China discourages its hackers from foreign competitions so they don’t help others
Chinese security researchers have dominated global hacking competitions in recent years. This year, they were absent from the annual Pwn2Own competition in Vancouver
China is discouraging its internet security experts from taking part in international hacking competitions because of national security concerns, according to a Beijing-based company that was informed of the decision.
Beijing Chaitin Technology Co. was told by the Chinese government at the end of last year not to participate in such competitions, according to a representative for the network information security company. Chaitin will “shift our focus to keep perfecting our products and build a more secure cyberspace in China,” the representative said.
Cybersecurity firms like Chaitin take part in competitions as so-called white hats, ethical hackers who exploit vulnerabilities in software with the aim of improving its security. By participating in overseas contests that expose weaknesses in software made by companies from Apple to Microsoft, these teams are helping those companies detect and fix flaws in their security.
Cyberattacks have been a bone of contention between the US and China for years, with both sides swapping accusations of hacking attempts. The latest move to dissuade Chinese security teams from joining global contests takes place amid heightened tensions between the two countries, with US President Donald Trump reportedly considering imposing tariffs aimed at Chinese technology and telecommunication imports.
Earlier this year, the US government blocked Chinese telecommunications equipment supplier Huawei’s plans to sell its smartphones through AT&T, reportedly due to security concerns.
“Some Chinese hackers are among the best in the world, so it makes the competitions less fun,” said James Andrew Lewis, a Washington DC-based senior vice-president at the Center for Strategic and International Studies. “Keeping the talent at home makes China better at cyberattack.”
Last year, teams from China’s Qihoo 360, Tencent and Chaitin dominated the standings at Pwn2Own, a hacking contest held as part of the CanSecWest Applied Security Conference in Vancouver, Canada. Chaitin did not participate in this year’s event after the government directive.
China’s Ministry of Industry and Information Technology, which oversees cybersecurity, did not immediately respond to a request for comment. Tencent and Qihoo 360 also did not immediately respond.
Chaitin’s vulnerability research team now plans to report its discoveries directly to the government-backed China National Vulnerability Database of Information Security for national recognition and prizes, it said. The China Information Technology Security Evaluation Center, which runs the database, did not immediately respond to a faxed request for comment.
“We understand that there have been regulatory changes in some countries that no longer encourage participation in global exploit contests such as Pwn2Own and Capture the Flag competitions,” Pwn2Own’s organiser, Trend Micro, said in an email, without naming China.
China passed its first Cybersecurity Law in November 2016, with the aim of safeguarding the country’s cyberspace sovereignty and protecting key information infrastructure. The law took effect last June.
“It makes sense if the Chinese government forces security research teams to not compete abroad, just like the US forbidding exports of certain security-related algorithms,” said Wei Xingguo, chief technology officer of Hangzhou-based cybersecurity company MoreSec. “If cybersecurity is a battlefield, then loopholes are munitions.”
It is unclear how long the Chinese restriction on participation in global hacking competitions will last, said Adam Segal, New York-based director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. But long term, without prize money from these contests, white hats may have to turn to the government for funding, he said.
“Competitions would be seriously weakened, given how dominant many of the Chinese teams have been recently,” Segal said. “If it is long term, it would weaken global cybersecurity efforts and reinforce the sense that Chinese cyberspace is doing everything possible to cut itself off from the rest of the world.”