Nicole Perlroth and David E. Sanger describe in the July 14 New York Times the increasingly global trade in computer vulnerabilities. The recent growth of this hacker market has been fueled by purchases by the U.S. and other governments. Can this market be effectively regulated? And if it is eventually regulated, would it be for the wrong reasons?
Let’s take a step back. Let’s say there is some hacker, call him DarthBorgen, who seeks out holes in company firewalls, e-mail systems, online payment systems, cellphone operating systems, and so on. The most interesting hole to find is a “zero-day exploit,” a vulnerability that the company does not even know about. (“There are zero days between the vulnerability being discovered and the first attack.”) If DarthBorgen is a “black hat” hacker he may use that exploit to steal from the company himself, or he may sell it to a rival company that would use it in some illegal corporate espionage.
However, he may post the exploit to one of the hacker boards as a means to burnish his reputation as a skilled hacker. His goal would not be to steal but to show off. Once he posts, the company would also probably learn of the exploit and patch it. Maybe, when a company was looking for a security specialist down the line, they might contact DarthBorgen, due to his formidable skills and reputation in the hacker community, and offer him a consulting fee. DarthBorgen might even become a computer security consultant who only tests a company’s systems at their request so that they may better understand their own vulnerabilities. (Maybe he changes his tag to ObiWanBorgen.)
Hackers increasingly started to go directly to the companies in whose products they had found zero-day exploits and offer to sell their information to that company. This meant that exploits began to have a market value based on what the vulnerable company would be willing to pay for the information about the exploit.
At the crux of the Perlroth and Sanger article is how the arrival of government money has transformed the exploits market.
The U.S. government was an early mover in paying increasingly large sums for exclusive access to exploits. And, importantly, while companies paid for exploits in their own systems so that they could patch the holes, the U.S. government paid for exploits so that it could hack computers in intelligence operations or law enforcement investigations. Keep in mind that Internet Explorer and iPhones (to take two examples) are used all around the world by private citizens, governments, and companies.
Other governments followed suit. Perlroth and Sanger report that:
Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asian Pacific, including Malaysia and Singapore, are buying, too, according to the Center for Strategic and International Studies in Washington.
At a cyberconflict conference that we had at St. Johns in April, Christopher Soghoian of the ACLU spoke about the exploits market. In an interview for Sunday’s New York Times he said:
“The [company-funded] bounties pale in comparison to what the government pays.” The military establishment, he said, “created Frankenstein by feeding the market.”
The March 20 issue of The Economist had an article on the “digital arms trade” that included minimum prices for zero-day exploits for various programs. That article listed Internet Explorer exploits fetching at least $500,000, Windows 8 about $250,000, and iPhone 5 about $200,000 per exploit. The Times article quotes some lower prices, stating that “[t]he average flaw now sells from around $35,000 to $160,000.” Regardless of which figures are more accurate, all this government money is irrigating the hacker economy. Companies have sprung up to reap the benefits of the money being poured into the exploits market, with a business model built around finding exploits and then selling them to the highest bidder (often intelligence agencies).
The Times article noted a 2007 paper on the exploits market by Charlie Miller, a former NSA employee who was offered $80,000 by the U.S. government for a bug that he had found in Linux…