When you hear about weapons sales on the black market, you usually think about AK-47s, grenade launchers or Glocks. Piles of ammo in wooden crates sitting on a dark dock. Most of us are not as likely to think "computer code!" Yet the market for code that exploits design and implementation flaws in computer hardware and software is climbing rapidly. Independent hackers might sell their 'exploits' for anywhere between $500 and $500,000, depending on the target and on how reliably the exploit works. Some sell only to 'legitimate' buyers, but others are less selective about their customers. The notion that a terrorist could get his hands on sophisticated, malicious code that could take down or take over something important is a scary one.
Global dependence on all things digital has prompted the creation or expansion of military cyber commands in many countries. The US Cyber Command was established in 2009 and reached operational capability in 2010. Its stated mission is that it "plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries." What is new and potentially controversial is that Gen. Keith Alexander, who heads both the NSA and Cyber Command, has stated that 13 offensive cyber warfare teams, analogous to battalions or squadrons, will be ready by 2015.
Some question the timing and purpose of the announcement, given that this capacity surely already exists within the U.S. military. Others are concerned about the legal ramifications of such cyber war forces, which would presumably be obliged to notify (or get approval from) the president or Congress before acting. Will these units be acting covertly or overtly? What rules of engagement will guide this command, especially when an operation crosses international boundaries, or when its effects spill over onto networks that were not the intended target?
The motivation for supporting cyber warfare activities in-house is pretty clear, given the alternatives. No one prefers to depend on independent hackers to find flaws and supply exploits, and then rely on those hackers not to sell the same exploit to multiple buyers, or to terrorist groups or other hostile parties. Although a large percentage of exploits are purchased from legitimate firms in the exploit business, it's a tricky business: the buyer has no way to verify that the seller has not already sold the same bug to someone else.
What's more, who wants to pay $200K for some code that may be rendered obsolete at any time? Unlike a well-maintained rifle that can continue to work for decades, code has a potentially short shelf life. An exploit for a bug that is not yet known to the vendor is called a "zero day", because the vendor has had zero days to fix it. Once the bug is discovered, the clock starts: the exploit becomes a "one day", "two day" and so on, until the day the vendor ships a patch. From then on it is an "n-day" exploit. It still works against every system that has not applied the patch, and in practice that can be a large population for a long time, but its value against a well-run target drops sharply once the hole is public. For example, Stuxnet was quietly doing its work for well over a year before it was discovered in 2010; once it was analyzed and the Windows vulnerabilities it relied on were patched, the exploits it carried lost most of their value.
Not surprisingly, the largest buyers of exploits, at the best prices, are from the West, in the form of government agencies and large defense contractors. China apparently has such a huge number of internal hackers, and conducts espionage on such a large scale, that prices for Chinese exploits are depressed. The Chinese seem to be managing well enough with their in-house operation. That's why attempts to ban the sale of exploits, or to enact laws restricting this market, are met with pessimism. One security researcher notes that trying to ban exploit sales would have about the same success as the war on drugs has had on drugs. Cyberspace is starting to look to me a bit like the lawless, freewheeling Dodge City of the Wild West. Here's hoping we can avoid a cyber shootout at the OK Corral.