Behind hacking competitions, the soft power of States
Ethical hacking challenges have many advantages in terms of recruitment and prestige for both private companies and states. Sometimes, however, these events turn into a state demonstration.
Whether they are called Hack in Paris (Paris), GreHack (Grenoble), INS’Hack (Lyon), Botconf (Nantes), LeHack (Paris), Hacking Convention (Toulouse), European Cyber Cup (Lille), SSTIC (Rennes), Insomni’Hack (Switzerland), European Cybersecurity Challenge (Czech Republic), atHack (Saudi Arabia) or Def Con (Las Vegas, United States), ethical hacking competitions offer tremendous visibility to all their participants, be they students, young graduates, employees of private companies, administrations, or even states.
With the current chronic shortage of cybersecurity talent, the first to benefit from this exposure are of course the members of the student teams. Through their scores in various competitions, top performers are able to demonstrate their skill level and technical background to recruiters in their home country, and sometimes even around the world.
The first edition of the European Cyber Cup (EC2)—an eSport competition dedicated to ethical hacking and organised as part of the FIC (International Cybersecurity Forum)—gathered 15 teams, nine of which were students and six professionals. “A team from ‘ESNA de Bretagne’ (Higher School of Applied Digital Sciences) came out on top, ahead of the professional teams,” says Clémence Burette, EC2 Project Manager.
Matthieu Bouthors, president of the HZV association, which organises the event called leHACK, adds: “We’ve been organising ethical hacking challenges for 20 years. We witness a growth of both the enthusiasm and the number of teams. Of course, the prizes to be won are small, but that’s not really what participants come for. What is to be gained is a reputation, the fact of putting one’s name at the top of the bill at the end of the night.”
Companies and administrations organising events
The talent shortage is so critical that a number of companies are organising their own events. “Organisations that are desperate to recruit are creating their own competition. They most often use the CTF (Capture The Flag) challenge format to identify profiles. Competitions are a very effective way to find candidates, because today, publishing an ad and waiting for the CVs to fall in is not enough,” adds Matthieu Bouthors.
The French government, through the ‘Direction générale de l’armement’ (DGA), has thus become an organiser of ethical hacking competitions for the past two years. Its challenge, called DG’hAck, takes place over two weeks. The top-ranked participants are offered a selection interview for an end-of-study internship or a permanent job at the DGA’s “Information Management” centre of expertise, located in Bruz, Brittany, without having to pass a preselection based on a technical test. Four hundred recruitments in the field of cybersecurity are planned between now and 2025.
In the United States, in 2019, the U.S. Air Force called on hackers attending Def Con, the most famous conference in the field. Its goal was to invite them to hack one of its F-15 fighter jets. The following year, the U.S. Air Force launched a bug bounty programme—in the form of a CTF—with the goal of allowing ethical hackers to attempt to hack an orbiting satellite. In both cases, cybersecurity experts were able to penetrate the defences of the flying machines. In addition to the thrill of discovering sensitive vulnerabilities (and earning money in the form of rewards), some participants were offered jobs or contracts with the organising administrations.
For states, prestige also counts
But for states around the world, recruiting talent and finding critical vulnerabilities are not the only issues at stake when participating in hacking challenges. The reputation and brand image of an entire country are also at stake. “This type of event allows us to promote our skills but also, more globally, the excellence of French education, which shapes the engineers of tomorrow. France and Europe need to be put back in the spotlight in these competitions,” analyses Clémence Burette.
Matthieu Bouthors adds: “At state level, each nation’s stake is to show that it has the best resources. The national teams need to see where they stand in relation to each other, and to measure and evaluate themselves on the world stage.”
Sometimes this desire to measure oneself against other nations goes too far. This is particularly true of the Tianfu Cup, a competition organised by the Chinese authorities in Chengdu, capital of Sichuan province. While the Middle Kingdom has banned all its researchers from participating in international bug bounty competitions, Chinese teams set record after record during this event. A show of force that, for some observers, replaces the military parades of the past.
Tianfu Cup: the Chinese demonstration
Since 2017, all software programs have been falling one after another, in less than five minutes (that’s how long participants have to demonstrate their expertise). Linux, VMware, Windows 10, Chrome, Safari, Exchange Server, Ubuntu 20, Adobe PDF reader: the zero day vulnerabilities follow one another, inexorably. In the 2021 edition, valuable findings were uncovered, including an exploit (a remote code execution attack chain without interaction) against an iPhone 13 Pro running iOS 15.0.2.
The Tianfu competition demonstrates the impressive ability of Chinese hackers to compromise major Western systems and networks. It also highlights the depth of China’s offensive cyber inventories. It also implies that the Chinese government has early access to high-value exploit portfolios at every edition.
The Tianfu Cup is helping China develop cutting-edge cyber capabilities and identify talented hackers. However, it is increasingly likely that the exploit opportunities identified at this event are of lesser value in an environment where developers are increasingly seeking to automate vulnerability discovery and exploit generation. Zero-day exploits discovered at the event can only be used for a limited time before vendors are able to patch the underlying vulnerabilities.
- Security and Stability in Cyberspace
- Cyber industrial safety
- Cyber risks
- Operational security
- Antifraud action
- Digital identity & KYC
- Digital Sovereignty
- Digital transition