This article is based on a report titled ‘Capture the (red) flag: An inside look into China’s hacking contest ecosystem’ originally published on October 18, 2024, by the Atlantic Council.
China has built a robust capture-the-flag (CTF) hacking competition ecosystem, driven by both government policies and private sector collaboration. CTF competitions are events where participants – ranging from students to seasoned professionals – take on challenges that mimic real-world security problems in two main formats: jeopardy-style contests, which focus on solving challenges like cryptography, reverse engineering, and binary exploitation; and attack-defense competitions, which simulate real-world scenarios requiring teams to protect their own systems while attacking others. The CTF competitions play a critical role in strengthening China’s cybersecurity landscape by identifying talent, fostering innovation, and promoting experiential learning, creativity, and strategic thinking.
This article highlights the core features of China’s CTF ecosystem, while providing insights for policymakers around the world on how to refine their own strategies for promoting hacking competitions. These efforts should align with broader initiatives to advance cybersecurity education and workforce development worldwide.
How China’s CTF Ecosystem Operates
China’s CTF ecosystem thrives on state support and private sector involvement. Government entities, such as the Ministry of Public Security (MPS), the Ministry of State Security (MSS), the People’s Liberation Army (PLA), and the Ministry of Industry and Information Technology (MIIT), organize and sponsor these events, with participation varying across them. For example, the MPS’s Wangding Cup – referred to as China’s “Cyber Security Olympics” – attracts more than 30,000 participants, while most events draw at least 1,000. Universities, private companies, and government agencies collaborate to run these events, reflecting a robust and interconnected ecosystem.
An overview of China’s main annual competitions can be found on our tracker, which monitors 54 recurring contests, presenting data about their years of activity, numbers of participants, host organizations, as well as links to detailed competition write-ups.
Key CTF competitions examined in our report include the Information Security Ironman Triathlon, CTFWar, Qiang Wang Cup, and Wangding Cup, all of which are linked to the MSS, PLA, and MPS. These contests play a vital role as talent-recruitment channels for China’s security agencies, whereas contests like the RealWorldCTF and GeekCon foster international engagement, with the former attracting foreign hackers to China and the latter connecting with them abroad. The XCTF League – China’s largest and most prestigious CTF event – serves as the nation’s leading talent-development platform, featuring multiple qualification rounds held nationwide throughout the year. Meanwhile, events like X-NUCA focus on helping college students hone their skills.
China also hosts sector-specific contests that cater to industries such as healthcare and law enforcement. The National Health Industry Cyber Security Skills Competition tests participants’ cybersecurity expertise in medical contexts, attracting IT and cybersecurity professionals from hospitals and healthcare organizations. The Blue Cap Cup, focused on law enforcement, features participants from police academies and emphasizes electronic forensics, case investigations, and traditional CTF challenges. These targeted competitions address unique cybersecurity challenges, encourage competition across industry-specific systems, and foster collaboration among professionals.
Talent Development through Policy and Education
China’s policies have played a pivotal role in shaping its CTF ecosystem. In 2018, the government issued a directive encouraging ministries to host CTFs, while mandating that “public security and other relevant departments” collect vulnerability data from competitions. The directive also aimed to curb “profit-seeking” behavior by limiting the use of high-value prizes. This policy followed years of efforts to standardize university curricula for cybersecurity degrees, designate some universities as world-class cybersecurity schools, and establish a National Cybersecurity Talent and Innovation Base in Wuhan.
Websites for China’s hacking contests emphasize alignment with Xi Jinping’s 2014 vision of turning China into a “cyber powerhouse,” referencing goals from the National Congress of the Chinese Communist Party, the Data Security Law, and the five-year plans as core objectives. The integration of competitions into these broader policy goals underscores their strategic importance.
Universities leverage CTFs as practical skill assessments, often rewarding top-performing students with financial incentives and access to specialized training facilities. In September 2023, guided by China’s Ministry of Education, the Discipline Evaluation Group of the State Council’s Academic Degrees Committee released a white paper on cybersecurity talent. The paper found that 63 percent of institutions consider hacking competitions effective for training, with 45 percent of students starting in their freshman year and 32 percent in their sophomore year. Additionally, 75 percent of universities offer financial incentives for top performers, and the same percentage funds attack-defense labs to enhance students’ skills through mandatory courses.
Successful participants in hacking competitions frequently gain entry into national cybersecurity talent databases or secure recruitment offers from prestigious employers. Beyond education, these competitions fuel innovation. The Qiang Wang Cup, for instance, promotes advancements in cyber defense techniques, particularly in the realm of cyber mimicry, which is a key focus for the PLA. Participants refine their skills by exploring new attack methods and defense strategies, which ultimately strengthens China’s overall cybersecurity landscape.
What Fueled the Growth of China’s CTF Ecosystem?
China’s hacking contests have grown rapidly since the mid-2010s, driven by the successes of Chinese teams in international competitions. While the Chinese government has strongly supported the development and prominence of its hacking contest ecosystem, its growth has in fact been organically driven by the country’s highly skilled hacking community.
Teams like Tsinghua University’s Blue Lotus, which was the first team to ever reach the CTF finals at DEF CON – one of the largest global hacking conferences held annually in Las Vegas, Nevada – have inspired several local initiatives such as Baidu CTF, which is China’s first attack-defense competition. In 2014, China’s Keen Team triumphed at the Pwn2Own contest in Vancouver, following a strong performance in the previous year’s Mobile Pwn2Own in Tokyo. Pwn2Own is a high-profile hacking competition held annually in Vancouver, Canada, where security researchers attempt to exploit vulnerabilities in popular software and devices for cash prizes and recognition.
The latter success inspired the launch of GeekPwn (now rebranded as GeekCon), an event modeled after Pwn2Own. The event emerged at a time when Chinese tech companies and manufacturers were hesitant to engage with hackers, often avoiding competitions out of concern for reputational damage, and it faced resistance, including attempts by some hackers to disrupt its inaugural edition. The international success of Chinese teams has, however, begun to challenge such taboos. Companies like Baidu, Tencent, and Qihoo 360 started sponsoring events, acquiring hacking teams, and recruiting top cybersecurity talent, which marked a shift in attitudes toward fostering and leveraging hacker communities. From 2017 to 2023, the number of hacking contests stabilized, with roughly 37 to 56 unique events held annually.
Lessons for Policymakers Around the World
China’s approach offers two main lessons for countries looking to strengthen their cybersecurity capabilities. First, by incorporating competitions into education, policymakers could encourage universities to use CTFs as practical assessments. After all, these competitions bridge the gap between theoretical knowledge and real-world application, ensuring that students graduate with industry-relevant skills. Second, by hosting sector-specific contests, national agencies can organize competitions tailored to critical infrastructure sectors. These contests can enhance industry-specific defenses and foster collaboration among professionals.
China’s CTF ecosystem represents a remarkable achievement in strategic coordination and innovation. Its competitions have cultivated a skilled workforce, driven technological advancements, and solidified the country’s cybersecurity capabilities. However, despite its successes, the system faces inefficiencies. The sheer number of overlapping competitions risks resource redundancy, and the restrictive nature of some policies limits international engagement.
Nevertheless, other nations should draw inspiration from China’s successes while tailoring their approaches to local contexts. Incorporating competitions into educational frameworks, fostering collaboration between industry and academia, and promoting international partnerships can enhance cybersecurity talent development worldwide.
Written by
Eugenio Benincasa
Eugenio Benincasa is a senior cyber defense researcher at the Center for Security Studies at ETH Zurich. Prior to joining the center, he worked as a threat analyst at the Italian Presidency of the Council of Ministers in Rome, as a research fellow at the think tank Pacific Forum in Honolulu, and as a crime analyst at the New York City Police Department.
Dakota Cary
Dakota Cary is a strategic advisory consultant at SentinelOne and a non-resident fellow at the Atlantic Council. His reports examine artificial intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline. Cary has also testified before the US-China Economic and Security Review Commission.