Hacking competitions in China have surged over recent years, supported by strong government backing and rising public interest, raising alarm in the U.S., where officials are warning that the widening cyber skills gap is placing America at a strategic disadvantage and posing national security risks.
China has made great strides since President Xi Jinping's call for the nation to become a "cyber powerhouse" a decade ago. University programs in cybersecurity have been standardized, a National Cybersecurity Talent and Innovation Base capable of certifying 70,000 cybersecurity experts per year was established, and hacking competitions—many touting their alignment with Xi's "powerhouse" ambition—have proliferated.
"China has built the world's most comprehensive ecosystem for capture-the-flag (CTF) competitions—the predominant form of hacking competitions, ranging from team-versus-team play to Jeopardy-style knowledge challenges," the Washington, D.C.-based Atlantic Council think tank observed in a recent report.
In cybersecurity, CTF competitions are games where participants solve security challenges to capture hidden pieces of data (the "flags") in systems, websites, or applications. They provide a controlled environment for hackers to practice problem-solving, reverse-engineering, and secure coding.
The Atlantic Council noted that China has held over 120 unique CTF competitions since 2004 with 54 recurring annually, including XCTF, Spring and Autumn Cup, GEEKCON/GeekPwn, CTFWar, ISCTF, and Qiang Wang Mimic Defense International Elite Challenge.
Many CTF events are organized by universities or private companies yet some are sponsored by one or more government institutions and believed to serve as a talent pipeline for government cybersecurity agencies.
The Ministry of Public Security's Wangding Cup boasts the most participants with an average annual attendance of 36,310. That ministry is known to have sponsored 13 unique competitions since 2015, with participants totaling nearly 308,000.
The Ministry of Education leads the pack with 22 sponsored contests involving nearly 311,000 participants. China's top spy agency, the Ministry of State Security, has been a sponsor at four events totaling over 49,000 attendees since 2016.
"China's CTF ecosystem is unparalleled in size and scope—something akin to four overlapping National Collegiate Athletic Associations, each with a primary government sponsor just for cybersecurity students to exercise their skills," the Atlantic Council stated. "Many of these marquee competitions include talent-spotting mechanisms for recruitment."
Civil-Military Fusion
Jessica Ruzic, deputy associate chief of policy at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), pointed out during an Atlantic Council event streamed on Saturday that the long-term focus of China's authoritarian, one-party state model has afforded it more continuity than the short-term approach seen in democracies like the U.S.
"China's mentality is that they are building something structural, and the U.S. mentality is that we are trying to solve a problem that's right in front of us," Ruzic said during an online event hosted by the Atlantic Council's Global China Hub. "The U.S. government as a whole is not set up for long-term strategic thinking. That's just not the way that term limits work, right?"
"Frankly the time to establish a foundational strategy for countering PRC [People's Republic of China] malicious cyber activity was 20 years ago," she added.
She noted that China also benefits from its strategy of civil-military fusion, blurring the lines between civilian and military resources to integrate technology and expertise that benefit both sectors. However, she pointed out Washington cannot "copy and paste" this strategy given the U.S.'s "guard rails" and emphasis on private sector innovation.
Bridging the Cybersecurity Gap
One strength the U.S. can leverage is its worldwide network of partnerships, both with friendly governments and with companies in the private sector to "fund capacity re-building programs, exchange information and develop solutions."
Ruzic said that requires the government to adopt a new, more collaborative approach than the current one, which she described as: "You, private sector, give us, government, the information. The end."
The U.S. government is already taking some steps toward narrowing the gap, she observed, such as the 60-page strategy drafted by the Office of the National Cyber Director to boost the country's cyber workforce.
"It includes goals like making cyber education more open source and available and facilitating applied or experiential learning a la Chinese hacking competitions," she said.
China's Capture-the-Flag Prowess
Eugenio Benincasa, co-author of the Atlantic Council report and senior researcher at ETH Zurich's Center for Security Studies, echoed concerns about China's rapidly expanding CTF ecosystem.
"I was surprised not only by the size of the CTF ecosystem but, more importantly, by its integration into academic curricula and the professional sector, with a strong focus on Attack-Defense CTF contests," Benincasa told Newsweek.
He noted that China's first attack-defense competition, Baidu CTF, was modeled after the CTF contest held at the annual DEF CON competition in Las Vegas.
"Since then, China's attack-defense CTF ecosystem has grown to be larger and more comprehensive than ours," he said. "We should prioritize funding and expanding access to similar competitions to strengthen our own ecosystem."
He pointed out this would not only forge a stronger cybersecurity community in the U.S. but also increase awareness of emerging threats.
Benincasa also noted the civilian-military fusion risks of exploiting competitions, which differ from capture the flag in that they focus on finding and demonstrating real-world vulnerabilities in specific software or systems.
These vulnerabilities "are likely funneled to China's security agencies for potential use in offensive operations, said Benincasa, who has also worked at the New York City Police Department as a crime analyst.
Benincasa said much could be learned from China's CTFs, which focus on challenges unique to a given sector, for example law enforcement, healthcare, apps, and cryptography
"In particular, attack-defense CTF contests have sparked innovation and market growth in offensive cyber capabilities by encouraging the creation of cybersecurity startups in areas like vulnerability scanning and cyber ranges, as well as contributing to the development of vulnerability research labs," he said.
U.S. Falling Behind?
Dakota Cary, co-author and nonresident fellow at the Global China Hub and co-author of the Atlantic Council report, pointed to a difference in focus between Chinese and American CTF competitions.
"The U.S. CTF ecosystem generally hosts defensively oriented competitions designed to assess participants' ability to secure their systems against attack. For many of China's CTFs, offensively oriented skills are tested and prioritized," he said.
When asked about the U.S.'s cyber capabilities since whistleblower Edward Snowden revealed the National Security Agency's global surveillance programs, Cary said perceptions of U.S. dominance are outdated.
"Large-scale, back-end collection is now incredibly difficult due to pervasive encryption," he said. "The U.S. system was previously unparalleled, but many in the field now admit that China is the more capable actor. The scale of its research community dwarfs other nations, both due to China's size and its focused effort over the last decade."
The rise of these competitions has accompanied increased campaigns by state-associated hacking groups such as Flax Typhoon, which the FBI disrupted in September after it compromised more than 200,000 home routers, cameras and other consumer devices nationwide.
FBI director Christopher Wray and other intelligence officials have warned Chinese hackers seek to lay the groundwork for the country to disrupt critical infrastructure when the moment is right, as well as engage in intellectual property theft.
"The PRC has a bigger hacking program than every other major nation combined," Wray said in a Congressional hearing earlier this year. He warned that hackers are laying the groundwork to "wreak havoc" on American infrastructure when doing so would benefit China.
Beijing has dismissed such warnings as invalid and hypocritical, citing its own reports of U.S. cyber campaigns.
"It is normal to strengthen technical exchanges and promote scientific and technological innovation. This report is full of malicious speculation about China, and China firmly opposes it," Liu Pengyu, a spokesperson for the Chinese embassy in the U.S., told Newsweek.
Liu accused the U.S. of spreading disinformation on the threat of Chinese hackers. "The Chinese government's position on cyber security is consistent and clear. Chinese law prohibits hacking attacks and any other acts that undermine Internet security, and resolutely cracks down on related criminal activities."
Newsweek reached out to the National Security Agency, Cybersecurity and Infrastructure Security Agency, and the Chinese embassy in Washington D.C., with written requests for comment.
Update 11/12/24, 1:15 p.m. ET: This story was updated with additional information.
Update 11/13/24, 5:37 a.m. ET: This story was updated with a comment from the Chinese embassy.
