July 12, 2007:
Cyber War commanders are resigned to the fact
that they will have to use mercenaries if they want to survive any future
Internet based conflict. Much use is being made of mercenaries right now, in
the race to build up stockpiles of munitions. In Cyber War, the ammo is
information. That is, knowledge of vulnerabilities in software connected to the
Internet, or major networks not connected to the Internet.
The software vulnerabilities are basically
bugs that enable a hacker to gain access to a computer they are not supposed be
in. Not all vulnerabilities are equal. Some are much more valuable than others.
Commercial Internet security firms offer rewards to people (usually software
engineers who spend too much time on the Internet) who first discover a "zero
day vulnerability" (this is a bug that has not yet been put to use by a hacker
to create a "zero day exploit.") The rewards can sometimes exceed $100,000. The
commercial security firms, which provide services for corporate and government
clients, offer the rewards openly. There is a more lucrative underground
market, financed by criminals and some governments, that offer even larger
rewards.
The commercial firms get after the software
publishers to fix the bugs, but they have noted that this takes, on average,
348 days. The publishers know that every time they open their source code to
repair something, there is high risk of creating more bugs. Moreover, it's
expensive to fix the bug, test the patched software, and then distribute it to
their customers. Thus, unless the bug is highly likely to be exploited, it is
not attended to right away. The problem with this approach is that the software
publisher may not be aware of how exploitable the bug is. Criminals and Cyber
Warriors have an interest in finding ways to exploit bugs that appear relatively
harmless. That turns the bug into ammunition, for the Cyber War, and a way to
make money, for the criminals.
In preparation for a Cyber War, ammo supply
is critical. Put simply, whoever has the largest number of vulnerabilities
(unpatched, of course), and has turned them into exploits, will win. There's a
lot of evidence that the United States and China have both compiled large
arsenals, and tested a lot of their stuff. Other countries are players as well,
but the U.S. and China appear to be the superpowers of Cyber War.
The U.S. has an edge in the number of
potential "mercenaries" (commercial security firms, and freelance experts) it
could enlist for the war effort. China openly encourages its hackers to go out
and practice on foreigners, especially the Japanese (still hated for World War
II era atrocities) and the United States. China is also believed to have
arrangements and understandings with the gangs that specialize in Internet
based crime. Remember, China is still a police state, and communist secret
police organizations have long been known to use criminal organizations for all
sorts of things.
In the United States, some police agencies
have been known to at least open up communications channels with Internet
criminals. If only for intelligence purposes. But in wartime, offers of
employment might made as well.
There hasn't been a full out, no-holds-barred
Cyber War yet. But there's no longer any doubt that it is possible. And the
major powers are getting ready.