China's Next Generation of Hackers: A National Security Threat

The Evolving Nexus of Technology and Geopolitics
The TechCrunch Global Affairs Project investigates the deepening connection between the technology industry and the landscape of international politics. This analysis focuses on the evolving strategies employed by China in the realm of cyber operations.
China’s Historical Reliance on Criminal Cyber Actors
For many years, China has leveraged individuals engaged in criminal activities to carry out cyber espionage. These actors, operating with impunity due to their connections to China’s Ministry of State Security (MSS), have been instrumental in numerous espionage endeavors. This practice, while concerning, is not a recent development.
A U.S. Department of Justice indictment from the previous year revealed that the dual criminal and espionage activities of two Chinese hackers extended back to 2009. Furthermore, cybersecurity firm FireEye has asserted that APT41, another MSS-affiliated group, transitioned from purely criminal operations in 2012 to simultaneously conducting state-sponsored espionage beginning in 2014. However, evidence suggests China has been actively preparing for a strategic shift.
Investing in a New Generation of Cybersecurity Professionals
Beginning in 2015, a series of policy initiatives positioned China to replace its reliance on contracted criminals with a domestically trained workforce sourced from universities. The Chinese Communist Party (CCP) initially focused on standardizing university cybersecurity curricula, drawing inspiration from the U.S. National Initiative for Cybersecurity Education – a NIST framework designed to bolster the U.S. talent pipeline.
Subsequently, in 2016, China announced the establishment of a National Cybersecurity Talent and Innovation Base in Wuhan. This facility possesses the capacity to train and certify up to 70,000 cybersecurity professionals annually.
Formalizing Cybersecurity Education and Certification
In 2017, the Central Cyberspace Administration of China introduced an award recognizing World-Class Cybersecurity Schools. Currently, eleven institutions are certified under this program, mirroring the U.S. government’s designation of universities as Centers of Academic Excellence in cyber defense and operations. However, simply cultivating a new talent pool free from criminal associations isn’t the sole driver of this change.
Combating Corruption and Enhancing Operational Security
The drive to professionalize state hacking teams is intrinsically linked to President Xi’s overarching political objective of reducing corruption within the government. President Xi’s recent crackdown on China’s state security apparatus underscores the risks faced by officials who exploit government resources for personal gain.
The patronage networks between contract hackers and their government handlers represent the type of illicit profiteering that Xi’s anti-corruption campaign specifically targets. In an increasingly competitive environment, officials overseeing operations that attract international scrutiny or result in foreign criminal indictments are vulnerable to denunciation by rivals. Those targeted by internal investigations may face detention in unofficial “black jails.”
Consequently, China’s security services are expected to sever ties with underground hackers as they eliminate corrupt officials and directly employ cybersecurity professionals.
Implications for Global Cybersecurity
These measures indicate that the Chinese hackers encountered by companies and intelligence agencies worldwide will be significantly more professional by the end of the decade. A more proficient China will inevitably exhibit different behavior than its current approach.
Due to its dependence on illicit hackers to conceal its criminal and espionage activities, the Ministry of Public Security has historically tolerated certain cybercriminal operations within China, despite the associated problems. Once criminal activity is no longer commonplace, China’s security services will be able to integrate these operations internally, as government espionage is considered an acceptable practice in international relations.
As a result, China’s Ministry of Public Security may increase its focus on operations targeting cybercriminals. Analysts should monitor for a surge in these internally focused, anti-crime operations as a key indicator of evolving operational tactics.
Expanding Espionage and Intellectual Property Theft
This shift in Chinese cyber capabilities will have international repercussions, as the range of targeted countries and entities expands. Espionage priorities that have been historically lower on the list are likely to receive renewed attention as the number of state-sponsored hackers grows. These campaigns will not necessarily be more “sophisticated” than previous operations, given that China’s hacking teams already operate at a high level of skill. However, they will become more frequent.
As China’s security-backed hacking sheds its association with criminality, a decline in cybercrime perpetrated by contract hackers and state-connected individuals is anticipated over the next decade. This trend away from illicit activities will coincide with an increase in espionage and intellectual property theft. Looking back, China’s reliance on criminal hackers will likely be viewed as a relic of a less disciplined era within the MSS.
Indicators of Change and Future Outlook
While this transition will be gradual, certain indicators can be expected, such as reports of crackdowns within the security services or news of disappearing or indicted criminal groups. Over time, a discernible separation of technical indicators between known criminal and espionage hacking teams should emerge.
Strengthening U.S. Cybersecurity Posture
Given that espionage is not inherently illegal, U.S. policymakers must continue to prioritize cybersecurity across all government agencies, the defense industrial base, and critical infrastructure operators. The White House has already begun to address this, rallying NATO allies on cyber policy in August 2021 and identifying 500,000 unfilled cybersecurity positions. The NSA has also launched the Cybersecurity Collaboration Center to enhance systemwide cybersecurity. The United States already utilizes programs like CyberPatriot to encourage students to pursue careers in the well-established cybersecurity talent pipeline. Expanding programs aimed at job retraining through community colleges certified in cyber defense could leverage existing resources and attract students who may have missed the initial K-12 pipeline.
Ultimately, policymakers must remain vigilant. A reduction in China’s reliance on criminals does not signify a diminished threat, but rather a transformed one. The U.S. government should be prepared to comprehensively address the challenges posed by China’s next generation of hackers.
