Archived version

Hackathons are common, but Chinese hacking competitions are different.

In 2017, Zhou Hongyi, the founder of Chinese cybersecurity giant Qihoo 360, publicly criticised the practice of sharing vulnerability discoveries internationally, arguing that such strategic assets should stay within China. His sentiments, supported by the Chinese government, gave birth to the national hacking competition called the Tianfu Cup. The contest is focused on discovering vulnerabilities in global tech products like Apple iOS, Google’s Android, and Microsoft systems.

How is Tianfu Cup different?

A 2018 rule mandates participants of the Tianfu Cup to hand over their findings to the government, instead of the tech companies.

Dakota Cary, a China-focused consultant at the US cybersecurity company SentinelOne, said, “In practice, this meant vulnerabilities were passed to the state for use in operations.”

This approach effectively turned hacking competitions into a government pipeline for acquiring zero-day vulnerabilities — software flaws unknown to vendors and extremely valuable for cyber-espionage.

In recent years, China’s hacking competitions have increasingly shifted focus toward breaching domestic products, including Chinese-made electric vehicles, phones, and security software.

  • xrun_detected@programming.dev
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    13 hours ago

    nice try derailing the conversation with a “quick question”, let’s ignore it.

    you are correct, it is cyber warfare, and china sees the US as their enemy. however it is not “ABSOLUTELY” defense.

    i guess the conventional warfare equivalent would be to place explosives on the territory of your enemy to set it off in case of war. which smells way more like preparing active warfare than some kind of defense.

    it brings it’s own set of problems as well. let’s say they get triggered by accident, either by incompetency or a third conflict party.

    it will be very hard to explain why they were there in the first place, and “yes we deployed the <insert ‘defensive’ measure> on your soil, but it wasn’t us who triggered it.” might just not cut it.