Pages

4 December 2014

The business of cyberwar

BERT OLIVIER

Most “connected” people will probably have noticed the symptoms of what is really a war going on right under our noses, even if one does not really put two and two together as far as the bellicose nature of these symptoms goes. I am not only talking about what ends up, mostly, in our spam email folders — these are obvious signs of the “war” being waged in the shape of attempts to extract diverse information from unsuspecting internet users (are there still such innocents around?), but there are many other such signs.

To be sure, many of these signs are too subtle for most of us to notice, and I myself may well be unaware of many. Among those that internet users probably also pick up, at least in preventative guise, are the regular “updates” you are prompted to download, from Windows and Adobe updates to updates for your virus protection programmes, including Windows Defender, Norton, AVG and Malwarebytes Anti-Malware. Hardly any reasonably intelligent person would fail to infer that these “updates” have a reason. Usually it is simply put down to increased efficiency, but what does such “efficiency” really stand for?

Performance efficiency, no doubt. But even if the emphasis is on performativity, this is not restricted to smoother or faster operation. It also, and if I am not mistaken, increasingly, means more efficiency in ironing out or “patching” weak points in the “armour” of a programme, that is, its so-called “vulnerabilities” to possible attacks. But what kind of attacks? In a word, those which would render the programme incapable of warding off hostile probes aimed at copying, or stealing, information framed in terms of the functionality of the programme in question. And not just any information; your information, such as the password to your bank accounts.

Surely this does not warrant the description “war”, one might object. According to Timemagazine tech-writer Lev Grossman, however, this is precisely the case. In an article titled “The Code War”, announced on the cover as “World War Zero” (Time, July 21, 2014, pp. 20-27), Grossman starts with the caption (p. 20): “The internet is a battlefield, the prize is your information, and bugs are the weapons.” It would appear that 17th century political philosopher Thomas Hobbes’s dictum, that “man is a wolf unto other men” is as true today as it was then.

In a previous post I elaborated on Grossman’s discussion of the sheer breadth and depth of the virtual battlefield in question, but in the present article he focuses on the bellicose nature of many of the virtual activities encountered there — something that has given rise to a lucrative new profession, one that might be called “software vulnerability trader”. This is someone who is an expert at uncovering vulnerabilities (“bugs” or “zero-days” in tech-jargon) in software programmes and who “sells” these to companies who would benefit from knowing about them — either defensively by patching them up, or belligerently by using them as gateways for penetrating into competitors’ software programmes that harbour valuable information. Grossman has this to say about such vulnerabilities or bugs (p. 22):

“They’re worth a lot of money. Vulnerabilities in popular applications and operating systems have been known to change hands for hundreds of thousands of dollars each. They’re worth a lot because although you wouldn’t know to look at it, the internet is a war zone. Even as it gets outwardly ever glossier and more social and eager to please, below the surface the Net is becoming a hostile, contested territory where private companies, law enforcement, criminals, the military and various international intelligence agencies are engaged in constant low-level cyberwarfare. This conflict only occasionally becomes visible to the naked eye — in May, for example, when the US indicted five members of the Chinese army for stealing data from American companies, including Westinghouse and Alcoa. That wasn’t an anomaly; it’s the norm, and it’s getting more normal all the time … Cyberwar isn’t the future; it’s already here. It’s business as usual.”

It should surprise no one that Grossman quotes retired army general Keith Alexander’s remark that the continuing theft, by Chinese hackers, of “intellectual property” created by Americans amounts to “the greatest transfer of wealth in history” (p. 22). This highlights the reason behind the cyberwarfare that is raging below the celebrity bling of the internet and the hype of social networking sites: it’s all about money. In case anyone hasn’t noticed, we live in an age where everything — politics, religion, education, art, science (“for its own sake”) — takes a back seat to economics in the crude sense of ruthless competition to exceed the profits of what is seen as “competitors”. These competitors include your fellow employees, other companies or corporations, and other countries.

The reason why I added “for its own sake” parenthetically after “science” is that although “pure” science is still pursued by genuine scientists, no one can guarantee that it will not be used to develop the technological means to gain, or keep, the upper hand over your “competitors”, usually by means of technological applications of the science in question. The form assumed by the “new cold war”, if you will, is therefore a merciless struggle for the technological means to “wealth”, as General Alexander so accurately noticed, because today, more than ever before, financial wealth is the means to power of all stripes — even the power, supposedly, to survive the worst extremes of weather as the climate changes, as Naomi Klein notes in This Changes Everything (2014).

This is why Grossman focuses a lot of attention on a particular individual in the Time article, a hacker turned bug-entrepreneur called Aaron Portnoy, whose career as a hacker goes back to his schooldays, when he hacked into his school’s network and eventually got caught. It turned out to adumbrate his present profession — “ … researching and selling software vulnerabilities … ” (p. 22). Portnoy now co-runs a vulnerability-trading company called Exodus Intelligence, and by all accounts it is very lucrative. What the company, which tellingly sports an old-fashioned skull-and-crossbones pirate flag on the wall at its headquarters in Austin (US), does, is to search for, find and sell bugs or vulnerabilities that constitute weak spots in software programmes. Unless these are identified and fixed, they could give “third parties” access to computers and/or networks, with God-knows what results.

Importantly (and this explains why the company is so lucrative), when a “researcher” at Exodus discovers a vulnerability, or, if it is still “fresh” and new, a “zero-day” in a programme, they locate it precisely, determine its function and potential yields (negative and positive), its “signature” for identification, and how to “mitigate” its effects. And the coup de grace is this: the company provides anyone who is interested with an “exploit”, that is, the procedure for “triggering” the bug if you want to “take advantage of it” (p. 23). If there is no “exploit” available, it is not worth offering it for sale to potential customers.

Portnoy’s explanation of the “superior quality” of the exploits that Exodus sells is chilling, to say the least (quoted on p. 23): “We try to make them as nasty and invasive as possible … We tout what we deliver as indicative of or surpassing the current technical capabilities of people who are actually actively attacking others.” (Hence the Jolly Roger at the Exodus headquarters, I suppose.) Companies subscribe to Exodus at about $200 000 a year, in exchange for a specific number of bugs.

The seriousness of all this must be understood against the background of the fact that companies are willing to pay big bucks for bugs that are unearthed in their software. Grossman points out that on average, Facebook, for instance, spent $2 204 per bug in 2013, and that Microsoft pays as much as $100 000 to hackers who uncover weaknesses in Windows. Clearly, it is no exaggeration to claim that there is a (cyber-)war going on right under our noses — a very potent war, which can disable anything from electricity grids to military defence systems.

No comments:

Post a Comment