Let’s start this article with a simple question: do you know what a software bug is? Just to be sure, here’s a quick reminder:
“A software bug is an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.” (Wikipedia)
In our societies, mostly powered by computers, bugs are like real-life cheat codes. They could give you the power to break the matrix and do good or bad without ever leaving your comfortable seat. The first to understand this were intelligence agencies all around the world.
You wouldn’t be surprised if I told you that these same people are actually stockpiling every unreported bug as a potential cyberweapon.
Bug Bounties and the way things are supposed to work
Depending on the type of behavior, a bug can be quite valuable to discover. That’s why software companies try to encourage bug reporting by offering IT professionals and hackers who find them a “bug bounty” of up to several thousand dollars.
For instance, Twitter recently offered some $20,160.00 for a report of a potential pre-auth remote code execution on Twitter’s virtual private network.
However, if these bugs are kept secret from the vendor, they become zero-day exploits for organizations such as the CIA or any other government intelligence agency. The “Vault 7” leak on WikiLeaks revealed a culture wielding incredible power by hoarding these exploits at the expense of everyday citizens who rely on vulnerable infrastructure to run their lives.
These “superpowers” give criminals and government agencies the option to “skip” legal, constitutional, and technical questions raised by their behavior.
Even if companies offer bounties of up to a few thousand dollars for serious, newsworthy bugs, such efforts are meaningless with governments paying far more to keep these zero-day exploits secret.
Today, hackers are offered far more to keep truly valuable exploits secret, particularly ones that compromise users’ privacy by simplifying cyber espionage.
While some reward miles from United Airlines might be alluring to an aspiring hacker, an exploit allowing tracking of international travel patterns might be worth real cash to a cyber-arms broker or government agency.
Bugs as 0Day Exploits
There’s a saying about artillery that applies to cyberweapons: “If the enemy is in range, so are you.” It doesn’t take a lot of common sense to realize an exploit won’t remain secret if you try to warn some people about it but not others, leaving you just as exposed as the intended targets.
The revelation of the advanced capabilities of the NSA badly damaged faith in American tech companies. In response, the Obama administration acknowledged that it was possibly not a great idea to have all these great weapons that rely on zero-day exploits in devices American infrastructure runs on.
The administration, in the interest of national security, agreed to "release" critical bugs to vendors to enable the “hardening” of American devices and infrastructure.
On the other side, many companies have sprung up that couldn’t care less about the bounties offered by software companies, such as the French company Vupen, run by Chaouki Bekrar. When they attend hacking competitions, they keep the most valuable exploits for themselves.
“We wouldn’t share this with Google for even $1 million,” Bekrar told Forbes. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
The Vault 7 leaks have shown a culture that directly contradicts the Obama administration’s position, leading some security researchers to take the selling of zero-day exploits as a foregone conclusion.
Indeed, this precious leak showed that the CIA went against the administration’s policy, choosing instead to hoard exploits in a growing arms race in cyberwarfare capabilities between superpowers such as the US, China, and Russia.
These weapons aim to cause casualties, damage, and destruction with a new type of warfare that has never been possible to wage before. Hoarding these zero days has real-world consequences for users of these compromised devices, fueling a black market in cyberweapons that is just impossible to control.
The Rise of Private Military Contractors in Cyberwarfare
In war, PMCs (private military contractors) have been providing cost-saving value for governments since the invasions of Iraq and Afghanistan. Companies like Blackwater offered to solve problems the US government needed solved, and this has caused an explosion in the private arms market.
The legal showdown prompted by the FBI’s demand to Apple to produce iPhone malware drew international attention, but was suddenly resolved with a payment to an outside cybersecurity company. Just like that, a private contractor made over a million dollars to circumvent a legal process for the FBI. In fact, this is pretty common, with private cyberweapon marketplaces doing as much as $100,000,000 annually in sales.
This incident shed light on a growing trend of cyber mercenaries where companies specialize in weaponizing zero-day exploits for whoever pays them to. Like traditional arms brokers, the best paying customers are often those looking to do something illegal, criminal, or in violation of human rights. Groups like Hacking Team have been widely accused of enabling human rights abuses and selling cyberweapons to whoever will pay them, putting anyone with vulnerable devices at risk.
These weapons are known to proliferate and turn up domestically, trickling down to the civilian market as “spouse tracking” or “catch my spouse cheating” spyware to enable harassment, stalking, extortion, and other illegal activity. In particular, journalists and vulnerable people are routinely targeted by these less-elegant exploits of common vulnerabilities. But for hackers wanting to get paid, it’s often more profitable to sell interesting bugs to spies than to worry about end users affected by the vulnerabilities.
The Growing Arsenal of Weapons Targeting an Increasingly Connected World
As our lives become increasingly influenced by connected devices, it has never been easier to cause damage through the weaponized use of exploits. Once limited to taking down websites or erasing data, cyberweapons in 2019 have the capability to kill people and destroy physical infrastructure.
A tense political situation has caused an explosion in the growth of cyberweapons, with the military pumping government funds into the private sector to create new and more lethal weapons.
Unlike nuclear or conventional weapons, these weapons can be copied, transported, and used across the globe in a matter of seconds. The political value of these weapons, and the dazzling scope of power they provide, has led organizations like the CIA (again) to create new and more interesting ways to make people vulnerable through the devices around them.
Between the black and grey cyberweapons markets of zero-day exploits, and the government-funded creation of more, these tools are growing increasingly sophisticated and powerful in scope. Thanks to the explosion in malware availability, users of modern technology globally are vulnerable to weapons that allow political control, extortion, and even national acts of sabotage or war.
In recent attacks in Ukraine, Russia has deployed increasingly sophisticated cyberweapons in conjunction with disinformation attacks that deny citizens the right to an impartial understanding of the world around them.
The ability to present a person with false information from a supposedly trusted source and invade their private life represents a level of control and manipulation that can be abused and automated to a terrifying degree.
From invasive data collection, to targeted disinformation campaigns, to automated exploits of zero-day vulnerabilities, most users are unprotected against this kind of interference in their everyday lives.
When Governments Stockpile Vulnerabilities, Private Citizens Lose Around the World
An increasingly tense geopolitical situation is causing governments around the world to stockpile cyberweapons capable of destroying critical infrastructure and causing loss of life, while quietly testing and refining these weapons in global conflicts.
These weapons only work when governments pay to keep knowledge of these bugs secret and cyberweapons dealers accept payment to turn a blind eye to how their tools are used.
Everything from our traffic patterns to our understanding of what time it is relies on technology today. As we advance into a world of further automation and trust in the devices around us to run our lives and shape our understanding, we confront the new reality of where technology fits into our lives today.
Rather than safeguarding the world’s growing reliance on technology by disclosing and advancing development of zero-day vulnerabilities, the world’s governments are stockpiling methods of committing a new frontier of attacks against populations never targeted by such sophisticated weapons before.
Users and developers of cyberweapons insist that the capacity is needed to track down terrorists and criminals using encryption and other methods that make them hard to trace. Copying these weapons, however, takes only a moment, and NSA tools developed to invade computer systems were recently lost only to resurface on the black market.
Criminals can buy software to spy on government employees, shut down power stations, disable metro fare collectors, or encrypt millions of dollars worth of data thanks to the diligent efforts of the NSA and private contractors working to satisfy government contracts.
As shown by the CIA leaks, the casual way in which government agencies have begun to share purchased or developed exploits increases the proliferation of highly sophisticated malware and worsens the risk of it falling into the wrong hands.
Vault 7 documents show that the US and UK governments pay to join in on the fun of exploiting vulnerable devices under the promise to not warn vulnerable users in their own country or use the weapon on each other’s citizens—even though they could.
The grey market purchase of a zero-day exploit in the Apple showdown prevented a potential constitutional confrontation that could have had far-reaching implications for digital privacy in America. Today, the cyber gray and black market provides governments a relief valve to attack the technology we rely on for privacy without outlawing encryption itself.
As these weapons grow in power and scale, we, as citizens, need to debate and decide whether contributing to today’s stockpile of cyberweapons is worth putting the people around us, or around the world, at risk of having these tools used against them.