As Eisenhower warned of the undue influence of the military industrial complex in the twentieth century, so to we need worry about the cyber-contractor industrial complex of the twenty first.
As Edward Snowden’s name bounces through the media, the word contractor is often attached to it. Outside help, the word often denotes. The United States defense department has heavily leaned on contractors during the last decade: sometimes it’s because extra manpower is needed, sometimes it’s because a specialist skill can’t be found within existing staff.
Contractors play a sizeable role in cyberwarfare. Given the rapid expansion of cyberwarfare capabilities in the last few years, contractors play a large and diverse role in the cyber-battle since sufficient manpower can’t be found in the current ranks. While US intelligence officials develop the cyber equivalent of a smart bomb — weapons such as Stuxnet — internally, they lean on contractors to provide the “small arms” in the cyber fight: the low level exploits that make up smaller parts of the larger puzzle. These “small arms” are exploits for operating systems and web browsers that allow for malicious code execution.
There’s big money in developing these exploits. At CanSecWest, held earlier this year in Vancouver, over half a million dollars in prizes for exploits was on the line in a contest sponsored by Hewlett Packard’s Zero Day Initiative. A conference center in a city best known for its hippy politics and anti-war protests was quietly turned into a cyber small-arms bazaar as contractors pitted their exploits against the latest patched versions of operating systems and web browsers.
To the untrained observer, what happens at CanSecWest is far from interesting. Code is delivered to a system and a calculator pops up on screen as proof the code was successfully executed. Not exactly spectator material.
A murky world
The interesting aspect of CanSecWest happens behind closed doors. Once a vulnerability has been proven, its proprietors are taken into another room to demonstrate it again with a vendor representative present then release the rights to the vulnerability brokerage.
With the exception of Google’s Pwnium contest, most of the exploits developed at CanSecWest (and other events like it) are sold to a brokerage which auctions them off to the highest bidder. A brokerage, such as HP’s Zero Day Initiative, will try to make contact with the vendor to advise them of the bug. At the same time, the brokerage will be disclosing to its own customers how to mitigate the impact of the vulnerability. If the vendor does not acknowledge the brokerage’s repeat attempts to make contact, the principles of responsible disclosure — which most brokerages swear to abide by — dictate that the vulnerability can be released into wild via posted security advisories.
Chaouki Bekrar, the CEO of VUPEN, a security consultancy with a rockstar like presence at these events, has stated on numerous occasions that his firm only sells to governments and never vendors.
“We wouldn’t share this with Google for even $1 million,” Bekrar said in an interview with Forbes. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
In an interview with Security Week Bekrar said that VUPEN’s original business model was selling the bugs back to the vendors, but vendors generally proved to be uninterested in working with the company for a fee. The company evolved, and shifted its business model to offer both “defensive” and “offensive” security services. When asked about his current client list, Bekrar won’t elaborate who’s on the list because of a “firewall” around it but he stresses his company only sells to NATO-aligned states.
“It’s a very secret business,” Bekrar told Security Week. “It allows governments to achieve offensive missions as part of their lawful intercept missions.”
VUPEN is not alone in the business of selling exploits to governments. Arguably the most famous, or notorious, merchant of bugs is Gamma International, maker of the FinFisher suite. FinFisher has been used by the Egyptian government and Bahraini government to spy on dissidents, which brought the NGO Reporters Without Borders to call the company one of the “Corporate Enemies of the Internet” and a “digital mercenary”.
Bekrar, however, shrugs off accusations that what he sells, or his business model, is anything as as such.
“The offensive model is really misunderstood by people, he said.” “When we sell offensive services to government agencies it helps them fight crime. They use these exploits as part of criminal investigations. They don’t use it to spy on people.”
Bekrar takes a libertarianish view of the power of exploits. He seems them as a tool, but not the root of oppression.
“Exploits do not kill. Computers do not kill. If a regime wants to spy on people they have old school methods. They don’t need zero-day exploits,” he said to Security Week. “I don’t believe exploits are a threat to privacy, a threat to dissidents. The real threat to dissidents is the regime.”
Bekrar’s attitude towards the relationship between government and exploit brokers has drawn a sizeable share of critics.
Beware the cyber-contractor industrial complex
Having an edge in cyber warfare is a necessity in the twenty first century. Since having a strong standing cyber army doesn’t necessarily require a large economy to support it. Thus, cyberwarfare is the great equalizer. Hegemons like the United States might be brought to their knees by a cyber army of a developing country.
With cyber warfare comes the use of contractors. Booz Allen Hamilton’s Snowden; VUPEN. It’s a necessity for governments as they might not have the available talent in their current ranks.
But who is keeping an eye on the burgeoning cyber-contractor industrial complex? 4.86 million US government employees and contractors have security clearances, and hundreds of firms have contracts to play a role in cyber security efforts in defense and law enforcement.
Without increased oversight, the cyber leviathan is sure to grow big and unwieldy. The worldwide push for cyber armaments is sure to make profiteers and cowboys out of some. Booz Allen Hamilton and VUPEN may become the Lockheed Martin and Remington of the twenty first century.
As Eisenhower warned of the undue influence and profiteering of the military industrial complex in the twentieth century, lawmakers and citizens need to be concerned about the role of the cyber-contractor industrial complex of the twenty first century.
Where do VUPEN’s exploits, its weapons, wind up? Are they being used against dissidents in Turkey? Are they being transferred via third party countries (that are in NATO) to rogue states or oppressive regimes? Traditional weapons are frequently trafficked this way — what’s to say cyber weapons that can fit on a USB drive, not a tanker container, aren’t. It might not be above some ethically devoid contractors to sell to both sides in a conflict. Given the culture of secrecy and lack of transparency within the sector we may never know.