Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace
Report
June 25, 2025 • 12:01 am ET
By Winnona DeSombre Bernsen
Executive summary
If the United States wants to increasingly use offensive cyber operations abroad, does it have the supply chain and acquisition capabilities to back it up—particularly if its adversary is the People’s Republic of China?
Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities, like zero-day vulnerabilities, are a strategic resource. Since 2016, China has been turning the zero-day market in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies and to deny the United States from acquiring similar capabilities from the region. If the United States wants to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.
This report is the first to conduct a comparative study across the international offensive cyber supply chain, comparing the United States’ fragmented, risk-averse acquisition model with China’s outsourced and funnel-like approach.
Key findings:
- Zero-day exploitation is becoming harder, more opaque, and more expensive, resulting in “feast-or-famine” contract cycles.
- Middlemen with prior government connections further drive up costs and create inefficiency in the US and Five Eyes (FVEYs) market, while eroding trust between buyers and sellers.
- China’s domestic cyber pipeline dwarfs that of the United States. China is also increasingly moving to recruit from the Middle East and East Asia.
- The United States relies on international talent for its zero-day capabilities, and its domestic talent investment is sparse – focused on defense rather than offense.
- The US acquisition processes favor large prime contractors, and prioritize extremely high levels of accuracy, trust, and stealth, which can create market inefficiencies and overly index on high-cost, exquisite zero-day exploit procurements.
- China’s acquisition processes use decentralized contracting methods. The Chinese Communist Party (CCP) outsources operations, shortens contract cycles, and prolongs the life of an exploit through additional resourcing and “n-day” usage.
- US cybersecurity goals, coupled with “Big Tech” market dominance, are strategic counterweights to the US offensive capability program, demonstrating a strategic trade-off between economic prosperity and national security.
- China’s offensive cyber industry is already heavily integrated with artificial intelligence (AI) institutions, and China’s private sector has been proactively using AI for cyber operations.
- Given the opaque international market for zero-day exploits, the preference among government customers for full exploit chains leveraging multiple exploit primitives, and the rise in bug collisions, governments can almost never be sure they truly have a “unique capability.”
Recommendations:
- Strengthen the supply chain by creating Department of Defense (DOD) vulnerability research accelerators, funding domestic hacking clubs and competitions, expanding the National Security Agency’s (NSA) Centers of Academic Excellence in Cyber Operations (CAE-CO) program, and providing legal protections to security researchers.
- Improve acquisition processes by establishing a government-sponsored vulnerability broker in a federally funded research and development center (FFRDC) to decentralize and simplify exploit purchases, while increasing cyber capability budgets and expanding research on automated exploit chain generation.
- Adjust policy frameworks to consider counterintelligence strategies in the zero-day market (burning the capabilities of malicious actors while recruiting willing ‘responsible’ actors into a more formal pipeline), funding n-day research through US Cyber Command (USCYBERCOM) where appropriate, and leveraging alliances like the Pall Mall Process to counter China’s growing cyber dominance.
Without meaningful reforms, the United States risks ceding to China whatever strategic advantage it has left in cyberspace. By fostering a more deliberate offensive cyber supply chain and adjusting acquisition strategies, the US can retain a steady supply of offensive cyber capabilities to maintain its edge on the digital battlefield.
Background
Securing the zero-day supply chain (and its private sector market) is critical to US-China conflict in cyberspace
“America has incredible offensive cyber power. We need to stop being afraid to use it.”
– Alexei Bulazel, current special assistant to the president and National Security Council senior director for cyber.
“Geopolitical conflicts are increasingly shifting to cyberspace, including tensions between the U.S. and China. Technology is therefore no longer just an area for opportunity, but also a battleground for control, values and influence.”
– Jeremy Fleming, former GCHQ director.
China and the United States are engaged in strategic competition in cyberspace. While cyber operations are often an overlooked area of geopolitical power, both countries’ militaries, intelligence communities, and law enforcement agencies conduct cyber operations. They do so to obtain intelligence critical to national security, support conventional military operations, and even create kinetic effects to achieve strategic goals. To make a cyber operation possible, one must have the ability to break into a particular system: offensive cyber capabilities (and particularly zero-day vulnerabilities) are the strategic resources required to conduct such operations.
The United States clearly wants to further leverage its cyber prowess in the international arena, particularly against the People’s Republic of China (PRC). Doing so would help the United States protect its critical national security and economic interests, international partnerships, and norms. However, to operationalize a “cyber power” strategy, the United States must acquire enough high-end capabilities to ensure it can achieve such strategic goals. Moreover, the timeline for implementing these policies is urgent, given the increasing potential for conflict with China in the coming years. Thus, given the international privatized offensive cyber capability market, how can the United States and its allies continue to ensure the supply of offensive cyber capabilities (focusing on zero-day vulnerabilities), while limiting China’s access to those same capabilities?
“China remains the most active and persistent cyber threat to US Government, private-sector, and critical infrastructure networks.”
– ODNI, 2024 Annual Threat Assessment.
“The era of network security has arrived, and vulnerabilities have become a national strategic resource.”
– Qihoo360 CEO Zhou Hongyi, Remarks on the 2017 China National Cyber Security Summit.
Cyber operations draw on a wide range of offensive cyber capabilities — many of the most critical of these involve the exploitation of “zero-day” vulnerabilities (also known as zero-days or 0days). Zero-day vulnerabilities are issues or weaknesses (“bugs”) in software or hardware, typically unknown to the vendor and for which no fix is available— in other words, the vendor has had “zero days” to fix the issue. Some of these vulnerabilities are exploitable: an actor with knowledge of the vulnerability could write code that takes advantage of it. This results in a “zero-day exploit”—code enabling a range of behaviors that could include establishing access to the computer system the software is installed on, escalating privileges on that system, or remotely issuing commands.
The work of finding vulnerabilities and writing exploits, due to its strategic necessity to governments worldwide, has become a billion-dollar international services industry in the last 20 years. Private firms now routinely create cutting-edge offensive cyber capabilities for governments. Given the sensitivity around supporting government cyber operations, many of these firms do not openly advertise their services, shrouding the industry in secrecy. Between this secrecy and the variation in products offered (i.e., governments target different technology systems, and no two zero-days are identical), the supply chain for such capabilities is opaque not only to outsiders, but also to governments and even to players within the industry.
Within this highly fragmented and opaque market, large firms, like the United States’ L3Harris or ManTech, frequently hold multi-million dollar valuations. Notably, Israel’s NSO Group’s value reached $1 billion at its peak. Meanwhile, individual US government agencies receive millions of dollars to procure offensive tools. Such companies’ tools have clearly been purchased by such government agencies and put to use in modern-day cyber operations. Notably, of all the zero-day vulnerabilities found exploited “in-the-wild” in 2023 and 2024 by Google, around 50 percent were attributed to commercial vendors that sell capabilities to government customers. While this statistic only encompasses detected zero-day exploits, it is still a significant set of capabilities being supplied by private sector actors.
The offensive cyber capability industry itself is international and varies in professionalization depending on the region; firms in Russia, Israel, Spain, Singapore, and the United States all have differing relationships with their home governments, other firms (including middlemen and brokers), international government customers, and even cyber-criminal groups. However, the study of offensive cyber capabilities has largely over-indexed on firms based in Israel and Europe rather than the United States’ greatest geopolitical rival: China. This is surprising, as the Chinese hacking and cybersecurity ecosystem is robust. Chinese firms have, on multiple occasions, been directly linked to Chinese government-sponsored cyber operations against the United States. Moreover, the development of offensive cyber capabilities in the United States remains largely unstudied, or examined in a way that does a disservice to the domestic hacker community.
Why is this question important?
At first glance, it can be difficult to see why the private sector zero-day exploit market—a series of obscure companies selling code that can enable governments to break into widely-used software—would matter to preserving national interests in cyberspace, particularly against China. A simple explanation of this relationship is as follows: the United States and its allies rely on an increasingly digital world, and China is both a savvy adversary and a hardened target in cyberspace. When any nation’s intelligence community wants to infiltrate high-value, hard-to-access digital targets, it likely must use zero-day exploits or other bespoke (i.e., customized or tailored) offensive cyber capabilities. Intelligence organizations from both the United States and China, due to decreasing internal supply and growing demand for such capabilities, have increasingly relied on purchasing such exploits from the private sector zero-day exploit market. However, the private sector zero-day market is murkier and more international than policymakers expect; even if the United States and China are truly entering a “New Cold War,” both countries still source capabilities from an overwhelmingly opaque international market of offensive cyber capability firms, and do not know whether they are being supplied with potentially overlapping capabilities. In short, any cyber operation that relies on an acquired capability, conducted by the United States, China, or anyone else, carries a counterintelligence and operational security risk, with no guarantee that a similar capability can be sourced in the future. Thus, securing the cyber supply chain (understanding the industry, constraining malicious actors, and ensuring availability from trusted parties) is critical to addressing such risks.
While former President Joe Biden’s administration sought to constrain private sector actors through additional regulation and by placing bad actors on the Entity List, these policies were framed around human rights concerns largely out of Europe and Israel. President Donald Trump’s administration is moving away from this approach, focusing on China as a geostrategic threat rather than on transnational digital repression framings, and signaling willingness to engage with private sector actors in the space. The Trump administration, as of 2025, has accelerated plans for a US Cyber Command (USCYBERCOM) 2.0, focused on working better with private industry partners. This is a continuation of the first Trump administration’s policies: Trump was the first president to delegate the authority for offensive cyber operations down to the secretary of defense (through National Security Presidential Memorandum–13), allowing USCYBERCOM more leeway to conduct operations without presidential approval, albeit still with a robust interagency review process.
If the United States wants to further leverage its cyber prowess in the international arena by leveraging private sector partners, does it have the supply chain and acquisition capabilities to back it up—particularly if its adversary is the People’s Republic of China? Although the author does not condone general analogies between cyber and other domains, supply chain and acquisition analysis in the cyber domain can resemble nuclear or other arms proliferation questions. For example, to answer whether a country has the capability to build a nuclear weapon, one must understand how much enriched uranium the country can easily acquire. Similarly, to answer whether a country can become a cyber power able to access the hardest digital targets, one must ask how easily it can source and acquire zero-days and other offensive cyber capabilities.
Methodology
This report combines quantitative data analysis with interviews of experts from across the offensive cyber capability ecosystem. The underlying research—conducted over ten months, from June 2024 to March 2025—occurred in three stages. It has since been revised and updated. The first was a comprehensive literature review of US-China cyber conflict, how the offensive cyber capabilities industry works, and recent Biden administration policies on combating the proliferation of spyware (which have impacted zero-day exploit acquisition and sales). The second analyzed data scraped from the open internet, largely from the website “CTFTime” (well-known for tracking Capture the Flag (CTF) competitions around the world), as well as secondary sources containing anonymized and aggregated information on the cybersecurity ecosystem. This report includes statistics from this dataset—the full dataset is available upon request. The third stage involved interviewing experts from across the national security and offensive cybersecurity ecosystem. The interviews, which began in December 2024 and concluded in March 2025, comprise the most significant part of this research. The roughly thirty experts consulted, both virtually and in person, came from one or more of the following backgrounds:
- Business leaders and senior employees of offensive hacking or vulnerability research firms in the United States, United Kingdom, Australia, New Zealand, and Canada;
- Senior defense acquisition and innovation officials in the US government;
- Security researchers around the world who focus on China or wider Asia-Pacific cyber issues;
- Current and/or former US and Five Eyes (FVEYs) intelligence officials; and
- Current and/or former US national security policy officials.
To narrow the project’s scope, and given the foreign intelligence and military concerns China poses, this paper focuses primarily on acquiring zero-days for foreign intelligence and military customers, rather than for domestic law enforcement. Although some of the analysis and final policy recommendations may be applicable to law enforcement, the analysis was conducted with intelligence and military end uses in mind. Because of the lack of publicly available reporting on this topic, the interviews are a major part of the paper’s findings. A list of interviewees can be found in Appendix B. For security reasons, many interviewees asked to remain unattributed. Anonymous interviewees are not individually cited in the text, to avoid identifying them from their aggregate comments.
The author’s background as a scholar, cybersecurity practitioner, think tank fellow, and founder of a Washington DC-based hacking conference heavily contributed to sourcing interviews with the hacking and cyber policy community. However, the author acknowledges that, given the highly fragmented nature of the offensive cyber capability industry, the findings in this paper are likely only part of the broader truth, and reflect her biases and affiliations. Many sources are former and current industry colleagues. One of the interviewees is her husband, Derek Bernsen, whose DARPA program, Intelligent Generation of Tools for Security (INGOTS), is mentioned in the paper. Any omissions, errors, or factual inaccuracies are the author’s alone.
The majority of the paper consists of an analysis of the US supply and acquisition funnel for offensive cyber capabilities, followed by an analysis of China’s supply and acquisition funnel, from which the author draws conclusions and recommendations for US policy moving forward. There are plenty of risks to this approach, two of which are mirror-imaging bias and “whataboutism” (justifying an approach because another party has done something similar). The author has tried, wherever possible, to remove such fallacies from her analysis. She justifies the overall approach through the following (somewhat obligatory) Sun Tzu quote:
“知己知彼，百战不殆。”
(“Know yourself and your enemy, and you will not know defeat in battle”).
Analysis
This section addresses the relative supply chains for offensive cyberspace operations of the United States and China, built around a tripartite model that encompasses a set of industry and government relationships characterized by significant degrees of internal complexity, opacity, and fragmentation. This model addresses (1) what the underlying international market for offensive cyber capabilities looks like, (2) which parts of this international market supply China and/or the United States with offensive cyber capabilities, and (3) how the United States and China acquire such capabilities.
A. The international offensive cyber supply chain

All software is built by people, and there are three kinds of bespoke software commonly used in a cyber operation: (1) exploit code that takes advantage of a software vulnerability, (2) a malware payload, and (3) technical command and control. All three are “offensive cyber capabilities.” While individual governments with the right expertise can build their respective capabilities in-house, many rely heavily on commercial vendors. In a 2024 report, the Atlantic Council identified forty-nine commercial vendors along with thirty-six subsidiaries, twenty-four partner firms, twenty suppliers, and a combination of thirty-two holding companies, ninety-five investors, and one hundred and seventy-nine individuals, including many named investors. Despite over-indexing on firms in Italy, Israel, and India, the companies and individuals named in this dataset hailed from every major continent except Antarctica, suggesting that each continent likely has hackers that provide offensive cyber capabilities to governments. While only a small subset of these firms can and do sell zero-day exploits, these named vendors are likely just the tip of the iceberg. Top-tier vulnerability research talent exists worldwide, hailing not just from the FVEY countries (the United States, Canada, United Kingdom, New Zealand, and Australia) and China but also from smaller nations like Egypt, Vietnam, and Cyprus (see Figure 1).
Figure 1: Heatmap of major known commercial vendors of offensive cyber capabilities, suppliers, and investors, 2024
Moreover, the above dataset excludes talent not yet plugged into the government cyber market. CTF competitions (hacking contests in a simulated environment), live hacking competitions (where hackers break into systems live on stage), and bug bounty programs (usually company-run reward programs that encourage hackers to find and report system vulnerabilities) enable hackers to develop skill sets similar to those required for government-sponsored hacking. These programs and competitions are common recruiting pipelines for defensive cybersecurity firms and offensive vendors alike.
The number of individuals who participate in such programs globally is staggering. In 2020, HackerOne, a well-respected bug bounty platform, reported around 600,000 users spanning 170 countries. A 2024 survey by Bugcrowd, one of the largest bug bounty and vulnerability disclosure firms on the internet, revealed that most of Bugcrowd’s over 200,000 hackers hailed from India, Egypt, Nigeria, Pakistan, Nepal, Vietnam, Australia, and the United States; 78 percent of them are self-taught, and 58 percent of them were under twenty-five years old. While not all of these individuals possess the skills to find zero-day vulnerabilities and write code to exploit them, several security experts interviewed estimated that there are likely thousands of individuals worldwide able to do so, with numbers in the low hundreds who could be trained to do so effectively.
What is required to create and sell a zero-day exploit?
Finding a vulnerability in a technology product or system is a highly manual, labor-intensive process that requires in-depth knowledge of how the target product works. Vulnerability researchers usually acquire such knowledge by reading through a target’s codebase and dependencies for small idiosyncrasies and errors. Depending on the size of the codebase (ranging from hundreds to millions of lines of code), this can be a time-consuming process.
However, finding a vulnerability (or “bug”) is only the first step toward creating a zero-day exploit. Once a bug is found, there is a series of follow-up questions that need answers. Is the bug exploitable (i.e., can it be used to do anything useful)? If so, can it be exploited reliably, or could it alert the target that something is wrong? Does the exploit work on only one version of the target or across multiple versions? These complex questions usually require additional quality assurance (QA) testing to produce a field-ready exploit, with the QA’s rigor depending on the risk aversion of the end customer. Any additional time spent conducting QA tests carries a risk that the technology firm producing the product finds the underlying vulnerability in the meantime and patches it, reducing the value of the exploit.
Instead of selling a single exploit, it is usually more lucrative and impactful to link the individual exploit (known as an “exploit primitive”) with others to create an “exploit chain,” using multiple exploit primitives in conjunction with one another to achieve a particular effect, such as gaining full control over a system. As of 2025, exploit chains are no longer simply an option for greater impact; now, they are often necessary to achieve any effect on a modern, enterprise-grade system. Many recent offensive security talks at major conferences, alongside security advisories from dominant technology firms, have moved away from analyzing primitives and toward analyzing exploit chains for this reason. However, not every exploit primitive can be used in the same chain. When trying to create a functioning full exploit chain (“full chain”), a company may work with middlemen (or “brokers”) to purchase primitives for the exploit chain it wants to build. This comes with additional risks. Since middlemen work with other middlemen, the original source of a zero-day exploit is often difficult to identify. This also raises the possibility that multiple parties have access to the same exploit, which, in turn, leads to a higher likelihood of discovery.
Because only a small number of large technology firms create most of the products used globally today, bug collisions (i.e., the parallel independent discovery of a vulnerability by multiple researchers) are also becoming increasingly common. This dynamic increases the risk for buyers and sellers, as a bug collision means an exploit is more likely to be used by multiple parties, resulting in a higher risk of discovery or false attribution by the private sector. It also erodes trust between the buyers and sellers of a capability, as the buyer can only take the seller’s word that the bug was discovered simultaneously rather than resold.
While selling offensive cyber capabilities (and particularly zero-day exploits) to governments is a lucrative profession, it is a risky industry. Creating a zero-day exploit to leverage against a widely used technology product may require between six and eighteen months of full-time engineering and research work. Unless an offensive cyber capability firm has multiple engineers working on different products or uses different payment schemes, this timeline can lead to long downtimes between exploit sales. This “feast-or-famine” payout schedule carries risks for firms that rely on one or two windfalls a year to pay their overhead and engineering costs.
In addition, finding a customer to sell exploits to is harder than it first appears. In general, potential sellers must find an existing government contract through which to sell their exploits or know the right government person to speak with. Unless an offensive cyber capability firm has hired employees who have recently left a government interested in such capabilities, actual buyers may be extremely hard to find. Thus, international hackers without former government connections often sell their products to middlemen, many of whom operate internationally. Even then, the exploit may pass through several levels of middlemen to reach a government customer, frustrating both buyers and sellers. Buyers know that exploits sold to them carry extremely high mark-ups, given the number of middlemen involved, and often will not know who the original bug producers are. Meanwhile, sellers are likely aware of the extreme markups, but do not know whether their bugs have been sold to multiple governments.
Throughout both the development and sale of an exploit, offensive cyber capability firms are also subject to counterintelligence risks from adversary governments. Since 2022, North Korea has consistently targeted vulnerability researchers globally to steal their tools and exploits. Vulnerability researchers also frequently report being solicited at security conferences by foreign intelligence officers falsely claiming to work for FVEYs governments. On the U.S. side, the government response to this counterintelligence threat has been half-hearted at best. While the Cybersecurity and Infrastructure Security Agency (CISA) reportedly announced initiatives to protect high-risk communities against cyber threat actors in 2024, security researchers who have tried to contact CISA have not found the program helpful. As a result, the offensive cyber capability industry does not perceive that the US government is interested in protecting this community, even from one of the world’s most unpopular and totalitarian nation-states.
As a result, most vulnerability researchers do not spend more than a decade in the profession, instead choosing to pivot into less risky segments of the cybersecurity industry. Those who stay in the market tend to do so for some combination of three reasons. First, they firmly believe in the mission—this largely describes either former government employees who have moved out to the private sector or individuals who wish to have their work “used for good.” Second, they are profit-motivated. The “feast” element of the feast-or-famine model provides an incredible windfall for certain highly skilled individuals. Third, they simply enjoy the challenge. A large portion of the vulnerability research community, and the hacker community writ large, exhibits a considerable amount of awe for their vocation (i.e., the only person who hacks textile looms, or the first person to “pop,” or exploit, the newest iPhone can feel like they have a superpower). This vocational awe creates camaraderie among the most passionate vulnerability researchers worldwide. For some researchers, exploitation is art, and they will often try to put the art above the artist. In that sense, some individuals in the international market, particularly those who interact more with the international community online or participate on international CTF teams, perceive geopolitics as an inconvenient truth. Chinese and Russian researchers can admire the work done by American researchers, and vice versa, while understanding that they will likely never work together.
B. The US acquisition pipeline
“An individual researcher who isn’t informed on what bugs are selling for may sell a good bug for 100k. By the time it makes it to a customer, an individual bug could go for 750k to 1 million dollars.”
– Former ONCD Official.
“The system by which zero day vulnerabilities are acquired is horrendously inefficient and broken.”
– Senior DOD official working on offensive cybersecurity research programs.
Given this international sphere of private sector hackers with the ability to find and exploit vulnerabilities, how does the United States develop and leverage this community to supply its offensive cyber operations? The sections below, and those mirrored in the following section on China, focus on sources of supply (companies that provide capabilities and the talent pools that support them) and acquisition methods (contracts, regulations, and informal roadblocks or enablers).
Supply—Global, opaque, and loosely affiliated networks.
Companies—Prime and subcontractor ecosystem.
While the US government has highly sophisticated cyber capabilities developed in-house, it increasingly purchases offensive cyber capabilities from a wide network of prime contractors and subcontractors. Many of the large firms that sell offensive cyber capabilities to the US government are the same defense contractors that sell it other kinds of software and even weapons. Large, traditional prime contractors like Raytheon (rebranded RTX) and L3Harris, as well as more technology-focused firms like Peraton, compete for multi-million dollar government contracts to support cyber operations and provide capabilities to the government. Many individuals who work for these firms are former DOD or Intelligence Community employees.
When large prime contractors cannot fulfill contract requirements, they often portion out the work to subcontractors. Some prime contractors are heavily reliant on small businesses, boutique research firms, and even individual researchers to fulfill contracts. Many of these subcontractors attract high-end vulnerability researchers and exploit developers worldwide, who are looking for flexible hours, high pay, and a company culture that better reflects the hacker community. Some contractors, to boost available capital, are funded or partially owned by venture capital, private equity, or other investment firms, which can shape the company's structure and strategy. For example, AE Industrial, a private investment firm, acquired the Israeli firm Paragon in 2024 and sought to merge it with US subcontractor RedLattice, which it also owns. The United States also likely sources tooling through its intelligence-sharing relationship with the Five Eyes (FVEYs). Given the existing close cooperation between the five countries' signals intelligence (SIGINT) agencies and the emphasis on "cooperative security," this cooperation likely translates into capability sharing as well.
The services and products such firms provide (whether as the subcontractor or the prime contractor) differ based on their government contract vehicle. Internal research and development services contracts enable government research teams to break into harder targets by providing supplemental staff. Procurement contracts for zero-day exploits exist in various forms, and subscription models for a company's full catalog (i.e., a flat fee for year-long access to everything the company finds) are not uncommon. For less sophisticated government clients, private sector firms may provide Access-as-a-Service models (i.e., black-box and end-to-end solutions) in which the contractor guarantees product maintenance for a specified timeframe. These Access-as-a-Service models combine zero-day exploits with other tooling into an all-in-one spyware solution, such as NSO Group's Pegasus spyware. Many prime contractors and subcontractors in the United States and the FVEYs experience the same issues and risks listed in the previous section (i.e., feast-or-famine timeframes, middlemen, counterintelligence risks, and the general difficulty of the field), which affects recruitment.
Some companies that provide capabilities directly to the US government have been innovating at the nexus of artificial intelligence (AI) and cyber operations. However, while individual researchers use AI to assist with code auditing and fuzzing, many of those focused on this area affiliate with academic institutions or large US technology ("Big Tech") firms rather than government contractors. Open, unclassified offensive initiatives do exist. For example, the Intelligent Generation of Tools for Security (INGOTS) program, within the Defense Advanced Research Projects Agency (DARPA), seeks to automate the creation, modification, modeling, and analysis of exploit chains. However, INGOTS is an exception to the norm. Most of the US intelligence community experiments with AI in-house, and US policymakers currently spend far more money encouraging companies to use AI for defensive purposes (e.g., DARPA's AIxCC partnership with Anthropic, Google, Microsoft, OpenAI, the Linux Foundation, and the Open Source Security Foundation to design, test, and improve novel AI systems that automatically find and fix vulnerabilities in code).
The DOD's AI strategy (originating in 2018, with updates in 2020 and 2023) has revolved around "Responsible AI": developing and using AI capabilities in accordance with the DoD AI Ethical Principles while delivering better, faster insights and improved mission outcomes. While the Trump administration has been moving away from "Responsible AI" strategies, its new Project Stargate, an injection of $500 billion over the next four years into building new AI infrastructure in the United States, is giving significant funding to OpenAI, whose investments in cybersecurity have been largely defensive in nature.
Domestic talent—Decentralized, defense-forward.
Feeder systems into US and US-affiliated offensive security firms come from a loose conglomerate of internship programs, cybersecurity conferences, and hacking competitions. Technology companies sponsor many of these conferences and competitions to encourage talent to enter defensive cybersecurity careers (a valuable but orthogonal field for the purposes of this paper's analysis). The bug bounty industry, as well as the defensive cybersecurity industry in the United States, hires plenty of hackers and former government cyber engineers (who might otherwise apply to work in offensive capability development) into defensive or more IT-focused roles ("SkillBridge and CSP Coordinators," Microsoft: Military Affairs, accessed March 16, 20). Some programs have formal relationships with the government, like the CyberCorps Scholarship for Service program, Hack the Pentagon, or university-based NSA Centers of Excellence. However, many of these programs funnel students into defensive jobs. Notably, of the 461 NSA cyber centers of excellence, only twenty-one are certified to train students in cyber operations.
Few universities have applied (i.e., non-theoretical) offensive cyber programs that feed directly into the private vulnerability research industry. Many students who learn how to hack in college do so through extra-curricular security clubs or CTF teams. In 2024, among all registrants, the United States had the most registered academic teams competing in CTFs on popular platforms. Many CTFs that US teams compete in are at cybersecurity conferences, hosted by academic institutions, or sponsored by technology companies. However, without consistent funding, alumni engagement, and professor buy-in, these clubs and teams often risk disappearing entirely due to a lack of overt support from their home universities.
Moreover, few university programs produce engineers ready to write fully functioning exploits. Multiple vulnerability research firms interviewed referenced a "training valley of death," where entry-level engineers out of college still require a year or more of skills development before they can produce a marketable product. While some intermediate-level trainings exist in companies or at conferences, they are currently insufficient in either technical depth or timeframe.
The US government has created some support for hacking contests, but at a much smaller scale than in other countries. The US National Institute of Standards and Technology (NIST) published a report on cyber competitions in 2016, suggesting that parts of the US government have historically understood the importance of such contests in developing offensive talent. NIST currently supports the US Cyber Games to recruit, train, and develop the workforce representing the United States in international cybersecurity competitions. This program engages 2,000 individuals in a single contest, the US Cyber Open, and annually trains roughly 150 students. Unfortunately, it is far from the lofty, national efforts pitched in NIST's initial paper and is dwarfed by the sheer size of Chinese-sponsored competitions (as shown in later sections).
Undermining all of these efforts is the anti-government sentiment that remains strong within the US cybersecurity and hacking community, which likely contributes to the difficulty of maintaining an offensive talent pipeline. Much of the original US hacking community emerged from countercultural movements like phone phreaking (i.e., bypassing Pacific Bell telephone lines to make long-distance phone calls without paying). Law enforcement responses from the 1960s to the early 2000s treated many hackers as criminals rather than innovators. In 1990, the Secret Service's Operation Sundevil seized more than forty computers and 23,000 data disks from teenagers in fourteen American cities and charged the individuals who ran the hacker magazine "Phrack" with interstate transport of stolen property. The charge was based on information published by Phrack that later proved to have already been publicly available. The arrests and subsequent court cases resulted in the creation of the Electronic Frontier Foundation. While the US government has made significant strides toward repairing its relationship with domestic hackers in recent years, anti-government sentiment still persists.
Reliance on and integration with the broader international hacking community
The US hacking community relies on and interacts heavily with the international hacking community. Multiple FVEYs vulnerability research company employees and founders interviewed claimed to hire individuals from other FVEYs countries, Europe, and South America to provide services. This international nature of US talent is most publicly apparent at the upper echelons of vulnerability research and exploitation competitions. Pwn2Own, sponsored by the American-Japanese cybersecurity software company Trend Micro, is the epitome of Western live-hacking competitions for vulnerability research firms. While it initially started at a security conference in Canada, the competition has expanded to events in the United States, Canada, Japan, Ireland, and Germany. While the United States had the most participating teams by country at Pwn2Own Ireland in 2024, they numbered only four teams out of seventeen, which included countries like the Netherlands, France, Vietnam, Taiwan, and South Korea (see Figure 2).
Figure 2: Number of teams participating in Pwn2Own Ireland 2024, by country
The talent pipeline for offensive security in the United States also corroborates this claim, particularly in CTF competitions. CTFs serve as talent development and recruitment for both vulnerability research firms and the broader cybersecurity industry. Data from the CTFtime website (used widely in the West for tracking CTF competitions) shows that the United States, as a country, has the most registered teams (16,774 as of August 19, 2024). However, there are just as many teams that are "international" in nature: over 16,000 either do not align with a single country or have members competing and collaborating on the same team from multiple countries (see Figure 3).
Figure 3: Teams on CTFtime by country, as of August 2024 (thousands)
Source: Winnona DeSombre Bernsen, data from CTFtime.com.
The most famous CTF competition in the world also corroborates this trend. DEF CON CTF, held annually in Las Vegas during DEF CON, the world's largest hacker conference, attracts both university students and seasoned industry professionals alike. Of the top twelve scoring teams in 2024, none came solely from the United States. All the top teams with US players were either international teams who practiced remotely with one another to qualify as a team, or several single-country teams that merged to compete (see Figure 4). For example, the 2024 winner was Maple Mallard Magistrates, a joint Canadian and US team formed by participants from Carnegie Mellon University, the Korean-American vulnerability research company Theori, Inc., and the University of British Columbia. Notably, joint Chinese and Russian teams, as well as single-country teams out of China, placed within DEF CON CTF 2024's top twelve.
Figure 4: Top scoring teams at the 2024 DEF CON CTF, and their countries of origin
US offensive cyber capability acquisition methods
Organizations that contract for cyber capabilities include federal intelligence agencies, the military, and law enforcement, such as the NSA, USCYBERCOM, and the Federal Bureau of Investigation (FBI). Contract requirements vary by agency. Some organizations can ingest single exploits, while others do not have the in-house talent to independently weaponize capabilities. Typically, the latter organizations require end-to-end, black-box solutions that necessitate additional engineering work and safeguards.
Government contracts for offensive cyber are compliance-heavy and favor large primes
The contracting ecosystem, with its many compliance requirements, inherently favors large prime contractors despite the earlier noted heavy reliance on small businesses, boutique research firms, and even individual researchers to fulfill contracts.
Put simply, small cyber firms find it extremely difficult to navigate DOD acquisition processes. Little reporting on the specifics of US offensive cyber capability acquisitions is openly available. Yet the general US software contracting requirements offer useful insight. The feast-or-famine timelines of zero-day exploit contracts require a company to have existing capital to withstand long downtimes between sales (like a large prime contractor), during which smaller companies may be one faulty bug away from going bankrupt. Any prime contractor on a government contract (i.e., a contractor bidding directly on a government contract) must also meet the highly stringent standards within the Federal Acquisition Regulations, including having cleared individuals for classified government contracts, meeting cybersecurity and other regulatory requirements, and getting financial systems audited.
Clearance requirements are also a significant pain point for small exploit firms, as many exploit contracts are classified. Businesses must go through the complex and costly Facility Clearance process to bid on, and even perform on, such contracts, which is difficult for smaller vendors. Moreover, certain contracts have active clearance prerequisites, which require a vulnerability research company to have the resources to obtain employee clearances (or to find another vendor to sponsor the needed clearances). This can exclude foreign companies from the bidding process (as foreigners, in general, cannot hold US security clearances).
Despite the hacker community's international nature, some customers also informally restrict the nationalities of employees who may work on contracts, limiting the flexibility of companies that wish to hire hackers abroad. Despite all these regulations, interviewees confirmed that many of these smaller firms and foreigners may, in effect, be working on such contracts anyway, via the sale of their services and products to added layers of contractors (or middlemen), at, of course, additional expense to the government.
On the government side, additional targeted regulations and policies trigger based on the product or the agency's risk aversion
Aside from the procurement process, additional regulations trigger (and place added burdens on the government buyer) depending on the type of offensive cyber capability acquired. If an exploit is sold to the government individually, the government organization must send the exploit through the Vulnerabilities Equities Process (VEP). All vulnerabilities sold to the United States government go through the VEP. Effectively, it is an interagency process that weighs whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to use the vulnerability for national security and law enforcement purposes. It is possible to get a waiver to bypass the VEP, but only if the government agency can assert a deeply pressing national security need for immediate use.
If the exploit is sold as part of an end-to-end spyware solution (or via an Access-as-a-Service model), other regulations also trigger. The US government, under Executive Order 14093, must ensure that a solution does not pose "significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person." Biden signed the order in 2023 to prevent the US government from supporting firms that also enable human rights abuses abroad, while mitigating the risk such firms pose to US government interests. Because end-to-end spyware solutions enable less sophisticated clients to conduct cyber operations, vendors providing such solutions have been caught selling to authoritarian countries, many of which had not yet built high-end cyber operations organizations in-house and did not have regulations to deter government spying on civil society organizations, political opposition groups, or journalists. The most famous example of a vendor engaging in such activity was the Israeli company NSO Group, whose sale of its Pegasus spyware to the Saudi government was tied to the surveillance and subsequent assassination of Washington Post journalist Jamal Khashoggi.
The US military and intelligence communities also have additional internal requirements for procured zero-day vulnerabilities, particularly in the name of stealth and risk aversion. Zero-day exploits provide the lowest risk of detection in a cyberspace operation (as they do not rely on previously known "n-day" vulnerabilities) and can provide initial access to a system by exploiting pre-existing weaknesses rather than having to somehow manufacture weaknesses in an adversary system. However, to further minimize the discovery risk of an operation, a government buyer may additionally require a vendor to submit its product to QA testing for reliability, to see whether and how often an exploit fails. Failure means that the exploit does not succeed in triggering the desired activity and potentially leaves suspicious artifacts on the target device. The reliability requirement adds cost and time, and it can also create a risk of intellectual property and trade secret theft if the third party conducting the QA is a competitor of the original vendor.
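The reliability QA step described above is statistical at heart. The following added example (written for this edit, not taken from the report or from any vendor or agency it describes) shows one way such an acceptance check could be expressed: run the exploit repeatedly against a freshly reset target, and accept only if the Wilson lower confidence bound on the success rate clears the required threshold and the share of failures that leave artifacts (such as a crash log) stays under a ceiling. Everything in it is hypothetical: the names `assess_reliability`, `Outcome` and `ReliabilityReport`, the thresholds, and the outcome log, which is constructed rather than measured. The real exploit runner and the target reset between runs are out of scope and are represented by a replayed log.

```python
"""Reliability acceptance check for a purchased exploit (added illustration,
not from the report or any vendor). All names are hypothetical and the
outcome log below is constructed, not measured."""
from dataclasses import dataclass
from enum import Enum
import math
from typing import Callable, Iterable


class Outcome(Enum):
    SUCCESS = "success"        # exploit triggered the intended effect
    CLEAN_FAIL = "clean_fail"  # no effect and target undisturbed (e.g. unlucky heap layout)
    NOISY_FAIL = "noisy_fail"  # target process crashed; crash report or log left on the device


@dataclass(frozen=True)
class ReliabilityReport:
    trials: int
    successes: int
    clean_fails: int
    noisy_fails: int
    rate: float          # raw success fraction
    lower_bound: float   # Wilson score lower bound on the true success rate
    accepted: bool


def wilson_lower_bound(successes: int, trials: int, z: float = 1.96) -> float:
    """Lower bound of the Wilson score interval (z=1.96 is roughly 95% confidence).

    Used instead of the raw fraction because 20/20 successes does not mean
    100% reliability; the bound reflects how few trials were actually run.
    """
    if trials == 0:
        return 0.0
    p = successes / trials
    z2 = z * z
    denom = 1.0 + z2 / trials
    centre = p + z2 / (2.0 * trials)
    margin = z * math.sqrt(p * (1.0 - p) / trials + z2 / (4.0 * trials * trials))
    return (centre - margin) / denom


def assess_reliability(attempt: Callable[[], Outcome], trials: int,
                       required_rate: float, max_noisy_fail_rate: float = 0.0,
                       z: float = 1.96) -> ReliabilityReport:
    """Run `attempt` `trials` times and apply the buyer's acceptance criteria.

    `attempt` is expected to reset the target (fresh VM snapshot or device
    image) before each run; this harness only tallies outcomes. Acceptance
    requires the lower confidence bound on the success rate to clear
    `required_rate` AND the observed share of artifact-leaving failures to
    stay within `max_noisy_fail_rate`.
    """
    counts = {o: 0 for o in Outcome}
    for _ in range(trials):
        counts[attempt()] += 1
    successes = counts[Outcome.SUCCESS]
    noisy = counts[Outcome.NOISY_FAIL]
    rate = successes / trials if trials else 0.0
    noisy_rate = noisy / trials if trials else 1.0
    lb = wilson_lower_bound(successes, trials, z)
    accepted = lb >= required_rate and noisy_rate <= max_noisy_fail_rate
    return ReliabilityReport(trials, successes, counts[Outcome.CLEAN_FAIL],
                             noisy, rate, lb, accepted)


def replayed_attempts(outcomes: Iterable[Outcome]) -> Callable[[], Outcome]:
    """Stand-in for a real exploit runner: replays a fixed, constructed outcome log."""
    it = iter(list(outcomes))
    return lambda: next(it)


# Constructed outcome log: 90 successes, 7 clean failures, 3 noisy failures.
SAMPLE_LOG = ([Outcome.SUCCESS] * 90 + [Outcome.CLEAN_FAIL] * 7
              + [Outcome.NOISY_FAIL] * 3)


def demo() -> ReliabilityReport:
    # A buyer asking for at least 80% demonstrated reliability and
    # tolerating at most 5% of runs that leave artifacts behind.
    return assess_reliability(replayed_attempts(SAMPLE_LOG), len(SAMPLE_LOG),
                              required_rate=0.80, max_noisy_fail_rate=0.05)


if __name__ == "__main__":
    r = demo()
    print(f"{r.successes}/{r.trials} succeeded (raw {r.rate:.0%}, "
          f"95% lower bound {r.lower_bound:.1%}); noisy failures {r.noisy_fails}; "
          f"accepted={r.accepted}")
```

The point of using the lower bound rather than the raw rate is that a vendor's "works 9 times out of 10" claim based on ten runs says much less than the same ratio over a hundred, and a buyer whose operations depend on not being noticed cares about the pessimistic end of that interval. Separating noisy from clean failures captures the report's observation that a failed trigger can leave artifacts: a buyer may tolerate silent misfires that can simply be retried but not crashes that a defender's telemetry would record.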
0-days v. n-days: What's the difference?
The focus on zero-day exploits as capabilities in this paper may suggest that zero-day exploits are the dominant method of exploiting systems. The opposite is true: zero-day exploits are not the dominant way to exploit systems and obtain information in the offensive ecosystem. Oftentimes, the simplest methods of obtaining access are the most effective, even if they may get attributed, or "burned." While simple methods can include phishing emails or social engineering, they can also include "n-day exploits": exploit code that uses known vulnerabilities to achieve a certain goal, effectively relying on a target not regularly updating their systems.
A zero-day exploit, when compared to an n-day or other more common capability, is similar to comparing an F-35 fighter jet to a commercially made drone: one is an exquisite, highly tailored capability, while the other can be made cheaply and at scale. However, while there are very important things an F-35 can do that drones cannot, both can fly from point A to point B and deliver a payload.
A government buyer's interest in stealth can, at times, create market inefficiencies. Various vendors interviewed claimed that certain government customers may not tell a vendor what type of target or exploit they want, leading to an inefficient process in which vendors might work on an exploit that a government customer has no intent to purchase. Alternatively, vendors said that other government customers purchase a company's entire catalog of exploits to hide the specific exploit they are after. However, this is likely a decreasing practice given the increasing cost of zero-day exploits. Both of these practices likely seek to increase operational security and avoid the risk that anyone outside the government buyer learns of any intended targets in cyberspace, particularly when dealing with a market of increasingly international firms.
Given the increasing costs of exploits and stagnating budgets, US government customers can also become territorial toward others within the interagency. Some vendors interviewed noted that government customers can become possessive and entirely unwilling for their vendors to share exploits with other customers. This can cause vendors to avoid selling even entirely distinct products to other government agencies, for fear of damaging the relationship with a current buyer. While buying bugs jointly is a potential interagency option, it is rare. Coordinating the movement of funding between agencies is time-consuming, requiring forethought that is not in keeping with the normal market pace. Throughout this relationship, trust between the supplier and end client is key. There is a risk that the government client will cut into the supplier's bottom line by being too risk-averse and territorial. There is also the risk that the supplier has worked with untrustworthy parts of the international supply chain, resulting in an untrustworthy product for the government client. In this field, trust is currency.
International and regional policies around exploit sales affecting government purchasers are also on the horizon. In 2024, the United Kingdom and France initiated the Pall Mall Process as an international dialogue intended to establish guiding principles for the "development, facilitation, purchase, and use of commercially available cyber intrusion capabilities." The process emerged from international outrage over NSO Group's sales to numerous authoritarian countries worldwide, alongside further revelations that the offensive cyber capabilities market was growing rapidly. This mission, in theory, is much broader than "end-to-end" spyware: it encompasses the development, sale (by brokers or companies), and use of spyware, which includes the acquisition, development, and maintenance of zero-day exploits. The consultation summary report initially included laudable proposals around zero-day exploitation, such as encouraging VEP programs internationally and creating clear guidelines for vendors in the field. However, several follow-on reports on Pall Mall have focused primarily on applying international law frameworks to government use of such capabilities or on state-by-state policy guides. This suggests not only a divergence in stakeholder interest over which issue Pall Mall should tackle first, but also a divergence in understanding of how to translate international norms to an operational level across countries.
US Big Tech companies as a strategic counterweight
Because the use of zero-day exploits in cyber operations inherently takes advantage of weaknesses in private sector software products, US domestic technology companies' cybersecurity measures are a strategic obstacle to US offensive cyber goals. In many ways, this is a strategic obstacle by design. The public outcry over the US intelligence community's efforts to influence the distribution of deliberately insecure products, or to mandate backdoors into existing technology products, has shifted US policy away from built-in eavesdropping tools and toward ensuring that US products are secure by design. However, companies like Google, Apple, Meta, Microsoft, or Cisco are frequent targets for vulnerability research and exploitation because their products are so prevalent. Any private sector vendor, with or without insider knowledge, can easily assume that a zero-day exploit against a widely used application will likely be more attractive to a potential government customer, and is thus incentivized to exploit those applications. This is particularly obvious in the mobile market, where Android (developed by Google) is on 71 percent of all phones globally and iOS (developed by Apple) is on 28 percent; in other words, 99 percent of global phones run US Big Tech software. As a result, plenty of offensive cyber capability firms worldwide have been found selling products with iOS and Android exploits.
US Big Tech companies, to protect against exploitation and government operations against their users, have invested heavily in cybersecurity defenses, taken steps to make their products secure, and thwarted government attempts to make their products less secure through regulation. The complexity and robustness of cybersecurity mitigations (such as sandboxing, crash logging, and other exploit mitigations) have extended development cycles for exploits (from days or weeks in the early 2000s to six to eighteen months or more) and have also driven up prices.
The actions by US Big Tech companies have made zero-day exploitation extremely difficult over the past decade for five reasons. First, security measures have resulted in hyper-specialization within the offensive cyber capabilities industry. As product codebases become ever more complex, learning how a product works in order to find vulnerabilities becomes more time consuming, and vulnerability researchers have fewer incentives to look at more than one product. Second, because of layered security measures, most vulnerability research shops now must not only find single exploits (i.e., exploit primitives) but also be able to chain them into exploit chains to successfully gain access to the newest iOS or Android phone. Third, the act of chaining exploits together and maintaining the chain for a government customer has also become increasingly difficult, with large technology firms employing fast turnarounds to fix vulnerabilities (i.e., "quick-patch cycles"). Fourth, some US Big Tech companies have created threat-hunting teams, like Google's Project Zero, dedicated to researching zero-days found "in the wild" (i.e., being actively exploited by an attacker) and conducting novel research to directly thwart efforts by offensive firms to exploit any devices.
Finally, Western Big Tech firms have begun suing offensive cyber capability firms in US federal courts. While the lawsuits do not yet involve US firms, the precedent set in these cases may expose US contractors to the risk of future lawsuits. In 2019, WhatsApp sued NSO Group for violating the Computer Fraud and Abuse Act (CFAA), the primary US anti-hacking law, and the WhatsApp platform's terms of service. This case was widely regarded as a win for human rights. Namely, a large company with an extensive history of providing products to human-rights-abusing governments, who primarily used the platform to spy on domestic civil society groups and even on US government personnel, was forced to cease its activities exploiting WhatsApp software and to pay significant damages. However, because the argument laid out in the case relied on an explanation of how NSO's exploits worked, both vendors and government officials alike have concerns about the ripple effects it may cause in the zero-day research community. In particular, NSO Group was found in violation of the CFAA because its Pegasus spyware used a WhatsApp exploit to deliver Pegasus to WhatsApp users across all major operating systems, despite the fact that it was likely doing so on behalf of a government customer. While, unlike for the Israel-based NSO Group, the national security carve-out in the CFAA may protect most US firms, this particular part of the anti-hacking law has not yet been tested in US courts.
C. China’s acquisition pipeline
“This market [for offensive cyber] is basically land reclamation. Look at the legion model of Huawei and Qi Anxin – they’ve got 10,000 people, and we have a team of 100.”
– Leaked chat between co-founders of Chinese cyber mercenary firm iSoon, January 14, 2022.
“Why would the PLA want to work with us? We are a non-Chinese party … they cannot control what we tell people. [But] the PLA could always go through a third party, or go through someone else … I [would] not have a problem selling something to the Chinese government.”
– Thomas Lim, founder of the Singaporean exploit firm COSEINC (Risky Business podcast, 2014).
Supply—Well established, complete feeder techniques
Companies—Prime and subcontractor ecosystem, with outsourcing of each functionality and operations to the non-public sector.
China’s offensive cyber capabilities companies are additionally a mixture of each massive prime contractors and smaller bespoke firms. However, in contrast to US protection primes, prime contractors for China’s offensive cyber tasks are sometimes the identical Chinese huge tech companies that promote merchandise within the international market. China’s main cybersecurity companies, akin to QiAnXin, Huawei, Qihoo360, and NSFocus present companies on to the Chinese army—Qihoo360, China’s main antivirus firm, assisted with China’s hack of the US medical insurance firm Anthem. Many of the big expertise companies even have inside bespoke groups that concentrate on offensive safety work. However, in contrast to the Google Project Zero mannequin, such inside groups immediately present analysis on exploitation to the federal government reasonably than making government-funded zero-day analysis onerous. Chinese massive expertise companies additionally immediately fund or subcontract work to small- and medium-sized offensive safety start-ups. Cofounders of such offensive safety start-ups are normally serial entrepreneurs, who additionally encourage households to enter the {industry}. For massive tech companies that wouldn’t have embedded offensive safety groups or bid for presidency contracts immediately, China’s 2021 Vulnerability Disclosure Law forces engagement with the general offensive pipeline regardless (as defined within the sections beneath).
Chinese offensive cyber capabilities companies (each prime and subcontractors), akin to No Sugar Tech seen within the picture above, present a number of offensive-cyber companies without delay. These can embrace numerous choices, promoting concentrating on platforms, numerous hacking companies, and even entry to victims’ units and information on to the Chinese authorities—an outsourcing of each functionality and operations to the non-public sector. This is a wider remit than US companies, which regularly solely present the capabilities. When Chengdu-based offensive safety firm iSoon’s advertising and marketing supplies and inside chat logs have been leaked on-line in 2023, researchers found that iSoon bought all three companies (hack-for-hire, promoting sufferer information gained by immediately hacking targets, and concentrating on platforms for such hacking) to a wide range of Chinese authorities shoppers. iSoon additionally subcontracted for the most important Chinese cybersecurity firm Qi An Xin, whereas sourcing vulnerabilities and different capabilities from different companies after they couldn’t supply companies in-house. For instance, iSoon cooperated with Chengdu 404 on analysis relating to “software vulnerability of information systems”—Chengdu 404 was beforehand indicted by the US Department of Justice (DOJ) for conducting laptop intrusion campaigns towards greater than 100 international victims.
Chinese researchers also experiment heavily with changing the underlying cyber landscape by using AI, with government support. As early as 2017, the Chinese government began to integrate “intelligentization” into its armed forces and contractors: the concept of incorporating numerous emerging technologies, including decentralized computing, data analytics, quantum computing, AI, and unmanned or robotic systems, into the PLA’s conceptual framework. Chinese cyber actors have been using large language models since 2024 to create deepfakes for disinformation campaigns, but this likely only scratches the surface. Researchers believe China already uses far more cutting-edge AI research in cyber operations. Since 2021, at least six Chinese universities with links to known Chinese state-sponsored cyber operations have been conducting cutting-edge AI research. Moreover, China’s AI industry has deep connections with its offensive cyber industry. Since 2021, an AI tool created by Huawei, a sanctioned Chinese company, has been a dominant contributor to the Linux kernel. A majority of contributions from Huawei’s AI tool, known as “HULK bot,” are fixes for previously unknown vulnerabilities (the tool is a machine-learning enabled fuzzer). Despite Western-led efforts to prevent Chinese firms from obtaining semiconductors able to support the training of high-end large language models, this has not impacted Chinese AI firms as deeply as initially expected, and it suggests that Chinese cyber operators will increasingly be able to make use of AI research in the future.
Domestic talent: large, centralized, state-sponsored
While the United States relies on a global talent pool to secure these capabilities, China largely relies on its domestic talent but is moving to capture more of the market in East Asia. China has an incredibly robust domestic pool of offensive hacking talent: the Chinese hacking ecosystem, as judged by its CTF competitions alone, is immense. Government sponsorship ensures large-scale funding, extensive participation, and stable career pipelines for top competitors; China’s top ten national CTF competitions attract over 11,000 participants on average. This is in stark contrast to the 2,000 people participating in the US Cyber Open, the top contest among the US’s relative handful of government-sponsored contests. By sheer numbers alone, it is unsurprising that China each year has more graduates in the science, technology, engineering, and mathematics (or “STEM”) fields than the United States produces in total college graduates.
Of course, the Chinese CTF ecosystem is only part of a comprehensive and deliberate feeder system from universities, cybersecurity conferences, and hacking competitions into the Chinese offensive cyber apparatus. Chinese military universities and high-end science and engineering schools produce high-caliber graduates in deeply applied offensive cybersecurity research, some of whom are encouraged to develop final projects that involve hacking into US companies. Many of them, upon graduating, either work on offensive teams at existing offensive security firms, found an offensive cyber start-up, or work directly for high-end teams in China’s Ministry of State Security (MSS) or People’s Liberation Army (PLA). Talent pools from China’s higher education are also supplemented by a wide array of government-sponsored hacking competitions and conferences. The Chinese government has hosted hundreds of official CTF and other industry-standard hacking competitions, often in partnership with many of its ecosystem’s offensive security companies and with universities that provide financial incentives for students to participate. Many other CTF competitions were directly founded by top Chinese teams that used to compete internationally, while other competitions have involved breaking into real foreign technology products and even business systems. The Chinese government and its leading offensive firms seek to recruit directly from these competitions. (Interview with Dakota Cary, Fellow, Atlantic Council Global China Hub, January 8, 2025.)
Unlike the United States, the People’s Republic of China (PRC) has the unique advantage of having a hacking community that originated in explicit, patriotic alignment with state interests, making such hackers easier to recruit. One of China’s first hacker groups was the Hongke Union, which, in 2001, famously took down the White House website and defaced websites of US companies in retaliation for the collision between a US spy plane and a Chinese fighter jet off Hainan Island. In the early to mid-2000s, as China was experiencing unprecedented economic growth, China’s hackers either professionalized and created technology companies, were co-opted directly into China’s growing cyber forces, or both. For example, the head of the Green Army, Jiye Shen (a.k.a. “Goodwill” on hacker forums), created the internet security company NSFocus in 2000.
Meanwhile, in 2005, the PLA directly recruited Tan Dailin (谭戴林, a.k.a. Wicked Rose), a student at the Sichuan University of Science and Engineering, to design hacking tools for the Chinese military. Wicked Rose then formed a patriotic hacking group to break into DOD computer systems in 2006. The MSS, China’s foreign intelligence organization, also began recruiting talent both directly and indirectly during the early 2000s. This organization has suited the many hackers less able to conform to the physical fitness tests or other rigid requirements the PLA typically imposes on its military recruits, while offering just as many benefits.
The Chinese government has spent the last decade effectively closing off its domestic talent pool from outside influence. From 2016 to 2021, China effectively began to prevent hackers from sharing research with the international hacking community. In July 2016, Wooyun, a vulnerability disclosure platform created by the Chinese “ethical hacking” community, which had engaged frequently with Taiwanese and other international hackers, was suddenly taken down, and its founding members were arrested by Chinese authorities without charges. Some China researchers speculate that the takedown was an action taken at the behest of the MSS, China’s primary intelligence service, which wanted to control the vulnerability market. In 2018, China introduced a regulation (“Regulating the Promotion of Cybersecurity Competitions”) effectively banning hackers from travelling abroad to participate in hacking competitions, as well as requiring any vulnerabilities found through domestic competitions to be reported directly to the Ministry of Public Security (MPS), China’s law enforcement organization, and other relevant departments. Chinese hacker participation at contests like Pwn2Own dropped to zero, and the number of presentations given by Chinese researchers at Taiwanese conferences fell precipitously.
More recently, China has expanded its reach into East and Southeast Asia through hacking competitions and partnerships with regional researchers, seeking to secure more talent on its own terms. Academics from the Harbin Institute of Technology and Beijing University of Posts and Telecommunications have advocated actively engaging with hacking communities in East Asia, seeking to influence future international standards for how vulnerabilities are discovered and managed. While Chinese hackers cannot participate in most Western hacking competitions, Chinese CTF events often attract and even outright invite talent from the wider East and South Asian regions to participate. The QiangWang Cup and RealWorldCTF (linked to the PLA and MSS, respectively) are two Chinese hacking contests that historically have had participants from Vietnam, Japan, Russia, Ukraine, and even the United States. Moreover, China prolifically sponsors and hosts international hacking conferences to draw in international talent. Chinese researchers, while unable to participate in most outside hacking competitions, still have a large presence at “Hack in the Box” Dubai and other conferences, which reflects the coordination and sharing that China and the United Arab Emirates have in cyberspace. The Chinese conference “GeekCon” (active in China from 2014 to 2021) re-established itself in Singapore from 2021 onwards, soliciting international talks while insinuating that it still abided by China’s vulnerability disclosure laws. Elite Chinese and South Korean offensive security research companies (Pangu Team and POCSecurity, respectively) consistently collaborate to recruit international talent to MOSEC, a conference on mobile security hosted in Shanghai annually.
It is clear that China, while restricting the movements of its domestic hackers, already sources some vulnerabilities from foreign hackers living abroad. COSEINC, a Singaporean vulnerability research company run by Thomas Lim (a Singaporean national with ties to China), was placed on the US entity list in 2021, likely for selling exploits to the Chinese government. Lim, a known figure in East Asia’s vulnerability research circles, publicly stated that he was not against selling his products to the Chinese government. China may also be tricking researchers into handing over bugs to the Chinese state. In 2021, Taiwanese vulnerability researcher Orange Tsai reported a vulnerability to Microsoft that impacted its Exchange servers two days after a Chinese Advanced Persistent Threat (APT) group began exploiting the same vulnerability in its operations. This suggests that either two separate individuals (one Chinese and one Taiwanese) independently discovered the vulnerability, or information about the vulnerability was somehow obtained from the researcher by a Chinese entity.
China’s offensive cyber capability acquisition methods
Government contracts for offensive cyber care less about stealth than access, and provide more resources to firms.
The Chinese system accepts higher operational risk for the sake of speed and flexibility. China’s acquisition system has decentralized mechanisms, such that even provincial and municipal government entities contract directly with local cyber firms. iSoon’s former website listed over fifty-six different clients, ranging from the MPS to a wide variety of provincial, city, and municipal public security bureaus, effectively the equivalent of FBI field offices. Based on the leaks, iSoon held individual contracts for goods and services with several municipal- and provincial-level bureaus (comparable in size to the Cincinnati or Pittsburgh police departments) purchasing hack-for-hire capabilities. Chinese legal scholars have also bemoaned the lack of clear pre-, mid-, and post-supervision structures for intelligence operations in China’s national intelligence apparatus more broadly. This suggests that decentralization is a feature of the overall system rather than an exception.
Unlike in the United States, where government acquisition is slow and risk-averse, Chinese firms can operate opportunistically, sometimes combining cybercrime with state-sponsored activity, with minimal fear of reprisal as long as they align with state interests. Internal discourse from within the Chinese hacker community suggests that, despite China’s cybersecurity laws and ancillary regulations on vulnerabilities, there is a gray zone between what activity is permitted and what might get a patriotic Chinese hacker “invited to tea” at MPS or MSS offices. One well-known example is Wicked Rose, who, after creating the NCPH hacker group and defacing several US websites, was arrested by the MPS in 2009 for engaging in domestic cybercrime. He likely received a commuted sentence in exchange for an agreement to contract for the MSS just two years later (which resulted in Wicked Rose founding Chengdu 404, a company indicted by the DOJ in 2020), and was likely permitted to continue his criminal activities as long as they targeted victims outside China. China researchers interviewed have also suggested that the Chinese government gives hackers significant leeway, while underpaying them for services and handling its most sensitive matters in-house. While the Chinese government deliberately depresses prices and exercises monopsony power, its decentralized model and tolerance of a “grey zone” permit a more flexible contracting environment that allows smaller players in. Small and medium-sized companies like iSoon, Chengdu 404, and others have been shown to obtain contracts through a mix of “guanxi” (networking and relationship building) and formal contracting processes.
Most importantly, the PRC’s overall contracting process, including the loose leash on its corporate hackers-for-hire, largely does not penalize organizations when they are caught or attributed. In 2013, the security firm Mandiant published a report on APT1, the first publicly outed Chinese threat group, and attributed it to the Chinese PLA Unit 61398. While the report initially sent shockwaves through the Chinese state security apparatus, many quickly realized that naming and shaming did not result in strategic-level or department-level pain. Rather, most US policies that resulted from “naming and shaming” threat groups fell into two categories: DOJ indictments of individual Chinese hackers (who likely were not planning on leaving China for a US-extradition-friendly state anyway) or economic sanctions on Chinese offensive security companies that did not plan on doing much business with Western firms. Thus, while middle managers in China’s security services likely must prioritize both operational tradecraft and obtaining intelligence of strategic value to the Chinese Communist Party, the goal of obtaining such intelligence significantly outweighs the requirement to adhere to tradecraft and professionalism, as attribution imposes few real costs on the managers of such operations. Of course, as with the gray zone, there are likely exceptions to this rule, such as when a single Chinese company causes the broader CCP intelligence apparatus to “lose face.”
China’s apparent preference for results over avoiding attribution also allows Chinese organizations to make use of riskier capabilities (such as noisier, easier-to-detect n-day vulnerabilities) and to reuse infrastructure, even when doing so allows Western organizations to detect them more easily. In that sense, truly “burning” (or disposing of) a capability is far rarer in China. Moreover, this preference provides room for private-sector hackers to experiment. Some Chinese offensive cyber capability shops may observe what other countries’ offensive teams are doing “in the wild” and attempt to echo the techniques of other countries’ APT groups. For example, Chinese APTs were able to exploit a vulnerability linked to NSA hacking tools leaked online in 2017, prior to the leak itself, suggesting that either an elite Chinese team found the same bug as the NSA during the same timeframe, or they were able to detect the NSA exploit, reverse engineer it, and then use it themselves.
Finally, CCP intelligence and law enforcement mechanisms clearly provide consistent resourcing to their offensive firms, likely to help shorten the feast-or-famine cycles. Experts following the Chinese cyber capabilities market largely agree that the Chinese government likely has a means of sharing vulnerabilities among both its private sector and government operators, with tiers of access and privileges. The sources of vulnerabilities likely range from hacking competitions like the Tianfu Cup, to acquisitions from existing contractors (both foreign and domestic), to vulnerability reports submitted to the MSS-operated China National Vulnerability Database (CNNVD) and other government vulnerability databases.
China’s combination of a revealed results-forward preference over stealth and a commitment to resource sharing with its private sector results in a unique vulnerability resourcing process, where small subsets of more elite hacking “A-teams” get early access to zero-day vulnerabilities. However, once the vulnerability is discovered, the Chinese government opens the capability to other groups. This was famously evidenced in the 2021 Microsoft Exchange attacks, where a Chinese APT group exploited a vulnerability targeting Microsoft Exchange two days before the vulnerability was reported to Microsoft on January 5th. Before Microsoft could issue a patch for the vulnerability, several other Chinese APT groups began using the same exploit in their campaigns. Microsoft released a patch for the vulnerability on March 2nd; one day later, Chinese threat groups began exploiting the vulnerability en masse. However, while the Microsoft Exchange vulnerability is the most infamous example, Chinese threat analysts have seen this pattern play out for even non-critical vulnerabilities in other public-facing services, such as web servers, virtual private networks (VPNs), and other edge devices. This rapid weaponization of both 0-day and n-day vulnerabilities also explains why certain campaigns use relatively new vulnerabilities or entry points to gain access to targets that are relatively low-hanging fruit: at this point, the “D-teams” have received access to the capabilities previously used by “A-teams.” In some senses, this results in an endless ability to efficiently weaponize offensive cyber capabilities: this system allows organs of the PRC government to efficiently build, purchase, and weaponize capabilities ranging from the mediocre to the exquisite. It also stands in stark contrast to the US model, effectively extending the shelf life of a purchased capability.
Currently, China has yet to engage with the Pall Mall process or other international codes of practice to govern the acquisition and use of offensive cyber capabilities.
China uses its CTF and regulatory ecosystem to solicit bugs informally from hackers for national security use; its leading technology companies are strategic allies in sourcing exploits.
As stated previously, China effectively prevented its domestic vulnerability research talent pool from sharing research with the broader community between 2016 and 2021. During this time, China began ramping up hacking opportunities and vulnerability disclosure programs domestically: the CNNVD (the previously mentioned MSS-run vulnerability database) grew its partnerships from fifteen technical support units and partner companies in 2016 to 151 companies in 2023. This expansion drew in Chinese Big Tech firms like Tencent, Huawei, and Hikvision, which could report vulnerabilities in their own products. Other partners also included specialized offensive capability firms. Moreover, hackers who could not compete internationally were encouraged to compete in Chinese live-hacking competitions, like the well-known Tianfu Cup, founded in 2018 as a “Chinese Pwn2Own.” However, both the Tianfu Cup and the CNNVD have ties to the Chinese intelligence and law enforcement apparatus. In 2017, researchers found that if a vulnerability reported to the CNNVD had value to MSS cyber operations, the CNNVD would delay publishing the vulnerability, write an exploit for it, and use it in operations. Meanwhile, the Tianfu Cup was (and remains) a vulnerability feeder system for the MPS, China’s national police. Vulnerabilities submitted as part of the Tianfu Cup competition are sent straight to the MPS, where they could be used in law enforcement operations against Uighurs and other minority groups. If the vulnerabilities were not already full exploit chains (i.e., ready to use), the MPS would disseminate the proof-of-concept code to private firms to develop further.
In addition to its domestic researchers, China has even integrated its heavyweight tech firms into its offensive cyber programs. Unlike US Big Tech companies, which act as a strategic blocker against the US vulnerability ecosystem, Chinese technology companies (and even foreign tech companies operating in China) are far more beholden to the Chinese government and have largely been co-opted into the CCP’s vulnerability acquisition funnel. This is unsurprising. While Chinese technology firms have market caps comparable to their Western counterparts, their primary customers are still domestic Chinese consumers. For example, Huawei, the leading smartphone company in China, makes up only 4 percent of the global smartphone market.
China began integrating “civil-military fusion” concepts into its cybersecurity industry starting in 2017, embedding military units into its domestic cybersecurity companies. Setting up a PLA military-civil fusion center in a company allows the Chinese military to connect with industry peers and resources almost seamlessly by embedding military members in companies to work side by side with internal staff. Various entities, including universities and private companies, use this model to collaborate with the Chinese government to submit zero-days, co-partner on defense research labs, and set up private IT infrastructure for state-sponsored hacking operations.
The PRC’s integration of technology companies into its offensive pipeline does not end with staffing choices. State policies demand forced disclosure of vulnerabilities. Since 2021, the PRC has required all software companies operating in China to (reluctantly or otherwise) report vulnerabilities that impact any systems, regardless of source, directly to the PRC government. In 2021, China introduced new regulations on vulnerability management, the Regulations on the Management of Network Product Security Vulnerabilities (RMSV), which mandate reporting all industry-wide discoveries of vulnerabilities to the Chinese government within 48 hours. This impacts all technology companies operating in China, including foreign software firms. In the disclosure, companies are encouraged to include proof-of-concept code and instructions on how to replicate the vulnerability, which would undoubtedly be useful to Chinese offensive missions. It has also impacted US critical infrastructure firms: one of the companies found to comply with the Chinese law is Schneider Electric, a US industrial control systems and energy company, whose products (and their subsequent vulnerabilities) are likely offered with minimal alteration in both the US and Chinese markets.
Companies that do not comply with the law are penalized. In 2021, an engineer at the Chinese company Alibaba found and disclosed a critical zero-day vulnerability impacting Apache Log4j (a widely used software utility) to the US Apache Foundation (maintainers of Log4j) instead of notifying Chinese regulators. As a result, Chinese regulators suspended a cooperative partnership with Alibaba regarding cybersecurity threats and information-sharing platforms for six months. It is important to note that this RMSV process is separate from, and in many ways entirely counterproductive to, the internationally accepted bug bounty and coordinated vulnerability disclosure process. Instead of interfacing directly with the manufacturer of a technology product and encouraging it to be more secure, China’s RMSV regulation circumvents this process by (1) mandating that the Chinese government be notified first instead of the company and (2) encouraging the sharing of exploit code, but only with the government.
Despite this, Chinese technology firms still contribute to finding bugs in Western technology companies’ products. Chinese researchers accounted for 27 percent of all vulnerabilities reported to the bug bounty programs of Apple, Google Android, and Microsoft from 2017 to 2023. Many of these contributions also come from security companies that have links to the Chinese intelligence apparatus. These contributions are frequently linked to a small handful of individuals within those companies, and a company’s contributions to such bug bounty programs fall when one or more Chinese hackers move between security companies. Given the strict chokehold the CCP holds on these firms and their vulnerability reporting pipelines, researchers in the US speculate that the CCP’s security services recognize that some slackening of restrictions is necessary to retain a truly robust talent pool, especially for hackers who are motivated by international recognition rather than mission or money. It is also likely beneficial to the PRC that its hackers and companies are seen as responsible stakeholders in the global cybersecurity market.
Key findings
During the literature review, data analysis, and expert interviews (as laid out in the above sections), nine key findings emerged:
- Zero-day exploitation is becoming harder, more opaque, and more expensive. The global hacking ecosystem is highly international and fragmented. The amount of time and capital required to develop an impactful capability has escalated dramatically in the last decade, leading to riskier feast-or-famine contract cycles. The growing number of publicly discovered zero-day threats does not detract from this market trend; in fact, the rise suggests a concurrent growth in the number of players in the international market. Multiple sources interviewed estimate that the number of individuals consistently producing zero-day exploits is in the low hundreds globally.
- Middlemen create market inefficiency and erode trust in the market. Given the lack of transparency in the zero-day market, middlemen with prior government connections further drive up prices and create inefficiency in the US and FVEYs market, while eroding trust between buyers and sellers.
- The United States relies on international talent, while China relies on domestic might. The US offensive cyber workforce relies heavily on international talent pools in South America, Europe, and other FVEYs countries. China’s domestic cyber pipeline dwarfs that of the United States, but China is also increasingly extending its supply network out to the Middle East and East Asia.
- Talent investment in US offense is lacking. US government investment in the offensive talent pipeline, however sparse, has focused on defensive jobs, while China has well-established and comprehensive feeder systems within its offensive apparatus. US talent in exploit development also experiences a “Training Valley of Death” between junior and intermediate levels.
- US acquisition favors large prime contractors, slows acquisition in pursuit of stealth, and adds more risk through opacity. US cyber capability acquisition favors large defense contractors, who take on heavy compliance burdens while shifting project requirements to smaller firms. The US government internally prioritizes extremely high levels of accuracy, trust, and stealth, which can create market inefficiencies and a reliance on high-cost, exquisite zero-day exploit procurements. Certain US government customers deliberately lengthen the contract cycle by refusing to share information about desired capabilities with firms, leading to an inefficient process in which firms may work on an exploit that a customer has no intent to purchase.
- China’s acquisition uses decentralized contracting methods, outsources operations, shortens contract cycles through more resourcing, and prolongs the lifetime of an exploit through “n-day usage.” While China also relies on large prime contractors, government ministries have decentralized government procurement processes, such that even provincial government offices issue contracts to firms. China’s regulatory environment actively encourages vulnerability reporting to the state, often integrates corporate research with government offensive strategies, and broadly permits private-sector hack-for-hire operations. China has also shortened the feast-or-famine contract cycle for exploits by providing more resources to its private-sector firms, and it continues to use exploits after their discovery.
- US cybersecurity goals, coupled with Big Tech’s dominance, are strategic counterweights to the US offensive capability program. Because zero-day exploits in cyber operations make use of weaknesses in private-sector software products, the global market dominance of US Big Tech companies ensures that they act as a strategic obstacle to US offensive cyber goals. This demonstrates a strategic trade-off between economic prosperity (and global trust in US products) and national security. In contrast, China’s tech firms have a far smaller global market share, and they are a strategic enabler of China’s offensive cyber program.
- International partnerships for unique offensive cyber capabilities attempt to leverage different circles, but the opaque market offers no guarantees. The United States leverages international alliances, particularly within the FVEYs intelligence-sharing network, to bolster its cyber capabilities. In contrast, China focuses on cultivating regional influence and integrating offensive cyber capabilities from East Asia and the Middle East. However, given the opaque international market, the preference for full chains leveraging multiple exploit primitives, and the rise in bug collisions, there is no one-hundred-percent guarantee of unique capability.
- China leans forward on AI in cyber operations. China’s offensive cyber industry is already heavily integrated with AI institutions, and China’s private sector has been proactively using AI for cyber operations. The US government’s primary efforts with both AI and cyber have largely been defensive in nature, or kept internal to the intelligence community, although some DARPA programs have encouraged open offensive innovation.
Recommendations
“We are not going to deter the adversary with defenses only… I will work to strengthen our offensive cyber capabilities to ensure the President has the options he needs to respond to this growing threat.” Katie Sutton, Nominee for Assistant Secretary of Defense for Cyber Policy (2025).
It is impossible for the United States to match China’s supply of zero-day exploits by sheer numbers alone, and adopting the Chinese policies for acquisition and supply would be the equivalent of stooping to the level of an authoritarian state. However, there are myriad ways to materially and quickly bridge this gap. Informed by analysis from over 30 expert interviews and open-source data gathering, this report concludes by offering ten recommendations across supply, acquisition, and operations to close this capability gap. Each of these recommendations must be filtered through a consideration of timeline (swift action is required given the increasing potential for conflict with China in the coming years), feasibility (cyber is one of the last bipartisan domains, but with implications for contentious national issues and cross-cutting networks of civil society, government, and industry stakeholders), buy-in from the hacker community (alienation or acceptance by this community will determine failure or success), and maintaining Western values (to learn from CCP cyber models without adopting them wholesale).
Supply
- The United States government should create vulnerability research accelerators through existing funding vehicles.
The United States struggles to acquire capabilities from skilled smaller companies, relying instead on prime contractors with burdensome overhead costs. Creating Vulnerability Research Accelerators (VRAs) through the DOD’s Strategic Capabilities Office (SCO), In-Q-Tel, or the Defense Innovation Unit (DIU) could significantly bolster the supply of zero-day exploits by fostering the growth of small, specialized research teams. This would circumvent the de facto requirement that a small business go through a prime contractor to sell offensive capabilities to the government. These accelerators would focus on supporting small companies (those with at least five dedicated vulnerability researchers), ensuring that funding and resources are directed toward those producing the original research rather than toward prime contractors with existing government relationships. The VRAs would help these companies navigate the complex federal contracting process, obtain Small Business Administration certifications, hold and pay for security clearances, and connect directly to government contracts. By doing so, the accelerator would significantly lower the barrier to entry and reduce the administrative burdens that often deter small but highly skilled teams from engaging with government contracts directly.
- The NSA should expand its CAE-CO program, provide grants to private organizations that support existing CTFs and offensive security conferences, and directly fund CTF teams at top universities.
Domestic CTF teams at universities die without adequate funding and support. The NSA should bolster the pipeline of skilled vulnerability researchers while demonstrating that the US government values and invests in offensive security talent. It could do so by providing grants to private organizations or academic institutions that support CTF competitions, offensive security conferences, and university-based CTF teams. Directly sponsoring CTFs and hacker clubs at major universities would nurture talent at the source, as CTFs have long been a testing ground for some of the world’s best exploit developers and security researchers. Government funding, paired with resources and mentorship, would encourage students to view vulnerability research as a viable career path, ultimately fostering a new generation of skilled researchers. Through these grants, the NSA could also encourage more academic institutions to create programs that comply with CAE-CO accreditation, or postgraduate programs that solve the “Training Valley of Death” by taking apprentice vulnerability researchers to cyber “journeyman” status.
This program should also be paired with grants among the FVEYs and other allies to fund companies that conduct “cyber journeyman”-style training, host international CTFs and security conferences, or hire international researchers at higher rates than Chinese or other companies, expanding the pool of talent while strengthening partnerships abroad. This approach would help cultivate both domestic and international pipelines of vulnerability researchers, ensuring that the United States and its partners remain competitive in offensive security innovation. This is most important to do within international fora outside the US sphere of influence. For example, offensive conferences in South Korea, Thailand, and Singapore could provide ample networking opportunities with hackers who risk being pulled into China’s vulnerability acquisition orbit. The international hacker community tends to view the US government with skepticism, but it is notably more receptive to private companies that are perceived as supporting the community, even when those companies work closely with the government. By positioning itself as an enabler rather than a direct participant, the US government can build trust while supporting the development of offensive security talent.
- DOD and Congress should expand programs on AI-enabled vulnerability research and consider n-day exploitation where possible.
Investing in technologies that reduce dependency on zero-days, such as automation, AI-driven vulnerability discovery, and novel exploitation techniques, would future-proof US cyber capabilities, effectively “intelligentizing” DOD’s cyber organizations. As software security continues to advance, traditional exploit chains are becoming harder to develop and maintain. While defense is essential, the DOD must also prioritize research into next-generation exploitation methods that can help sustain offensive capabilities in the long run, particularly against different, harder targets in East Asia. Expanding government programs like AIxCC and INGOTS, while encouraging offensive companies to create more tools like Google’s OSS-Fuzz, would allow companies already conducting vulnerability research to do so in a more scalable manner while also aiding defensive efforts. Alternatively, creating a section under the National Defense Authorization Act (NDAA) for “automated code auditing” or “exploit chain generation for both n-day and 0day” for the armed services could send a demand signal to the broader defense innovation ecosystem, encouraging venture capital and other funding firms to find ways to scale the labor-intensive process of vulnerability research.
To combat further slowdowns due to risk aversion, as well as to extend the life of an acquired capability, USCYBERCOM should also consider additional policies around n-day exploitation and use. This could extend the lifecycle of an acquired capability, prevent further waste of time and money in contract cycles, and provide more resourcing to junior-level talent in offensive cyber companies (who can likely exploit n-days but are not yet able to reliably conduct zero-day exploitation). USCYBERCOM is an ideal organization to try new policies around n-day acquisition because, while stealth is important in military operations, it is not required for all of them.
- DOJ should provide legal guidance and counterintelligence protection to vulnerability researchers.
Vulnerability researchers in the private sector, particularly those who participate in bug bounties, often rely on their companies or on entities like the Security Research Legal Defense Fund to defend themselves from lawsuits that seek to chill their research. The legal challenges are only more numerous for individuals selling these capabilities for national security purposes, especially if the individual is selling capabilities for classified purposes, which cannot be disclosed in court without graymail concerns. While the US government has clear interests in protecting security research (e.g., through DOJ’s policy of not criminally prosecuting good-faith security research and the CFAA’s subsection carving out national security activity from its hacking prohibitions), as well as in protecting individuals from counterintelligence threats, there is no centralized task force actively looking to protect hackers (especially ones without clearances), and no policy priority to ensure that civil lawsuits are settled with an eye to how they affect private sector hacking supply chains.
One potential solution is to empower the DOJ’s Civil Division to intervene in civil lawsuits through existing procedural mechanisms if a researcher at an offensive capability company faces a lawsuit from a technology company (particularly if the researcher works for government interests). This would likely need to be paired with publication of clear criteria for how to define “government interest” for CFAA purposes, and how companies can seek protection under those terms (similar to how the DOJ’s “good-faith security research” policy published in 2022 clarified under what circumstances DOJ would or would not prosecute hackers). Another approach would be to establish a federally funded legal defense fund modeled after the Security Research Legal Defense Fund, providing independent legal support to security researchers working on US government contracts. Additionally, a task force could be created within the FBI or the Office of the Director of National Intelligence’s (ODNI) National Counterintelligence and Security Center (paired with the first “demand” option below) to address counterintelligence concerns raised by hackers and provide a clear point of contact for researchers facing foreign threats or legal retaliation. These measures would help foster a safer and more reliable environment for the private sector supply chain supporting US cyber operations.
Demand
- Create a government-sponsored vulnerability broker for the US intelligence community within a federally funded research and development center.
On the demand side, establishing a government-sponsored broker for vulnerability acquisition could streamline the fragmented and opaque market, particularly for companies without existing connections into the US federal contracting system and for individual researchers who might otherwise reach out to private sector middlemen. The current landscape relies heavily on private brokers, who often inflate prices and obscure the true value of individual exploits. A government-backed intermediary could improve efficiency, offer more predictable payment structures, and reduce the risks associated with relying on third-party brokers. While this effort could be coordinated at the National Security Council (NSC) level, a Federally Funded Research and Development Center (FFRDC) would likely be the best place to implement such a program. This is because, due to interagency equities and Title 10 / Title 50 concerns, there is likely no single agency within the Intelligence Community or DOD that a government-sponsored intermediary could work with without spawning duplicate structures across the ecosystem and draining government resources.
Such a program would likely need an individual at the helm with experience in exploit acquisition, one who would understand the needs of the various agencies and also be able to interface directly with the hacker community. Any bug would still have to go through the VEP, after which the broker would funnel vulnerabilities to existing contracts based on need. This intermediary program should also be able to solicit bugs regardless of origin, directly contracting with friendly international suppliers beyond even the FVEYs. The program could also offer more insight into the zero-day supply chain for future coordination among the FVEYs and additional regional allies.
- Decentralize, internationalize, and simplify the process for purchasing bugs.
Government acquisition moves at a glacial pace, even for cyber capabilities. The US government must find ways to decentralize purchasing authority away from prime-heavy government contracts. Secretary of Defense Pete Hegseth, in March 2025, began moving toward more efficient software acquisition mechanisms. However, this effort is largely tailored to commercial software solutions (which zero-day exploits are not). The DOD could create an acquisition vehicle specifically for cyber capabilities used in support of SIGINT or defensive efforts, particularly for cheaper capabilities purchased directly from researchers or small companies. This could take the form of a Software Acquisition and Practices (SWAP) effort for offensive cyber specifically, or of expanded programs for offensive cyber acquisitions under Other Transaction Authorities. To succeed, any acquisition mechanism cannot contain US person or clearance requirements, so that companies have the flexibility to hire international talent.
Congress could also alter the US government’s Simplified Acquisitions Program to permit the US government to purchase offensive cyber capabilities. All products that support overseas contingency operations or that facilitate defense against or recovery from a cyber-attack can already be purchased via the micro-purchase program (if the cost is less than $20,000) and can be acquired through the Simplified Acquisitions Program (if the cost is less than $800,000 domestically or $1.5 million overseas). It is far more likely that lower-tier vulnerabilities will fall under the Simplified Acquisitions Program than under the micro-purchase program, but the micro-purchase program could provide for one-off technical projects or additional resources for offensive cyber capability companies, which could complement government operations and lessen the burden of feast-or-famine cycles.
- Resource such processes accordingly.
Raising the budget for zero-day acquisition within the government will be essential to ensure that companies do not go out of business when making exclusive sales to the government. Increased funding would allow the US government to secure higher-quality vulnerabilities and reduce concerns that a single purchase of a critical exploit would break the acquisition budget for the rest of the fiscal year. Additionally, while big-ticket iOS and Chrome vulnerabilities garner widespread attention, real cyber operations often rely on lower-profile but highly specialized exploits tailored to niche devices and environments. These require not only technical sophistication but also partnerships, trust, and deep operational knowledge, especially when targeting software specific to a particular region or industry. Policymakers must acknowledge this complexity and resource the ecosystem accordingly, ensuring both intelligence-gathering and operational effectiveness while holding stakeholders accountable for outcomes. Expanding the cyber-specific pathways of the Simplified Acquisitions Program (which already exist for “facilitating defense against or recovery from cyber [attacks]”) and raising the simplified acquisition cap for cyber capabilities to $3 million would further support this effort to buy higher-quality, harder-target exploits.
Policy
- Identify highly skilled foreign researchers and hire them wherever possible.
When zero-day exploits and bespoke cyber capabilities are created by a finite pool of international talent (and especially if the number of highly skilled vulnerability researchers globally is indeed in the low hundreds), talent recruitment becomes a zero-sum game. To maintain a competitive edge, the United States and its allies must focus not only on acquiring advanced capabilities but also on attracting and retaining top talent, both foreign and domestic, while actively countering adversary developments through a combination of acquisition, disruption, and strategic talent recruitment. Many top-tier vulnerability researchers might qualify for the “Gold Card” visa program if its tier requirement were lowered (e.g., $500,000 instead of $5 million). Moreover, many private sector technology companies would also likely be interested in recruiting this talent for defensive purposes. US companies can hire vulnerability researchers to make the ecosystem safer.
US alliances also become particularly useful in this regard. As China attempts to expand its offensive hacking talent pool to researchers in East Asia, South Asia, and the Middle East, encouraging companies that provide cyber capabilities to the FVEYs to hire foreign talent, work with foreign companies, and invite foreign researchers to cybersecurity conferences will likely be a necessary counter-strategy to prevent this from happening. While recruiting hundreds of hackers through the FVEYs seems like a daunting task, it is far fewer than the over 1,600 German nuclear and rocketry scientists brought to the United States alone through the Cold War-era program Operation Paperclip.
- Catch and burn capabilities.
Not every researcher will want to work for the US government or its allies. While some researchers prefer to focus on the work itself, many Chinese researchers enjoy the mission of working for their home government. This likely produces a significant pool of potential vulnerabilities in China every year. The MSS currently has 324 partner companies, which have disclosed almost 4,000 vulnerabilities to the CNNVD. Thus, the US intelligence community should actively identify not just offensive capabilities already leveraged by adversary states, but also offensive capabilities likely being sold to adversary states, and either disclose them to vendors who can fix them or use them in false flag operations. This will help US companies make their products safer, while also imposing costs on an adversary.
- Deepen offensive cyber collaboration among allies.
Replicating these policies among US partners and allies is essential to shaping and sustaining the base of offensive talent and capability. Shielding up-and-coming talent from the Chinese sphere of influence will be essential to maintaining a long-term competitive advantage. If the FVEYs cannot convince individuals to come directly to FVEYs countries, getting them out of China’s sphere of influence would suffice. Creating diplomatic programs through the US State Department focused on technical talent exchange and industry-wide collaboration (which would benefit both defensive and offensive vulnerability research talent) would be an ideal way to do so. While key countries in Europe and South America would likely be an important start beyond the FVEYs, South Korea and Thailand (two treaty allies) would be key countries with which to deepen cyber relationships.
However, the more countries the US partners with, the higher the risk that the United States funds a capability that may be used to commit human rights abuses or to spy on US persons. The Pall Mall initiative, which attempts to establish international norms around ethical hacking and responsible offensive cybersecurity practices, represents a step toward addressing this complexity, provided the coalition focuses on the actual acquisition of capabilities rather than only their use. Encouraging the Pall Mall process to create better guidance on hiring foreign and uncleared talent in order to address counterintelligence risks, and creating a coalition of countries willing to sell exploits to one another with proper human rights safeguards (particularly with the goal of pulling researchers away from China’s sphere of influence), would be essential steps toward building a coalition with proper guardrails in place.
Conclusion
Given the finite international zero-day market, it is imperative that the United States and its allies continue to ensure the supply of such capabilities (understanding the industry, rooting out malicious actors, and creating trusted sources) while limiting China’s access to those same capabilities. If the United States fails to do so, it risks losing its competitive edge to adversaries, most notably China, that are investing heavily in cultivating their domestic cyber talent pipeline and enabling a more flexible, market-driven approach to acquisition. China’s permissive regulatory environment and government-backed support for private-sector hacking companies have allowed it to scale its capabilities rapidly. Without a corresponding investment in the US ecosystem, both in terms of talent development and acquisition reform, the United States could face long-term strategic disadvantages.
The current landscape is bleak. China has a larger supply of hackers than the United States, and its offensive pipeline has grown extremely robust in the last decade. If, from an operational perspective, China is already a peer adversary in cyberspace, China’s hacking capabilities will likely exceed those of the United States very soon, if they have not already.
However, this moment also presents an opportunity. The United States can strengthen its position by embracing policies that nurture a robust domestic talent pipeline, reduce barriers to entry for small vulnerability research companies, and streamline the government’s acquisition process to work more effectively with the private sector. Investing in legal protections, expanding support for hacker communities, and fostering international partnerships can secure the supply chain while building trust between the government and researchers.
Ultimately, the United States must not only maintain parity with China but also ensure that it remains at the forefront of offensive cybersecurity capabilities. Choices made today will determine whether the United States can sustain its cyber advantage or whether, when called upon to do more, the US offensive cyber supply chain crashes and burns.
About the author
Winnona DeSombre Bernsen is a nonresident fellow with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs, and a Master of Public Policy/Juris Doctor candidate at Harvard Kennedy School and Georgetown Law.
She was previously a security engineer at Google’s Threat Analysis Group, tracking targeted threats against Google users, and she is the founder of the offensive security conference DistrictCon, held in Washington, DC. In recent years, Winnona has organized policy content at DEF CON and authored several pieces on offensive cyber capability proliferation.
Acknowledgements
This paper could not have been written without the support of my many mentors and colleagues in hacking and cyber policy. Thank you for fielding my tireless questions, vouching for me to potential interviewees, and reviewing my copious notes. A special thanks to the Atlantic Council, Trey Herr, and Nikita Shah for giving me the opportunity to pursue this project, to Margin Research for their partnership and support with data gathering, and to Mark Griffin and the local Washington DC hacker community for their interview corroboration support.
This paper is dedicated to my husband Derek (who has tirelessly supported my four-year odyssey through graduate and law school), Sophia d’Antoine, and all the members of our shared Book Club. While this thesis was produced over the past year, our discussions over the past half-decade have deeply influenced the final product.
Appendices
Appendix A: Abbreviations and key terms
Access-as-a-Service: a form of offensive cyber capability service that provides black-box technological solutions to customers looking to break into devices.
artificial intelligence (AI): the ability of computers or machines to perform tasks that traditionally require human intelligence, such as learning, reasoning, problem-solving, and perception.
Advanced Persistent Threat (APT): a sophisticated, sustained cyber campaign in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period.
bespoke: tailored or customized entities, services, or products within the information security environment.
bug bounty programs: programs run by companies to encourage hackers to find and report security vulnerabilities in their software. Hackers receive monetary rewards (“bounties”) for valid reports, enabling companies to identify and fix issues before malicious actors exploit them.
bug collision: the parallel, independent discovery of a vulnerability by multiple researchers.
Capture the Flag (CTF): a hacking competition in a simulated environment where participants solve security challenges, such as exploiting vulnerabilities, reverse engineering, or cryptography, to “capture flags” (hidden tokens representing successful completion).
China National Vulnerability Database (CNNVD): a national vulnerability database of the PRC, operated by the MSS, China’s foreign intelligence service.
Chinese Communist Party (CCP): the ruling political party of China, or the PRC. It holds ultimate authority over the state, military, and society.
Computer Fraud and Abuse Act (CFAA): United States federal law that criminalizes, and provides civil penalties for, various forms of computer-related fraud and abuse.
Cybersecurity and Infrastructure Security Agency (CISA): a component of the United States Department of Homeland Security responsible for cybersecurity and infrastructure protection.
Defense Advanced Research Projects Agency (DARPA): the research and development agency of the United States Department of Defense responsible for developing emerging technologies for use by the military.
Exploit Broker: an intermediary company or middleman that purchases vulnerabilities and exploits from researchers and sells them to government agencies or other clients.
exploit chain: a sequence of multiple exploit primitives used in conjunction with one another to achieve a particular effect, such as gaining full control over a system.
exploit primitive: a basic exploit that, by itself, is not enough to compromise a system but can be leveraged in combination with other primitives to achieve a more significant effect.
Federal Bureau of Investigation (FBI): the domestic intelligence and security service of the United States and its principal federal law enforcement agency.
Federally Funded Research and Development Center (FFRDC): public-private partnerships that conduct research and development for the United States Government; well-known examples include Lawrence Livermore National Laboratory, MIT Lincoln Laboratory, and MITRE.
Five Eyes (FVEYs): an intelligence-sharing alliance comprising five countries: the United States, United Kingdom, Canada, Australia, and New Zealand.
live hacking: live onstage demonstrations in which hackers expose system bugs or break into systems.
Ministry of Public Security (MPS): China’s national police agency, responsible for law enforcement, domestic security, and maintaining public order.
Ministry of State Security (MSS): China’s primary civilian intelligence and security agency, responsible for foreign intelligence, counterintelligence, and internal security.
National Security Agency (NSA): the US intelligence agency under the DOD tasked with SIGINT collection and cybersecurity.
n-day exploit: a tool or piece of code that exploits an n-day vulnerability (a known security flaw), typically targeting systems that have not yet applied the vendor’s patch.
n-day vulnerability (n-day): a publicly disclosed software vulnerability that is known to the vendor and for which a patch is likely available, but which remains exploitable on systems that have not been patched.
National Defense Authorization Act (NDAA): U.S. federal law that sets the annual budget and authorizes appropriations for the U.S. Department of Defense, the nuclear weapons programs of the Department of Energy, and other defense-related activities.
National Institute of Standards and Technology (NIST): an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness.
People’s Liberation Army (PLA): the armed forces of the PRC, controlled by China’s ruling party, the CCP.
People’s Republic of China (PRC): the official name of mainland China, governed by the CCP.
Proof of Concept (PoC): sample code showing that a particular vulnerability is exploitable. It proves an attack is feasible but is not a fully reliable exploit.
quality assurance (QA): systematic efforts taken to ensure that the product delivered to a customer meets the contractual and other agreed-upon performance, design, reliability, and maintainability expectations of that customer.
Regulations on the Management of Network Product Security Vulnerabilities (RMSV): a set of regulations in China that mandate that network product providers promptly report any security vulnerabilities in their products to the CCP.
signals intelligence (SIGINT): intelligence derived from electronic signals and computer systems used by foreign targets.
Strategic Capabilities Office (SCO): a rapid prototyping organization within the DOD that addresses high-priority operational and strategic challenges.
US Cyber Command (USCYBERCOM): the unified combatant command of the DOD responsible for conducting cyberspace operations.
US Department of Defense (DOD): the United States department charged with coordinating and supervising the U.S. armed services.
US Department of Justice (DOJ): the United States department that oversees the domestic enforcement of federal laws and the administration of justice.
Vulnerabilities Equities Process (VEP): the process used by the U.S. federal government to determine, on a case-by-case basis, how it should treat zero-day vulnerabilities.
zero-day vulnerability (0day / zero-day): a software vulnerability that is unknown to the software vendor and has not yet been patched.
zero-day exploit: a tool or piece of code that takes advantage of a zero-day vulnerability to compromise a system.
Appendix B: List of cited interviewees
- JD Work, Professor at National Defense University.
- Ian Roos, VP of Intelligence, Margin Research.
- Mei Danowski, Natto Thoughts.
- Dakota Cary, Fellow, Atlantic Council Global China Hub.
- Adam Kozy, CEO of SinaCyber.
- Derek Bernsen, DARPA Program Manager. Note: Mr. Bernsen’s comments do not reflect the opinions of DARPA, the DOD, or the US Government.
- Chi-en (Ashley) Shen, Security Researcher.
- Former US Intelligence Community Official (Background Interview)
- Founder of Vulnerability Research Company 1 (Background Interview).
- Founder of Vulnerability Research Company 2 (Background Interview).
- Founder, Vulnerability Research Company 3 (Background Interview).
- Founder, Former Vulnerability Research Vendor (Background Interview).
- Former ONCD Official (Background Interview).
- U.S. Government China Cyber Analyst (Background Interview).
- Founding Member of Vulnerability Research Company (Background Interview).
- Pwnie Award Organizer (Background Interview).
- Member of Defense Science Board, Study on Cyber as a Strategic Capability (Background Interview).
- China Area Specialist in the Vulnerability Research Space (Background Interview).
- Security Researcher with Experience in Collection and Cyber Operations (Background Interview).
- CTO of Defense Contractor in the DOD / IC Space (Background Interview).
- USG China Analyst (Background Interview).
- DOD Cyber Official (Background Interview).
- Senior DOD Cyber Official 1 (Background Interview).
- Senior DOD Cyber Official 2 (Background Interview).
- USG Cyber Official (Background Interview).
- Independent Security Researcher (Background Interview).
- Former Senior Intelligence Official (Background Interview).
Explore the program
The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.
Image: Govanify blog post, December 23, 2019.
Source & Attribution
This article is adapted from www.atlanticcouncil.org. We’ve restructured and rewritten the content for a broader audience with improved readability and SEO formatting.
