It is simply more profitable to sell newly discovered exploits to bad guys than it is to report them to the software companies for fixing. The few companies that are willing to pay bounties for bugs are easily outbid by the bad guys as a cost of doing business. As long as that is a viable economic model, we will never have a hope of any defensive strategy that will work other than fast clean up of the mess when it happens.
This is simply an arms race, with the criminals and the spooks driving the demand side of the economic equation. Unlike traditional weapons of warfare, the manufacturers of cyber-weapons only need a computer instead of massive industrial investment in manufacturing facilities and engineered metallurgical formulas.
I have recently picked on China as being a major player in this game, but my cousin just reminded me that the United States is just as much to blame if not more so. *Update* Many others play the game too.
"Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial."

This only makes sense. Sales (and use) of traditional weapons of war are an infinitely easier event to detect than sales of cyber-weapons. A physical product being bought and sold is an event that involves people and transport of product. A virtual product can be moved via recycled electrons, which are much harder to see. Of course, owing to where I work, I must say that the traces of the virtual transactions are certainly detectable and traceable events. That being said, I guarantee that the number of people on this planet that are capable of seeing a suspicious physical arms deal far outnumber those that are capable of detecting a cyber-arms deal.
It just doesn't add up.
"Some national-security officials and security executives say the U.S. strategy is perfectly logical: It's better for the U.S. government to be buying up exploits so that they don't fall into the hands of dictators or organized criminals."

Yeah...right. So a 'researcher' turned 'soldier of fortune' is only going to sell one copy of his exploit to the 'good guys?' This isn't a physical product that, once sold, you have sole possession of. Have we forgotten the war that still wages on in the music industry? And you want me to believe that the person selling this exploit is selling it to agents of the US, which can't be readily identified in the first place, and suddenly grows a conscience and will only sell it to one agent? Do you honestly think the spooks on either side of a given fence are going to email the other side and say "do you have exploit XYZ, or are we the only ones?" Unlike real espionage in the real world involving real people, it is quite safe to be a double (or more) agent in the cyber-warfare world. Such a person can change their identity with a few keystrokes.
Let's not forget that these exploits that are destined to be turned into weapons, if they are not already weaponized, are indiscriminate. They care neither about the nationality of the computer they are pointed at, nor the company affiliation, nor the politics or business behind the attack.
"What's certain is that criminal hackers copied Duqu's previously unheard-of method for breaking into computers and rolled it into 'exploit kits,' including one called Blackhole and another called Cool, that were sold to hackers worldwide."

Sorry...that was pointed out already.
The truly funny part of this is that the very exploits that make these weapons possible also leave the government agencies that use them vulnerable, along with the rest of any given government as a whole. Isn't the purpose of any given weapons program to make the world safer for the entity possessing the weapons?
How do we move forward?
This certainly bodes ill for those of us fighting the good fight. So what can we do? Well, it seems to be rapidly becoming a favorite topic of mine, but incident response is the only answer for now. I have argued it here and here.
Long term, governments worldwide need to wake up and pursue some legislation and enforcement cooperation in a crime that is making life less safe and business more costly to the detriment of true innovation.
Until we start treating the crime of selling exploits to the highest bidder on the same level as arms trafficking or drug smuggling or the use of biological weapons, and expect international legal consensus and enforcement, we will all continue to pay the price.