Inside China’s State-Sponsored Hacking Competitions: Talent Spotting and Global Outreach
A new report by the Atlantic Council sheds light on China’s sophisticated and highly structured Capture the Flag (CTF) competition framework, which is helping the country become a global leader in cybersecurity talent cultivation. With government backing and industry-wide support, China’s CTF ecosystem has developed into a cornerstone of national cybersecurity strategy.
Each year, China hosts a staggering number of CTF competitions, with the country averaging between 45 and 56 events annually, out of a total of 129 unique competitions identified by researchers. These competitions attract tens of thousands of participants, from high school students to seasoned cybersecurity professionals. One of the most significant events, the Ministry of Public Security’s Wangding Cup, saw over 35,000 participants, demonstrating the vast scale and appeal of these challenges.
The CTF competitions are varied, targeting not only national but also sector-specific needs, with events focusing on industries such as medicine, defense, and manufacturing. Government organizations like the Ministry of Education, the Cyberspace Administration of China, and the Academy of Sciences play critical roles in developing and promoting these competitions, using them to identify top talent and drive advancements in cybersecurity.
One of the unique aspects of China’s CTF framework is its role in recruitment. Competitions such as the Wangding Cup have become a gateway for identifying and fast-tracking individuals into China’s national cyber talent pool. Winners often find themselves placed on recruitment lists for key national projects and sectors, giving China an edge in cultivating the next generation of cybersecurity professionals.
Private initiatives also play a vital role in the ecosystem. The XCTF League, the largest hacking league in Asia, integrates teams from around the world, combining both domestic and international competitions. Events such as RealWorldCTF draw global talent to China, helping to establish international collaboration and forge new connections. Outside of China, private events like GeekCon extend this influence, providing Chinese participants with a broader platform to showcase their skills.
However, some of these competitions are shrouded in secrecy. Events like the Zhujian Cup are tightly controlled, with participants often required to erase any trace of their involvement once the competition concludes. This level of confidentiality underscores the national security importance of these contests and hints at their potential use in gathering intelligence or developing critical cybersecurity strategies.
Government support for CTF competitions is also underscored by policy. In 2018, China implemented legislation aimed at bolstering its cybersecurity talent pipeline. The policy not only incentivizes participation in domestic events but also regulates international participation. Additionally, it mandates that any vulnerabilities discovered during competitions be reported to government agencies, ensuring that the country maintains a tight grip on its cybersecurity landscape.
The report suggests that China’s CTF model could serve as an inspiration for other nations looking to enhance their cybersecurity capabilities.