I would like to thank Chairman Wong and Vice Chairman Glas for extending an invitation to testify today on China’s cyber capabilities. Thank you to the commission members and staff for taking an interest in this important topic and convening three great panels.

China’s cyber capabilities are expanding. Talent cultivation and research are critical to that expansion, and China’s universities support both. Since 2015, China has standardized its cybersecurity curriculum for university degree programs, launched a program to certify qualifying schools as World-Class Cybersecurity Schools, built a National Cybersecurity Center in Wuhan, and continued work with universities on capabilities research. Over the next decade, China’s cyber capabilities are poised to blossom as universities graduate more well-educated cybersecurity degree holders and as research progresses. For the United States to adequately respond to the development of China’s cyber talent pipeline and the role its universities play in a capabilities development, it’s important to first understand the relationship between the Chinese government and some universities.

Recommendations and Conclusions:

In late 2021, a video of a Chinese woman in Australia on the phone with police in China went viral. The woman received a call from her father’s cell phone. When she answered, she found herself face-to-face with a Chinese police officer. The officer pressured her about the content of a twitter account she was allegedly running. Her father sat in the police officer’s office and looked on. The woman’s distress throughout the phone call is, at times, haunting. She is pushed to return to China, asked when her visa will expire, and told to stop her online activity.

The episode highlights a dark reality about China’s authoritarian system and its sweeping claim over Chinese people abroad. Individuals and their families can be subjected to cruel pressure and manipulated to perform tasks against their will. This extends to Chinese companies, too. In cases of scientific cooperation, research and development, and security research, that same pressure can open doors for the Chinese intelligence services and the PLA. In these instances, Chinese citizens are the victims of a deeply repressive system. I want to emphasize my personal feelings of grief and distress for people who live under authoritarian rule without recourse for change.

At the same time, the United States benefits from foreign talent, and China’s graduates are among the best in the world. There are no policy mechanisms that will divorce the relationship between universities and the Chinese state—they are bound together under the CCP’s authoritarianism. But this relationship does not mean the United States must cut itself off from interacting with these universities or hiring their graduates. Instead, policymakers should consider offering visas to family members of individuals immigrating from China. Such a policy could attract high-end, PhD talent that drives research and innovation. Without family members in China that can be subjected to pressure from the CCP, the United States can more assuredly welcome these talented individuals.

The United States should consider listing some universities, such as Shanghai Jiao Tong University or Southeast University, on the Department of Commerce’s Entity List. Listing these schools will not prevent their work on cyber capabilities for the Chinese government, nor will it change their relationship with the government. Their capabilities development will not slow either. But, by listing these universities, policymakers can prevent other departments at these universities from accessing United States talent via collaboration, or some high-end technologies necessary to conduct research. I will emphasize that these actions will not change China’s hacking capabilities, slow their development, or fundamentally change the relationship with the Chinese government. But such actions could have knock-on effects in other areas of research.

In the course of my study of China’s hacking teams, its universities, and its education system, it is clear to me that China has learned many lessons from the United States. China’s university cybersecurity degree programs are based on the standards created by the NIST’s National Initiative for Cybersecurity Education. Its awards for excellence in cybersecurity education are based on the joint National Security Agency/Department of Homeland Security program to certify some universities as centers of academic excellence in cyber defense, cyber operations, and cybersecurity research. China’s Robot Hacking Games, referenced earlier in my testimony, are based on DARPA’s 2016 Cyber Grand Challenge. China has hosted more than a dozen rounds of competitions for Robot Hacking Games. In contrast, the United States has not hosted any since 2016. Time and again, China has studied the U.S. system, copied its best attributes, and in many cases expanded the scope and reach.

Policymakers should be flattered. We are moving in the right direction. But the market for cybersecurity jobs in the United States indicates that we are not graduating enough students with relevant degrees. The resulting increase in wages for cybersecurity professionals as demand goes unmet will help draw students’ attention to the field, but policymakers can do more to encourage interest in the field at the high school level. Supporting existing programs and expanding the opportunity for more rising students is the quickest path to success. Policymakers should look to work with high schools and universities to ensure access to quality computer science education and host public competitions and events that draw attention and interest to the field. Ongoing research by my colleagues at CSET preliminarily indicates that just over 1 percent of high school students in the United States are enrolled in AP Computer Science, with even fewer participating in cybersecurity competitions. Progress at the high school level is starting to take root, however. From 2018 to 2021, the proportion of high schools offering computer science courses lept from 35 percent to over 50 percent.¹ Twenty-three states even require high schools to offer computer science classes.² In the coming months, CSET will provide policymakers analysis and recommendations to support such programs.

In the face of an inadequate solution to separating China’s universities and the government, policymakers should instead focus on infusing the United States’ cybersecurity talent pipeline with vigor, attracting qualified professionals from abroad, and supporting ongoing cybersecurity education initiatives domestically. Xi Jinping is often quoted saying that “Cybersecurity is, ultimately, a competition for talent.” He’s not wrong.

1. “2021 State of CS Report.” Code.org. Accessed January 28, 2022. https://advocacy.code.org/stateofcs
2. “State of Computer Science Education – CS Advocacy.” Accessed January 28, 2022. https://advocacy.code.org/2018_state_of_cs.pdf.