U.S. government tops list of malware buyers

While vocally and repeatedly tying all kinds of discovered cyber attacks to Chinese hackers, the U.S. has quietly been working on their own cyber offensive capabilities – so much so that the U.S. government has become the biggest buyer of zero-day security vulnerabilities and the tools that exploit them, reports Reuters.

You won’t find many public reports and articles about that, because the U.S. offensive cyber-warfare strategy is classified information. Even when the fact that Stuxnet was developed through a joint effort of the US and Israeli government agencies has been made public by the NYT, it was never – and I suspect it will never – confirmed by the U.S. government.

And now, yet again, persons “in the know” are saying that U.S. intelligence and military agencies are working on assuring themselves the upper hand by using their defense contractors, vulnerability-selling companies, and independent brokers to amass as many zero-days they can – especially those affecting popular software and devices – and all this in addition to finding vulnerabilities themselves.

In fact, as they can throw huge sums at researchers, other buyers simply cannot compete. As time went by, researchers have practically stopped disclosing the information for free to the developers of the software and hardware, and have turned to selling it to the highest bidder.

According to Charlie Miller, a well-known security researcher who used to work for the National Security Agency, “the only people paying are on the offensive side”.

And while former counter-terrorism czar Richard Clarke and former Cyber-Security Coordinator of the Obama Administration Howard Schmidt point out that the U.S. government should tell U.S. users about vulnerabilities they know about and that could lead to serious compromises, the reality is that they don’t.

The U.S. government and the president have been very vocal about the private sector sharing information within itself and with the government, but there hasn’t been much talk about intelligence and defense agencies sharing helpful information with the private sector.

In the meantime, vulnerability sellers such as Vupen are washing their hands of any responsibility and say that software developers should invest in in-house research to discover vulnerabilities in their products.

Some of them say that they are selling information about security flaws only to democratic governments, but such claims are difficult to verify. After all, who’s to say that the first buyer is always the last?

Another problem is that once the vulnerabilities become common knowledge, non-state sponsored cyber criminals are implementing exploits for them in their own attack tools. Also, some less-scrupulous seller aren’t above selling vulnerability information directly to organized cyber gangs.

But the scariest thing of all is that the vulnerabilities for sale get implemented in cyber tools with unsettling capabilities.

According to Reuters’ Joseph Menn, who had the opportunity to take a peak at a product catalogue by a large government contractor, there are tools that turn iPhone into eavesdropping devices, allow the transmission of malware via radio waves from one device to another, data-grabbing tools and so on. Most of them had versions for Windows, Apple and Linux machines, and again most of them depend on the exploitation of zero-days.