Bloomberg Audio Studios, podcasts, radio news.
Okay, let's get started.
Off and why are three?
Two?
Good Guy? As President Trump was preparing to take office earlier this year and the battle for cyber dominance between China and the US was looming large in Tokyo, one of the most prestigious global hacking competitions was underway. They're on the clock and actually attempting to exploit above him called pone to Own, The competition has attracted some of the world's best hackers, or, as the industry likes to
call them, researchers. A hacking competition looks exactly like what you see in the movies, a group of people crowded around a computer, all staring intently at the screen as a main hacker types commands furiously on a keyboard. The aim of these hacking tournaments is to find weaknesses or holes in software in real world devices so that companies can fix them before they're exploited by criminals. For example, researchers would be looking for flaws and bugs, say in
Google Chrome or the Apple Watch. Teams that find the vulnerabilities successfully win a cash prize and share with the tech companies of how they hacked into the systems at the poone to Own tournament in January. The competition was sponsored by Tesla and teams had to discover weaknesses in its wall charger, I.
Think there's a success.
The best hacking team is crown the Master of pone. It's a title that the competition organizers began bestowing on the best hackers in twenty sixteen. That first year, a China affiliated team won. In twenty seventeen, Chinese hackers were Master of pone again, but the year after that, twenty eight there were no Chinese hackers at poone to Own. In fact, since then, there have been barely any hackers from mainland China at any international hackathon anywhere in the world.
In twenty eighteen, Chinese researchers no longer traveled to compete in international hacking competitions. Anyone who wanted to do so had to get special permission from the Chinese government.
That's Bloomberg reporter Jimmy Terrabe, who covers national security in Washington, DC. Because they did not want.
These folks to go overseas and compete, they created domestic hacking competitions to ensure that those vulnerabilities continue to.
Be discovered but remained within China.
The travel and competition restrictions placed on Chinese hackers were all about building what Jimmy calls a cyber army.
China really began in earnest to invest in the cyber sort of population in its country. It invested in the tech, it invested in the talent, and it became a very conservative focus for the regime because in the wars to come, the cyber army in China is going to be a very significant part of its arsenal.
It's a formidable arsenal that China could deploy as tensions between Washington and Beijing continue to ratchet up on everything from trade to rearffs to national security.
It could be something that the Chinese government would leverage.
Everyone knows that.
They have its capability to play with the water supply in America? Would they do that now because of the tariffs?
This is the Big Take Asia from Bloomberg News. I'm Wanha. Every week we take you inside some of the world's biggest and most powerful economies and the markets, tycoons and businesses that drive this ever shifting region. Today on the show, China's hacker army, How are Chinese hacking competitions powering its growing network of cyber soldiers, and what's at stake for the US and the rest of the world if their
knowledge stays inside China. It took Chinese hackers a while to get involved in international hacking competitions like pone to Own, but once they did, Chinese teams from universities and tech companies quickly became a force to be reckoned, with the Chinese committed in.
A way that other teams did not.
When a Western team would come and enter pone to Own one of these hacking competitions, their teams were maybe three to five, five to seven at best. The Chinese was sending twenty to thirty people on each team, and they were having people spend an entire year, like months and months and months researching all the different.
Contests, all the different challenges. It became a real contest.
Of we're going to show everyone how good.
We are, and that's exactly what they did.
For a short time, teams from China dominated, but their achievements abroad soon drew the attention of critical eyes back home. In twenty seventeen, the founder of Chinese cybersecurity firm Chihu three sixty Joe hong Yi publicly criticized Chinese participation in international hackathons.
The billionaire founder came out and said, I don't think that our people should be going and competing in these international contests and everyone getting to see the vulnerabilities that they discover. We should not be sharing these treasures with the rest of the world. These should be staying in China for us to use and for only us to have that knowledge.
From twenty eighteen on, Chinese teams were effectively forbidden from participating in any international hackathons. That same year, China launched its own hacking tournament called the Tanfood Cup. The prizes totaled a million dollars, almost double the prize money awarded in Pune to Own that year. During the Tanfood Cup, participants, mostly Chinese teams, packed into Apple operating systems, Google phones, and Microsoft networks. What was different about the Tanfood Cup
was what participants did after those exploits were discovered. Usually in international hackathons, the bugs are disclosed to the companies that make the software or devices so that they can patch them before criminal hackers exploit them. But in China, contestants are required to report the vulnerabilities to the government first.
The Weston Slash International contests are a place where a lot of people from many different countries, they're competing, they're sharing their learning and reporting their findings in a much more open way, and you contrast that with what's happening in China. A lot of the times, we don't know what vulnerabilities they're investigating, we don't know what the results are, we don't know if the vendor has been notified.
And in twenty twenty one, the Chinese government went a step further. A vulnerability disclosure regulation that came into effect required anyone, whether you're researcher at a tech company or if you discover a flaw during a competition, to report the findings to the government within forty eight hours. Anyone
who doesn't comply could be punished and fined. Outside of China, governments don't force hackers or companies to disclose vulnerabilities, but they also don't publicly share any software flaws that their intelligence agencies have discovered either. It's a practice called vulnerability hoarding, and experts say organizations like the US National Security Agency don't reveal their vulnerabilities because it uses them to spy
on other countries and attack their systems. For the longest time, cybersecurity experts weren't really sure how the Chinese government was using intel about security flaws until an alleged data leak in February last year.
Chinese police are investigating hundreds of files leaked online last week. They purport to show Beijing's government agencies carrying out large scale cyber attacks against foreign governments, companies, and more.
The hundreds of hundreds of internal files from the Shanghai based cybersecurity company i Soon, which works with Chinese government clients, were posted on an online platform called GitHub. Chat Logs and presentations, which industry experts believe to be authentic, appear to reveal successful attacks in twenty twenty one and twenty twenty two. There was a range of targets from the UK Foreign Office to the Royal Thai Army and even
NATO Secretary General Jens Stoltenberg. What was also revealing in these files was a link between the Chinese hacking competitions and these state sponsored cyber attacks.
We saw chats about vulnerability sharing.
The people who were on these chats talking about infiltrating a mail server, trying to get into a system with a vulnerability. We saw people saying, hey, when am I going to get that vulnerability from Tianfu kop and the response was, well, it's gone to the Ministry of Public Security or we've seen the.
Ministry of Public Security has an exploit. It's not fully.
Formed, but see how you go try it out.
So it really kind of revealed a through line.
In March, several employees of i Soon were charged by US authorities for carrying out cyber attacks at the behest of Chinese intelligence agencies. China denies the allegations. I Soon hasn't responded to the charges and didn't respond to requests for comment. With tensions rising between the two superpowers, what are the risks that China's growing hacker army poses to the US and the rest of the world, and can
governments do anything about it? That's after the break. Identifying vulnerabilities in your phone or laptop isn't just important for improving user experience and keeping your data safe. Bloomberg's Jamie Terrabe says they are an important tool for governments to use on the world stage, especially as tensions grow between the US and China, and as China seeks to wield more power and influence abroad.
It's a really important weapon for any government to have. You have the power to go into a device and no one else knows about it, maybe for months, so you can sit on it and use it at your will. Who do you want to target? Do you want to target your domestic population? Do you want to target dissidents? The Chinese have recognized that it is a very useful tool,
and they're spending a lot of money. They're investing a lot of time and talent, and they're growing their technology at a pace that the rest of the world is struggling too much.
And it's not just about stealing data in corporate espionage. Hacking campaigns can target operational technology that controls critical infrastructure, think power grids and water supply systems. One hacking campaign the US is especially concerned about is called vult Typhoon. US intelligence agencies accused Chinese state hackers of compromising critical infrastructure on where the US has a military base.
The volt Typhoon campaign is basically the discovery of Chinese state sponsored actors hiding in critical infrastructure just lurking and waiting for the right moment to flick a switch, to disrupt, to cause chaos or confusion, or to delay responses to possible military action that China might decide to embark on. So that's what.
The cyber army looks like to the Chinese leadership. It is a tool to be used in the event of military action.
It is also a tool to be used.
In intelligence gathering, as they did when they hacked the emails of many of the State Department officials, as well as the most recent campaign where they hacked into the funds of the Trump campaign.
China has repeatedly denied any accusations of malicious hacking, and have also long accused the US and other countries of cyber espionage.
This is all about.
Who's the better spy.
There's always been this idea that we're going to spy on you, you're going to spy on us. But we don't know what the US is doing. We don't know what the French are doing, we don't know what the Australians are doing, we don't know what the British are doing.
But that's the game.
And as we hear more about these cyber attacks. Is there anything the US or other governments can do.
At this point, with the latest administration, we're starting to hear a lot more strident voices about hacking back on the Hill.
The head of the House Homeline Security Committee, doctor Mark Green, wants to hack back, wants to get private companies to carry out hacking offensive cyber campaigns. The thing is, we don't know if they're not already doing that.
You know, we don't know what the NSA is doing.
For the longest time, it was called no such agency because they never wanted to admit that they even existed, let alone tell everyone what they were doing.
And Jamie says, part of the reason why these calls for offensive cyber campaigns are rising is because of the difficulties in holding people accountable for these cyber attacks.
This is the same thing that happens with Russian criminal hackers. They all get indicted and they remain where they are. They stay in Russia or China, or they travel to countries where they won't get extradited and they face no consequences.
One of the things with the ICEN leaks was these people aren't really paid a.
Lot, and they're sort of at the bottom of the ladder, so they're doing someone else's bidding. So even if they were targeted, it doesn't change the apparatus. It doesn't change the fact that this is a policy in the government or within this agency to carry out this kind of behavior.
So what I'm hearing then is you're saying China is basically going to continue to keep doing what it's doing and there's no one that can stop them.
There are sanctions. We see export controls coming in, we see sanctions against individuals, we see.
Sanctions against goods.
Right we start to see Chinese products or companies getting banned from the US. We see people in the US being banned from trading or investing in Chinese companies. But short of being able to bring some of these people in, it doesn't really happen because attribution is always so hard. You know, you can say I have all of the elements that match this Chinese actor, but you're never going to know definitively. We live in a world now where AI is rapidly advancing. A lot of these cyber attacks
can be automated in the future. The more we rely on tech, the more exposure we have, the more opportunities for all kinds of hackers to infiltrade, encrypt sabotage, hold you, transom, disrupt to all the things. So there are going to be more opportunities, not less.
This is The Big Take Asia from Bloomberg News. I'm wanha. To get more from The Big Take and unlimited access to all of Bloomberg dot Com, subscribe today at Bloomberg dot com slash podcast Offer. If you like this episode, make sure to subscribe and review The Big Take Asia wherever you listen to podcasts. It really helps people find the show. Thanks for listening, See you next time.