New Red Tape for Chinese Cybersecurity Competitors (Translation)

Cyberspace, Public Security authorities require new approvals with special focus on foreign disclosures
Oct. 3, 2018

Translation by Rogier Creemers; introduction by Paul Triolo.

Cybersecurity competitions have become increasingly prominent in China over the last several years, with Chinese teams competing internationally and a series of new competitions emerging in China. These contests serve as a showcase for an emerging cybersecurity industry and a breeding ground for new cybersecurity talent in China.

Government authorities including the Cyberspace Administration of China (CAC) and its subordinates seek to address a cybersecurity talent gap that is felt in China just as it is around the world, and the CAC-subordinate Cyberspace Security Association (CCSA, 中国网络空间安全协会) plays host to a number of groups and committees that sponsor and promote cybersecurity talent-building activities including competitions.

At the same time, CAC and other authorities have recently made efforts to limit the ability of Chinese cybersecurity researchers to share vulnerabilities or other sensitive knowledge with foreign counterparts, whether through competitions abroad or bug bounty programs within specific companies. Researchers have found indications that China’s National Vulnerability Database (CNNVD) may be manipulating public data to obscure intelligence agencies’ review and potential use of vulnerabilities before disclosure.

The notice translated below was co-issued by the Central Commission for Cybersecurity and Informatization, CAC’s overseer, and the Ministry of Public Security in June and published last month. It makes clear that officials seek to exert control over Chinese cybersecurity competitions and Chinese participation elsewhere with a broadly framed orientation to ensure national security and the public interest. It also underlines the tensions between profit-seeking commercial cybersecurity work and government priorities.


TRANSLATION

[Chinese-language original]

Notice Concerning Standardizing and Stimulating Cybersecurity Competitions

CAC No. (2018) 8

All provincial, autonomous region, and municipal cybersecurity and informatization offices and public security offices (bureaus), the Xinjiang Production-Construction Corps Cybersecurity and Informatization Office, and Public Security Bureau, all relevant departments:

In recent years, enterprises, higher education institutes, and relevant local and departmental organizations have organized cybersecurity competition activities of different kinds and models, which have played an important role in enhancing the entire society's cybersecurity consciousness, stimulating cybersecurity technology exchange, and fostering and discovering cybersecurity talent. Along with the continuous increase in this kind of activity, different degrees of disorderly phenomena have arisen, including excessive commercialization, a dumbing down of competition forms, and the pursuit of material gain by competition winners. In order to give rein to the positive role of cybersecurity competitions in fostering cybersecurity talent and technological and industrial development, and with the agreement of the Central Commission for Cybersecurity and Informatization, hereby, the following matters are notified as follows:

I. Cybersecurity competitions must insist on the priority of cybersecurity and social effect, fairness and impartiality, scientific rigor, healthiness, and orderliness. They must strictly abide by relevant laws and regulations, and not harm national security or damage the lawful rights and interests of enterprises and individuals. It is prohibited to engage in commercial speculation or the pursuit of improper interests under the guise of a competition. Competitions should not encourage the attraction of participants into competitions through offering high-value prize money.

II. Cybersecurity competitions must equally consider specialization and knowledgeability, vigorously forge high-level branded competitions, and pay attention to organizing knowledge-type, skills-type, and popular-type competitions aimed at youth and cybersecurity employees.

III. Cybersecurity vulnerabilities and risks that may endanger national security or the public interest discovered during competitions shall be reported to public security and other such relevant departments in a timely manner and notified to the product vendor; it is prohibited to divulge, transfer, or publish the technical details, exploitation methods, tools, etc., of vulnerabilities and dangers without authorization.

IV. When participating in foreign cybersecurity competitions, it is prohibited to provide sensitive information such as cybersecurity vulnerabilities or dangers that may endanger China's national security or the public interest to foreign bodies or individuals. Work units and individuals participating in major State or military cybersecurity projects or specific tasks must, when participating in foreign cybersecurity competitions, report the matter to public security departments for filing.

V. Cybersecurity competitions and conferences shall, when named “Chinese,” “Nationwide,” “National,” “Global,” etc., report to national cybersecurity and informatization departments for agreement. Those already using [these words] shall again carry out procedures for approval or cease using that name.

VI. Government departments may not organize, co-organize, or support commercial cybersecurity competitions, and in principle are not to act as a guidance work unit for commercial cybersecurity companies.

VII. Cybersecurity and informatization, education, telecommunications, public security, and other relevant departments must strengthen guidance and standardization of cybersecurity competitions, focus on encouraging and supporting public interest–type cybersecurity competitions, and grant awards and prizes to persons having obtained exceptional achievements in competitions according to relevant regulations and in a suitable manner.

Office of the Central Commission for Cybersecurity and Informatization, the Ministry of Public Security

5 June 2018