U.S. government becomes 'biggest buyer' of malware

Amid a growing battle between federal government agencies and hackers, cyberwarriors, and cyber-enemy nation states, the U.S. is ramping up its malware stockpile to 'hack back' at those who attack it.
Written by Zack Whittaker, Contributor

The U.S. government has become the biggest buyer of malware, according to a Reuters special report, which is leading to growing concerns in the technology and intelligence industry.

[Image: President Obama delivers the 2013 State of the Union address, in which he lifts the lid on a cybersecurity executive order. Credit: CBS News]

Some are warning that by engaging with a dubious, unregulated grey market of hacks, vulnerabilities, and exploits, which the federal government can use to strike back at the opponents that attack it, Washington is "encouraging" hacking and similar practices.

The security industry is concerned that the superpower is failing to register the vulnerabilities it buys, funded by the taxpayer, because it is instead using the exploits to attack and infiltrate foreign networks in order to plant cyberweapons and spy technology.

This "offensive" cybersecurity strategy is leaving ordinary U.S. businesses and consumers vulnerable to their own security breaches and hacks, according to former White House cybersecurity advisors Howard Schmidt and Richard Clarke.

"If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," Clarke said.

Meanwhile, Schmidt, the former White House cybersecurity coordinator who retired from the Obama administration in May last year, said it is "pretty naive" for anyone who discovers a zero-day flaw to believe they are the only person in the world who knows about it.

"Whether it's another government, a researcher, or someone else who sells exploits, you may have it by yourself for a few hours or for a few days, but you sure are not going to have it alone for long."

Because the government relies on flaws in existing networks, software, and systems, the argument is that these hacks and exploits would be less effective if the security industry informed the public of such threats, which would alert companies to patch their software and networks in order to prevent such attacks.

"So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired," said Reuters.

The report comes after The New York Times reported in recent weeks that the Obama administration can order a pre-emptive cyberattack against a threatening nation if the U.S. needs to defend itself. Ultimately, the order would have to come from the president himself.

The Times' report noted that as a result of Obama's victory in taking a second term in the White House, his administration is reviewing the range of cyberweapons that the U.S. government has in its possession.

These cyberweapons are not necessarily powered-up datacenters that launch denial-of-service (DoS) attacks against foreign machines, or specially crafted malware designed to infiltrate the networks of oppressive regimes; Stuxnet was just one of a few malware attacks found in the wild by private research firms.

Many such cyberweapons, in fact, can fit on an ordinary USB thumb drive. Many can be sent via email. And some are no different from the viruses and exploits that black-hat hackers use against unsuspecting citizens going about their daily business.

Such exploits can be sold for as little as $50,000, which is small change to the U.S. government, but many are closer to the $100,000 price mark for a number of exploits that are needed for a "solid operation."

"Exploits are used as part of lawful intercept missions and homeland security operations as legally authorized by law," according to Paris, France-based Vupen, which spoke to Reuters. Vupen began selling vulnerabilities to governments and intelligence agencies when software makers failed to agree on a compensation system. The security firm said it sells its discoveries as part of efforts to "protect lives and democracies against both cyber and real-world threats."

Vupen first came to prominence when it was named as part of a Wikileaks release in late 2011 of 287 initial documents describing internet and cell-phone based technology procured by "dictatorships and democracies alike," first developed by the U.S., the U.K., Australia, and Canada.

The security company was named as a manufacturer of trojan malware that can hijack computers and phones — including BlackBerrys, iPhones, and Android devices — and be used to record movements, sights, and sounds in the rooms they are located in.

[Via Reuters]
