Over the last decade, the Chinese government has established an efficient pipeline of capture-the-flag (CTF) tournaments both as a way to attract cyber-savvy citizens to cybersecurity, and as part of its cybersecurity curriculum and training regimen.
The efforts have paid off.
Today, the nation has more than 50 annual competitions used as part of the training of tens of thousands — and possibly, hundreds of thousands — of cybersecurity specialists, while creating stronger connections to government and industry, according to a research report published by the Atlantic Council on October 18. Moreover, sector-specific contests — targeting mobile, autonomous vehicles, and smart cities, for example — help deepen the technical expertise of participants and address the specific needs of each industry.
Overall, the Chinese government has successfully marshaled the nation toward solving its cybersecurity shortages and the goal of becoming a cyber superpower, says Eugenio Benincasa, senior cyber defense researcher at the Center of Security Studies at ETH Zurich and a co-author of the report.
“China, like the West, has a scarcity of talents, and addressing that scarcity through a system that can help you to evaluate talent is definitely a better way of addressing the problem,” he says. “If you look at the entire ecosystem, there are many ways in which hacking contests can bring better allocation of resources, both in the short and also in the long term.”
In 2014, Chinese President Xi Jinping called for the country to become a “cyber great power,” aiming to strengthen its technology industry, while at the same time, embarking on a domestic effort to restrict its reliance on foreign technology. Cybersecurity has become a key element of that effort: The Chinese government has successfully created a pipeline for training future cybersecurity specialists, restricted the dissemination of vulnerability information, and established its own cybersecurity providers. These include hacking firms and cyber-range operators — such as Beijing Integrity Tech and Cyber Peace — which act both as hosts for legitimate infrastructure and for some nation-state actors, such as Flax Typhoon.
Critical Curriculum for Cybersecurity Studies
Hacking contests are a key component of the nation’s efforts. At least 129 unique cybersecurity events, including 54 annual contests, were identified by the report’s authors, Benincasa and Dakota Cary, a strategic advisory consultant at Sentinel One.
China’s Ministry of Education accounts for the most competitions — a total of 22 — identified by the researchers, compared to 14 associated with the Cyberspace Administration of China, and 13 sponsored by the Ministry of Public Security, according to the report. About two-thirds of universities considered hacking contests to be an important part of the curriculum for cybersecurity specialists, with more than three-quarters of students (77%) participating in at least one event by the end of their sophomore year.
Since the early 2010s, China’s CTF competitions have taken off. Source: “Capture the (red) flag” report, Atlantic Council
Among other benefits, the competitions allow the Chinese government to gain important information on new strategies and techniques, as well as collecting exploit techniques used by participants, which the government mandated since 2018. Hacking contests can also attract younger participants, such as high schoolers, into the field of cybersecurity, and help professionals keep up their skills.
Compared to China’s comprehensive approach, Western nations continue to fall short, Benincasa says.
“There are contests that are organized by the private companies or universities, but they do not go into the detail or scale that we see in China, nor they are part of university degrees,” he says. “They do not count as part of the evaluation to your grades, and so that practical-skill, direct-confrontation component is absent compared to the Chinese ecosystem.”
China’s Reversal of Cyber Fortunes
The effort is a reversal of the situation before 2015, when Chinese CTF teams struggled in international contests and met with social condemnation domestically for profiting from vulnerability awards. China’s CTF ecosystems — especially the inter-collegiate competitions, which bring together hundreds of teams — are now the best in the world, according to the researchers. Major contests include the Information Security Ironman Triathlon, Qiang Wang Cup, Wangding Cup, and National University Cyber Security League.
The events all have government support, with the Ministry of Public Security, the People’s Liberation Army, the Ministry of State Security, and the Ministry of Education all sponsoring at least one of the university-based events each.
Western governments could learn from the approach, says Benincasa. Currently, the US and Europe face a scarcity of cyber talent because of a lack of a pipeline for funneling technically minded students into cybersecurity roles.
“We are behind when it comes to, specifically, the hacking-contest ecosystem,” he says. “We need to integrate CTF contests into academic curricula, so we can have a better, more direct correlation between hacking classes and the graduation of talent.”
China was able to turnaround its cybersecurity picture, and the lesson is, focusing on practical experience through hacking contests and CTF tournaments — as well as creating deeper pipelines between universities, the government, and industry — could go a long way to solving the problems.
“This was very much a bottom-up, organically driven process that at some point the state recognized and encouraged,” he says. “They started seeing these successes abroad and recognizing — because of geopolitical events like Stuxnet and [Edward] Snowden — recognizing how important [cybersecurity] is and that contributed to the breaking of taboos and … a big change in the culture.”
Source: www.darkreading.com