An analyst looks at code in the malware lab of a cybersecurity defense lab at the Idaho National Laboratory in Idaho Falls, Idaho, Sept. 29, 2011.
In the past, security researchers who stumbled on a software flaw would typically report the flaw to the manufacturer of the software, so it could be fixed. That changed, however, when cyberweapon designers started looking at these flaws as vulnerabilities that could serve as a back door into a computer network. Most prized of all were "zero day vulnerabilities" — flaws whose existence was previously unknown.
Richard Bejtlich was a cyber specialist for the U.S. Air Force in the 1990s, a time when the U.S. military was going on the offense in the cyberwar. He remembers the day he realized how important a software vulnerability can be to a cyberweapons designer.
"Myself and a couple other guys, we found a zero day vulnerability in Cisco routing equipment," Bejtlich recalls. "And we looked at it, and we said, 'Did we really find this? Can we really get into these Cisco routers?' "
They could, and so Bejtlich and his colleagues reported it to Cisco. The company thanked him and said it would be fixed. Days later, he was talking to some friends who worked on the offensive side of the unit, and they had quite a different reaction to them reporting the bug to Cisco.
"They said, 'You did what? Why didn't you tell us? We could have used this to get into all these various hard targets,' " he says.
To Bejtlich, a software flaw was simply a mistake to be corrected. To a cyberweapons designer, however, it was a potential back door into the computer network he wanted to attack.
"We actually had a standing order after that," Bejtlich says, "that said, if you find something, you don't tell the vendor, you tell the offensive side, and they'll decide what to do about it."
A potential loser here, at least in the short run, is the consumer who may be stuck with a flawed piece of software because the government doesn't want anyone to know about the flaw, seeing it as something that could be exploited for the deployment of a cyberweapon.
ACLU technologist Christopher Soghoian, who is something of a privacy activist, says this is something people should know about.
"I don't think your average small business, medium-sized business or Fortune 500 company realizes what's going on here," Soghoian says. "I don't think they realize that their government knows about flaws that could be fixed, and is sitting on them and exploiting them against other people rather than having them fixed."
A good example would be the Stuxnet worm, used by the U.S. and Israel to attack computers controlling nuclear operations in Iran. The designers of Stuxnet took advantage of a software bug in the Microsoft Windows operating system, without alerting Microsoft to the flaw.
The demand for software vulnerabilities has grown to such an extent that the researchers who discover them no longer need to settle for a software vendor sending them a thank-you note, or even a small cash reward. In the context of escalating interest in cyberwar, there is now a growing global demand for the software vulnerabilities — the back doors — that allow an attacker to get inside his enemy's computer network.
"For every researcher who's doing the right thing [by alerting the vendor] and getting the modest gift," Soghoian says, "there are plenty of researchers who are selling these things for what they deem to be the true market value.
"And the true market value is whatever governments and their middlemen are willing to pay."
'It's Just Business'
Former Airman Bejtlich, now the chief security officer at Mandiant, a cybersecurity firm, is not in the business of selling vulnerabilities to the highest bidder, but he knows other cyber people who are.
"There seems to have been an explosion of interest in the last maybe two years," Bejtlich says, "where the hot thing to do is to found a company with five of your buddies who are all really good at finding vulnerabilities and just start making money."
Given that this interest is spurred by the development of secret cyberweapons research, the vulnerability market by necessity operates mostly in the shadows. When the vulnerability traders make a public appearance, it's usually at a conference where hackers and other cyber researchers gather to discuss their latest work.
A vulnerability seller named Donato Ferrante showed up recently at the "Suits and Spooks" conference in Arlington, Va. In an interview with NPR, Ferrante said he advertises his vulnerabilities through an email list. His clients see what vulnerabilities he has found in which products, but Donato gives only the barest of information about the flaws.
"If the customer wants [to] use the vulnerability, the customer needs to buy the vulnerability," Ferrante said. "This is just a sort of portfolio; then the customer needs to buy the details."
Ferrante's company, ReVuln, is the seller. For them, "it's business," he says.
An Unregulated Market
In the U.S., the National Security Agency and other branches of the U.S. military, law enforcement and intelligence agencies are among the biggest buyers of vulnerabilities. But there are other buyers, including any party with an interest in being able to penetrate an adversary's computer network.
Besides the U.S., other governments are also developing cyberweapons. Some private companies may have an interest in penetrating a rival company's network. For that matter, criminal organizations might be interested in purchasing vulnerabilities, or even groups plotting a cyberterrorist attack.
Not surprisingly, vulnerability sellers don't want to say much about their business. Asked where he is based, Ferrante simply says, "Europe," though in a subsequent email he clarifies that he operates out of Malta. He is not eager to describe the world in which he works.
"I don't see bad guys or good guys," Ferrante says. "It's just business."
After all, Ferrante says, ReVuln is only selling information. "The way the information is used is up to the customer; it's not up to us."
There is no regulation of the vulnerability market in the U.S. There is a law prohibiting the export of software that provides penetration capabilities that would enable the users to attack, deny, disrupt or otherwise impair the use of computer infrastructure or networks. But there is no mandatory reporting of vulnerability sales.
If the sellers are not aware of the use to which their vulnerabilities will be put, they may not be prosecutable.
"I am shocked that this has not been regulated," Bejtlich says. "It would be so easy for a legislator to say, 'We're going to do arms control. We're going to keep this out of the hands of the bad guys. You're going to need a license to have these tools.'
"Who's going to stand up and say, 'No, you have to have cyberweapons!' I mean, if you wanted to look for an easy way to have legislators appear to be doing something, this would be it," he says.
The vulnerability trade is just one example of many that indicates how developments in cyberwarfare, and the development of cyberweaponry, are proceeding so quickly that the thinking about how to manage this new domain of warfare is not keeping pace.