MERICS Blog, European Voices on China


The Chinese government’s decision to pull Chinese nationals from international hacking contests should worry international IT companies. They stand to lose valuable information about security vulnerabilities in their devices and run the risk that exploits will be reported to the Chinese government instead.

The logo of Apple is pictured in the Apple Store in front of the Oriental Pearl TV Tower in the Lujiazui Financial District in Pudong, Shanghai

Chinese IT specialists are developing the applications of the future on the outskirts of Guangzhou and in Beijing's start-up district Zhongguancun. Chinese hackers are also among the best in their craft internationally. For years, international IT companies from Apple to SAP have relied on vulnerability reports from Chinese nationals as the basis for security patches in products like macOS, the iPhone operating system iOS, or business software like SAP. This may change soon.

The Chinese government is eager to develop China's IT sector and to promote domestic Chinese companies – sometimes through unfair means and at the expense of Western competitors. This includes a recent move to keep Chinese hackers from helping Western tech companies identify vulnerabilities in their products.

In a rather cryptic announcement, the organizers of the popular hacking contest Pwn2Own let it be known that, "There have been regulatory changes in some countries that no longer allow [their citizens'] participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions." They later clarified that this statement applies to Chinese citizens.

Chinese teams used to dominate international hacking contests

Hacking contests like Pwn2Own, held at the CanSecWest security conference, are an opportunity for security researchers to earn considerable prize money. Some of these contests offer reward money of up to two million USD in total and take place in different cities around the world. Payouts to individuals who demonstrate a working exploit for a vulnerability can reach 200,000 USD. The contests also offer a big international stage for hackers to show off their skills and recommend themselves for employment with international IT companies. This chance will be denied to Chinese hackers under the new rules. Chinese hackers are now expected to serve China. In that sense, one could say that they are treated as a national strategic reserve.

Chinese teams dominated Pwn2Own in previous years – among them Tencent's security team, Qihoo 360, as well as individual researchers. Another Chinese team of international prominence is Pangu, a group of hackers specialized in analyzing iOS and publishing jailbreaks. An exploit is a piece of code that takes advantage of a vulnerability in order to demonstrate, or carry out, an attack; a jailbreak is built from one or more such exploits to remove the restrictions Apple places on the device. With a jailbreak, iPhone users can unlock features of their phone that Apple does not expose and install software from outside the App Store, including pirated copies. It should be noted, however, that applying a jailbreak significantly weakens the security of an iPhone, since it disables the very protections the exploits had to break.

It should worry international IT companies that the Chinese government no longer lets its citizens participate in these contests. It could be a sign that China plans to oblige hackers to share knowledge of previously unknown security flaws (often called zero-days, because the vendor has had zero days to prepare a fix) with the Chinese government and its agencies instead of with the vendor, which could fix the flaw for everybody through security updates. This would leave all users exposed should criminals discover the same flaw independently. And it would allow the Chinese government to use this knowledge in hacking operations against foreign or domestic targets.

Security exploits sell for huge sums in shadowy market

Many governments around the world buy exploits on a shadowy market with almost no regulation and questionable ethics. Most hackers don't sell directly to governments, though. Instead, they relay their findings through exploit brokers like Zerodium, a US firm. Companies like Zerodium buy knowledge about vulnerabilities and sell it to the highest bidder. Some exploits are sold to makers of spyware tools, and many are sold to government agencies like the NSA, the UK's GCHQ or the newly formed German agency ZITiS. These brokers pay up to 1.5 million USD for a reliable iOS exploit that can be triggered remotely. Vulnerabilities in the Android operating system are easier to come by and sell for considerably lower prices. This is due to Android's more open ecosystem and the need to support a much broader set of hardware and devices.

This is considerably more money than so-called "white hat" (i.e. responsible) hackers can earn by sharing that knowledge with vendors directly, allowing the latter to fix the flaw and secure all users. Some companies pay ethical hackers for disclosing problems in their software through so-called bug bounty programs. Many hackers are not primarily motivated by money, however, but want to share their knowledge for ethical reasons. Some can, nevertheless, make a good living from reporting these problems. HackerOne, a well-known platform for listing bug bounty programs, reported that 14 percent of its registered researchers hack full-time, and among these there are a few who make more than 100,000 USD a year.

IT nationalism is a big market risk for companies

There may be another motivation for the Chinese government to hold back hackers. If fewer skilled researchers look at Western-made software, fewer bugs will be found. This will result in an overall decrease in security. This helps China in two ways: First, the government can argue that companies should buy more domestic software because it is more secure and free from international influence. This notion is not necessarily true, however, and requirements to buy only domestic hardware, software and services have been met with pushback from Chinese IT companies and financial institutions in the past. Secondly, it lowers the bar for Chinese hacking attempts against internationally used software. Zero-day exploits are usually reserved for targeted espionage against governments as well as companies.

For now, the Chinese government is not keeping researchers from disclosing problems directly to vendors, a process usually called responsible disclosure. But the recent move shows that it views hackers as a national asset and as a strategic reserve in cyberspace.

International IT companies should be aware that the software they use is viewed as more than a business decision by some governments. Where China tries to ban Windows and Western anti-virus software, the United States retaliates against China's Huawei and ZTE or against Russia's Kaspersky. This IT nationalism is a significant market risk for companies, as it adds cost, complexity and uncertainty.