automated vulnerability detection tools were a “killer hammer” for China.
“Anyone who specializes in automated vulnerability mining techniques will have the first chance to attack and defend the network,” he said. Claiming that his company had developed a “fully autonomous automatic vulnerability mining system”, he argued that the technology was a “killer” of network security.
Robot hacking games are an example of how high-ranking Chinese officials are able to observe American successes and then shrewdly make them their own.
“Frequently, China has studied the US system, mimicked its best features, and in many cases expanded its reach,” Cary says.
As the US-China rivalry continues to serve as the defining geopolitical relationship of the 21st century, cyber will play a huge role in what Chinese leaders aptly refer to as the “new era.” It touches on everything from commercial competition to technological advancement and war.
In that new era, Xi’s clear goal is to make China a “cyber superpower.” By any measure, he has done it.