The following white paper, drafted by the Chinese Ministry of Education in concert with several universities, details China’s system for cultivating homegrown “live-fire” cybersecurity talent. The authors describe the methods China uses to train cyber talent—including formal education, corporate training, certification courses, competitions, and bug bounties—but warn that in spite of these efforts, the country’s supply of cybersecurity professionals remains woefully insufficient. The white paper concludes with policy recommendations designed to ameliorate the mismatch between the skills of newly minted graduates and the actual cybersecurity needs of Chinese companies.
An archived version of the Chinese source text is available online at: https://perma.cc/34X6-7FRS
2022 White Paper on the Live-Fire Capabilities of Cybersecurity Talents: Attack and Defense Live-Fire Capability Edition
Preface
In the final analysis, cyberspace competition is a talent competition. Cybersecurity talents empower thousands of industries and are the cornerstone of the secure development of the digital economy. In the development of network and information security, the construction of talent teams is key.
While the cyber powerhouse[1] strategy is being further promoted, the huge gap in cybersecurity talents has become one of the main problems facing the cybersecurity industry, especially the serious shortage of live-fire (实战) talents. Data shows that by 2027, China’s cybersecurity talent gap will reach 3.27 million, while the scale of talent training in colleges and universities is only 30,000 per year. In China, there is a serious shortage of cybersecurity talents who have live-fire capabilities and understand attack methods and attack pathways. On the one hand, only 8% of the heads of corporate information departments and security departments believe that their teams are “not lacking in any aspect of live-fire attack and defense capabilities”. On the other hand, the most tangible problem in the cultivation of talents in Chinese colleges and universities is in “internship and practice.” The construction of the live-fire capabilities of cybersecurity talents has become a new proposition of the era that requires an urgent solution.
The White Paper on the Live-Fire Capabilities of Cybersecurity Talents (hereinafter referred to as the “White Paper”) is the first white paper in the industry to focus on the live-fire capabilities of cybersecurity talents. Based on 420 events, used to sample 85,761 pieces of cybersecurity competition information, as well as 889 survey questionnaires, combined with an investigation of the supply side of live-fire talents and the demand side of employers, this white paper comprehensively presents the current supply and demand situation, training status, evaluation methods, and development suggestions for live-fire talents in China. This White Paper was written for Party and government agencies, state-owned enterprises (SOEs), enterprises and public institutions,[2] and universities. It is hoped that this effort will provide a detailed reference for the formulation of talent strategies by various units.
This White Paper has the following main features:
- The basic concepts are clear and the methodology is clear. First, it defines cybersecurity talent live-fire capabilities and attack and defense live-fire capabilities and proposes the “4+3 Model” of cybersecurity talent live-fire capabilities and “ASK-P Model” of cybersecurity talent training in order to establish standards for the categorization and evaluation of cybersecurity talent live-fire capabilities.
- The content is comprehensive and complex topics are explained in a clear and simple way. The white paper provides a comprehensive comparison of the cybersecurity talent development environment in China and abroad, the supply and demand of cybersecurity talent live-fire capabilities, and cybersecurity talent live-fire capabilities in various industries and various regions throughout China in order to reach a large number of conclusions. The authors try to avoid using obscure language to describe abstract theory and technical knowledge, instead conveying this information with the help of a large number of diagrams.
- This is the work of experts and represents cutting-edge information. The authors have drawn on their many years of teaching and cybersecurity frontline work in colleges and universities and have accumulated many important accomplishments over their long periods of work. Many of the authors have also won awards such as Outstanding Cybersecurity Teacher Awards, Outstanding Cybersecurity Talent Awards, National Technology Invention First-Prize Awards, and Beijing Science and Technology Invention First-Prize Awards. They have integrated their profound teaching philosophies and practical experience into the White Paper.
[1] Translator’s note: Alternate English translations for the Chinese term wǎngluò qiángguó (网络强国)—here translated as “cyber powerhouse”—include “cyber superpower,” “network powerhouse,” “network superpower,” and so on. For a more thorough discussion in English of the meaning of the term wǎngluò qiángguó, see: https://www.newamerica.org/cybersecurity-initiative/digichina/blog/lexicon-wangluo-qiangguo/.
[2] Translator’s note: “Public institutions” (事业单位) are organizations created and led by Chinese government departments that provide social services. Unlike state-owned enterprises (SOEs), public institutions do not create material products and are non-profit. Public institutions are not considered government agencies, and their employees are not civil servants. Most public institutions are fully or partially government-funded, but some fully privately funded (but still government-led) public institutions exist. Public institutions typically provide services in areas such as education, science and technology, culture, health, and sanitation.