The Cyberwar Industrial Complex

June 13th, 2013

Via: Wired:

In short, despite the sequestration, layoffs, and furloughs in the federal government, it’s a boom time for Alexander. In April, as part of its 2014 budget request, the Pentagon asked Congress for $4.7 billion for increased “cyberspace operations,” nearly $1 billion more than the 2013 allocation. At the same time, budgets for the CIA and other intelligence agencies were cut by almost the same amount, $4.4 billion. A portion of the money going to Alexander will be used to create 13 cyberattack teams.

What’s good for Alexander is good for the fortunes of the cyber-industrial complex, a burgeoning sector made up of many of the same defense contractors who grew rich supplying the wars in Iraq and Afghanistan. With those conflicts now mostly in the rearview mirror, they are looking to Alexander as a kind of savior. After all, the US spends about $30 billion annually on cybersecurity goods and services.

In the past few years, the contractors have embarked on their own cyber building binge parallel to the construction boom at Fort Meade: General Dynamics opened a 28,000-square-foot facility near the NSA; SAIC cut the ribbon on its new seven-story Cyber Innovation Center; the giant CSC unveiled its Virtual Cyber Security Center. And at consulting firm Booz Allen Hamilton, where former NSA director Mike McConnell was hired to lead the cyber effort, the company announced a “cyber-solutions network” that linked together nine cyber-focused facilities. Not to be outdone, Boeing built a new Cyber Engagement Center. Leaving nothing to chance, it also hired retired Army major general Barbara Fast, an old friend of Alexander’s, to run the operation. (She has since moved on.)

Defense contractors have been eager to prove that they understand Alexander’s worldview. “Our Raytheon cyberwarriors play offense and defense,” says one help-wanted site. Consulting and engineering firms such as Invertix and Parsons are among dozens posting online want ads for “computer network exploitation specialists.” And many other companies, some unidentified, are seeking computer and network attackers. “Firm is seeking computer network attack specialists for long-term government contract in King George County, VA,” one recent ad read. Another, from Sunera, a Tampa, Florida, company, said it was hunting for “attack and penetration consultants.”

One of the most secretive of these contractors is Endgame Systems, a startup backed by VCs including Kleiner Perkins Caufield & Byers, Bessemer Venture Partners, and Paladin Capital Group. Established in Atlanta in 2008, Endgame is transparently antitransparent. “We’ve been very careful not to have a public face on our company,” former vice president John M. Farrell wrote to a business associate in an email that appeared in a WikiLeaks dump. “We don’t ever want to see our name in a press release,” added founder Christopher Rouland. True to form, the company declined wired’s interview requests.

Perhaps for good reason: According to news reports, Endgame is developing ways to break into Internet-connected devices through chinks in their antivirus armor. Like safecrackers listening to the click of tumblers through a stethoscope, the “vulnerability researchers” use an extensive array of digital tools to search for hidden weaknesses in commonly used programs and systems, such as Windows and Internet Explorer. And since no one else has ever discovered these unseen cracks, the manufacturers have never developed patches for them.

Thus, in the parlance of the trade, these vulnerabilities are known as “zero-day exploits,” because it has been zero days since they have been uncovered and fixed. They are the Achilles’ heel of the security business, says a former senior intelligence official involved with cyberwarfare. Those seeking to break into networks and computers are willing to pay millions of dollars to obtain them.

According to Defense News’ C4ISR Journal and Bloomberg Businessweek, Endgame also offers its intelligence clients—agencies like Cyber Command, the NSA, the CIA, and British intelligence—a unique map showing them exactly where their targets are located. Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what’s called network situational awareness. The client locates a region on the password-protected web-based map, then picks a country and city— say, Beijing, China. Next the client types in the name of the target organization, such as the Ministry of Public Security’s No. 3 Research Institute, which is responsible for computer security—or simply enters its address, 6 Zhengyi Road. The map will then display what software is running on the computers inside the facility, what types of malware some may contain, and a menu of custom-designed exploits that can be used to secretly gain entry. It can also pinpoint those devices infected with malware, such as the Conficker worm, as well as networks turned into botnets and zombies— the equivalent of a back door left open.

Bonesaw also contains targeting data on US allies, and it is soon to be upgraded with a new version codenamed Velocity, according to C4ISR Journal. It will allow Endgame’s clients to observe in real time as hardware and software connected to the Internet around the world is added, removed, or changed. But such access doesn’t come cheap. One leaked report indicated that annual subscriptions could run as high as $2.5 million for 25 zero-day exploits.

The buying and using of such a subscription by nation-states could be seen as an act of war. “If you are engaged in reconnaissance on an adversary’s systems, you are laying the electronic battlefield and preparing to use it,” wrote Mike Jacobs, a former NSA director for information assurance, in a McAfee report on cyberwarfare. “In my opinion, these activities constitute acts of war, or at least a prelude to future acts of war.” The question is, who else is on the secretive company’s client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish. “It should be illegal,” says the former senior intelligence official involved in cyber­warfare. “I knew about Endgame when I was in intelligence. The intelligence community didn’t like it, but they’re the largest consumer of that business.”

Thus, in their willingness to pay top dollar for more and better zero-day exploits, the spy agencies are helping drive a lucrative, dangerous, and unregulated cyber arms race, one that has developed its own gray and black markets. The companies trading in this arena can sell their wares to the highest bidder—be they frontmen for criminal hacking groups or terrorist organizations or countries that bankroll terrorists, such as Iran. Ironically, having helped create the market in zero-day exploits and then having launched the world into the era of cyberwar, Alexander now says the possibility of zero-day exploits falling into the wrong hands is his “greatest worry.”

6 Responses to “The Cyberwar Industrial Complex”

  1. savethepopulation Says:

    K,

    I’m curious as to if you use VPN and what you think of VPN subscription? I have been contemplating Cryptohippie, which is said to be the best and recommended by Mark Nestmann and Simon Black of Sovereign Man. But being realistically paranoid, at the end of the day I’d be putting my faith in the people running Crypohippie, who would really know if they’re honest or not.

    I’ve also been wondering about fully encrypting my computer or just encrypting key folders. I’m leaning toward partial-encryption as the full-encryption downside seems to be stability, convenience and not really necessary unless you run a business or something.

  2. Kevin Says:

    I do use a VPN, but not because I think that it protects me from scrutiny by national security organizations, should they take any interest in me. I won’t say which VPN provider I use because people would take that as an endorsement.

    I use TrueCrypt for full disk encryption on all of my drives. This is mainly to make sure that my data would not be compromised in the event that my computer was stolen. As for how well the various TrueCrypt encryption options stand up against attacks by the national security apparatus of a government? Who knows… We never hear about those cases. When encrypted systems are confiscated at airports, for example, we don’t know what happens there.

    We do know, however, that all but the most sophisticated attackers would have a very hard time trying to recover data from a drive that was properly encrypted by TrueCrypt. But those situations in the airports… That’s not law enforcement, or the kid next door.

    I’m not sure why you think FDE affects stability, but that’s not the case at all in my experience. My system is as stable as ever using FDE. FDE via TrueCrypt does affect drive performance, however. Even with a relatively severe hit to SSD performance, I don’t notice it much because the SSD is so much faster than anything I’d used before.

    Be careful with assuming that encrypting individual folders is enough. You might have temp files cached in the clear somewhere outside the container, which could very definitely ruin your day. Under no circumstances should partial encryption be used on SSDs because of wear leveling. If you’re using an SSD, it has to be FDE.

    As usual, batteries not included, your mileage may vary.

  3. Kevin Says:

    I forgot to mention: If you have the right motherboard (I don’t), you might consider a drive that’s capable of hardware based FDE.

    I know, with this crowd, someone is going to suggest ATA Security eXtension BIOS. Thanks, but I’ve already considered that. Let’s just say that I don’t want to risk bricking my system to pull it off. Furthermore, the hardware FDE function on the OCZ Vertex 4 (my SSD) is broken with the current firmware. So……. No full speed hardware encryption for me right now. When I build my next system, though, I’m definitely getting a motherboard that supports ATA drive password and a self encrypting drive.

  4. savethepopulation Says:

    Thanks for the tips, you’re always helpful. I think I will try out Cryptohippie VPN and Truecrypt FDE, I do not have a SSD but a traditional HDD. In terms of computer theft, I placed a password on the HDD so supposedly the typical riff raff wouldn’t be able to access the HDD but I have read that even HDD passwords can be circumvented.

    I do realize that the Stasi can pretty much do whatever they want, but I would rather put up a few layers more of security to ward them and any other evil-doers off. Regarding the temp cache, I would guess clearing it out with CCleaner might help, but you are correct, I’m sure it can be retrieved.

  5. pookie Says:

    pookie doesn’t claim to understand even the basics of cryptology, but here’s her stab at it:

    xp..5iimls bss 922 g;q/sgg
    x[l2 ux2 0b’* lg1s’ mslt9
    mazel tov 9aovww bp yorick

    On Fridays when the moon is waxing, the above means “Fuck the NSA,” but if the JPY is falling against the AUD and the Yankees lost the most recent World Series, then it means “End the Fucking Fed”. But if pookie’s private cellar is all out of her favorite sauvignon blanc, then the above means not only “Fuck the NSA,” but also “and the horse it rode in on”.

  6. Kevin Says:

    haha, pookie. Let the bastards sink their teeth into that for awhile.

Leave a Reply

You must be logged in to post a comment.