US Government is the Largest Purchaser of Hacking Tools

It has been recently revealed that the US Government is the largest purchase of hacking tool.  What?  Did you think that only China was hacking other government?  I guarantee you, everyone is doing it.  Check out this new item from the SANS NewsBites Vol. 15 Num. 038:


 –US Government is the Largest Purchaser of Hacking Tools

(May 10 & 13, 2013)

According to a report from Reuters, the US government is the single largest buyer in the “gray market” of offensive hacking tools. While tools that exploit unknown vulnerabilities provide a tactical advantage, not disclosing the flaws leaves other organizations, including those in the US, vulnerable to attacks. Former high level cybersecurity officials have expressed concern about the situation. Former White House cybersecurity advisor Richard Clarke said, “If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users.” Howard Schmidt, also a former White House cybersecurity advisor, said, “It’s pretty naive to believe that with a newly-discovered zero-day, you are the only one in the world that’s discovered it.” And former NSA director Michael Hayden said that although “there has been a traditional calculus between protecting your offensive capability and strengthening your defense, it might be time now to readdress that at an important policy level.” Paying the vulnerability purveyors for the malware also removes the incentive for talented hackers to inform software makers about the flaws.

[Editor’s Note (Pescatore): Governments are the largest buyers of all offensive weapons and the US government (DoD/Intelligence plus national law enforcement) is usually the largest of the government buyers, so this is sort of a “drug companies are the biggest buyers of opiates” story.

(Assante): The main rus-cyber-command-2010-11-05-398amification of a thriving tools market is greater investment in vulnerability discovery and the development of more powerful tools to assemble and test exploits.  2006 is considered a turning point as the emerging underground tool market breed specialization and provided paths for money to cycle through the system.  Monetization of hacking gains began to feed upstream tool developers and people willing to commit attacks became more reliant on tools that were purchased.  Super buyers will certainly influence this market place, but they are only one category of participant – these markets are here to stay.]

Unfortunately, that is a short sighted and overlooking the implication of such a policy/strategy.  You are leaving your own interests exposed so that you can keep a perceived advantage over your foes.  As stated above, it is naive to think that nobody else has discovered those same zero-day vulnerabilities.  Plus the fact that now the US government has ensured that people who are discovering those vulnerabilities have no incentive to report those flaws to the vendors as it is more lucrative to simply sell that information to the highest bidder.

The proper way to handle the discovery of of zero day vulnerabilities is to:

  1. Disclose the vulnerability to the software vendor privately
  2. Give the vendor a reasonable amount of time in order for them to release a patch/update.
  3. Provide a public disclosure of the vulnerability in a responsible manner.  That public disclosure has two goals:
    1. Put pressure on those vendors that do not produce a patch/update in a timely fashion.
    2. Allow for the organizations affected by the vulnerability to put into place compensating controls in order to protect themselves from the newly discovered vulnerability.

Of course, this assumes that the person who did discover the vulnerability is not making it his goal to generate revenue from those vulnerabilities and is driven by altruistic intentions.  And therein lies the real problem.  That is exactly why we have arms dealers that sell weapons that are used in civil wars and in the perpetration of crimes against humanity.

Unfortunately, I don’t have an answer to that problem…