The following regulation, issued in 2018, requires personnel involved in major PRC government or military projects to obtain police approval before participating in overseas cybersecurity competitions. The regulation also compels competitors to disclose national security- and stability-related vulnerabilities they discover during competitions to the police.

The Chinese source text is available online at:  http://www.cac.gov.cn/2018-09/07/c_1123394579.htm

An archived version of the Chinese source text is available at: https://perma.cc/5423-H72X

Notice on Regulating the Promotion of Cybersecurity Competitions

To the cyberspace affairs commission offices (网信办) and public security departments (bureaus) of all provinces, autonomous regions, and province-level municipalities, the Cyberspace Affairs Commission Office and Public Security Bureau of the Xinjiang Production and Construction Corps, and all relevant departments:

In recent years, enterprises, institutes of higher education, and related local governments and departments have organized various forms and scales of cybersecurity competitions, which have played an important role in enhancing the awareness of cybersecurity throughout society, promoting cybersecurity technology exchanges, and cultivating and discovering cybersecurity talent. With the continuous increase in such activities, there have also been various degrees of disorderly development, such as excessive commercialization, simplification of the competition system, and profit-seeking by players. In order to give full play to the positive role of cybersecurity competitions in cybersecurity personnel training and technology and industry development, with the approval of the Central Cyberspace Affairs Commission, notification of relevant matters is as follows.

1. Cybersecurity competitions must prioritize national security and benefit to society and be fair, just, scientifically rigorous, healthy, and orderly. Competitions must strictly abide by relevant laws and regulations and must not endanger national security or harm the legitimate interests of enterprises and individuals. Commercial hype through competitions is prohibited, as is the seeking of illegitimate benefits and the use of high-value prizes to attract participants.

2. Cybersecurity competitions should take into account both professionalism and knowledge, actively build high-level brand competitions, and focus on holding knowledge-based, skills-based, and popularization-based competitions for young people and cybersecurity practitioners in various forms.

3. If cybersecurity vulnerabilities and hidden dangers that may endanger national security and the public interest are discovered in competitions, they should be promptly reported to public security and other relevant departments, and the product provider should also be notified. Disclosure, transfer, or publication of the technical details and use methods of the hidden dangers, tools, and the like is prohibited without authorization.

4. When participating in overseas cybersecurity competitions, overseas institutions and individuals should not be provided with sensitive information, such as cybersecurity vulnerabilities and hidden dangers, that may endanger our national security or the public interest. Businesses and individuals participating in major state and military cybersecurity projects, special tasks, and the like who participate in overseas cybersecurity competitions must report to public security organs.

5. Cybersecurity competitions and conferences that use the terms “China,” “Nationwide,” “National,” “Global,” or the like shall report to national cyberspace affairs (网信) departments for approval. Competitions that have already been named shall perform approval procedures again or discontinue such naming practices.

6. In principle, government departments shall not organize, co-organize, or undertake commercial cybersecurity competitions, nor shall they act as guiding units of commercial cybersecurity competitions.

7. Relevant departments, such as those overseeing cyberspace affairs, education, industry and information technology, and public security, shall strengthen guidelines for cybersecurity competitions, focus on encouraging and supporting public good-oriented cybersecurity competitions, and provide appropriate recognition and rewards to those who have achieved outstanding results in competitions in accordance with relevant regulations.

Office of the Central Cyberspace Affairs Commission, Ministry of Public Security

June 5, 2018