Chinese Hacking Competitions Fuel the Country’s Broad Cyber Ambitions
Dustin Childs can still describe the best demonstration of a winning hack at an international tournament he’s ever seen. It happened almost a decade ago. The participants had to find a way to break into a Windows workstation that was hardened with firewalls and up-to-date software to make it more secure. One member of a team from China typed an IP address into the Windows browser, he said, “and took their hands off the keyboard and that was it.”
The top title at the tournament was called “Master of Pwn,” said Childs, who has been affiliated with the tournament since 2009 and is part of the Zero Day Initiative that runs it. “We implemented that title in 2016. The Chinese companies won it at every competition until they stopped participating,” he said. That international acclaim also drew the attention of critical eyes back home.
In 2017, the billionaire founder of Chinese cybersecurity firm Qihoo 360, Zhou Hongyi, publicly criticized Chinese participation in overseas hackathons, arguing that vulnerabilities discovered by Chinese experts should remain within that country’s borders. The criticism from Zhou, a member of a political advisory board to the Communist Party government, didn’t go unnoticed.
The following year, there were no Chinese teams competing at Pwn2Own. Instead, China started its own hacking tournament, called the Tianfu Cup. Participants were encouraged to hack into Apple operating systems, Google phones and Microsoft networks, according to media reports. But there was a difference. At Pwn2Own and other hacking competitions, the findings are reported to the companies that make the software or devices so they can fix them before hackers take advantage.
Participants in Chinese hacking competitions are required to report their findings to the government first, according to a 2018 regulation. “In practice, this meant vulnerabilities were passed to the state for use in operations,” said Dakota Cary, a China-focused consultant at the US cybersecurity company SentinelOne. One example, cybersecurity experts said, occurred in 2019, when Google reported that a flaw uncovered at the inaugural Tianfu Cup was used to attack a major telecommunications company.
China’s Policy on Vulnerability Disclosure
China’s policy of requiring researchers to disclose computer bugs they find to the government distinguishes it from the US and other Western countries, experts said. “The NSA doesn’t force us to disclose anything along those lines to them,” said Childs, referring to the US National Security Agency.
While it doesn’t force vulnerability disclosure, the NSA, the leading cryptology and signals intelligence organization in the US government, does its fair share of vulnerability hoarding, said Greg Austin, who has consulted with governments on China’s cyber and foreign policy for more than a decade. In one incident in 2016, a group called the Shadow Brokers released a cache of secret software exploits — essentially hacking tools — that were allegedly stolen from the NSA.
“We’re talking about agencies like the Central Intelligence Agency and the National Security Agency who have discovered vulnerabilities that they don’t want to reveal so that they can attack systems in other countries,” he said. “China’s the same.” Since the data laws have come into effect, China’s hacking breakthroughs have slipped further behind a wall of secrecy, experts said.
Evolution of Chinese Hacking Competitions
Chinese hacking competitions have also evolved in recent years. Along with challenging participants to break into a Tesla or security software, now the events include Chinese electric vehicles, phones and computers, said Eugenio Benincasa, a senior cyber defense researcher at the Center for Security Studies at ETH Zurich, who closely monitors online reporting of these contests for clues about the challenges and what, if any, results are publicized.
The increased focus on Chinese domestic products aligns with Beijing’s broader policy objective known as “Delete America,” aiming for self-sufficiency in advanced technologies and reducing reliance on foreign suppliers, Benincasa said. It also comes as the US and China continue to restrict exports of key technology components to each other.
“It highlights the goal of fully domesticating China’s IT infrastructure, and replacing foreign-made core components, such as semiconductors, software, and databases, with Chinese-made ones,” Benincasa said. As a result, experts are concerned about the potential risks and implications of this trend for global cybersecurity.