States have long valued military parades. They allow countries to flaunt their most powerful tanks, aircraft, and missiles. However, what can a country do if it wants to showcase its considerable investments in offensive cyber capabilities? The typical “cyber weapon” entirely lacks the presence of a ballistic-missile launcher or impressively ranked armored vehicles. Even when a state might show off the more prominent footprint of its large-scale data centers, these lack obvious immediate offensive application — and you still can’t put a data center on parade. In addition, disclosing offensive cyber portfolios could allow adversaries to design defenses against them, or make it harder to carry out a cyber attack anonymously. This poses a dilemma for many states, China among them, that may wish to highlight their growing cyber arsenals — to signal readiness, relative advantage in correlation of forces, and commitment — without degrading the future effectiveness of these capabilities.
The Tianfu Cup competition in Chengdu increasingly appears to be the Chinese Communist Party’s way around this dilemma, a means of pursuing these objectives in a manner that has remained largely outside of strategic discourse in recent years. As a result, the remarkable display of capability in the event (which took place this month) deserves further scrutiny, as it conveys several key messages to an international audience. The Tianfu competition demonstrated the continued ability to hold key Western systems and networks at risk, highlighted the substantial depth of China’s offensive cyber inventories, and showed off a talent base of aggressive hackers undeterred by blowback from international exposure of its activities. Taken in total, this signaling also seems to suggest a trajectory towards a surprising future in which China’s offensive cyber power surpasses that of the West.
Reaching for the Cup
On the surface, the Tianfu Cup appears to be just another bug-bounty competition where hackers find new bugs in software code and submit them in return for cash awards. Vulnerability disclosure competitions like these arose in the mid-2000s as a means of disclosing device and…