
Capture-the-Flag Contest Ecosystems Pitched to Policymakers

Payoffs From China's Hacking Contests Feed Recommendations to Western Governments

Western governments should take a page from Beijing's talent-development playbook and sponsor numerous capture-the-flag competitions to do a better job of fostering domestic cybersecurity hacking skills.


So recommends a report from Atlantic Council, "Capture the (red) flag: An inside look into China's hacking contest ecosystem," which details the People's Republic of China's world-leading use of hacking competitions.

"The system the PRC created is unparalleled with some competitions attracting hundreds of universities and tens of thousands of students," report co-author Dakota Cary, a nonresident fellow at Atlantic Council, said in a post to X. "The U.S. and other governments should be inspired by China's CTF ecosystem. They've earned it."

Chinese CTFs aid in spotting, recruiting and nurturing the next generation of talent "for both regulatory and standard-settings roles," as well as "for offensive and defensive missions," the research says.

"In contrast to exploit competitions, which center on discovering and exploiting zero-day vulnerabilities, CTFs present challenges in simulated environments across areas like reverse-engineering, web security, binary exploitation and cryptography," report co-author Eugenio Benincasa, a senior researcher in the Cyberdefense Project with the Risk and Resilience Team at the Center for Security Studies at Switzerland's public research university ETH Zurich, told Information Security Media Group.

The new report builds on his previous research into China's strategic use of hacking competitions (see: China Using Hacking Competitions to Develop Domestic Talent).

"We are not aware of formal mechanisms adopted by Western governments for recruiting through CTF competitions akin to those developed by China," he said. While CTFs likely do serve as talent-spotting opportunities in the West, China stands apart thanks to "the scale, integration and coordination of its CTF initiatives" that are developed in consultation with industry, backed by the government and included in educational curricula, he said. "This creates a robust, structured pipeline that channels emerging talent toward national security objectives - an approach that Western countries have yet to formalize."

Benefits Galore

Benincasa said hacking competitions have a number of direct and indirect benefits to China's cybersecurity talent ecosystem. Many of the country's hacking contests are very sector-specific, such as for healthcare. Since 2020, the government has run a National Health Industry Cyber Security Skills Competition, which "is considered China's largest and most influential hacking contest in the health industry," he said in a post to X.

Other contests focus on sectors such as law enforcement, smart cities and digital forensics skills. "We recommend Western countries develop comparable ecosystems," he said.

Beyond the accolades individuals and the CTF teams they comprise stand to gain, the competitions also help foster "informal relationships" between aficionados - and oftentimes in very useful, very sector-specific ways, researchers found.

"Competitions help build communities and social bonds between hackers," researchers said, which is even more true at sector-specific competitions, including ones devoted to public security or healthcare. "The social connections that result from these competitions can help participants coordinate quickly across organizations," such as finding and quickly disseminating a new threat vector being used to target healthcare organizations.

The same is also true for offensive operations, as "hackers struggling to hit a certain target might find a friend with access to the right tools to complete the job," they said. This applies not just to government agencies, but also what Benincasa has described as the "multifaceted 'hack-for-hire' ecosystem for offensive purposes" China has developed, which "heavily taps into the talents of the country's civilian hacking community." In short, China appears to regularly outsource cyberespionage and cyber operations to private firms (see: iSoon Leak Shows Links to Chinese APT Groups).

The researchers' report includes a China CTF Competition Tracker that details more than 50 annual Chinese CTF contests, including lists of sponsors, the average number of attendees and links to participants' conference write-ups.

"In addition to our data analysis of the ecosystem, we also highlight 11 competitions for their ties to the security services for recruitment or technology development," co-author Cary said.

For example, the report notes that Real World CTF is sponsored by Beijing Chaitin, which is a private company that serves as a "tier 2 technical support unit" of China's Ministry of State Security.

As previous research from Atlantic Council has detailed, China's National Information Security Vulnerability Database, or CNNVD, run by the MSS, maintains three tiers of partnerships for private businesses applying to serve as technical support units. For example, the highest - tier 1 - requires that a company's vulnerability analysis and discovery team employ more than 20 people.

Lessons Learned

China didn't develop its approach to CTFs in a vacuum. Rather, the researchers said that Chinese teams' success at foreign hacking competitions, such as the DEF CON CTF finals in Las Vegas and the Pwn2Own contest in Canada, "began to challenge previous taboos at home and highlight the strategic importance of cybersecurity talent."

Starting in 2014, the number of hacking competitions hosted in China surged from just three per year to, lately, anywhere between 40 and 50, the report says. More than a few have apparent ties to the military or security services, including CTFWar, Infosec Ironman Triathlon and the National Collegiate Cybersecurity Attack and Defense Competition.

Some competitions draw international visitors and seem to have been used by China's security services to approach foreigners. One case study featured in the report detailed how an American security researcher named "Matt," who attended the Real World CTF, was asked for his contact information at a restaurant, during the conference, by women involved in running the event. He gave the equivalent of a burner number, in the form of a Google Voice number.

The report details what happened next: "After the competition and back home in the United States, Matt checked his VoIP number on his laptop. The phone number had received an MMS image file. He never opened it and deleted the number from his Google account."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



