In Perspective | China had a hacking tournament. And India should be worried

What the hackers got

The newly launched iPhone 13, as well as Windows 10, Google Chrome, and Microsoft Exchange were successfully breached at the Tianfu Cup, the fourth edition of the cybersecurity contest that the organisers say is open to participants around the world.

The largest piece of the pie was bagged by Kunlun Lab, a Beijing-based cybersecurity company that hacked most of the devices in the shortest time, winning $654,000. Kunlun’s CEO, who tweets as @mj0011, said the iPhone hack took only 15 seconds (this itself was worth $120,000).

Zero-day flaws give bad actors the opportunity to break into devices and spy on or steal data from their targets. For instance, notorious Israeli cyberweapons company NSO Group used such flaws — known as an exploit — in iOS to deliver the Pegasus spying tool on the phones of targets. Apple rushed a fix in mid-September, urging people with iPhones to immediately install it.

The hacks of the other software are no less serious. For instance, the successful breaches of Windows 10, Chrome, and Safari will allow attackers to target people on PCs and laptops. A 0-day exploit in the Microsoft Exchange Server can compromise the security of thousands of corporate entities that use it as their work email service provider.

Is this worrying? Yes

The Tianfu Cup largely follows in the footsteps of a similar hacking competition known as Pwn2Own, which has of late been held in the United States. Such competitions have clear rules on vulnerability disclosure, as white hat hacker conferences typically do.

The most common principle is that these vulnerabilities have to be first notified to the companies that made these tools and devices, so that the flaws can be fixed before their details are released.

All vendors that were hit are expected to soon release their patches.

But it is a little complicated with the Tianfu Cup. Recorded Future threat analyst, Devin Thorne, and Australian Strategic Policy Institute (ASPI) senior researcher, Samantha Hoffman, said in an Op-Ed published earlier this year that there is a real risk that the vulnerability disclosure rules instituted by the Chinese government put the country’s national interest first.

This is not merely a fear. In 2018, the winning iPhone hack from the Tianfu Cup that year was used to hack into the phones of Uyghur activists and spy on them. Beijing has not acknowledged it. Researchers said the signs of the targeting of Uyghurs began almost immediately after the Tianfu Cup, and until Apple had a chance to plug the flaw. Even then, many who did not upgrade their device’s software continued to be targeted.

Uyghurs are a religious minority that China has been — by all independent accounts — accused of persecuting on a systemic scale, an allegation that the State denies.

More recently, there have been concerns that China’s new Regulations on the Management of Network Product Security Vulnerabilities, which came into effect on September 1, will help Beijing’s security apparatus get its hands on 0-day vulnerabilities before it can be notified to anyone (except the company impacted) overseas. This includes a ban on notifying private bug bounty companies (they coordinate vulnerability disclosure and help white hat hackers secure a payout from companies for helping them secure their products).

This ties in with previous fears of surveillance tied to the laws and regulations in China. In July 2020, cybersecurity researchers told HT that China’s national intelligence law, put into force in 2017, allows the government to access any data Chinese companies and citizens collect.

Why should India pay attention?

India is not considered a top cyber power. The Harvard Kennedy School’s Belfer Center for Science and International Affairs ranks China as the second-most powerful cyber actor in the world, behind the United States.

India does not figure in the top 10 — it ranks 21, behind countries such as Malaysia and Vietnam — according to the Belfer Center’s National Cyber Power Index 2020.

The ranking takes into account both capacity and intent, and India’s ranks in the quadrant of countries with both low capability and low intent.

This is where Tianfu Cup can be a lesson for India. The origin of the Chinese hacking tournament lies in nationalism. China in 2017 banned its security researchers from taking part in competitions like Pwn2Own, months after the co-founder of Qihoo 360 (one of China’s largest IT companies), Zhou Hongyi, stated in an interview with a Chinese news outlet that knowledge of undisclosed software vulnerabilities “should remain in China.”

Like China, India needs to foster a talent pool in the domain and incentivise cybersecurity research through prizes and recognition — in a way the Tianfu Cup does.

After that will lie decisions on doctrine that need careful calibration. Recent high-profile hacks, such as the SolarWinds breach that went to the heart of the American government, demonstrate that doctrinal questions are complex and even the world’s highest rank cyber power, the United States, may not yet have the perfect answer.

China is a significant potential adversary for India, and the asymmetry in capabilities is too great to keep on existing in an era where the next state-on-state offensive will likely involve a significant cyber component.

The views expressed are personal