Pretty Complex

Modern cyberwarfare and its resulting monetary allocations have significantly impacted the exploit market, but where does that lead?

In October 2018, at a European Union data privacy conference, Apple CEO Tim Cook attacked competitors Facebook and Google. According to Cook, their business models had turned into a "surveillance industry", and he likened their services (unlike Apple's devices, he implied) to a "data industrial complex" [1].

Analysts quickly suggested that Cook's underlying intention might have been to generate better public relations for Apple after several unfriendly articles about Apple's tax-avoidance strategies. However, Cook's comments provoked more than the expected rebukes from Google and Facebook; they also drew the attention of people who have been following American politics and military strategy since WWII.

Many were reminded of US President Dwight D. Eisenhower's legendary farewell address of 1961. The former five-star general and commander of Allied forces in Europe warned the American public about the risks and dangers that the "military-industrial complex" built up during and after WWII posed for the free and democratic Western world. Even though Eisenhower delivered his speech at a time when tanks and oil dominated warfare, some of his words remain as powerful today as they were during the Cold War [2].

Today, this military-industrial complex has advanced into a new domain: If data is the new oil [3], then access to data is crucial for corporate and national prosperity. Detailed information about people and companies is considered the decisive factor in elections, in polls, and in nearly every product's selling point. The more governments and companies know, the better, as witnessed by the size of the NSA's data centers. Needless to say, the Big Four (Facebook, Google, Apple, and Amazon) hold many keys in this game, which also makes them a target for hackers, much as widely used operating systems are targeted. Data breaches happen: In September 2018, Facebook reported a cyberattack that affected 30 million users; just a few weeks later, Google admitted that a bug in a Google Plus API had exposed the profile data of hundreds of thousands of users until it was quietly patched in March 2018. In both cases, ordinary software flaws, not exotic attacks, were behind the exposure of customers' data.

Windows, Android, and iOS are known for their vulnerabilities, as documented in the German Federal Office for Information Security's recent report on the state of IT security [4]. Hackers continue to reveal zero-day exploits (see the "What Is a Zero-Day?" box), like when the researcher known as SandboxEscaper recently disclosed an unpatched Windows privilege-escalation flaw [5]. Security holes like the Bleedingbit vulnerabilities in the Bluetooth Low Energy chips built into Cisco, Meraki, Aruba, and other wireless access points [6] show that even hardware isn't immune; this is a general IT problem, and not one that open source alone can solve.

What Is a Zero Day?

A "zero day" is a software vulnerability for which no vendor patch exists, usually because the people responsible for fixing it do not yet know it is there. It's like knowing about a house's unlocked back door. At the moment, nothing serious has happened; whoever finds the unlocked back door might just inform the owner, who could then lock the door or fix the lock. "Zero day" refers to the fact that the home owner or software vendor has had zero days to react to the flaw. Once informed, the counter starts, and the zero day is not a zero day anymore.

On the other hand, a less honest person might sell that back-door knowledge, maybe anonymously, to a third party, perhaps on the darknet. Now assume the back door was locked, but a lock-picking burglar found a way to open it with a specially made key (i.e., through "advanced" technology). The third party might be ready to pay even more now, so the burglar might sell the key along with the information. In IT, this key would be called an exploit, in this case a zero-day exploit. Using it to enter through the back door is a zero-day attack. With a Windows, Apple, or Android operating system monoculture, imagine huge neighborhoods of homes that all share the same bad, exploitable back-door lock: Once uncovered, every house is vulnerable until every single owner has fixed the flaw.

Of course, this kind of knowledge is valuable to more than just criminals looking for treasure. A widespread open back door gives intelligence agencies a hard-to-trace means of slipping past security to install spyware, bugs, or other surveillance equipment, and there is ample evidence that these agencies are busy acquiring zero-day exploits.

The Exploit Market

Over the past decade, fewer and fewer exploits seem to be available, and at much higher prices than before. Depending on who you ask, you will hear different reasons. Activists and politicians claim that a financially well-equipped (read: tax-funded) malware-digital complex keeps buying and stockpiling exploits, so that there are simply no other influential buyers left. If hackers find a flaw, they sell it to the military or an affiliated institution and happily receive a decent reward. Early in 2018, Motherboard published a 2015 letter [7] from the Israeli Ministry of Defense asking hackers for zero-day exploits (see Figure 1).

Figure 1: In 2015, Israel's Ministry of Defense asked hackers to send them their newest zero-day exploits [8].

In the broader security world, few people were surprised that such a letter had been sent to various companies. More interesting was its openness, since in 2015 it was not widely acknowledged that Western governments were buying zero-day exploits. That knowledge spread later, mostly in 2016 and 2017. In the US, the Vulnerabilities Equities Process (VEP) [9] was developed in 2008/2009 but was only disclosed, in redacted form, in 2016, after the Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) request [10]. This was followed by a wave of ethical, philosophical, and political discussion around the question of whether a democratic state should engage in this type of activity.

Shadow Brokers and the VEP

In spring 2017, The Shadow Brokers (TSB), a hacker group widely suspected of ties to the Russian government, published several NSA documents and tools. According to TSB, the NSA had been stockpiling exploits for Microsoft Windows and had hacked into service bureaus of the SWIFT international banking network. The published material backed up the claims, showing how US tax money had been used to put Windows users and banking customers in danger of compromise rather than to protect them by informing Microsoft and the banks. The NSA's embarrassment at being hacked, which showed it could not even protect its own secret hacking tools, was short-lived, but the episode had consequences.

As one of the consequences, the US government published a charter for the VEP in November 2017 [11], making the process more transparent. Today, an Equities Review Board (ERB) decides what happens to a vulnerability. The ERB meets monthly (or in emergencies), and its members come from the US departments of Treasury, State, Justice, Energy, Defense, and Commerce, the Office of Management and Budget, the CIA, and the Department of Homeland Security. With the NSA serving as executive secretariat, the process follows four steps:

  1. Submission and notification
  2. Equity and discussion
  3. Determination to disseminate or restrict
  4. Handling and follow-on actions

Critics of the VEP noted a number of deficiencies, from non-disclosure agreements to insufficient risk ratings to special treatment of the NSA to a missing default disclosure policy. While on paper the standard action defaults to disclosure, there are too many ways to circumvent full disclosure. Another unanswered question is whether these cyber weapons fall within the scope of any existing international arms treaties.

The Cold War Onward

If you take a deeper look at the history of cyberwarfare in the US, some surprising facts pop up. Perhaps the oldest record of an offensive cyber attack by the US government dates back to 1982, if you believe Thomas C. Reed, an Air Force secretary in the Reagan administration, who claimed that a Trojan in CIA-doctored software caused a Siberian gas pipeline to explode [12]. It's a long way from there to Natanz, Iran, where an alleged American-Israeli operation sabotaged a nuclear facility's centrifuges via Stuxnet [13], a malicious computer worm. Whereas former Soviet officials denied US involvement in the 1982 explosion, the Obama administration half-heartedly admitted involvement in Stuxnet (see the "Stuxnet and Wannacry" box for more information on two of the most successful malware attacks with government ties). Wikipedia offers a long and interesting entry on US cyberwarfare history [14], including a timeline. Then there is the Trump administration's National Cyber Strategy from September 2018 [15] (see the "DoD Cyber Strategy" box). Last, but not least, the United States Cyber Command (USCYBERCOM) "has the mission to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners" [16].

DoD Cyber Strategy

The Department of Defense (DoD) Cyber Strategy 2018 outlines the following core points [19]:

"First, we must ensure the U.S. military's ability to fight and win wars in any domain, including cyberspace.

"Second, the Department seeks to preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that incident would impact DoD's warfighting readiness or capability.

"Third, the Department will work with U.S. allies and partners to strengthen cyber capacity, expand combined cyberspace operations, and increase bi-directional information sharing in order to advance our mutual interests."

In addition, the strategy puts forth the following objectives:

  1. "Ensuring the Joint Force can achieve its missions in a contested cyberspace environment;
  2. "Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages;
  3. "Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident;
  4. "Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks; and
  5. "Expanding DoD cyber cooperation with interagency, industry, and international partners."

Stuxnet and Wannacry

Stuxnet targeted supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs). It was so sophisticated that even experts could hardly believe their eyes when it was discovered in 2010. Stuxnet attacked industrial control systems in Iran, combining four Windows zero-day exploits to spread and then targeting the Siemens PLCs driving the centrifuges, manipulating their speed while feeding operators recorded, normal-looking sensor data.

While SCADA systems provide the GUI and high-level management, PLCs are usually the machine interfaces in industrial environments. With roots in the 1960s, SCADA is used practically everywhere today, from power plants to all kinds of industrial or commercial machinery. SCADA's age is also its main problem: Its protocols have huge, mostly systemic security issues, from missing encryption and authentication to the complete absence of any security layer.

Stuxnet consisted of three components: a worm, a link (.LNK) file that triggered it, and a rootkit that hid it. It reached even air-gapped systems via infected USB sticks. The 2016 documentary Zero Days explains why it's highly likely that Stuxnet was a joint US-Israeli operation. The film also includes the interesting diplomatic background story [17].

Analysts likened the use of Stuxnet to "opening Pandora's box," since it was the first publicly visible case of digital warfare through sophisticated malware built by intelligence services, with physical results. Furthermore, the broad public analysis produced a wave of publications on the attackers' methods and tradecraft. In late October 2018, news from Iran claimed a second, similar attack, dubbed Stuxnet II [18].

Barely a month after TSB released a batch of the NSA's secret exploits and tools, a worldwide cyberattack using the ransomware Wannacry rendered computers at hospitals (much of the UK National Health Service), institutions, and businesses unusable. Within days in May 2017, Wannacry infected well over 200,000 computers in some 150 countries, causing damage estimated in the billions of dollars. The NSA had known for years about EternalBlue, the exploit for a flaw in Microsoft's SMBv1 implementation that Wannacry used to spread, without telling Microsoft. Microsoft had fixed the flaw (MS17-010) in March 2017 for supported Windows versions, but not all customers had applied the update, and users of Windows XP and other unsupported versions received an emergency patch only after the outbreak. The USA, UK, and Australia later blamed North Korea for Wannacry.

Within the vast body of literature regarding US cyberwar strategy, the recent German publication Cyberwar – Danger from the Network, by Constanze Kurz and Frank Rieger (from the Chaos Computer Club Germany and the renowned Netzpolitik blog) provides insight into modern cyberwarfare tactics and strategies [20]. Kurz and Rieger deal with a variety of topics, including Stuxnet and the impossible task of deterring enemies, and they explain in detail why classical warfare and intelligence work won't succeed in cyberspace, but will waste taxpayers' money to a previously unseen extent.

Often a cyberattack is aborted rather than completed, to avoid discovery by an enemy intelligence service or, at worst, the compromise of secret tools. Standard components like the Territorial Dispute module found in government malware check for the presence of other malware on the system before taking further action. Territorial Dispute is one of the first functions called right after a successful break-in. Like an intrusion detection system or antivirus software, it scans the machine and its files and returns verdicts such as "go get help immediately", "friendly service", or "get out of here"; it is a scanner for other malware! Kurz and Rieger's story gets even stranger: They expect future high-end malware to detect such a scan and force it to return the "get out of here" value immediately, as a defensive mechanism. For the attacking intelligence service, a failed attack is far less dangerous than being caught or having its tools compromised. Kurz and Rieger's book also gives insight into where all the money is going.
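The mechanics of such a check are easy to see in code. The following Python sketch is an added example for this article, not code from the leaked tooling or from Kurz and Rieger's book: it looks up constructed artifact paths (hypothetical file and registry names, not real indicators) against an indicator table, returns the most severe verdict, and shows one concrete way to get the "get out of here" effect the book describes, by planting the artifacts that a rival's scan treats as hostile. Defenders can use the same decoy idea as a cheap deterrent.

```python
"""Toy 'territorial dispute' check: look for artifacts of other implants before
acting, and return a verdict that decides whether to proceed, coordinate, escalate,
or abort.  Added illustration for this article; every path and name below is
constructed for the example and does not come from any real tool."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Verdict(Enum):
    PROCEED = "proceed"                        # nothing of interest on the box
    FRIENDLY = "friendly service"              # allied tool present: coordinate, don't collide
    SEEK_HELP = "go get help immediately"      # unknown or dangerous actor: escalate to a human
    PULL_BACK = "get out of here"              # hostile actor present: abort, leave no traces


@dataclass(frozen=True)
class Indicator:
    name: str       # which implant the artifact belongs to
    path: str       # file path or registry key the scanner looks for
    verdict: Verdict


# Constructed indicator table (hypothetical names and paths).
INDICATORS: List[Indicator] = [
    Indicator("ally-agent", r"C:\Windows\System32\drivers\allyfs.sys", Verdict.FRIENDLY),
    Indicator("rival-rootkit", r"C:\Windows\System32\drivers\rvlkrnl.sys", Verdict.PULL_BACK),
    Indicator("rival-rootkit", r"HKLM\SYSTEM\CurrentControlSet\Services\rvlkrnl", Verdict.PULL_BACK),
    Indicator("commodity-bot", r"C:\Users\Public\svchost32.exe", Verdict.SEEK_HELP),
]

# Ordering used to pick the single verdict reported when several indicators match.
SEVERITY = {Verdict.PROCEED: 0, Verdict.FRIENDLY: 1, Verdict.SEEK_HELP: 2, Verdict.PULL_BACK: 3}


def territorial_dispute(present: Iterable[str],
                        indicators: List[Indicator] = INDICATORS) -> Tuple[Verdict, List[str]]:
    """Match the artifacts found on a host (paths/keys, case-insensitive) against the
    indicator table and return the most severe verdict plus the implant names seen."""
    seen = {p.lower() for p in present}
    verdict, hits = Verdict.PROCEED, []
    for ind in indicators:
        if ind.path.lower() in seen:
            hits.append(ind.name)
            if SEVERITY[ind.verdict] > SEVERITY[verdict]:
                verdict = ind.verdict
    return verdict, sorted(set(hits))


def plant_decoys(present: Iterable[str],
                 indicators: List[Indicator] = INDICATORS) -> List[str]:
    """Return the host's artifact list with every PULL_BACK indicator path added.
    This is one concrete way to obtain the effect Kurz and Rieger describe: the next
    intruder's scan concludes 'get out of here' and the intrusion is aborted.  The
    price, for a defender using it as a deterrent, is false alarms in their own scans."""
    decoys = [ind.path for ind in indicators if ind.verdict == Verdict.PULL_BACK]
    return list(present) + decoys


if __name__ == "__main__":
    host = [r"C:\Users\Public\svchost32.exe"]          # constructed host inventory
    print(territorial_dispute(host))                  # (SEEK_HELP, ['commodity-bot'])
    print(territorial_dispute(plant_decoys(host)))    # (PULL_BACK, [...])
```

The scan is nothing more exotic than an indicator lookup; what makes it operationally important is that the verdict is consulted before any payload runs, so the cost of an abort is one failed intrusion rather than one burned toolkit.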

Money, Money, Money

There is a huge market of software developers, admins, hackers, and surveillance technology orbiting the US military and its affiliated industries (Wikipedia lists BAE Systems, EADS, Leonardo, General Dynamics, Raytheon, and Thales, to name just a few). In Europe, Lench IT's FinFisher [21], marketed as "Remote Monitoring and Deployment Solutions," has been the basis for many state-run Trojans on Windows, macOS, and mobile platforms, deployed mostly by authoritarian regimes but also by the German government. The tool seems to be quite effective: In 2013, Reporters Without Borders named its maker a "Corporate Enemy of the Internet," and several human rights initiatives have harshly criticized it and its customers. The public controversy around FinFisher has produced a long and broad public debate, leaving many traces of how the digital-military complex works and how governments fund "security" companies. The "enhanced remote deployment methods" that companies like FinFisher love to advertise are usually nothing more than exploits, often zero-day exploits, which is where it becomes expensive. Many exploits are traded on darknet sites like the Russian hacking forum FreeHacks (Figure 2), but these portals change quickly.

Figure 2: FreeHacks is one of the more commonly known exploit markets on the darknet. Knowing Russian might be helpful…

When you're shopping on the darknet, you better bring money. At the BOS Data Festival (BDF) 2015, Adriel Desautels explained [22]: "Zero days are used for very specific things. Things you usually don't get access to. The value is determined by operational need and window of time. The value of an exploit in the zero-day market is determined by target distribution. [...] The prices start at $110,000 for a single zero-day, non-exclusive exploit and can range up to millions. [...] If you sell something to a customer for 50K in one year, and he comes back the year after, needs something similar, and pays 200K, you know he might be pretty powerful and has a valuable target." In the same presentation, Desautels gave his audience some peace of mind: "You're not the target: Service providers are a much easier way for the government to get your data. They will hand over data; the government doesn't need to pay to get ordinary people's data."

The amounts Desautels mentions still seem credible, as high as they are. Zerodium [23], a major zero-day buyer, offers bug bounties on its website. One such bounty (Figure 3), dated August 23, 2018, offers "up to $100,000 for code execution exploits affecting major file archivers: WinRAR, 7-Zip, WinZip (on Windows 10/8.1), or tar (on Linux)."

Figure 3: Zerodium offers bug bounties.

Exploit Lifetimes

Obviously, there's a lot of money in the game, and its origin seems pretty clear: The overly potent buyers drive up the price by spending ridiculous amounts of taxpayers' money. However, there is another factor: Zero-day exploits are perishable. They "die" when the bug is patched or published, so intelligence services need a continuous supply. And it gets worse: A recent Rand study [24] found that while an exploit's average life expectancy is about seven years, roughly 25 percent don't survive the first year and a half, and another 25 percent live longer than nine and a half years. However, no indicator explains which exploits are likely to survive longer than others. "For a given stockpile of zero-day vulnerabilities, after a year approximately 5.7 percent have been discovered and disclosed by others." This collision rate matters most for military use, where the attacker wants to be the only one who knows. The Rand study also found that, once a vulnerability has been discovered, creating a fully functional exploit takes a median of 22 days.
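The 5.7 percent figure looks small until you remember that a modern exploit is a chain of several bugs and a single public disclosure anywhere in the chain breaks it. The following Python arithmetic is an added example for this article, not Rand's model: it takes only the two numbers quoted above and assumes each bug faces the same, constant annual risk of outside discovery, independently of the others (that constant-hazard assumption is mine and is only an approximation, since Rand's survival data is clearly not exponential). The chain lengths of 5 and 17 are taken from the exploit-development discussion later in the article.

```python
"""Back-of-the-envelope stockpile arithmetic built on two figures from the Rand
study: about 5.7 percent of a zero-day stockpile is disclosed by others within a
year, and a median 22 days are needed to weaponize a bug.  Added illustration
for this article, not Rand's model.  ASSUMPTION: every bug faces the same
constant, independent annual hazard of outside disclosure."""
import math

COLLISION_RATE_PER_YEAR = 0.057   # Rand: share of a stockpile disclosed by others after one year
DAYS_TO_WEAPONIZE = 22            # Rand: median time from discovery to a working exploit


def chain_intact_probability(bugs_in_chain: int, years: float = 1.0,
                             rate: float = COLLISION_RATE_PER_YEAR) -> float:
    """Probability that none of the bugs in an exploit chain has been burned by
    outside disclosure after `years`.  One disclosure anywhere breaks the chain."""
    per_bug_alive = (1.0 - rate) ** years
    return per_bug_alive ** bugs_in_chain


def expected_chain_lifetime_years(bugs_in_chain: int,
                                  rate: float = COLLISION_RATE_PER_YEAR) -> float:
    """Mean time until the first bug of the chain is disclosed by someone else.
    Counts only outside disclosure; vendor patches, fuzzing finds and code
    rewrites shorten real lifetimes further (Rand's observed average, about seven
    years for a single bug, includes all causes of death)."""
    hazard = -math.log(1.0 - rate)          # annual hazard equivalent to `rate`
    return 1.0 / (hazard * bugs_in_chain)   # minimum of n exponentials has hazard n*h


def replenishment_per_year(stockpile_chains: int, bugs_per_chain: int,
                           rate: float = COLLISION_RATE_PER_YEAR) -> float:
    """New vulnerabilities that must be found per year just to keep
    `stockpile_chains` working chains alive against outside disclosure alone.
    Pessimistic: a chain with one burned bug is treated as replaced wholesale."""
    p_lost = 1.0 - chain_intact_probability(bugs_per_chain, 1.0, rate)
    return stockpile_chains * p_lost * bugs_per_chain


def weaponization_share_of_life(bugs_in_chain: int,
                                rate: float = COLLISION_RATE_PER_YEAR) -> float:
    """Fraction of a chain's expected lifetime spent building the exploit, if the
    median 22 days applied to each bug in turn.  Tiny for short chains; not so
    for long ones."""
    build_years = bugs_in_chain * DAYS_TO_WEAPONIZE / 365.0
    return build_years / expected_chain_lifetime_years(bugs_in_chain, rate)


if __name__ == "__main__":
    print("bugs  P(intact after 1y)  E[lifetime] years  build share")
    for n in (1, 5, 17):
        print(f"{n:4d}  {chain_intact_probability(n):17.3f}  "
              f"{expected_chain_lifetime_years(n):17.2f}  "
              f"{weaponization_share_of_life(n):11.3f}")
```

Under these assumptions a single bug has a 94 percent chance of staying private for a year, a 5-bug chain about 75 percent, and a 17-bug chain only about 37 percent, with an expected lifetime of roughly one year; the table is a quick way to see why a buyer of long chains has to keep buying.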

Code Quality and Bug Bounties

Bug bounties are another reason for the high prices of exploits: Companies like Google pay five-digit sums for bugs, to a total of $3 million in 2017, helping to create a valid business model for hackers – they don't need to actually exploit the flaws to make a living [25].

Many experts claim that the number of available zero-day exploits is decreasing (causing prices to explode) because software vendors' code quality is continuously improving, resulting in fewer exploitable flaws. Fuzzing, automated QA, and more extensive, faster testing are often cited as very successful. A former hacker, now a trainer and security consultant for German prosecutors, says tools like Google's ClusterFuzz discover bugs before they can be exploited.

The Hacker's Business Model

The hacker's business may have become a lot harder. A former hacker noted that his "last fully weaponized exploit took eight months to create; today you need a full chain from remote to kernel, and not every stack overflow is exploitable anymore – it's not like in the 90s. In '98, all we needed to create an exploit was a crate of Mate, a weekend, some computers, and no sleep." Technologies like address space layout randomization (ASLR), fuzzing, and the widespread use of stack canaries make it harder to exploit software bugs today, he explains. "Someone at Pwn2Own had to chain 17 bugs to finally get code execution." Even though the prize money awarded at Pwn2Own 2018 [26] decreased, the skill level required went up. Today, exploit developers have to know more about operating systems, platforms, and software and invest more time and training in their work. That is very likely another reason for rising prices.
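Whether a given binary actually benefits from those mitigations is a property of the binary, not the OS: ASLR only randomizes a program's own image if it was linked as position-independent (PIE), the stack stays non-executable only if the binary says so in a PT_GNU_STACK header, and RELRO is likewise announced in a program header. The following Python reader is an added example for this article, not code from any referenced project or tool; the constants come from the ELF specification, stack canaries are reported as unknown because they are only visible in the symbol table (a reference to __stack_chk_fail), and build_minimal_elf fabricates header-only test images so the example runs without a real binary.

```python
"""Checksec-style reader of the ELF64 headers that reveal whether a Linux binary
opts into PIE (a prerequisite for ASLR of the main image), a non-executable
stack (NX) and RELRO.  Added illustration for this article, not code from any
referenced project.  Canaries are a compiler decision visible only via the
symbol table, so they are reported as unknown here."""
import struct
from typing import Dict, List, Tuple

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3                       # ET_DYN is what a PIE executable uses
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")    # 64-byte ELF64 header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")            # 56-byte ELF64 program header


def parse_phdrs(blob: bytes) -> Tuple[int, List[Dict[str, int]]]:
    """Return (e_type, [{'type', 'flags'}, ...]) for a little-endian ELF64 image."""
    if blob[:4] != ELF_MAGIC or blob[4] != ELFCLASS64 or blob[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = EHDR.unpack_from(blob, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header entry size")
    if e_phoff + e_phnum * e_phentsize > len(blob):
        raise ValueError("program header table is truncated")
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, *_ = PHDR.unpack_from(blob, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags})
    return e_type, phdrs


def checksec(blob: bytes) -> Dict[str, str]:
    """Report PIE / NX / RELRO as 'yes' or 'no' from the program headers alone."""
    e_type, phdrs = parse_phdrs(blob)
    types = {p["type"] for p in phdrs}
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    # Missing PT_GNU_STACK means an old toolchain; on x86 the kernel then
    # grants an executable stack, so treat that as 'no' as well.
    nx = "yes" if stack and not (stack[0]["flags"] & PF_X) else "no"
    return {
        "pie": "yes" if e_type == ET_DYN else "no",
        "nx": nx,
        "relro": "yes" if PT_GNU_RELRO in types else "no",
        "canary": "unknown (needs symbol table)",
    }


def build_minimal_elf(e_type: int, stack_flags: int, relro: bool) -> bytes:
    """Constructed, header-only ELF64 image for testing; it is not loadable."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:            # e.g. python3 elfcheck.py /bin/ls
        with open(path, "rb") as fh:
            print(path, checksec(fh.read()))
```

Run it against real binaries with file paths on the command line; a hardened distribution binary should answer yes to all three header checks, and a "no" for PIE means the attacker's job of finding a stable address is as easy as it was before ASLR existed.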

If not for all the taxpayer money being wasted, the whole development could be seen as very positive: "If I find a bug, I can choose to get the $10-20K from Google – not too bad for a few days, maybe weeks of work – or invest months just to find the bug closed or discovered by someone else in the meantime." With more and more open source, that scenario becomes more and more likely. For the hacker, it is a business decision too.

Ethics

So what about the malware industry? On the one hand, it has enough money to pay plenty of skilled developers to write exploits, even if that takes longer. The large sums spent should even make up for the occasional loss when a bug "dies" before an exploit is finished.

When you talk to these companies' representatives, they usually don't want to discuss this. However, there's one topic they do like to talk about: the lack of experts. Neither the military nor its affiliated businesses can find enough experts with the skill levels they need. In addition, the ethical differences between hacker culture and the military's goals pose another problem. Ethical hacking is a big thing; there are even certifications for it now. Meanwhile, Western military leaders and politicians alike wonder how the Russians motivate their hackers. Although patriotism might have some influence with Russian hackers, ideology is rare; most are more interested in cleaning out other people's bank accounts [27].

Infos

  1. Tim Cook on Google and Facebook: http://time.com/5433499/tim-cook-apple-data-privacy/
  2. Eisenhower's farewell address: https://en.wikipedia.org/wiki/Eisenhower%27s_farewell_address
  3. Data is the new oil: https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
  4. German IT Security 2017: https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html
  5. Windows zero-day exploit: https://thehackernews.com/2018/10/windows-zero-day-exploit.html
  6. Bleedingbit: https://www.zdnet.com/article/new-bleedingbit-zero-day-vulnerabilities-impact-majority-of-enterprises-at-the-chip-level/
  7. Motherboard article: https://motherboard.vice.com/en_us/article/neqkgm/israel-zero-days-letter-to-american-hackers
  8. Israeli Ministry of Defense letter: https://www.documentcloud.org/documents/4389584-Israel-MoD-Zero-Days-Letter.html
  9. VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
  10. EFF VEP FOIA request: https://www.eff.org/files/2016/01/18/37-3_vep_2016.pdf
  11. New US policy regarding VEP: https://www.theregister.co.uk/2017/11/15/us_governments_vulnerability_disclosure_policy/
  12. "Old Trick Threatens the Newest Weapons" by John Markoff, The New York Times, October 26, 2009: https://www.nytimes.com/2009/10/27/science/27trojan.html
  13. Stuxnet: https://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11
  14. US cyberwarfare: https://en.wikipedia.org/wiki/Cyberwarfare_in_the_United_States
  15. National Cyber Strategy: https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
  16. USCYBERCOM: https://www.cybercom.mil/About/Mission-and-Vision/
  17. Zero Days: http://www.zerodaysfilm.com/
  18. Stuxnet II: https://www.bleepingcomputer.com/news/security/new-stuxnet-variant-allegedly-struck-iran/
  19. DoD Cyber Strategy 2018: https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
  20. Kurz, Constanze, and Frank Rieger. Cyberwar – Die Gefahr aus dem Netz, C. Bertelsmann Verlag, 2018: https://netzpolitik.org/2018/cyberwar-der-endlose-krieg/ [in German]
  21. FinFisher: https://en.wikipedia.org/wiki/FinFisher
  22. Adriel Desautels at BDF 2015: https://www.youtube.com/watch?v=VkembqnbNUQ
  23. Zerodium: https://zerodium.com
  24. Rand exploit study: https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf
  25. Google's bug bounty program: https://techcrunch.com/2018/02/07/googles-bug-bounty-programs-paid-out-almost-3m-n-2017/
  26. Pwn2Own 2018: https://securityaffairs.co/wordpress/70358/hacking/pwn2own-2018.html
  27. Russian hackers: https://www.calvertjournal.com/features/show/3781/