Fed offensive fueling hacker underground, report says

With the government said to be the biggest buyer of malicious tools, some fear it will weaken the nation's cyber defenses -- public and private

The U.S. government is contributing to the Internet's underground economy by scooping up hacker tools to incorporate into offensive cyber weapons, a report from Reuters says.

The feds have become the biggest buyer in a growing gray market where hackers and defense contractors sell tools to compromise computers, the report said.

A major concern about the government's actions is that it's using what it buys for offensive weapons at the expense of not only the country's cyber defenses but the private sector's as well.

That's because cyber weapons typically exploit vulnerabilities in commercial software, vulnerabilities that the government wants to hide behind a veil of secrecy where vendors can't patch the flaws to make their products more secure.

Start-up companies in the offensive exploit field are not wanting for customers in government and the private sector, said Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare: Mapping the Cyber Underworld."

"It's pretty much if you have the cash and you meet the parameters, you can get an offensive exploit developed for you," Carr told CSO. "That's where the growth industry is for cyber."

"Just as we've created a military-industrial complex for traditional arms," he said, "I believe we'll see a similar development for cyber-related weapons."

While the government may be spending money on cyber weapon research, it's doubtful hackers-for-hire are contributing much to it, said John Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a non-profit research group that studies cyber warfare.

The CIA, NSA and all the major defense contractors have the technical capabilities to uncover software vulnerabilities and write exploits. "Multiple U.S. government agencies have access to extremely large repositories of malware," Bumgarner said. "These agencies can easily dissect and reuse components from any of these malware samples."


Stuxnet, the cyber weapon attributed to the United States and Israel and used to attack the Iranian nuclear development program, exploited four zero-day, or never before seen, vulnerabilities.

"The U.S. government didn't buy zero-day exploits on the black market to embed in this offensive cyber weapon," Bumgarner said. "These complex zero-day exploits were written by government geeks working in total secrecy."

Carr said that a problem with paying for vulnerabilities and keeping them on the shelf is you never know when someone else is going to discover the flaw independently.

One researcher may sell a vulnerability to the government for half a million dollars, while another might sell the same vulnerability to a software company for thousands. "In which case, the government that paid six figures for it is out the money because it's useless," Carr said.

The scenarios can get as complicated as a spy novel by John le Carré. An enterprising hacker could decide to do a double dip on a sale -- sell to the government, then turn around and sell to the vendor affected by the vulnerability.

An adversary could also exploit a vulnerability sale by earmarking it. Then, if the nation that bought the vulnerability used it, its origin could be easily identified.

There's an irony in the notion that the federal government may be hiding vulnerabilities from vendors, said Richard Stiennon, chief research analyst at IT-Harvest.

"When the government started US-CERT, its purpose was to disseminate knowledge of new vulnerabilities," Stiennon said in an interview. "Now the government is in a position of purchasing vulnerabilities and then not disseminating them or disclosing them to the vendors."

Copyright © 2013 IDG Communications, Inc.
