China instructs its hackers not to take part in hacking contests

China’s spy agency has ordered local hackers to abstain from global hacking contests and instead report any vulnerabilities to the security ministry or the affected company, according to cyber security experts, as Beijing seeks to tighten its control over technology and information.

The guidance from the Ministry of State Security, which comes as China is taking an increasingly isolationist approach to technology, was aimed at boosting its stash of intelligence, experts said.

“Clearly this is about local control,” said Christopher Ahlberg, co-founder and chief executive of US-based cyber intelligence firm Recorded Future. “Vulnerabilities could be problems in software but are also an opportunity to get backdoors into them.”

The move is the latest bid by China to secure control of technology and information. It follows initiatives such as Made in China 2025 — a scheme to restructure China’s industrial policy — and last year’s cyber security law that requires foreign companies to store data locally and allow data surveillance by China’s security apparatus.

The guidance also eliminates some of the key players from what has become a globally popular way of discovering vulnerabilities, so that vendors can fix them before cybercriminals jump in.

Tencent Keen Labs, part of Chinese technology titan Tencent, prompted Tesla to fix vulnerabilities after hacking into its cars. Chinese hackers have also been credited with discovering vulnerabilities at US-based tech multinationals including Google, Apple and Microsoft, according to FireEye, a cyber security company. Tencent did not respond to a request for comment.

While no formal edict has been issued on relevant Chinese state websites, Chinese participants were absent from the annual Pwn2Own hacking contest this month and the Black Hat event in Singapore last week. “They’ve been given guidance that they should no longer participate in events where vulnerabilities are publicly disclosed,” said Bryce Boland, chief technology officer at FireEye.

“Pwn2Own used to be basically flooded with Chinese who won all the competitions, but this time there were more or less no Chinese there,” added Mr Ahlberg. Now Chinese hackers could only take a discovery to the vendor or the Ministry “who might notify the vendor or might not”.

The MSS has already offered clues to its stance through its National Vulnerability Database, CNNVD, a repository of known vulnerabilities in different software products. Analysis by Recorded Future showed it had altered publication dates for at least 267 vulnerabilities — a lag, the group said, that highlighted vulnerabilities the MSS was “likely considering for use in offensive cyber operations”.

Mr Boland said that if the block on attending public contests was designed to have hackers report directly to the CNNVD it would create a “significant threat” because of the scope for Chinese hackers to exploit a huge pool of vulnerabilities.

“It’s like putting a vulnerabilities database with the CIA,” said Mr Ahlberg, referring to the US intelligence agency. “You’re really putting the hen in with the foxes. That’s the policy problem here but they’ve done it for a very good reason: they want total control.”
