Executive Summary

Robot Hacking Games (机器人网络安全大赛, RHG) are government-backed competitions that China uses to advance automatic software vulnerability discovery, patching, and exploitation technologies.¹ These tools offer both offensive and defensive capabilities that promise to increase the scale and pace of vulnerability discovery. If successful, countries could use these tools to find software vulnerabilities quicker than their adversaries. A fully developed capability would allow defenders to patch vulnerabilities as quickly as they are found; attackers could build new exploits equally fast. The Defense Advanced Research Project Agency’s Cyber Grand Challenge in 2016 spurred China’s interest in this area. The DARPA effort resulted in the creation of state-of-the-art tools in each of these areas, which have since been siloed into separate programs. China, by contrast, has hosted at least seven competitions since 2017.

China’s competition structure embodies its military-civil fusion strategy, attracting a collection of academic, military, and private-sector teams. Just two years after the People’s Liberation Army’s National University of Defense Technology won the first competition in 2017, the military started managing competitions of its own.² By 2021, a laboratory run by the PLA Equipment Development Department hosted its first RHG competition.³ These management and oversight roles situate the PLA in an ideal position to evaluate and attract the best tools and talent. Other state hacking teams, like those of the Ministry of State Security (MSS), will benefit from the technology’s development, too.

Leading Chinese cybersecurity experts and government strategy documents tie automated software vulnerability discovery, patching, and exploitation tools to Chinese President Xi Jinping’s goal for China to become a “cyber powerhouse” (网络强国).⁴ These policy documents create a de facto political mandate for China’s cybersecurity community to develop the desired tools. Although they will not make China a “cyber powerhouse” on their own, their development illustrates one important capability that China has chosen in pursuit of its goal.

1. 系统管理员, “浙江大学phrack战队在首届国际机器人网络安全大赛中荣获三等奖.” 浙江大学电气工程学院, September 26, 2017, https://perma.cc/W5VH-J7F5. The translation to “Robot Hacking Game” from Mandarin is both a direct translation, and the translation used in China’s own translations. Figure 2 shows each server rack embossed with “RHG” in large white letters at the top to drive home the competition’s branding. Although the name evokes thoughts of animated machinery moving about, the more appropriate English-language idea might be a “bot”— used to denote automated bits of software from virtual assistants to automated web scrapers.
2. “国防科技大学电子科学学院‘Halfbit’代表队夺得首届国际机器人网络安全大赛冠军,” 国防科技大学, November 8, 2017, https://perma.cc/ESL5-8YNL; 中共中央网络安全和信息化委员会办公室, “第三届‘强网杯’全国网络安全挑战赛正式启动,” April 23, 2019, https://perma.cc/9E4N-CGY4; 安全419, “RHG赛事平台落地‘纵横杯’ 人工智能自动化攻防演练或成行业常态比赛,” Sohu, March 30, 2021, https://perma.cc/7E53-2FBZ.
3. 奇安信, “冠军！IQ战队夺魁RHG国际机器人网络安全对抗赛,” 奇安信, March 30, 2021, https://perma.cc/93CH-QXNN.
4. Translator’s note: For a more in-depth discussion in English of the Chinese term 网络强国, which can be rendered as “cyber powerhouse” or “cyber superpower,” see Rogier Creemers et al., “Lexicon: 网络强国 Wǎngluo Qiángguó,” New America, May 31, 2018, https://www.newamerica.org/cybersecurity-initiative/digichina/blog/lexicon-wangluo-qiangguo/.