Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace

Winnona DeSombre Bernsen

Source Link

If the United States wants to increasingly use offensive cyber operations internationally, does it have the supply chain and acquisition capabilities to back it up—especially if its adversary is the People’s Republic of China?  

Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities, like zero-day vulnerabilities, are a strategic resource. Since 2016, China has been turning the zero-day marketplace in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies and to deny the United States from obtaining similar capabilities from the region. If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.  

This report is the first to conduct a comparative study within the international offensive cyber supply chain, comparing the United States’ fragmented, risk-averse acquisition model with China’s outsourced and funnel-like approach.  

Key findings: 

Zero-day exploitation is becoming more difficult, opaque, and expensive, leading to “feast-or-famine” contract cycles.  Middlemen with prior government connections further drive up costs and create inefficiency in the US and Five Eyes (FVEYs) market, while eroding trust between buyers and sellers.   China’s domestic cyber pipeline dwarfs that of the United States. China is also increasingly moving to recruit from the Middle East and East Asia.  The United States relies on international talent for its zero-day capabilities, and its domestic talent investment is sparse – focused on defense rather than offense.  

The US acquisition processes favor large prime contractors, and prioritize extremely high levels of accuracy, trust, and stealth, which can create market inefficiencies and overly index on high-cost, exquisite zero-day exploit procurements.  China’s acquisition processes use decentralized contracting methods.