WASHINGTON – On Florida’s Atlantic coast, cyberarms makers working for U.S. spy agencies are bombarding billions of lines of computer code with random data that can expose software flaws the U.S. might exploit.
In Pittsburgh, researchers with a Pentagon contract are teaching computers to scan software for bugs and turn them automatically into weapons. In a converted textile mill in New Hampshire, programmers are testing the combat potential of coding errors on a digital bombing range.
Nationwide, a new league of defense contractors is mining the foundation of the Internet for glitches that can be turned to the country’s strategic advantage.
They’re part of a cybermilitary industrial complex that has emerged in more than a dozen states and employs thousands of civilians, according to 15 people who work for contractors and the government.
The projects are so sensitive that their funding is classified, and they are so extensive that a bid to curb their scope will be resisted not only by intelligence agencies but also by the world’s largest military supply chain.
We’re in an arms race, said Chase Cunningham, the National Security Agency’s former chief cryptologic technician. The competition to find exploitable bugs before an enemy does is as intense as the space race and the Cold War combined, he said.
The U.S. has poured billions of dollars into an electronic arsenal built with so-called zero-day exploits, manipulations of missteps or oversights in code that can make anything that runs on a computer chip vulnerable to hackers.
They go far beyond flaws in Web encryption, which the NSA has exploited for years without warning the public about it, according to people with knowledge of the matter.
The agency’s stockpile of exploits runs into the thousands, aimed at every conceivable device, and many are not disclosed even to units within the agency responsible for defending U.S. government networks, people familiar with the program said.
Under a directive made public last month, after Bloomberg News reported the NSA’s utilization of the infamous Heartbleed bug – a use the agency denied – the White House said exploits should, in most cases, be disclosed so computer users can protect themselves.
Michael Daniel, the White House cybersecurity coordinator, said in a blog post last week that building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.
As conventional military spending has been cut back and funding for cyberoperations ramped up, Lockheed Martin, Northrop Grumman and others better known for jets and tanks are retooling for a new generation of armaments.
Of countries that are developing industrial-strength cybercapabilities, certainly the U.S. is in the lead, said Nate Freier, a research professor in defense and military strategy at the U.S. Army War College.
The question is whether we understand it well enough to use it without encountering a significant amount of blowback or unintended consequences.
Spy agencies develop exploits themselves, buy them from contractors or steal them from rivals.
And the arsenal must be constantly refreshed, as the software at which they’re aimed is updated and fixed.
Some exploits are used for years; others only for a short time until the flaws on which they are based are patched.
There are more than bugs in the government’s arsenal: Hackers at the NSA’s Tailored Access Operations, or TAO, have more than 1,000 special tools to aid them in stealing data or manipulating a rival’s electronics.
If TAO wants to switch on a microphone in a computer running Microsoft Windows, covertly recording conversations of anyone nearby, a custom module does the job. If it needs to hijack the system that communicates between computers and the controls that operate railroad track switches or dam flow gates, there’s a plug-in for that, too.
The private sector provides support at all levels.
When intelligence agencies were looking three years ago for holes in commercial software that runs video conferencing systems, they reached out to several contractors. Endgame, an Atlanta company that once specialized in weaponizing software bugs, provided the exploits, allowing U.S. spies to tap into the systems, according to a person familiar with the contract.
Cyber money is not shrinking the way the rest of the defense budget is, said Dave Aitel, chief executive officer of Immunity, an offensive security firm in Miami.
That means that all the big beltway bandits must invest heavily to build their cyberteams – and that this market is going to continue to grow.
In President Barack Obama’s proposed fiscal 2014 budget, the money for cyberoperations jumped 20 percent, to $4.5 billion. The Pentagon has placed it on a list of priority programs, an unclassified comptroller’s presentation shows.
Zeroing in on problems
Finding bugs requires the creativity of human researchers as well as the power of computers, which relentlessly pound software programs with unpredictable data to spot a possible malfunction, a technique called fuzzing.
ForAllSecure, a Pittsburgh company founded by researchers from Carnegie Mellon University, has a Pentagon contract to teach computers to scan for software vulnerabilities and automatically generate attack code.
Its product, called Mayhem, has been used to analyze more than 37,000 off-the-shelf software programs and found 14,000 bugs in them, including 152 for which the company has developed exploits, said David Brumley, an assistant professor in computer science and engineering at Carnegie Mellon who is leading the work.
If the U.S. wanted to use an exploit to gather intelligence and not disclose the underlying error’s existence, Brumley said he wouldn’t object.
We have to be free to be able to strategically and appropriately use cyberweapons, Brumley said.
Unlike Tomahawk missiles, which do one thing and with a high degree of reliability, even the best-crafted exploits are unpredictable because computer systems and software can come in almost endless combinations of configurations that could foil attacks.
Siege Technologies, a startup in a converted 19th-century textile mill along the Merrimack River in Manchester, New Hampshire, is working to change that with more than $10 million in contracts from the Department of Defense and other agencies.
For the past four years, Siege has been developing an algorithm that predicts the likelihood of a cyberattack’s success, a process that entails running attack code through thousands of test cases to generate models of how effective it would be in the real world, whether it’s breaking into power grids or hacking mobile phones.
Siege Technologies is considering enhancements that would provide real-time feedback as to whether an exploit actually hit its target, said company founder Jason Syversen.
Military commanders want a smoking crater to prove an attack was successful, he said.
We don’t have that in cyber.
I feel more comfortable working on electronic warfare, he said. It’s a little different than bombs and nuclear weapons – that’s a morally complex field to be in. Now, instead of bombing things and having collateral damage, you can really reduce civilian casualties, which is a win for everybody.