China works with its cybersecurity researchers—can the US do the same?

“I think there is something to be learned from how different nations are addressing these issues,” one expert tells IT Brew.
Should the US government follow China’s lead and be more proactive in how it works with hackers?

Kara Sprague, incoming CEO of HackerOne, argues that there are some aspects of the Chinese system the West could emulate.

“I have not seen North America or even the United States organize that level of defense activity, so to speak, or try to proactively identify those vulnerabilities and fix them,” Sprague told IT Brew. “And so I think there is something to be learned from how different nations are addressing these issues.”

Locked down. There are some government-sponsored hacking contests in the US. Hack the Pentagon, a competition to break through Department of Defense protections, has been running since 2016. In 2023, the White House launched an AI-based hacking challenge with the Defense Advanced Research Projects Agency, commonly known by its acronym, DARPA.

But these efforts pale in comparison to China’s government hacking contests and the integration of the state with the country’s cybersecurity sector. A June report from ETH Zurich University’s Center for Security Studies, “From Vegas to Chengdu: Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem,” detailed the way the Chinese government works with—and controls—the country’s civilian hackers. Hackers in the country are barred from participating in competitions overseas.

“Chinese hacking competitions have transitioned from being mere student training ground and recruitment platforms to serving as tools for internal trainings within government-contracted companies and as mechanisms for transferring vulnerability knowledge to Chinese security agencies,” the report explained.

Country side. Changing how the US manages talent would mean a shift in acquisition tactics at the federal level. To Daniel Schwalbe, CISO at DomainTools, the central issue comes down to a difference between the two governments.

In China, the motivations for people working with the state are varied—they may be related to the possibility of government retribution or the ability to hack with impunity outside of the country. The US, on the other hand, has a less controlling state apparatus and government jobs that pay far less than the private sector. And then there are regulations.

“The US government specifically still has a pretty high barrier to entry,” Schwalbe said, referring to how difficult it can be to get a clearance with a criminal record. “So, let’s just say there is an individual who maybe runs into some trouble with the law early on—as a teenager or as a young adult, when it starts counting—they’re not eligible for most of these jobs in government because they require [security] clearances, and depending on what your conviction was, you’re not getting a clearance, and so you’re not eligible for that job.”

Threat detector. Sprague is calling for more US government involvement in hacking contests and in working with security researchers, in part because she is concerned that adversary governments could work with hackers to find vulnerabilities and threats.

“It would be very scary to me to think that there’s a bad actor, or even a nation state, which has details about vulnerabilities…and [is] using that to the disadvantage of other customers or other nations,” Sprague said. “That’s very scary.”
