Prakash Nanda
CHINA’S hack-for-hire ecosystem essentially works as follows: The contracted hackers execute cyber operations, while the elite researchers focus on vulnerability research and cybersecurity startup creation. This helps the contracted hackers meet immediate mission requirements and sustains China’s broader offensive cyber ecosystem in the medium and long run. This setup effectively shields prominent or elite researchers from professional or reputational risks because they are not directly involved in malicious state-sponsored activities.
This setup is also said to reflect China’s Military-Civil Fusion (MCF) initiative. The MCF initiative seeks to harness the synergy between commercial and defence advancements, leveraging civilian talent to enhance and support the Chinese military. China’s cybersecurity ecosystem is bolstered by expanding professional and educational opportunities in the domestic offensive cyber sector. According to statistics from the China Cybersecurity Industry Alliance (2023), the cybersecurity sector is poised for sustained growth in the coming years, with a projected market size exceeding $11 billion by 2025.
Hacking competitions
Cybersecurity education in China has also gained momentum, with over 200 domestic universities offering cybersecurity or information security majors as of March 2023. Hacking competitions have become integral to the cybersecurity curriculum. Since the early 2010s, Chinese teams from a limited number of universities and companies have emerged as leading contenders in the most challenging and prestigious international hacking competitions, including the famous DEFCON CTF (a hacker convention held annually in Las Vegas, Nevada) and Pwn2Own (the computer hacking contest organised by the CanSecWest Applied Security Conference; it is now held twice a year in Vancouver).
Bug bounty programmes
At DEFCON, one such team, the Blue Lotus, first reached the finals in 2013. From then until 2023, between one and four Chinese teams have consistently reached the finals each year, representing the only significant challenge to US dominance. Similarly, at Pwn2Own, the share of the total prize money won by Chinese participants increased from 13 per cent in 2014 to 79 per cent in 2019.
Chinese hackers have also been top contributors to the bug bounty programmes of prominent US-based companies. From 2017 to 2023, China alone contributed 27 per cent of all vulnerabilities submitted to the bug bounty programmes of Apple, Google, Android, and Microsoft combined, while the rest of the world accounted for 59 per cent. Individual Chinese researchers and teams have garnered numerous recognitions, frequently figuring among the top spots in these programmes’ rankings of best researchers and teams for both the calibre and quantity of the vulnerabilities they have uncovered. These achievements led to the establishment of China’s own world-class hacking competitions, the creation of influential startups, and the development and expansion of some of today’s top Chinese security research teams and laboratories.
Systematic utilisation
In alignment with China’s MCF policy, the Chinese Government has systematically utilised the above cyber-related civilian resources for strategic purposes. Various entities, including universities and companies, collaborate with the Chinese Government across a spectrum of cyber activities. On the private sector and academic side, the collaborations can range from a single individual hacker or professor to entire teams comprising both students and seasoned cybersecurity professionals. In other words, “the demarcation line separating China’s military and civil domains in cyberspace has become particularly fluid or has entirely vanished,” argues Benincasa. China’s civilian hackers are getting increasingly “weaponised.”