If you want to find out how much it costs if you get caught selling exploits, don't bother with comparisons to drug dealing — or even hacking.
ZDNet discovered it might be more useful instead to find out how much it costs to get busted for arms trading.
The recent RAND Corporation report on the "cyber black market" for exploits and zero days detailed a market where the fear of getting caught dictates economics. It left us wondering: What's the cost of getting caught?
The RAND report commissioned by Juniper Networks and released last month, Markets for Cybercrime Tools and Stolen Data, presented us with its collection of observations and data points about the black market for hacks, cracks, data theft, botnets and zero days as told to RAND by its handpicked experts.
RAND explained the black market for cybercrime has changed from a "varied landscape of discrete, ad hoc networks of individuals motivated by ego and notoriety, has now become a burgeoning powerhouse of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states."
An economy of fear
Operating within layers of secrecy and razor-sharp opsec are the players in the cybercrime black market and thus the market's behavior: the market necessitates a fanatical obsession of trying not to get caught. The fear of getting caught dictates much more about the market than its conditions.
Surely this has a cost, too.
To get an understanding of a hacker's potential cost of getting caught doing black market business, ZDNet spoke with a number of high-profile attorneys. Marcia Hofmann is a litigator specializing in digital rights cases who woked on Andrew “Weev” Auernheimer's case.
Ms. Hofmann explained,
Lawyers' rates are highly variable — they depend on years of experience, depth of specialization, technical proficiency, where the lawyer works, where the lawyer is geographically based, etc.
I'd estimate the most senior, elite, highly specialized tech litigators working for big firms in major urban areas probably cost as much as $800 an hour or more. A general criminal defense litigator with a couple years of experience in a less urban area might cost something like $200 an hour or even less.
Hofmann offered a sobering caveat. "Ideally, a hacker facing this kind of case would hire a lawyer with experience in hacking-related law and the capability to explain highly technical issues in an understandable, compelling way to a judge and members of a jury who don't have much experience with technology. In a criminal case, criminal defense experience is also paramount."
She cautioned, "These lawyers are few and far between, so they're likely to be expensive."
Take that one expensive lawyer, and add a few more. Ms. Hofmann is one of Andrew “Weev” Auernheimer's six attorneys. The DOJ said that was looking at up to "35 years in prison, to be followed by three years of supervised released, restitution, forfeiture and a fine of up to $1 million." Swartz's lawyers said the minimum cost to defend a federal criminal suit is a staggering $1.5 million. Don't forget bail: Auernheimer's second bail was $50,000.
Even still, it's critical to point out that neither Aurenheimer nor Swartz were busted for exploit sales.
Hofmann stressed, “I've yet to see a case in which a hacker is either sued or prosecuted for selling an exploit. So from my perspective, it's hard to speak concretely about how this type of situation would develop.”
There's no doubt that the murky conditions of getting caught dominates the black market's very mechanics. In former NSA employee Charlie Miller’s 2007 black market version of War and Peace (The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales), he explained the inherent obstacles to market function and growth: nearly every single problem comes back to the various players’ fear of criminal prosecution.
In proposing an above-board solution to the market’s obstacles, Miller suggested a system of direct auctions. However, he noted:
The biggest drawback to this system is its questionable legal status. Noted information security attorney Jennifer Granick stated that while running such an auction is probably legal, it would certainly be risky.
But risky — how? In order to determine the cost of getting caught, we have to find out exactly what’s illegal about exploit sales.
Prosecution for exploit sales a virtual unknown
When ZDNet asked attorneys working in the world of high-profile hacking cases how much it costs to get caught selling zero days, we were told again and again that prosecution for sales is a virtual unknown.
Jason Schultz, Associate Professor of Clinical Law and Director of NYU's Technology Law & Policy Clinic told ZDNet this is most likely because “it is hard to prove intent to encourage an attack against a specific target and the information itself is often simply knowledge, and not even code. I could see a prosecutor charging a 0-day seller with aiding and abetting or conspiracy to violate the CFAA or Espionage Act if the seller had any knowledge of what the buyer intended to do with the exploit. But that's probably why they typically don't.”
That said, if Cyberwarfare treaties become anything real to deal with, they might give rise to prosecution for mere trading, but it will be tough to prove that an exploit is a weapon just because it works.
Funny that Mr. Schultz should mention warfare treaties.
The world's primary arms trading control treaty added the new category and definition of "intrusion software" into its control lists of munitions in December 2013.
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a global treaty, so it’s not legally binding, but its controls are implemented by national legislation within its 41 member countries.
The treaty oversees export controls on munitions and arms like tanks, missiles and guns, as well as “Dual Use Goods and Technologies.”
Section 4: Computers of the Dual Use Goods List includes “Software” with particular attention to,
"Software" specially designed or modified for the "development" or "production" of equipment or "software" specified by 4.A. or 4.D.
4.A. is described as:
Systems, equipment, and components therefor [SIC], specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".
RAND observed, “It is challenging to describe what the entire market looks like. It is too vast, has too many players, is too disjointed, is constantly changing, and, because it is a criminal market, pains are taken to prevent law enforcement from understanding it.”
It apparently depends who's brandishing the badge.
Governments "bankrolling dangerous R&D"
The biggest transformation to the hacker black market has been the influx of government money: notably U.S. government money. In 2013's article Nations Buying as Hackers Sell Flaws in Computer Code, the New York Times reported that after the United States,
Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asian Pacific, including Malaysia and Singapore, are buying, too, according to the Center for Strategic and International Studies in Washington.
The Economist reported in March 2013’s The digital arms trade,
Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits.
It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.
The Economist concluded, “As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D.”
To firmly criminalize exploit sales, or most aspects of it, would bend governments beyond hypocrisy — though that’s not much of a stretch for some in the NYT’s nation-state buyer list.
Right now the cyber black market is a teeming, growing and economically thriving digital black market whose fabric is woven with fear of criminal prosecution, and a multiplicity of perversities preventing it from being regulated, and those who would regulate it would surely endeavor to maintain its holes.
Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society, points out that in her experience, “the issues with zero day and exploit sales are very similar to vulnerability disclosure.”
The only difference is one suggests only disclosure/distribution of code, which courts may view more suspiciously.
In terms of examples, there are lots of researchers being sued for pure talks (e.g. MTBA suing Zack Anderson et al, or Cisco/ISS suing Michael Lynn) but I don't currently remember anywhere it was a pure seller. Usually there's some other factor, like someone also used the vuln, either to test or to prove its viability (e.g. US v. Eric McCarty).
Stephen Watt wasn't a seller, but the U.S. courts certainly saw his case as more than suspicious — and it's one of the closest comparisons to getting caught for trading exploits for financial gain. In 2009, the hacker was sentenced to two years in prison after pleading guilty to creating a custom sniffer that helped his friend Alberto Gonzalez steal millions of credit card numbers from retailer TJ Maxx.
Watt was charged with providing a data theft tool in an identity theft case and ordered by the court to pay back $171.5 million in restitution. Court documents noted that he had to borrow considerable sums from his mother to afford his legal fees, bail, and living expenses without employment.
Equally as fascinating — and readable — as RAND’s light-of-day roundup of black market hackonomics are the shadows the report continues to cast.
RAND stressed — repeatedly — that the cyber black market was akin to the global drug trade. But the answers we found in asking cyberlaw experts about the cost of getting caught (which turned into trying to figure out what getting caught even meant) moved the dial closer to arms trading than getting busted for drug dealing, or even hacking.
And to contemplate the cost of getting caught in that market offers a terrifying glimpse of the future, where gifted hackers and virtuous officials all honestly believe they're doing the right thing, or at least if not, they'll get rich or die trying.