There have been security flaws in software as long as there has been software, but they have become even more critically important in the context of cyberweapons development.
In the past, security researchers who stumbled on a software flaw would typically report the flaw to the manufacturer of the software, so it could be fixed. That changed, however, when cyberweapon designers started looking at these flaws as vulnerabilities that could serve as a back door into a computer network. Most prized of all were "zero day vulnerabilities" — flaws whose existence was previously unknown.
Richard Bejtlich was a cyber specialist for the U.S. Air Force in the 1990s, a time when the U.S. military was going on the offense in the cyberwar. He remembers the day he realized how important a software vulnerability can be to a cyberweapons designer.
"Myself and a couple other guys, we found a zero day vulnerability in Cisco routing equipment," Bejtlich recalls. "And we looked at it, and we said, 'Did we really find this? Can we really get into these Cisco routers?' "
They could, and so Bejtlich and his colleagues reported it to Cisco. The company thanked him and said it would be fixed. Days later, he was talking to some friends who worked on the offensive side of the unit, and they had quite a different reaction to his having reported the bug to Cisco.
"They said, 'You did what? Why didn't you tell us? We could have used this to get into all these various hard targets,' " he says.
To Bejtlich, a software flaw was simply a mistake to be corrected. To a cyberweapons designer, however, it was a potential back door into the computer network he wanted to attack.
"We actually had a standing order after that," Bejtlich says, "that said, if you find something, you don't tell the vendor, you tell the offensive side, and they'll decide what to do about it."
A potential loser here, at least in the short run, is the consumer who may be stuck with a flawed piece of software because the government doesn't want anyone to know about the flaw, seeing it as something that could be exploited for the deployment of a cyberweapon.
ACLU technologist Christopher Soghoian, who is something of a privacy activist, says this is something people should know about.
"I don't think your average small business, medium-sized business or Fortune 500 company realizes what's going on here," Soghoian says. "I don't think they realize that their government knows about flaws that could be fixed, and is sitting on them and exploiting them against other people rather than having them fixed."
A good example would be the Stuxnet worm, used by the U.S. and Israel to attack computers controlling nuclear operations in Iran. The designers of Stuxnet took advantage of a software bug in the Microsoft Windows operating system, without alerting Microsoft to the flaw.
The demand for software vulnerabilities has grown to such an extent that the researchers who discover them no longer need to settle for a software vendor sending them a thank-you note, or even a small cash reward. In the context of escalating interest in cyberwar, there is now a growing global demand for the software vulnerabilities — the back doors — that allow an attacker to get inside his enemy's computer network.
"For every researcher who's doing the right thing [by alerting the vendor] and getting the modest gift," Soghoian says, "there are plenty of researchers who are selling these things for what they deem to be the true market value.
"And the true market value is whatever governments and their middlemen are willing to pay."
'It's Just Business'
Former Airman Bejtlich, now the chief security officer at Mandiant, a cybersecurity firm, is not in the business of selling vulnerabilities to the highest bidder, but he knows other cyber people who are.
"There seems to have been an explosion of interest in the last maybe two years," Bejtlich says, "where the hot thing to do is to found a company with five of your buddies who are all really good at finding vulnerabilities and just start making money."
Given that this interest is spurred by the development of secret cyberweapons research, the vulnerability market by necessity operates mostly in the shadows. When the vulnerability traders make a public appearance, it's usually at a conference where hackers and other cyber researchers gather to discuss their latest work.
A vulnerability seller named Donato Ferrante showed up recently at the "Suits and Spooks" conference in Arlington, Va. In an interview with NPR, Ferrante said he advertises his vulnerabilities through an email list. His clients see what vulnerabilities he has found in which products, but Ferrante gives only the barest of information about the flaws.
"If the customer wants [to] use the vulnerability, the customer needs to buy the vulnerability," Ferrante said. "This is just a sort of portfolio; then the customer needs to buy the details."
Ferrante's company, ReVuln, is the seller. For them, "it's business," he says.
An Unregulated Market
In the U.S., the National Security Agency and other branches of the U.S. military, law enforcement and intelligence agencies are among the biggest buyers of vulnerabilities. But there are other buyers, including any party with an interest in being able to penetrate an adversary's computer network.
Besides the U.S., other governments are also developing cyberweapons. Some private companies may have an interest in penetrating a rival company's network. For that matter, criminal organizations might be interested in purchasing vulnerabilities, or even groups plotting a cyberterrorist attack.
Not surprisingly, vulnerability sellers don't want to say much about their business. Asked where he is based, Ferrante simply says, "Europe," though in a subsequent email he clarifies that he operates out of Malta. He is not eager to describe the world in which he works.
"I don't see bad guys or good guys," Ferrante says. "It's just business."
After all, Ferrante says, ReVuln is only selling information. "The way the information is used is up to the customer; it's not up to us."
There is no regulation of the vulnerability market in the U.S. There is a law prohibiting the export of software that provides penetration capabilities that would enable the users to attack, deny, disrupt or otherwise impair the use of computer infrastructure or networks. But there is no mandatory reporting of vulnerability sales.
If the sellers are not aware of the use to which their vulnerabilities will be put, they may not be prosecutable.
"I am shocked that this has not been regulated," Bejtlich says. "It would be so easy for a legislator to say, 'We're going to do arms control. We're going to keep this out of the hands of the bad guys. You're going to need a license to have these tools.'
"Who's going to stand up and say, 'No, you have to have cyberweapons!' I mean, if you wanted to look for an easy way to have legislators appear to be doing something, this would be it," he says.
The vulnerability trade is just one of many examples showing that developments in cyberwarfare, and the development of cyberweaponry, are proceeding so quickly that thinking about how to manage this new domain of warfare is not keeping pace.
RENEE MONTAGNE, HOST:
Wars have long been fought on land, on sea and in the air. Now there's a new battlefield - cyberspace. Countries, the United States included, are launching attacks on each other's computer networks. Software can be a lethal weapon. This week, NPR's Tom Gjelten is looking at the offensive side of cyber war. Today, the cyber arms market - how computer weapons are developed, bought and sold around the world.
TOM GJELTEN, BYLINE: To understand how a cyber-attack works, think of it like a burglary. First, you have to get inside the place you're going to burgle. You do that by picking a lock or maybe you can sneak in through a back door someone left open. Only then, when you're inside, can you carry out the crime. Technologist Christopher Soghoian says it's the same thing when you attack a computer network.
CHRISTOPHER SOGHOIAN: You need a way of getting in the door. You need a way of getting into the system that you're hacking into, whether it's the computer of a surveillance target or the computer running a nuclear power plant. So you need a way in.
GJELTEN: Once you've found that way in, once you've penetrated a network, you instruct the computer to do what you want. But these are separate operations, and Soghoian says the first step in a cyber-attack is often the most challenging.
SOGHOIAN: The code that you run that steals data, that taps the microphone, this is easy stuff to write. The code that gets in the door is really sophisticated, very difficult and completely unregulated.
GJELTEN: Here's the trick. All computer systems linked to the Internet use applications like Internet Explorer or Adobe. These programs inevitably have bugs in them. Some are security flaws. They're like that back door someone neglected to lock. Cyber researchers call these bugs vulnerabilities because they expose the program to intruders just as an open window makes a house vulnerable to burglary.
When security researchers found these bugs in the past, they'd report them to the software manufacturer so they could be patched. But then the cyber weapon designers came along and set their sights on the vulnerabilities. They'd actually call them back doors because they could serve as back doors into a network.
They didn't want to patch them. They wanted to exploit them. The weapon designers especially liked the vulnerabilities nobody else knew about. In cyberspeak these are called zero days or 0-days. Richard Bejtlich, a former cyber specialist in the Air Force, remembers the time back in the '90s when he first realized a software vulnerability was something a cyber weapon designer could exploit.
RICHARD BEJTLICH: Myself and a couple other guys, we found a zero day vulnerability in Cisco routing equipment, and we looked at it and we said, did we really find this? We can really get into these Cisco routers? Yes, we can. So what did we do? Called up Cisco, told them, hey, we found this vulnerability, and they go, thank you for telling us, we'll work on fixing it.
A couple days later, I'm talking to some of my friends who work on the offensive side of the unit and I said, yeah, we actually reported this 0-day to Cisco. And they said, you did what? Why didn't you tell us? We could have used this to get into all these various hard targets.
GJELTEN: To Bejtlich, a software flaw was a mistake to be corrected. But that was the view from the defensive side. Air Force guys assigned to offensive cyber operations saw that software flaw as an open door into the network they were trying to attack.
BEJTLICH: We actually had a standing order past that point that said if you find something, you don't tell the vendor, you need to tell the offensive side, and then they'll decide what to do about it.
GJELTEN: What this means is that if the military thinks a software flaw can be used for a cyber weapon, it may not want anyone else to know about it. Christopher Soghoian with the Speech Privacy and Technology Project at the ACLU says consumers, individuals and businesses could be the losers here.
SOGHOIAN: I don't think they realize that their government knows about flaws that could be fixed and is sitting on them and exploiting them against other people rather than having them fixed.
GJELTEN: That's just one issue. There's more. The greater interest there is in a capability to launch cyber attacks, the more demand there is for those software vulnerabilities, the back doors that allow an attacker to sneak into someone's network. There's now a global market for back doors. Soghoian says private researchers who discover a software flaw have a choice - alert the manufacturer and maybe get a little reward or share that vulnerability with a potential cyber-attacker for a big payoff.
SOGHOIAN: For every researcher who's doing the right thing and getting, you know, the modest gift, there are plenty of researchers who are selling these things for what they deem to be the true market value. And the true market value is whatever governments and their middlemen are willing to pay.
GJELTEN: Former Air Force officer Richard Bejtlich is on the private side himself now, as chief security officer at Mandiant, a cyber consultancy. He's not in the business of selling vulnerabilities to the highest bidder, but he knows other people who are.
BEJTLICH: There seems to have been an explosion of interest in the last maybe two years, where the hot thing to do is to found a company with five of your buddies who are all really good at finding vulnerabilities and just start making money.
GJELTEN: Essentially we're talking here about a cyber arms market. Not surprisingly, it operates mostly in the shadows, but at a conference last weekend I caught up with one seller of back door vulnerabilities. His name is Donato Ferrante. He says he advertises his vulnerabilities through an email list. Clients see what back doors he has found into which software products, but they get only the barest information about the vulnerability.
DONATO FERRANTE: If the customer wants to use the vulnerability, the customer needs to buy the vulnerability. This is just a sort of, you know, portfolio and then the customer needs to buy the details.
GJELTEN: And would you sell them?
FERRANTE: I mean if they want to buy, yeah. I mean this is our job. It's business.
GJELTEN: It's business. Between the U.S. military, law enforcement and intelligence agencies, the U.S. government is a big buyer of vulnerabilities or back doors. But it's not only the U.S. developing cyber weapons. So are other governments. Private companies wanting to penetrate an adversary's network may also be in the market for back doors. So could cyber criminals, for that matter, or even groups plotting a cyberterrorist attack.
No wonder vulnerability sellers don't want to say much about their business. Donato Ferrante says he's based in Europe, but won't say which country. I want to know more.
What's this world like that you work in?
FERRANTE: It's just, you know, I don't see, you know, bad guys or good guys. It's just business.
GJELTEN: No bad guys or good guys, just clients. After all, Ferrante says, he's just selling information.
FERRANTE: The way the information, you know, would be used, it's up to the customer. It's not, you know, up to us.
GJELTEN: At the moment, there is virtually no regulation of the back door market in the United States, no mandatory reporting of vulnerability sales, for example. Richard Bejtlich of Mandiant.
BEJTLICH: I am shocked that this has not been regulated, because to me it would be so easy for a legislator to say, we're going to do arms control. We're going to keep this out of the hands of the bad guys. You're going to need a license to have these tools. And who's going to stand up and say, no, you have to have cyber weapons.
I mean, if you wanted to look for an easy way to have legislators appear to be doing something, this would be it.
GJELTEN: But developments in cyber warfare and cyber weaponry are moving so fast that our thinking about this new domain of combat and crime just can't keep pace. And it's not just governments finding new ways to attack each other. Private firms frustrated by their inability to defend their networks against cyber-attacks are increasingly going on the offense themselves. That story tomorrow. Tom Gjelten, NPR News. Transcript provided by NPR, Copyright NPR.