The Code War: Why A Cyber Weapons Stockpile Isn’t So Bad

A map that shows real-time attacks on honeypots – or cyber traps to catch hackers – set up by cyber-intelligence firm Norse. (Christiaan Colen/Flickr Creative Commons).

A new wild west has been born, and it is wilder than before: the wanted posters carry no portraits of the accused, the guns are bigger and completely silent, and the bullets are no longer bullets but bits and bytes. The 21st century has seen the rise of a new kind of cyber battlefield and a new cyber arms market to go with it. Cyber weapons, ranging from a single zero-day vulnerability in a piece of software to fully weaponized malware, are sold on white, grey and underground black markets across the world, supplying governments, businesses, individuals and even terrorist groups with exploits for flaws that nobody else knows exist. These cyber arms dealers have spurred the creation of national stockpiles of cyber weapons, not only among the so-called Great Powers but also among middle powers trying to level the cyber playing field. As much as this resembles Cold War and post-Cold War nuclear stockpiling, cyber arms are not necessarily weapons of mass destruction, and stockpiles are not necessarily a bad thing.

Of the cyber threat vectors a nation-state faces, the zero-day exploit wrapped in sophisticated malware is the most frightening. Such a weapon exploits a flaw in the code of widely used software, a vulnerability of which the vendor is entirely unaware. The name reflects the vendor’s position: it has had ‘zero days’ to prepare for an attack that uses the flaw, and it cannot write a patch for a bug it does not know exists. By the time the vulnerability surfaces, typically because the exploit has been caught in the wild, the payload has usually already done its intended damage. As such, a zero-day in a Microsoft, Apple or Adobe product, software that almost every digital citizen owns and uses regularly, can amount to a cyber-WMD in terms of reach.

The more widely deployed the vulnerable software, the larger the population an attacker can reach and the greater the potential for damage. The vulnerability itself is only the way in; what the payload then does can range from exposing hidden or secret data on a device or network, to altering that data, to deleting it entirely. What does this mean for users, organizations and countries? A zero-day could render the device on which you are reading this unusable, along with everyone else’s. A zero-day could expose a company’s essential secrets and destroy its reputation. A zero-day in the control systems of critical infrastructure could shut down a power grid and bring a whole country to a standstill.

Fortunately, exorbitantly high prices keep the list of potential buyers short. Several boutique cyber-weapon firms, such as VUPEN, Hacking Team and Endgame, operate in a grey cyber arms market, supplying digital munitions to national governments with sufficiently large budgets. The grey market is where the morality of a sale is questionable: the transactions are not blatantly criminal, as in the black market, nor made for the public good, as in the white market of bug bounties and coordinated disclosure. In the grey market, the morality of a weapon depends on what the buyer does with it. Several cyber arms dealers claim they will not sell to oppressive regimes or to states blacklisted by the US or NATO; yet the massive (and ironic) 2015 hack of Hacking Team revealed Russia, Bahrain, Ethiopia and Sudan among the buyers of spyware that could quietly switch on webcams and intercept web passwords and user data. Nor were these the only notable names on the client list: the United States was a customer as well.

The US government has spent millions of dollars buying cyber weapons from a variety of dealers, both companies and individuals, to build stockpiles of zero-days reminiscent of the nuclear stockpiles of the 1960s. The government also finds and develops vulnerabilities on its own. Once a zero-day is acquired, there are two options: (1) disclose the vulnerability to the responsible vendor so that it can be patched, or (2) retain it in the stockpile for use when national security requires. Stated US policy, administered through the interagency Vulnerabilities Equities Process, is to disclose by default, with exceptions when a vulnerability might serve a national security purpose. Option one supports defensive security by closing holes in citizens’ software; option two builds a potentially offensive stockpile on the strength of an ambiguous national security exception.

But this is not the nuclear problem, where every weapon has sheer destructive power and no way to discriminate between targets. Even an exploit for a zero-day in a product as ubiquitous as Apple’s iOS can, if properly built, be aimed at a single target. Each weapon can be tailor-made for an (arguably) beneficent national security purpose, such as wrecking the centrifuges of an Iranian nuclear facility, as Stuxnet did, or gathering the evidence to prosecute a child pornographer. Stockpiling also lets the US use its bidding power in the weapons market to keep weapons out of the hands of oppressive middle-power regimes, although buying an exploit does not remove the underlying flaw, which another researcher can always rediscover independently.

Both options, to disclose or not to disclose, are viable and necessary for national security. The US government, allegedly the largest buyer of zero-days, ought to weigh all pertinent intelligence about a vulnerability before choosing. If the vulnerability may already be known to an adversary, or is already being exploited in the wild, it is wiser to disclose it and have it eliminated; if it is relatively unknown, it makes more sense to stockpile it until it can be used, or until it becomes known to an adversary and loses its value. That decision cannot be made once and forgotten: a vulnerability held in the stockpile should be re-evaluated as intelligence about it changes.

Cyber arms make cyber policy incredibly complex. There is no obvious choice as to whether a weapon should be kept or released, despite the commonplace argument that any weapon stockpile is ‘bad’. Eliminating stockpiles and weapon creation is a nearly impossible task, given how easy it is to learn to find zero-days and write malware (compared with, say, acquiring nuclear material and building a bomb). Instead of eliminating stockpiles, agreements between countries (like the one currently under negotiation between the US and China) would implicitly acknowledge the existing stockpiles and commit the parties not to use them to turn the Code War hot. Establishing inter-state norms is a first step toward governing cyberspace and ending the anarchy of this cyber Wild West. Until that anarchy subsides, it may be best for the US to keep its guns loaded for the day a need to fire arises.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.