U.S. government becomes 'biggest buyer' of malware

Summary: Amid a growing battle between federal government agencies and hackers, cyberwarriors, and cyber-enemy nation states, the U.S. is ramping up its malware stockpile to 'hack back' at those who attack it.


The U.S. government has become the biggest buyer of malware, according to a Reuters special report, which is leading to growing concerns in the technology and intelligence industry.

President Obama delivers the 2013 State of the Union address, in which he lifts the lid on a cybersecurity executive order. (Image: CBS News)

Some warn that by engaging with a dubious, unregulated grey market in hacks, vulnerabilities, and exploits, which the federal government uses to strike back at the opponents that attack it, Washington is "encouraging" hacking and similar practices.

The security industry is concerned that the superpower is not disclosing the taxpayer-funded vulnerabilities it buys to the affected software vendors, because it is instead using the exploits to break into foreign networks and plant cyberweapons and surveillance tools there.

This "offensive" cybersecurity strategy leaves ordinary U.S. businesses and consumers exposed to the very same flaws, since an undisclosed hole stays unpatched for everyone, according to former White House cybersecurity advisors Howard Schmidt and Richard Clarke.

"If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," Clarke said.

Meanwhile, Schmidt, the former White House cybersecurity coordinator who retired from the Obama administration in May last year, said it is "pretty naive" to believe that when a zero-day flaw is discovered, the discoverer is the only person in the world who knows about it.

"Whether it's another government, a researcher, or someone else who sells exploits, you may have it by yourself for a few hours or for a few days, but you sure are not going to have it alone for long."

Because the government relies on flaws in existing networks, software, and systems, the argument is that these hacks and exploits would be less effective if the security industry informed the public of such threats, which would alert companies to patch their software and networks in order to prevent such attacks.

"So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired," said Reuters.

The report follows a New York Times story in recent weeks that the Obama administration has concluded it can order a pre-emptive cyberattack against a threatening nation if the U.S. needs to defend itself. Ultimately, such an order would have to come from the president himself.

The Times' report noted that as a result of Obama's victory in taking a second term in the White House, his administration is reviewing the range of cyberweapons that the U.S. government has in its possession.

These cyberweapons are not necessarily powered-up datacenters that launch denial-of-service (DoS) attacks against foreign machines, or specially crafted malware designed to infiltrate the networks of oppressive regimes; Stuxnet was just one of a few malware attacks found in the wild by private research firms.

Many such cyberweapons, in fact, can fit on an ordinary USB thumb drive. Many can be sent via email. And some are no different from the viruses and exploits that black-hat hackers use against unsuspecting citizens going about their daily business.

Such exploits can sell for as little as $50,000, which is small change to the U.S. government, though many are priced closer to the $100,000 mark, and a "solid operation" typically needs several of them.

"Exploits are used as part of lawful intercept missions and homeland security operations as legally authorized by law," according to Paris, France-based Vupen, which spoke to Reuters. Vupen began selling vulnerabilities to governments and intelligence agencies when software makers failed to agree on a compensation system. The security firm said it sells its discoveries as part of efforts to "protect lives and democracies against both cyber and real-world threats."

Vupen first came to prominence when it was named in a Wikileaks release in late 2011 of 287 initial documents describing internet and cell-phone surveillance technology procured by "dictatorships and democracies alike," developed by companies in the U.S., the U.K., Australia, and Canada.

The security company was named as a company that manufactures trojan malware that can hijack computers and phones — including BlackBerrys, iPhones, and Android devices — that can be used to record movements, sights, and sounds in the rooms they are located in.

[Via Reuters]

  • This should be good.

    It certainly starts to put a different light on the criticism of China and their massive, ongoing cyber operations. I'm curious to see who comes out of the woodwork to offer spins. Hopefully it won't end up being another Dem/Repub whacking stick - those are tiresome and go nowhere.
  • Unfortunately, it is not a perfect world.

    A note from history (quoted from memory, may not be verbatim):

    We cannot tell you WHAT you will be doing, but we will tell you HOW to do it. And we can say that if our enemies succeed in what we are doing before we do, God help us.

    These were the instructions given to workers in the Oak Ridge plant during World War Two. And fortunately (in the short term, if you believe a five-year battle to take Japan would somehow have been better for humanity), we did succeed before our enemies. But in a world in which opposing sides, or worse, ANYONE, knows how to make a devastating weapon, the good guys had better know at least how it works and how to defend against it.

    Ending the Cold War and negotiating reductions to somewhat saner levels of nuclear missiles took decades, and building such a social consensus in the evil of cyber weapons, either for crime or for aggression, to the point that even the worst of us DARE not try to launch them, will take perhaps a century or longer. In the meantime, knowing that both sides have the ABILITY to attack via the internet may reduce the likelihood of it being used by actors with a big enough profile to suffer a counterattack.

    Many years ago there was a science fiction story set in a computerized future somewhat beyond ours, in which everyone knew how to use computerized control panels to do all the things required in daily life (no cash, only e-payment for everything). The punishment for serious computer-related crimes was a mind control implant creating an artificial kind of CYBERPHOBIA, in which the convict would suffer an emotional breakdown when attempting to control any electronic device. These people were marked for life, since even to cash a paycheck, buy a lunch or groceries, or anything else, they were forced to ask a bystander to do it for them. Until we have that neuro-technology, we will have hackers: from the equivalent of muggers, to terrorists, to invading armies.

    I assume, and we can only trust, that the vulnerabilities exploited by our government are only the ones so hard to find that it is unlikely they will be found soon. And that as each one becomes "stale" they will release the fix simultaneously with the announcement. But our biggest vulnerability is that the processor chips we use are manufactured in China, and we have no idea what they have put into that hardware.

    Our critical systems should be run on processors designed and built HERE in the US, with a firmware layer that allows only the interfaces needed for PUBLISHED functions of their popular OS'es. They would thus run LEGAL applications identically with the Chinese-built ones, but would not run programs containing the Chinese back doors.

    Life always has its hazards, including on occasion the hazard of trusting the police not to commit crimes themselves. But trusting the police, and keeping their activities as public as possible, is better than trusting the crooks.
• I'm afraid neuro control is already here...

and who can think of something more terrifying than a zombie army of victims of neuro-transmitter control?!
  • Hack first!

BS, it's all about using everyone. Everyone.
  • I can see this coming....

Some anti-malware researcher looking into how to detect and remove some malware finds this in the code:

    (c) United States Government
• USA has an agenda inimical to mankind

    One must identify traitors as one discovers them;
    alt links: