China Raises Private Hacker Army To Probe Foreign Governments

China has inadvertently raised a private army of hackers to help it discover vulnerabilities in overseas computer networks thanks to a cybersecurity law that makes it mandatory to first inform the Chinese government.

In July 2021, China's cyberspace watchdog, its public security ministry, and its industry ministry jointly published the Regulations on the Management of Network Product Security Vulnerabilities, which make Chinese companies report loopholes in their software or the products they use within 48 hours of discovery.

Under the rule, the Chinese state institutions issue rewards for finding the cybersecurity vulnerabilities in software that is often used by foreign governments, in what may be a subtle new form of state-backed cyber warfare. At the same time, China is promoting young cybersecurity engineers in a doubling of its efforts to probe foreign systems for areas the Chinese government can exploit.

The new law has effectively changed the landscape of online network security within China, according to cybersecurity analyst Dakota Cary, who last week told The Record podcast—run by cybersecurity company Recorded Futures—that any business operating within its borders must report coding flaws to the government before taking any further steps to address the vulnerability or make it known to the public.

Cary, who is a non-resident fellow at the Atlantic Council think tank's Global China Hub, believes the requirement has fostered both collaboration and competition among the agencies, leading to efforts to outperform each other. And in an evident shift from the earlier voluntary disclosures to China's cyberspace watchdog or its intelligence services, there is now rivalry in the structure of vulnerability databases, he said.

A "vulnerability" is a loophole in the written code of software or a website that can allow a hacker to remotely access a computer system. Major technology giants such as Google and Facebook pay so-called "white hat," or good faith, hackers to find these points, which have the potential to undermine software companies.

Prior to the enactment of the 2021 law, Chinese researchers were active participants in the global ecosystem for software security, according to Cary. They engaged with the likes of Microsoft and Apple through bug bounty programs and contributed to the identification and resolution of software vulnerabilities.

But the tighter cybersecurity legislation has placed the Chinese government at the forefront of this process, reflecting Beijing's broader strategy of centralizing control of cybersecurity records and other types of information technology data.

China's own burgeoning cybersecurity industry means Beijing must protect its own systems from being targeting by foreign governments, too. But the implications of its legal approach are multifaceted. Chinese white hats who can identify system vulnerabilities could also be directed at overseas networks, making them a private army of hackers who serve a dual purpose.

China had more than 170,000 white hats in 2021, the majority of whom were young men born between 1990 and 2009, according to research conducted by Chinese cybersecurity forum FreeBuf and the internet security companies 360 and QAX.

Cary told The Record that there was considerable overlap in the Chinese industry ministry's vulnerability database and that of companies that service the People's Liberation Army and the country's intelligence agencies.

Wang Qi, CEO of DarkNavy, an independent cybersecurity research institution, told Shanghai news website Sixth Tone this week that software vulnerabilities exist independent of hackers, but it is the act of discovery that can lead to their resolution.

The growing value of the digital industry has increased the cost of security, Wei Tao, chief cybersecurity officer at the Alibaba-affiliated Ant Group, told the website. Wang said insufficient investment in the hacking industry could lead to its negative utilization and the inevitable occurrence of malicious incidents.

"Currently, competition for talents is fierce. In China, for every 100 research and development engineers there are less than 0.5 security engineers. If the traditional security sector can't absorb these talents, some of whom are still students, they will end up in the black and gray industries. That's terrible," Wei was quoted as saying.