The importance of cyber capabilities is appreciated by people at the highest levels of power in China. The CEO of the country's biggest cybersecurity company criticized Chinese researchers doing work outside the country and urged them to stay in China. His company was linked to a hacking campaign against the country's Uyghur minority.
As a wave of stricter regulations followed, the state's security and intelligence agencies were prioritized over the companies whose software is not secure.
Dakota Cary is an analyst at Georgetown's Center for Security and Emerging Technology.
Chinese cyber researchers have been banned from attending international hacking events. A hacking contest pits some of the world's best security researchers against one another in a race to find and exploit powerful vulnerabilities in the world's most popular tech. Prizes worth hundreds of thousands of dollars are given to people to identify security flaws.
Chinese researchers need approval if they want to attend an international competition. They have to submit all their information to government authorities, including any knowledge of software vulnerabilities they might be planning to exploit. No other country has such tight control over such a large and talented class of security researchers.
This mandate was expanded with regulation requiring all software security vulnerabilities to be reported to the government first, giving Chinese officials unparalleled early knowledge that can be used for defensive or offensive hacking operations.
The Chinese government gets right of first refusal when it comes to vulnerability research, according to the senior vice president of intelligence at CrowdStrike.
The Log4j vulnerability was reported to developers at Apache by an employee of the Chinese cloud computing giant. The result was a public punishment and implicit warning for anyone else who was thinking of doing the same thing.
China's policies have an impact outside the country.
Over the last decade, the bug bounty model has provided millions of dollars to build a global community of researchers who find software security vulnerabilities and are paid to report them. American companies host marketplaces where any tech firm can put its own products up for close examination in exchange for bounties.
China is near the top in alerting American firms to vulnerabilities in their software. Cary said in his testimony that an American firm had told him that Chinese researchers would get $4 million in 2021. The Chinese researchers help the American companies. The companies can fix a bug if the researchers report it. Since the bounty programs began booming in popularity a decade ago, that has been the status quo.
As the Chinese government tightens control, this multimillion-dollar ecosystem is now delivering a steady stream of software vulnerabilities to Chinese authorities at no cost to Beijing.
Cary says that the policy that researchers must submit vulnerabilities to the Ministry of Industry and Information Technology creates an incredibly valuable pipeline of software capabilities for the state.
The Cyber Grand Challenge was a competition held by the US Defense Advanced Research Projects Agency.
The Pittsburgh company ForAllSecure won by exploiting software security vulnerabilities. The technology is being used in all military branches. The defensive and offensive possibilities were obvious to everyone watching.
Since 2016 the program has not been run by DARPA. According to Cary's research, China has put on at least seven robot hacking game competitions in the last year. The Chinese military has drawn teams from all over to compete. There are official documents that tie automated discovery of software vulnerabilities to China's national goals.
The CEO of the company said that vulnerability discovery tools were for China.
Whoever masters the automatic vulnerability mining technology will have the first chance to attack and defend the network. He claimed that his company had developed a fully automated vulnerability mining system.
Chinese officials at the highest level have been able to see an American success and then make their own, like the robot hacking games.
Cary says that China has studied the US system, copied its best attributes, and expanded the scope and reach.
The US-China rivalry continues to function as the defining relationship of the 21st century, and cyber will play an outsize role in what China's leaders call a new era.
In that new era, Xi’s stated goal is to make China a “cyber superpower.” By any measure, he’s done it.