RENEE MONTAGNE, HOST:
Wars have long been fought on land, on sea and in the air. Now there's a new battlefield - cyberspace. Countries, the United States included, are launching attacks on each other's computer networks. Software can be a lethal weapon. This week, NPR's Tom Gjelten is looking at the offensive side of cyber war. Today, the cyber arms market - how computer weapons are developed, bought and sold around the world.
TOM GJELTEN, BYLINE: To understand how a cyber-attack works, think of it like a burglary. First, you have to get inside the place you're going to burgle. You do that by picking a lock or maybe you can sneak in through a back door someone left open. Only then, when you're inside, can you carry out the crime. Technologist Christopher Soghoian says it's the same thing when you attack a computer network.
CHRISTOPHER SOGHOIAN: You need a way of getting in the door. You need a way of getting into the system that you're hacking into, whether it's the computer of a surveillance target or the computer running a nuclear power plant. So you need a way in.
GJELTEN: Once you've found that way in, once you've penetrated a network, you instruct the computer to do what you want. But these are separate operations, and Soghoian says the first step in a cyber-attack is often the most challenging.
SOGHOIAN: The code that you run that steals data, that taps the microphone, this is easy stuff to write. The code that gets in the door is really sophisticated, very difficult and completely unregulated.
GJELTEN: Here's the trick. All computer systems linked to the Internet use applications like Internet Explorer or Adobe. These programs inevitably have bugs in them. Some are security flaws. They're like that back door someone neglected to lock. Cyber researchers call these bugs vulnerabilities because they expose the program to intruders just as an open window makes a house vulnerable to burglary.
When security researchers found these bugs in the past, they'd report them to the software manufacturer so they could be patched. But then the cyber weapon designers came along and set their sights on the vulnerabilities. They'd actually call them back doors because they could serve as back doors into a network.
They didn't want to patch them. They wanted to exploit them. The weapon designers especially liked the vulnerabilities nobody else knew about. In cyberspeak these are called zero days or O-days. Richard Bejtlich, a former cyber specialist in the Air Force, remembers the time back in the '90s when he first realized a software vulnerability was something a cyber weapon designer could exploit.
RICHARD BEJTLICH: Myself and a couple other guys, we found a zero day vulnerability in Cisco routing equipment, and we looked at it and we said, did we really find this? We can really get into these Cisco routers? Yes, we can. So what did we do? Called up Cisco, told them, hey, we found this vulnerability, and they go, thank you for telling us, we'll work on fixing it.
A couple days later, I'm talking to some of my friends who work on the offensive side of the unit and I said, yeah, we actually reported this O-day to Cisco. And they said, you did what? Why didn't you tell us? We could have used this to get into all these various hard targets.
GJELTEN: To Bejtlich, a software flaw was a mistake to be corrected. But that was the view from the defensive side. Air Force guys assigned to offensive cyber operations saw that software flaw as an open door into the network they were trying to attack.
BEJTLICH: We actually had a standing order past that point that said if you find something, you don't tell the vendor, you need to tell the offensive side, and then they'll decide what to do about it.
GJELTEN: What this means is that if the military thinks a software flaw can be used for a cyber weapon, it may not want anyone else to know about it. Christopher Soghoian with the Speech Privacy and Technology Project at the ACLU says consumers, individuals and businesses could be the losers here.
SOGHOIAN: I don't think they realize that their government knows about flaws that could be fixed and is sitting on them and exploiting them against other people rather than having them fixed.
GJELTEN: That's just one issue. There's more. The greater interest there is in a capability to launch cyber attacks, the more demand there is for those software vulnerabilities, the back doors that allow an attacker to sneak into someone's network. There's now a global market for back doors. Soghoian says private researchers who discover a software flaw have a choice - alert the manufacturer and maybe get a little reward or share that vulnerability with a potential cyber-attacker for a big payoff.
SOGHOIAN: For every researcher who's doing the right thing and getting, you know, the modest gift, there are plenty of researchers who are selling these things for what they deem to be the true market value. And the true market value is whatever governments and their middlemen are willing to pay.
GJELTEN: Former Air Force officer Richard Bejtlich is on the private side himself now, as chief security officer at Mandiant, a cyber consultancy. He's not in the business of selling vulnerabilities to the highest bidder, but he knows other people who are.
BEJTLICH: There seems to have been an explosion of interest in the last maybe two years, where the hot thing to do is to found a company with five of your buddies who are all really good at finding vulnerabilities and just start making money.
GJELTEN: Essentially we're talking here about a cyber arms market. Not surprisingly, it operates mostly in the shadows, but at conference last weekend I caught up with one seller of back door vulnerabilities. His name is Donato Ferrante. He says he advertises his vulnerabilities through an email list. Clients see what back doors he has found into which software products, but they get only the barest information about the vulnerability.
DONATO FERRANTE: If the customer wants to use the vulnerability, the customer needs to buy the vulnerability. This is just a sort of, you know, portfolio and then the customer needs to buy the details.
GJELTEN: And would you sell them?
FERRANTE: I mean if they want to buy, yeah. I mean this is our job. It's business.
GJELTEN: It's business. Between the U.S. military, law enforcement and intelligence agencies, the U.S. government is a big buyer of vulnerabilities or back doors. But it's not only the U.S. developing cyber weapons. So are other governments. Private companies wanting to penetrate an adversary's network may also be in the market for back doors. So could cyber criminals, for that matter, or even groups plotting a cyberterrorist attack.
No wonder vulnerability sellers don't want to say much about their business. Donato Ferrante says he's based in Europe, but won't say which country. I want to know more.
What's this world like that you work in?
FERRANTE: It's just, you know, I don't see, you know, bad guys or good guys. It's just business.
GJELTEN: No bad guys or good guys, just clients. After all, Ferrante says, he's just selling information.
FERRANTE: The way the information, you know, would be used, it's up to the customer. It's not, you know, up to us.
GJELTEN: At the moment, there is virtually no regulation of the back door market in the United States, no mandatory reporting of vulnerability sales, for example. Richard Bejtlich of Mandiant.
BEJTLICH: I am shocked that this has not been regulated, because to me it would be so easy for a legislator to say, we're going to do arms control. We're going to keep this out of the hands of the bad guys. You're going to need a license to have these tools. And who's going to stand up and say, no, you have to have cyber weapons.
I mean, if you wanted to look for an easy way to have legislators appear to be doing something, this would be it.
GJELTEN: But developments in cyber warfare and cyber weaponry are moving so fast that our thinking about this new domain of combat and crime just can't keep pace. And it's not just governments finding new ways to attack each other. Private firms frustrated by their inability to defend their networks against cyber-attacks are increasingly going on the offense themselves. That story tomorrow. Tom Gjelten, NPR News.