China's strategy in cyber space: civilian hackers and state support

The success of China's offensive cyber ecosystem is based on strategic coordination of civilian hackers, strongly supported by the state. China has created a sophisticated hacker-for-hire system that is globally distinctive. This model allows Chinese security agencies to only use zero-day vulnerabilities, which are software flaws unknown to developers but identified by independent researchers. Thus, Beijing outsources espionage operations through contracts with private entities, enhancing its cyber arsenal.

Hacking competitions as a showcase and testing ground

International hacking competitions and bug bounty programs offer a window into the workings of China's cyber ecosystem. These initiatives allow companies to leverage a global network of experts who compete to discover and fix vulnerabilities in exchange for financial rewards. They are also a less expensive alternative to hiring full-time security analysts, incentivizing the participation of independent researchers. Events like Pwn2Own, which reward those who manage to compromise updated software and operating systems, highlight the speed and expertise of Chinese hackers, protagonists of significant successes until 2018, when the government banned participation in foreign competitions, creating the Tianfu Cup as national alternative.

The crucial role of bug bounty programs

Bug bounty programs are online initiatives that offer rewards to hackers for responsible reporting of vulnerabilities. They are a pillar of the Chinese offensive cyber ecosystem, as they incentivize the discovery of new exploitable flaws. These reports, if sufficiently detailed, allow developers to reproduce and resolve problems. The participation of companies that collaborate with the Chinese government in these programs allows us to fuel a continuous flow of vulnerabilities that can be exploited for intelligence purposes. However, this approach can represent an ethical dilemma for democracies, as it conflicts with principles such as transparency and responsible disclosure.

Future prospects and challenges

Countries must carefully weigh whether to adopt elements of the Chinese strategy, harmonizing them with their own values and needs. It is crucial to ensure that vulnerability reporting is not exploited, to avoid compromising trust in the process and discouraging those who discover critical flaws. Future studies could explore how governments can integrate the best practices of the Chinese approach without derogating from their fundamental principles. The challenge will be to adapt security measures to address new asymmetries in intelligence and cyber defense, maintaining a balance between operational effectiveness and ethics.