Information Warfare: Can't Trust Them, Can't Do Without Them

July 9, 2012:  The big problem with Internet security is that there are more people looking for vulnerabilities (that allow hackers to secretly get into someone else's computers) than there are people of equal skill trying to prevent this. There are few highly skilled people in this hacker community, and many of them spend most of their time developing software that will automatically seek out vulnerabilities. These previously unknown flaws are called "Zero Day Exploits" (ZDEs), and in the right hands they can enable criminals to pull off a large online heist or simply maintain secret control over thousands of computers. The most successful hackers use high-quality (and very expensive) ZDEs. ZDEs are difficult to find and, not surprisingly, can be sold on the black (or legitimate) market for over $250,000.

Until recently most of the demand for ZDEs was for criminal activity. But now governments and Internet security firms (who get paid lots to protect large firms or government organizations) realize that it's cheaper to outbid the bad guys for ZDEs than it is to try and defend against hackers using these exploits to penetrate Internet security.

Finding ZDEs is still a favorite activity for hackers. A growing number of countries encourage local hackers to find ZDEs. For example, China encourages and helps organize patriotic Internet users in order to obtain hacking services. This enables the government to use (often informally) thousands of hackers to attack targets (foreign or domestic) and find ZDEs or do other mischief. Government sponsored organizations arrange training and mentoring to improve the skills of group members. While many of these Cyber Warriors are rank amateurs, even the least skilled can be given simple tasks. And out of their ranks will emerge more skilled hackers, who can do some real damage. These hacker militias have also led to the use of mercenary hacker groups, who will go looking for specific secrets, for a price. Chinese companies are apparently major users of such services, judging from the pattern of recent hacking activity, and the fact that Chinese firms don't have to fear prosecution for using such methods.

All nations with a large Internet user population have these informal groups, but not all nations have government guidance, subsidies, immunity from prosecution, and encouragement to make attacks. Another factor is events that cause highly publicized tensions between nations with large numbers of Internet users. This almost always results in the "hacker militias" of both nations going after each other.

The U.S. has one of the largest such informal militias, but there has been little government involvement. That is changing. The U.S. Department of Defense, increasingly under hacker attack, is now organizing to fight back, sort of. Taking a page from the corporate playbook, the Pentagon is sending many of its programmers and Internet engineers to take classes in how to hack into the Pentagon, and not just the Pentagon but any corporate or private network. It's long been common for Internet security personnel to test their defenses by attacking these targets themselves. Some "white hat hackers" (as opposed to the evil "black hat hackers") made a very good living selling their attack skills to reveal flaws or confirm defenses. This was eventually standardized with the establishment of the EC (E Commerce Consultants) Council, which certified who were known and qualified white hat hackers. This made it easier for white hats to get work and for companies to find qualified, and trustworthy, hackers to help with network security. There are still problems with certifying that former black hat hackers, especially those who have been prosecuted and jailed, are trustworthy enough to work for the good guys.

Now the Department of Defense is paying to get members of its Internet security staff certified as white hats, or at least trained to be able to do what the black hats do or recognize it. While many in the Department of Defense have been calling for a more attack-minded posture, when it comes to those who are constantly attacking Pentagon networks, the best that can be done right now is to train more insiders to think, and operate, like outsiders. Meanwhile, the CIA and NSA have long had a special recruiting program that sought out black hats wishing to change sides. The vetting process was intense, and some of these guys (they are mostly guys) were always kept under surveillance, just to be on the safe side.

At the moment, the black hats are winning. While some sites (most financial institutions, some government agencies) are largely invulnerable to hacker attack, most networks are not. As the scope of the losses becomes more widely known, that may change.