According to a new report, the United States government is now in fact the single largest buyer of malware in the world thanks to the shift to “offensive” cybersecurity and is leaving us all vulnerable in the process.
Commenting on the government’s new focus on offensive cybersecurity, former White House cybersecurity advisors Howard Schmidt and Richard Clarke both told Reuters that the government is putting so much emphasis on offensive measures that it ultimately leaves people in the U.S. at risk.
“If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users,” Clarke said. “There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn’t.”
In order for the government to exploit vulnerabilities discovered in major software, it cannot disclose those vulnerabilities to the manufacturers or the public, lest the flaws be fixed and the exploits stop working.
According to the Verge, the pursuit of those vulnerabilities is quite costly: “zero-day exploits (those which are unknown to software developers at the time of discovery) have been known to sell for as much as $50,000 – $100,000 each.”
These zero-day exploits are then packaged into weaponized malware and sold to anyone from cybercriminals to repressive governments.
Those buyers can then use the malware to spy on their own citizens (a sleek, ready-made package like FinFisher was marketed directly to the United States) or even to sabotage a nuclear facility, as was the case with the U.S./Israeli-developed Stuxnet.
“My job was to have 25 zero-days on a USB stick, ready to go,” one former executive at a defense contractor told Reuters. The defense contractor would purchase vulnerabilities from independent hackers and then turn them into exploits for the government to use as an offensive cyberweapon.
While the U.S. government is unsurprisingly silent when it comes to its cyberwarfare program, much has been revealed by former defense contractors and vendors.
These individuals have revealed that the U.S. is dominating the so-called “gray market” (which is really a completely illegal black market), where so much money is to be made that some researchers are lured into supporting offensive cyberwarfare.
“The only people paying are on the offensive side,” said Charlie Miller, who formerly worked at the National Security Agency and now works for Twitter as a security researcher.
Even more troubling is that “tax dollars may end up flowing to skilled hackers simultaneously supplying criminal groups,” according to Reuters.
Most of all, this approach gives the U.S. government a vested interest in keeping as many security vulnerabilities as possible open in the most popular software, so that those vulnerabilities can be exploited and even weaponized rather than fixed.
If this is the future of war, there very well might be more collateral damage than ever.