Capture The (Red) Flag: An Inside Look into China's Hacking Contest Ecosystem

China has developed the world’s most comprehensive ecosystem for capture-the-flag (CTF) competitions, a popular format in hacking contests that test cybersecurity skills. These competitions range from direct team-versus-team events to Jeopardy-style challenges that focus on knowledge and problem-solving. This report shows that many of China’s government ministries are deeply involved in supporting these events, following a 2018 government policy. Over the past three years, China has hosted between forty-five and fifty-six competitions annually, with some, like the Ministry of Public Security’s Wangding Cup, attracting over thirty-five thousand participants. This extensive support has resulted in a multi-layered CTF ecosystem where both collegiate and professional hacking competitions thrive. China’s ecosystem is massive, resembling multiple overlapping national collegiate systems, but for cybersecurity. These events often serve as talent-scouting opportunities for government security agencies, with many high-profile competitions used as recruitment platforms. The diversity of competitions, each backed by various government bodies, has created an unmatched environment where students and professionals alike can hone their cybersecurity skills, fostering an unrivaled talent pool in the field. While China’s CTF model is highly successful, policymakers elsewhere should be cautious about imitating it directly, as having numerous national-level competitions might be inefficient. Nonetheless, it provides a benchmark for strengthening CTF ecosystems in other nations, tailored to each country’s needs.