People at the highest levels of power in China appreciate the importance of cyber skills. The CEO of Qihoo 360, the country’s largest cybersecurity firm, has famously criticized Chinese researchers working abroad and urged them to “stay in China” to understand the “strategic value” of the powerful software vulnerabilities used in cyberespionage campaigns. Within months, his company was linked to a hacking campaign against the country’s Uyghur minority.
This was followed by a series of more stringent regulations that tightened government control over the cybersecurity sector and prioritized government security and intelligence agencies above all else, including the companies whose software is insecure.
“The Chinese have a unique system that reflects the authoritarian model of the party state,” says Dakota Cary, an analyst at the Georgetown Center for Security and Emerging Technology.
Chinese cyber researchers have been de facto banned from participating in international hacking events and competitions, tournaments that they once dominated. A hacking competition pits some of the world’s top security researchers in a race to find and exploit powerful vulnerabilities in the world’s most popular technology, such as iPhones, Teslas, and even the human-machine interfaces that help modern factories run. Prizes worth hundreds of thousands of dollars encourage people to spot security vulnerabilities so they can be fixed.
Now, however, Chinese researchers need approval, which is rarely granted, if they want to participate in international competitions. They must also submit everything to government officials in advance, including information about the software vulnerabilities they plan to exploit. No other country exercises such tight control over such a large and talented class of security researchers.
That authority has been extended by a regulation requiring that all software vulnerabilities be reported to the government first, giving Chinese authorities uniquely early information that can be used for defensive or offensive hacking operations.
“All vulnerability research goes through an equity process, where the Chinese government gets the first right of denial,” says Adam Meyers, senior vice president of intelligence at cybersecurity firm CrowdStrike. “They get a choice of what to do with it, it really increases their visibility into the research being conducted and their ability to find benefits in all of it.”
We’ve seen one exception to this rule: an employee of Chinese cloud computing giant Alibaba reported the famous Log4j vulnerability to developers at Apache instead of handing it over to Chinese government officials first. The result was a public punishment and an implicit warning to Alibaba and anyone considering a similar move.
China’s stricter policies also have an impact abroad.
Over the past decade, the “bug bounty” model has provided millions of dollars to build a global ecosystem of researchers who find software vulnerabilities and are paid to report them. Multiple American companies host markets where any tech firm can put their products under close scrutiny in exchange for rewards for researchers.
By any measure, China is at or near the top in alerting American firms to vulnerabilities in their software. Cary said in congressional testimony last week that a large, unnamed American firm had told him that Chinese researchers had received $4 million in 2021. American companies benefit from the participation of these Chinese researchers: when researchers report a bug, companies can fix it. This has been the case since the popularity of rewards programs began exploding a decade ago.
However, as the Chinese government tightens control, this multi-million dollar ecosystem now provides Chinese authorities with a steady stream of software vulnerabilities – effectively funded by companies and at no cost to Beijing.
“China’s policy that researchers must submit vulnerabilities to the Ministry of Industry and Information Technology creates an incredibly valuable line of software capabilities for the government,” Cary says. “The policy effectively bought at least $4 million worth of research for free.”
Robot Hacking Games
In 2016, a powerful machine called the Mayhem won the Cyber Grand Challenge, a cybersecurity competition organized by the US Defense Advanced Research Projects Agency.
Owned by a Pittsburgh company called ForAllSecure, Mayhem won by automatically detecting, patching, and exploiting software vulnerabilities. The Pentagon now uses the technology across all military branches. The possibilities for both defense and attack were immediately clear to anyone watching, including Chinese officials.
DARPA has not run a similar program since 2016. China, on the other hand, has held at least seven “Robot Hacking Games” contests since 2017, according to Cary’s research. Chinese academic, military, and private-sector teams were drawn to competitions overseen by the Chinese military. Official documentation directly links the automatic discovery of software vulnerabilities to China’s national goals.
As Robot Hacking Games kicks off, Qihoo 360’s CEO said that automated vulnerability detection tools are an “assassin’s mace” for China.
“The person who masters automated vulnerability mining technology will have the first opportunity to attack and defend the network,” he said. He argued that the technology was a “killer” to network security, claiming that his own company had developed a “fully autonomous automated vulnerability mining system.”
The Robot Hacking Games are an example of the way top Chinese officials observe an American success and then build their own version of it.
“China has repeatedly studied the US system, copying its best features, and in many cases broadening its scope and reach,” Cary says.
As US-Chinese rivalries continue to function as the defining geopolitical relationship of the 21st century, cyber will play a huge role in what Chinese leaders have rightly called a “new era.” It touches on everything from commercial competition to technological progress and even war.
In this new age, Xi’s stated goal is to make China a “cyber superpower.” By whatever measure, he has done it.