Fed offensive fueling hacker underground, report says

The U.S. government is contributing to the Internet's underground economy by scooping up hacker tools to incorporate into offensive cyber weapons, a report from Reuters says.

The feds have become the biggest buyer in a growing gray market where hackers and defense contractors sell tools to compromise computers, the report said.

A major concern about the government's actions is that it's using what it buys for offensive weapons at the expense of not only the country's cyber defenses but the private sector's as well.

That's because cyber weapons typically exploit vulnerabilities in commercial software, and the government keeps those vulnerabilities secret, which means the affected vendors cannot patch the flaws and make their products more secure.

Start-up companies in the offensive exploit field are not wanting for customers in government and the private sector, said Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare: Mapping the Cyber Underworld."

"It's pretty much if you have the cash and you meet the parameters, you can get an offensive exploit developed for you," Carr told CSO. "That's where the growth industry is for cyber."

"Just as we've created a military-industrial complex for traditional arms," he said, "I believe we'll see a similar development for cyber-related weapons."

While the government may be spending money on cyber weapon research, it's doubtful hackers-for-hire are contributing much to it, said John Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a non-profit research group that studies cyber warfare.

The CIA, NSA and all the major defense contractors have the technical capabilities to uncover software vulnerabilities and write exploits. "Multiple U.S. government agencies have access to extremely large repositories of malware," Bumgarner said. "These agencies can easily dissect and reuse components from any of these malware samples."


Stuxnet, the cyber weapon attributed to the United States and Israel and used to attack the Iranian nuclear development program, exploited four zero-day, or never before seen, vulnerabilities.

"The U.S. government didn't buy zero-day exploits on the black market to embed in this offensive cyber weapon," Bumgarner said. "These complex zero-day exploits were written by government geeks working in total secrecy."

Carr said that a problem with paying for vulnerabilities and keeping them on the shelf is that you never know when someone else will discover the flaw independently.

One researcher may sell a vulnerability to the government for half a million dollars, while another might sell the same vulnerability to a software company for thousands. "In which case, the government that paid six figures for it is out the money because it's useless," Carr said.

The scenarios can get as complicated as a spy novel by John le Carre. An enterprising hacker could decide to do a double dip on a sale -- sell to the government, then turn around and sell to the vendor affected by the vulnerability.

An adversary could also turn a vulnerability sale into a tracking device by earmarking the flaw it sells: if the nation that bought the vulnerability later used it, the exploit's origin could be easily identified.

There's an irony in the notion that the federal government may be hiding vulnerabilities from vendors, said Richard Stiennon, chief research analyst at IT-Harvest.

"When the government started US-CERT, its purpose was to disseminate knowledge of new vulnerabilities," Stiennon said in an interview. "Now the government is in a position of purchasing vulnerabilities and then not disseminating them or disclosing them to the vendors."

Stories by John P. Mello