June 7, 2012

Cyber Warfare, the 0-Day Exploit Market, and the Rest of Us: Part 2

In the last post, I discussed some of the recent revelations about the current cyber warfare landscape.  Earlier this spring, Business Week wrote about the market for 0-day exploits, and how government agencies in Europe and the US are actively participating as buyers.  This follows about 2 years after the floodgates opened on HBGary emails indicating that they were involved in selling 0-days to the government as well.

The reason that governments are interested in 0-day exploits should be fairly obvious.  A 0-day exploit is a method for exploiting a vulnerability for which no patch is yet available.  The most coveted exploits are for vulnerabilities which have not yet even been identified and reported to the vendor.  This means that whoever has the exploit can attack systems with it while no one else even knows there is a possible attack vector.  It provides the holder of the information with a great advantage in being able to compromise systems.

The reason that governments are interested is that they too can use these for attacking systems.  They may want to use the exploit as the basis for an attack on systems belonging to a foreign government in order to deploy espionage-focused malware like the Flame virus.  Or perhaps they are interested in a broader attack on the citizens of a foreign nation in order to wreak havoc on their daily lives, a form of terrorism in essence.

The Business Week article focuses only on the interest of and sales to the US and European governments.  I assume that this is driven mainly by the reporter's access to people within that market.  I can imagine that gaining access to the middle-man dealing for the Chinese is more difficult.  However, I believe that this is also partially because the Chinese are not as involved in buying exploits simply because they have less of a need.

That is not to say that the Chinese government does not go after the exploits, but just that their mode of operation is quite different.  China has such a huge population that when we talk about an industry where smart individuals are the key, they simply have a lot more smart people than anyone else.  Pure numbers are not the end of the story though.  These people have to be given the right education, the right motivation, and the means to earn a living as security researchers.  In an authoritarian regime like China, those sorts of things need not be left to chance.  The government can implement programs to identify individuals with technical acumen, steer them into an advanced training and education program, and eventually coerce them into working for the nation's cyber warfare unit.  National pride as much as any coercion can have the desired effect.

In addition, there are some fundamental realities that, as Americans, we must face.  First, I'm not going to get into specific rankings, but there are a number of studies that show that the US education system is not the best in the world.  While we generally have a very strong post-secondary education system, primary and secondary education is generally rated as average.  Compound that with the fact that the US government is not in the business of directing people towards certain careers.  No one in this country would ever support having the government interfere in our lives to that extent, nor should we.  However, the ability of the Chinese government to coerce its best and brightest cyber security talent into working for its cyber warfare initiatives certainly provides them with an advantage.

So, a number of governments throughout the world are collecting the information necessary to exploit commonly used software such as:

  • Microsoft Windows OS
  • Apple iOS
  • Apple MacOS
  • Adobe Acrobat
  • Java

All this information can be used in support of some of the types of attacks mentioned in the last post.  Instead of relying on an individual carrying a USB stick into a nuclear facility, a remote exploit for which no patch is available can be used against government officials in another country, allowing something like the Flame virus to be deployed to their systems.  From there the cyber attack team which deployed the virus can spy on the official and gather intel on their activities.

In the realm of cyber warfare, these 0-day exploits amount to the weapons of war.  The fact that Western governments have created a market for these is a clear indicator that there is currently an arms race underway.

