The Chinese government has taken steps to discourage its country’s security researchers from sharing their knowledge at some foreign cybersecurity events, especially those organized in Western countries, sources tell CyberScoop.
A popular hacking competition that’s taking place March 14-16 in Vancouver, Canada, titled “Pwn2Own,” will be impacted by this recent shift in Chinese policy, event organizers say.
“There have been regulatory changes in some countries that no longer allow participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions,” explained Brian Gorenc, director of Trend Micro’s Zero Day Initiative, which manages the Pwn2Own event. A spokesperson for Trend Micro clarified that Gorenc’s comment referred to China.
There will be no Chinese research teams at Pwn2Own this year. The change will be especially obvious, past attendees told CyberScoop, because for the last several years Chinese teams have dominated the competition.
At Pwn2Own, teams compete to discover critical flaws in popular software products. Prizes for each individual discovery range from $15,000 to $150,000. Information about these vulnerabilities is usually turned over to vendors, which this year is set to include Google, Mozilla, Microsoft Oracle and others.
Adam Segal, director of the Digital and Cyberspace Policy Program at the Council for Foreign Relations and an expert on Chinese cybersecurity policy, told CyberScoop the restriction was recently introduced. It appears focused on events where researchers are either disclosing vulnerabilities to an audience or hacking programs in realtime; meaning that it may affect other exploit competitions or presentations where so-called zero day vulnerabilities are also revealed.
“People were told that they could not attend and could not report vulnerabilities to third parties, but could still report back/sell to vendors,” Segal said. “It will probably cut the income for a lot of white hats.”
Broadly speaking, the Chinese government strongly exerts influence over the country’s private sector in a different manner than Western governments. The apparent pressure is not only coming from Chinese government officials, according to foreign policy experts, it is also likely spreading inside private Chinese technology companies.
CyberScoop attempted to contact 10 Chinese security researchers, some of which have competed in past Pwn2Own competitions. The researchers currently work as full-time employees of Chinese technology giants including Qihoo 360 Technologies, Tencent and Alibaba, among others. Of the 10 contacted, few responded and most declined to comment on whether the Chinese government or their employer had ever pressured them to not attend a Western cybersecurity conference.
Qihoo 360 CEO and co-founder Zhou Hongyi spoke out last year against independent Chinese security researchers traveling to foreign conferences to share their insights. Zhou, one of China’s most powerful executives, stated in an interview with a Chinese news outlet that knowledge of undisclosed software vulnerabilities “should remain in China.”
Around the world, governments are increasingly chasing after elusive software exploits that can be used for targeted cyber espionage or cybercrime. With these secrets becoming ever more valuable, some countries are attempting to keep disclosures within their own borders.
The shift in Chinese mindset also comes at a time when the U.S. government is actively attempting to arrest and extradite foreign hackers with alleged ties to adversary governments.
Last year, the FBI arrested a Chinese cybersecurity expert with alleged ties to the Chinese government while he was attending a U.S.-based conference. Law enforcement claim the man was responsible for developing a malware variant that had been used in multiple breaches of American companies and organizations, including the Office of Personnel Management.
In addition, the Justice Department announced a series of indictments in December against multiple Chinese nationals for their role in hacking and stealing intellectual property from U.S. companies. These individuals appeared to be contractors that took orders from a Chinese intelligence service.