When the Pentagon launched its much-anticipated “Strategy for Operating in Cyberspace” in July 2011, it appeared the US military was interested only in protecting its own computer networks, not in attacking anyone else’s. “The thrust of the strategy is defensive,” declared Deputy Secretary of Defense William Lynn. The Pentagon would not favor the use of cyberspace “for hostile purposes.” Cyber war was a distant thought. “Establishing robust cyber defenses,” Lynn said, “no more militarizes cyberspace than having a navy militarizes the ocean.”
That was then. Much of the cyber talk around the Pentagon these days is about offensive operations. It is no longer enough for cyber troops to be deployed along network perimeters, desperately trying to block the constant attempts by adversaries to penetrate front lines. The US military’s geek warriors are now prepared to go on the attack, armed with potent cyberweapons that can break into enemy computers with pinpoint precision.
The new emphasis is evident in a program launched in October 2012 by the Defense Advanced Research Projects Agency (DARPA), the Pentagon’s experimental research arm. DARPA funding enabled the invention of the Internet, stealth aircraft, GPS, and voice-recognition software, and the new program, dubbed Plan X, is equally ambitious. DARPA managers said the Plan X goal was “to create revolutionary technologies for understanding, planning, and managing cyberwarfare.” The US Air Force was also signaling its readiness to go into cyber attack mode, announcing in August that it was looking for ideas on how “to destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.”
The new interest in attacking enemies rather than simply defending against them has even spread to the business community. Like their military counterparts, cybersecurity experts in the private sector have become increasingly frustrated by their inability to stop intruders from penetrating critical computer networks to steal valuable data or even sabotage network operations. The new idea is to pursue the perpetrators back into their own networks. “We’re following a failed security strategy in cyber,” says Steven Chabinsky, formerly the head of the FBI’s cyber intelligence section and now chief risk officer at CrowdStrike, a startup company that promotes aggressive action against its clients’ cyber adversaries. “There’s no way that we are going to win the cybersecurity effort on defense. We have to go on offense.”
The growing interest in offensive operations is bringing changes in the cybersecurity industry. Expertise in patching security flaws in one’s own computer network is out; expertise in finding those flaws in the other guy’s network is in. Among the “hot jobs” listed on the career page at the National Security Agency are openings for computer scientists who specialize in “vulnerability discovery.” Demand is growing in both government and industry circles for technologists with the skills to develop ever more sophisticated cyber tools, including malicious software—malware—with such destructive potential as to qualify as cyberweapons when implanted in an enemy’s network. “Offense is the biggest growth sector in the cyber industry right now,” says Jeffrey Carr, a cybersecurity analyst and author of Inside Cyber Warfare. But have we given sufficient thought to what we are doing? Offensive operations in the cyber domain raise a host of legal, ethical, and political issues, and governments, courts, and business groups have barely begun to consider them.
The move to offensive operations in cyberspace was actually under way even as Pentagon officials were still insisting their strategy was defensive. We just didn’t know it. The big revelation came in June 2012, when New York Times reporter David Sanger reported that the United States and Israel were behind the development of the Stuxnet worm, which had been used to damage computer systems controlling Iran’s nuclear enrichment facilities. Sanger, citing members of President Obama’s national security team, said the attacks were code-named Olympic Games and constituted “America’s first sustained use of cyberweapons.” The highly sophisticated Stuxnet worm delivered computer instructions that caused some Iranian centrifuges to spin uncontrollably and self-destruct. According to Sanger, the secret cyber attacks had begun during the presidency of George W. Bush but were accelerated on the orders of Obama. The publication of such a highly classified operation provoked a firestorm of controversy, but government officials who took part in discussions of Stuxnet have not denied the accuracy of Sanger’s reporting. “He nailed it,” one participant told me.
In the aftermath of the Stuxnet revelations, discussions about cyber war became more realistic and less theoretical. Here was a cyberweapon that had been designed and used for the same purpose and with the same effect as a kinetic weapon: like a missile or a bomb, it caused physical destruction. Security experts had been warning that a US adversary could use a cyberweapon to destroy power plants, water treatment facilities, or other critical infrastructure assets here in the United States, but the Stuxnet story showed how the American military itself could use an offensive cyberweapon against an enemy. The advantages of such a strike were obvious. A cyberweapon could take down computer networks and even destroy physical equipment without the civilian casualties that a bombing mission would entail. Used preemptively, it could keep a conflict from evolving in a more lethal direction. The targeted country would have a hard time determining where the cyber attack came from.
In fact, the news that the United States had actually developed and used an offensive cyberweapon gave new significance to hints US officials had quietly dropped on previous occasions about the enticing potential of such tools. In remarks at the Brookings Institution in April 2009, for example, the then Air Force chief of staff, General Norton Schwartz, suggested that cyberweapons could be used to attack an enemy’s air defense system. “Traditionally,” Schwartz said, “we take down integrated air defenses via kinetic means. But if it were possible to interrupt radar systems or surface to air missile systems via cyber, that would be another very powerful tool in the tool kit allowing us to accomplish air missions.” He added, “We will develop that—have [that]—capability.” A full two years before the Pentagon rolled out its “defensive” cyber strategy, Schwartz was clearly suggesting an offensive application.
The Pentagon’s reluctance in 2011 to be more transparent about its interest in offensive cyber capabilities may simply have reflected sensitivity to an ongoing dispute within the Obama administration. Howard Schmidt, the White House Cybersecurity Coordinator at the time the Department of Defense strategy was released, was steadfastly opposed to any use of the term “cyber war” and had no patience for those who seemed eager to get into such a conflict. But his was a losing battle. Pentagon planners had already classified cyberspace officially as a fifth “domain” of warfare, alongside land, air, sea, and space. As the 2011 cyber strategy noted, that designation “allows DoD to organize, train, and equip for cyberspace as we do in air, land, maritime, and space to support national security interests.” That statement by itself contradicted any notion that the Pentagon’s interest in cyber was mainly defensive. Once the US military accepts the challenge to fight in a new domain, it aims for superiority in that domain over all its rivals, in both offensive and defensive realms. Cyber is no exception. The US Air Force budget request for 2013 included $4 billion in proposed spending to achieve “cyberspace superiority,” according to Air Force Secretary Michael Donley.
It is hard to imagine the US military settling for any less, given the importance of electronic assets in its capabilities. Even small unit commanders go into combat equipped with laptops and video links. “We’re no longer just hurling mass and energy at our opponents in warfare,” says John Arquilla, professor of defense analysis at the Naval Postgraduate School. “Now we’re using information, and the more you have, the less of the older kind of weapons you need.” Access to data networks has given warfighters a huge advantage in intelligence, communication, and coordination. But their dependence on those networks also creates vulnerabilities, particularly when engaged with an enemy that has cyber capabilities of his own.
“Our adversaries are probing every possible entry point into the network, looking for that one possible weak spot,” said General William Shelton, head of the Air Force Space Command, speaking at a CyberFutures Conference in 2012. “If we don’t do this right, these new data links could become one of those spots.”
Achieving “cyber superiority” in a twenty-first-century battle space is analogous to the establishment of air superiority in a traditional bombing campaign. Before strike missions begin against a set of targets, air commanders want to be sure the enemy’s air defense system has been suppressed. Radar sites, antiaircraft missile batteries, enemy aircraft, and command-and-control facilities need to be destroyed before other targets are hit. Similarly, when an information-dependent combat operation is planned against an opposing military, the operational commanders may first want to attack the enemy’s computer systems to defeat his ability to penetrate and disrupt the US military’s information and communication networks.
Indeed, operations like this have already been carried out. A former ground commander in Afghanistan, Marine Lieutenant General Richard Mills, has acknowledged using cyber attacks against his opponent while directing international forces in southwest Afghanistan in 2010. “I was able to use my cyber operations against my adversary with great impact,” Mills said, in comments before a military conference in August 2012. “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”
Mills was describing offensive cyber actions. This is cyber war, waged on a relatively small scale and at the tactical level, but cyber war nonetheless. And, as DARPA’s Plan X reveals, the US military is currently engaged in much larger scale cyber war planning. DARPA managers want contractors to come up with ideas for mapping the digital battlefield so that commanders could know where and how an enemy has arrayed his computer networks, much as they are now able to map the location of enemy tanks, ships, and aircraft. Such visualizations would enable cyber war commanders to identify the computer targets they want to destroy and then assess the “battle damage” afterwards. Plan X would also support the development of new cyber war architecture. The DARPA managers envision operating systems and platforms with “mission scripts” built in, so that a cyber attack, once initiated, can proceed on its own in a manner “similar to the auto-pilot function in modern aircraft.” None of this technology exists yet, but neither did the Internet or GPS when DARPA researchers first dreamed of it.
As with those innovations, the government role is to fund and facilitate, but much of the experimental and research work would be done in the private sector. A computer worm with a destructive code like the one Stuxnet carried can probably be designed only with state sponsorship, in a research lab with resources like those at the NSA. But private contractors are in a position to provide many of the tools needed for offensive cyber activity, including the software bugs that can be exploited to provide a “back door” into a computer’s operating system. Ideally, the security flaw or vulnerability that can be exploited for this purpose will be one of which the network operator is totally unaware. Some hackers specialize in finding these vulnerabilities, and as the interest in offensive cyber operations has grown, so has the demand for their services.
The world-famous hacker conference known as Defcon attracts a wide and interesting assortment of people each year to Las Vegas: creative but often antisocial hackers who identify themselves only by their screen names, hackers who have gone legit as computer security experts, law enforcement types, government spies, and a few curious academics and journalists. One can learn what’s hot in the hacker world just by
hanging out there.
In August 2012, several attendees were seated in the Defcon cafe when a heavy-set young man in jeans, a t-shirt, and a scraggly beard strolled casually up and dropped several homemade calling cards on the table. He then moved to the next table and tossed down a few more, all without saying a word. There was no company logo or brand name on the card, just this message: “Paying top dollar for 0-day and offensive technologies . . . ” The card identified the buyer as “zer0daybroker” and listed an e-mail address.
A “zero-day” is the most valuable of computer vulnerabilities, one unknown to anyone but the researcher who finds it. Hackers prize zero-days because no one knows to have prepared a defense against them. The growing demand for these tools has given rise to brokers like Zer0day, who identified himself in a subsequent e-mail exchange as “Zer0 Day Haxor” but provided no other identifying information. As a broker, he probably did not intend to hack into a computer network himself but only to act as an intermediary, connecting sellers who have discovered system vulnerabilities with buyers who want to make use of the tools and are willing to pay a high price for them.
In the past, the main market for these vulnerabilities was software firms themselves who wanted to know about flaws in their products so that they could write patches to fix them. Big companies like Google and Microsoft employ “penetration testers” whose job it is to find and report vulnerabilities that would allow someone to hack into their systems. In some cases, such companies have paid a bounty to freelance cyber researchers who discover a vulnerability and alert the company engineers. But the rise in offensive cyber operations has transformed the vulnerability market, and hackers these days are more inclined to sell zero-days to the highest bidder.
In most cases, these are governments. The market for back-door exploits has been boosted in large part by the burgeoning demand from militaries eager to develop their cyber warfighting capabilities. The designers of the Stuxnet code cleared a path into Iranian computers through the use of four or five separate zero-day vulnerabilities, an achievement that impressed security researchers around the world. The next Stuxnet would require the use of additional vulnerabilities. “If the president asks the US military to launch a cyber operation in Iran tomorrow, it’s not the time to start looking for exploits,” says Christopher Soghoian, a Washington-based cybersecurity researcher. “They need to have the exploits ready to go. And you may not know what kind of computer your target uses until you get there. You need a whole arsenal [of vulnerabilities] ready to go in order to cover every possible configuration you may meet.”
Not surprisingly, the National Security Agency—buying through defense contractors—may well be the biggest customer in the vulnerability market, largely because it pays handsomely. The US military’s dominant presence in the market means that other possible purchasers cannot match the military’s price. “Instead of telling Google or Mozilla about a flaw and getting a bounty for two thousand dollars, researchers will sell it to a defense contractor like Raytheon or SAIC and get a hundred thousand for it,” says Soghoian, now the principal technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union and a prominent critic of the zero-day market. “Those companies will then turn around and sell the vulnerability upstream to the NSA or another defense agency. They will outbid Google every time.”
The government customers may be intelligence or law enforcement agencies who need to know about software vulnerabilities in order to hack into the computers and phones of suspected criminals or intelligence targets. Private companies who have been repeatedly penetrated and are looking to retaliate may also be customers. The vulnerability market has developed to such a point that entire security companies are now devoting themselves exclusively to the discovery and sale of these exploits. Some deal strictly with US government agencies or the defense contractors that act on their behalf, but other companies (and individuals) deal with foreign buyers as well. Perhaps the most prominent is Vupen, a French security firm that sells exploits to a variety of governments.
According to the Vupen website, the company sees itself as “the leading source of advanced vulnerability research.” It describes its role as providing “government-grade exploits specifically designed for the intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions. . . . Our offensive and exclusive exploits take advantage of undisclosed zero-day vulnerabilities discovered by Vupen researchers and bypass all modern
Vupen executives note that they do business only with government agencies, not private buyers, and that the company “has chosen to comply” with European and international regulations restricting technology exports (emphasis added). They say they will not do business in countries subject to US or international sanctions. But the idea of a private company openly boasting of its business record selling hacker secrets and bypassing security protections seems odd at a time when so much of the cybersecurity community is focused on defending computer networks and boosting security protections. And the company’s hint that its compliance with international standards is voluntary, not required, underscores the possibility that other dealers in the shadowy vulnerability market may be willing to sell to more questionable clients.
Soghoian, the ACLU technologist, is among those who say the vulnerability market needs some regulation, such as mandatory reporting of sales transactions. Like other critics, he warns of the possibility that a zero-day vulnerability or some other exploit sold with no questions asked may end up in the wrong hands and get used in an attack on financial institutions or critical infrastructure assets. “The existence of this market is
terrifying,” he says.
Offensive operations in cyberspace have expanded so rapidly in recent years that legal, regulatory, and ethical analyses have not kept up. The development of the zero-day market, the inclination of some private companies to mimic the Pentagon by going on the offense rather than continuing to depend on defensive measures to protect data, the design and development of cyberweapons, and the governmental use of such weapons against unsuspecting targets all raise serious and interesting questions, and the answers are far from obvious.
Given the destructive use to which they could be put, the lack of transparency in the buying and selling of zero-days may be problematic. The consequence could be the development of a global cyber arms bazaar, where criminals or terrorist groups could potentially find tools to use. The US government regulates the export of sensitive technologies out of a fear that adversaries could use them in a way hostile to US interests, but whether such restrictions apply to the sale of zero-day vulnerabilities is not entirely clear. Current law restricts the export of “encryption commodities and software that provide penetration capabilities that are capable of attacking, denying, disrupting, or otherwise impairing the use of cyber infrastructure or networks.”
Does that language cover the possibility that some researcher or broker may try to sell a back-door exploit, or even a cyberweapon, to a foreign agent who could put it to destructive use? “I think it does cover the export of some kinds of cyberweapons,” says Washington lawyer Roszel Thomsen, who helped write the regulations and specializes in export control law. But other specialists are not convinced.
There is also the legal question of whether private firms who have been subject to cyber attacks can legally strike back against attackers who penetrate their networks and steal their data. Steven Chabinsky, formerly the top cyber lawyer at the FBI, argues that if a company can identify the server from which a cyber attack originated, it should be able to hack into that server to delete or retrieve its stolen data. “It is universally accepted that in the physical world you have the right to protect your property without first going to law enforcement,” Chabinsky argued at a recent cyber symposium.
Other computer consultants have a different view. “I get asked this all the time,” said Richard Bejtlich, chief security officer at Mandiant, a prominent cybersecurity firm, speaking at the Air Force’s CyberFutures conference. “People in hacked companies want to hit back. ‘We want to go get these guys,’ they tell us. But almost always, our lawyers say, ‘Absolutely not.’”
In addition, there are policy questions raised by the escalating government investment in offensive cyber war capabilities. One fear is that each new offensive cyberweapon introduced into use will prompt the development of an even more lethal weapon by an adversary and trigger a fierce cyber arms race. A hint of such an escalatory cycle may be seen in the confrontation with Iran over its nuclear program. US officials suspect the Iranian government was responsible for the recent wave of cyber attacks directed against Aramco, the Saudi oil company, and may also have been behind a series of denial-of-service attacks on US financial institutions. Such attacks could be in retaliation for the Stuxnet worm.
Some writers foresee a dangerous new world, created by the United States and Israel with the deployment of Stuxnet. Misha Glenny, writing in the Financial Times, argued that the tacit US admission of responsibility for Stuxnet will act “as a starting gun; countries around the world can now argue that it is legitimate to use malware pre-emptively against their enemies.” One danger is that US adversaries, notably including Russia and China, may now cite the use of Stuxnet to support their argument that an international treaty regulating the use of cyberweapons may be needed. The United States has long opposed such a treaty on the grounds that it would undermine its own technological advantages in cyberspace and could also lead to efforts to regulate the Internet in ways that would harm freedom of expression and information.
Some of these issues will be resolved as cyber activities mature and the cyber domain becomes more established. The US military as yet has not set up its own rules of engagement for cyber conflict, even though the head of the US Cyber Command, Army General Keith Alexander, says they are necessary. Neither has the US government articulated a “declaratory policy” regarding the use of cyberweapons analogous to government statements on when and where nuclear weapons may be used.
All these are serious issues. It is now obvious that adversarial actions in cyberspace have fundamentally changed warfighting, crime, espionage, and business competition. Our institutions must adapt to this new reality, and quickly, or we will face the danger of cyber chaos and anarchy.
Tom Gjelten is a correspondent for NPR.