February 12, 2008: Good news and bad news on the Cyber War front.
The number of exploitable defects in software
declined five percent last year. But the number of serious exploits went up 28
percent. There is a growing market for exploitable defects, with some security
firms offering cash rewards. In the past, hackers had their own underground
market for these exploits. But so much commerce is moving to the web, and
Internet security is becoming such a large business, that finding those
exploits first (and disabling or exploiting them) is attracting more money. The
gangsters still want to have their hackers get to these exploits first, but now
they have to compete.

But the biggest news on the Cyber War front
is that it rarely makes the headlines. It's not that Cyber War isn't important,
it's just that all this geek stuff is hard to explain and just does not sound
that scary. In the competitive news business, Cyber War is not good news. But
to the intel and security people, the U.S. has been under heavy assault for
several years now. The losses of information have been huge, and it's not
certain just how much has been stolen. All this will be big news in a decade or
so when more details emerge about the extent of the losses. But for now, it's
just one of those stories no one could wrap their heads around.

In addition to the usual software flaws
(that serve as exploits), there is also a growing amount of "malware" type
software. This stuff is best known as "adware" programs that users, often
unknowingly, download onto their PCs. That results in more ads, or ads based on
a careful examination of what the user does, say, when using their browser.
There are hundreds of thousands of these little nasties out there, and Cyber
War operators have found this stuff to have military and espionage use.

In the middle of all this you have
military users of exploits. These are the shadowy organizations, particularly
in China and the United States, where exploits are stockpiled (and soon
replaced as the exploit is rendered ineffective via a software patch) for use
in wartime. China, and probably the United States, are already using their
exploit arsenals for espionage and counter-espionage. Many criminal gangs
also do contract work, usually for espionage operations. Some corporations have
been caught doing this as well. Only small players have been caught so far. Any
large corporation going this way would put a premium on not getting caught.
Chinese firms are particularly energetic in stealing technology, and producing
their own versions. They are often quite blatant about it, especially if it's
military technology (which means government protection from retribution). The
Russians are trying to force the Chinese government to crack down on this,
without much success so far. The United States, and many other Western nations,
are also going after China for the use of Internet-based espionage. Again, so
far, the Chinese are refusing to admit to it, much less slack off. Western
Cyber War experts are urging some retaliation in kind. That could get
interesting.