From the early 2000s to 2015, China’s hacking teams caused havoc for private companies and U.S. and allied governments. In a series of high-profile breaches, they poached government databases, weapon system designs and corporate IP. From the breach of the Office of Personnel Management, to Marriott, to Equifax, to many, many others, the People’s Republic of China’s digital warriors demonstrated the full potential digitally mediated espionage.
But if Chinese President Xi Jinping has his way, this litany of breaches represents only the beginning of China’s digital prowess.
A year after coming to power in 2013, Xi began to prioritize cybersecurity as a matter of government policy, focusing the bureaucracy, universities and the security services on purposefully cultivating talent and funding cybersecurity research. During his time in office, the Chinese state has systematized cybersecurity education, improved students’ access to hands-on practice, promoted hacking competitions, and collected vulnerabilities to be used in network operations against China’s adversaries.
These investments are now coming to fruition, and, as a result, China’s hacking teams are poised to reap the benefits of a nearly decade-long cultivation of cyber talent and capabilities. These better resourced and trained teams put companies at risk of further compromise and create an additional imperative for U.S. and allied nations to improve defenses of government networks.
China’s hacker bootcamps
In the 2000s, Chinese policymakers talked about hackers as “the talented few.” Finding the talent government officials needed was “like finding flowers in a field of wheat,” as one policymaker put it. U.S. indictments of hackers operating during this period illustrate the point. The professor who managed APT40 out of his Hainan University office hosted cybersecurity competitions to find hackers that could be brought onto the team — even using them to find software vulnerabilities. The notorious APT41 includes one of these talented few —Tan Dailin — whose career stretches back all the way to the early 2000s. Tan started out as a patriotic hacker working out of his Sichuan dorm room, standing up the Network Crack Program Hacker outfit. His career eventually blossomed to a full-time hacker for the PRC government.
Tan’s skills and entrepreneurial spirit launched his career, but self-starting success doesn’t scale. China wanted more. According to Xi, “competition in cyberspace is, ultimately, a competition for talent,” His policies — aimed at ending the government’s hunt in vast fields for hard to spot flowers — show just how serious he is about this.
Xi established his leadership on the issue of cybersecurity by forming in 2014 the Cybersecurity and Informatization Leading Small Group. The group quickly demanded that the Ministry of Education evaluate and standardize the content of China’s cybersecurity college degrees. Inspired by the United States’ National Initiative for Cybersecurity Education, a board of academics from universities across China created a list of core competencies that students should have when they graduate with a cybersecurity degree. In typical PRC fashion, they gave the cybersecurity degree a numbered code: 0839. By 2015, the Ministry of Education rolled out the standards nationwide, and universities adjusted their curriculums accordingly.
In 2016, Xi promoted his Leading Small Group — originally designed as a sort-of temporary committee—to the Cybersecurity and Informatization Committee of the CCP Central Committee (CIC). Upon launch, it was one of about 25 such committees within the core of the Party. Xi retained his leadership of the body.
Concurrently, Xi launched a formal government agency in 2016, the Cyberspace Administration of China (CAC), to represent the CIC’s work to other governments and businesses. The CAC’s composition and offices are the same as the CIC but is presented to foreign audiences as a government agency. This structure allows decisions made by the CCP Central Committee — such as launching China’s crackdown on technology firms and forced the delisting of Didi Chuxing from U.S. stock markets — to appear as the actions of a government regulatory agency, rather than the Party.
One of the CAC’s first acts was to publish a National Cybersecurity Strategy for China. Focused on moving away from looking for flowers and toward cultivating a crop of talent, this strategy outlined nine “strategic tasks” for policymakers to undertake. These ranged from increasing cybersecurity awareness to improving talent cultivation. As with many central government policies, the public strategy document isn’t particularly prescriptive about how to achieve these tasks, allowing provincial and municipal governments to innovate and compete on policy ideas.
Shortly after the strategy was published, two provincial policy ideas caught the central government’s attention. Modeled on North Carolina’s Research Triangle Park, China’s National Cybersecurity Talent and Innovation Base in the central city of Wuhan sits at the confluence of railway lines that make it easily accessible by high-speed rail to people across China. Here, provincial officials built what would become a sprawling 15 square mile campus, with a quarter of it dedicated to the National Cybersecurity School, the Offense-Defense Laboratory, the Combined Cybersecurity Research Institute, and supporting computational, data storage and cyber range facilities. The remainder of the campus offered tax incentives to people and businesses wishing to set up shop next to the base. Central government policymakers got wind of the project and made it a national asset, with the CAC holding a signing ceremony for the base’s construction at the end of 2016.
The following year, Guiyang’s Big Data Cyber Range suffered a similar fate. Begun as a provincial project in 2015, the Guiyang range now hosts cybersecurity competitions, industrial hardware for OT hackers, and apparently enough server space to count as “big data” (likely a low bar). Much like the base in Wuhan, policymakers in Beijing liked what they saw and adopted the range as a national effort by the central government, christening it as the Guiyang National Big Data Cyber Range in 2017.
The same year, this effort to improve training infrastructure expanded beyond co-opting physical assets, as a new education initiative took root. Just as China modeled reforms of its cybersecurity degrees on the U.S. National Initiative for Cybersecurity Education, policymakers in Beijing also drew on the United States’ designation of some schools as Centers for Academic Excellence in Cybersecurity to shape cybersecurity education. In 2017, China rolled out its designation of some schools as World-Class Cybersecurity Schools (WCCS) offered to those perceived as providing the best educational offerings.
Besides signaling to other universities the qualities and content that should be replicated, the designation also allows potential employers to quickly assess a graduate’s competencies by association. The WCCS designation does not apparently confirm any additional funding or resources, only prestige. The program mirrors the Center for Academic Excellence-Cyber Operations certification awarded by seven U.S. agencies, including the National Security Agency and Department of Homeland Security. China’s first tranche of awardees in 2017 included seven universities. Four more schools received the award two years later.
To attract students and fill these programs, China hosts thousands of capture the flag hacking competitions every year. In 2016, China’s best hackers were leaving the country to burn software vulnerabilities at competitions aboard — and collecting eye-watering sums to do it. Nowadays, China runs hundreds of cybersecurity competitions, sometimes with thousands of teams.
Growing the availability of domestic competitions serves at least two purposes for Beijing. First, these competitions provide China’s security services with a steady stream of vulnerabilities to be used in hacking operations. Industry titans, like the founder of the security firm Qihoo360, have gone on the record claiming that software vulnerabilities represent a “national resource” — akin to timber and coal. By 2017, China’s Ministry of Public Security rolled out a drastic new policy to control this resource: Software vulnerability researchers could only travel abroad for foreign competitions with express approval of the ministry.
But the CCP also wanted the country’s best hackers to show off their prowess at home and inspire others to do the same. To attract college students, the Ministry of Education collaborated with the China Information Technology Security Evaluation Center — the 13th Bureau of the Ministry of State Security, which is responsible for some MSS hacking operations — to launch the Information Security Ironman competition in 2016. The competition spans every province in China, includes hundreds of universities, and tiers the competitors so only the best schools compete with one another. To capture the magic — and compensation — of the international software security competitions that Chinese vulnerability researchers can no longer travel to, like Pwn2Own, China’s infosec community launched Tianfu Cup in 2018. Other hacking competitions have sought to bolster China’s capabilities in automated software vulnerability discovery and exploitation — like the DARPA Cyber Grand Challenge they are modeled on.
To facilitate the success of China’s hacking teams, the PRC began requiring software vulnerability researchers to first disclose any vulnerability they find to the Ministry of Industry and Information Technology within 48 hours of discovery. Microsoft’s 2022 Digital Defense Report concluded that the policy had led to the PRC collecting and deploying more 0-days. A more wholistic view of China’s policy environment may conclude that policies against researchers traveling abroad, mandating vulnerability disclosure to the government and investments in technologies to automatically find ever more software vulnerabilities combined to create this trend.
The state of play
So, where do China’s state hackers stand now? A recently released report, authored by several of the World-Class Cybersecurity Schools in partnership with the Chinese Academy of Sciences, the Ministry of Education and the cybersecurity firm Beijing Integrity Technology describes the current landscape. The authors expect China’s deficit of cybersecurity experts to fall to 370,000 by 2027 — likely seen as a big success since 2017 estimates put the then-deficit at around 1.4 million. (The drastic drop likely reflects better survey and market data, rather than the sudden education of a half-million cybersecurity practitioners.) Still, the paper reports aggregate “production” of new cybersecurity experts to exceed 30,000 per year. Overall, the authors find the education system to be producing more, better prepared cybersecurity experts and continue to advocate for students to get more hands-on experience.
The report’s principal purpose is to lay out what the authors call the “4+3 Method” of cyber confrontation skills and development — an approach that harmonizes the preceding seven years of public policy in China. The “4” represents four key competencies for cybersecurity professionals: actual confrontation, software vulnerability discovery, “combat impact assessment” (likely a euphemism for security evaluation), and engineering and development skills. The “3” represents three methods of demonstrating the 4 capabilities: cybersecurity competitions (confrontation, defensive exercises, and vulnerability discovery), “confrontation practices” (cyber range practice and actual network confrontation), and “crowd testing and incident response” (open security testing, software vulnerability awards, security competitions and technology sharing).
In coming years, the policies that led to the report’s 4+3 Method will likely produce the harvest of hackers that Xi aimed to produce when he first came into power. This means that China’s hacking teams, when considered in whole, will no longer be dominated by the gun slingers of the past like Tan Dailin. Instead, defenders will have to contend with masses of nameless civil servants, each specializing in any one particular skillset, managed by a bureaucracy that has matured over the last decade. As such, we may see many fewer clusters of activities and IOCs successfully emanating from China clustered into APTs, Pandas, or elements of the periodic table. They will be replaced by an ever-growing collection of uncategorized actors, as the agencies managing these operations are able to promote stealth at scale, implemented by well-trained hackers.
For all the effort China has put into its hacking teams, fundamental truths about conflict dynamics in the cyber domain still constrain its operations. The exploitation of a vulnerability may impact one country more than another — just compare the U.S. government’s exposure to the compromise of Solar Winds compared to China’s exposure from the same system. Shared dependencies — such as the widespread use of Microsoft Windows — may constrain some operations. PRC policymakers have long hoped to foster a competitive operating system for the Chinese market. None are forthcoming. Even Huawei’s attempts at a domestic mobile operating system are — from my personal experience — are quite glitchy.
But if China delivers on its ambitions for a more self-contained computing ecosystem, that could change the landscape of competition. Free of mutual dependencies in hardware and software, operations could increase in speed and persistence, as compromise would no longer mean risk of operational blowback. We’re maybe a decade off from seeing these dreams come to fruition. But it wasn’t much less than a decade ago that Xi came into power and made cyber capabilities one of China’s priorities.
Dakota Cary is a consultant at Krebs Stamos Group where he provides insights to clients on China’s hacking teams, their capabilities and research and the industrial policies that drive their behavior.