Thomas Lim, the founder of a boutique company that sells cybermunitions and hacking tools to governments and corporations around the world, has mischievous taste in T-shirts. The one he’s got on, as he sits in the Art Deco-style bar of Miami Beach’s famed Fontainebleau Hotel, says he’s a reservist for Unit 61398 of the People’s Liberation Army, a notorious group of Chinese computer spies. It’s an inside joke aimed at the 160 hackers, spooks, and mercenaries attending Infiltrate, an annual security conference that draws a more elite crowd than the larger industry confabs.
An unusually boisterous 44-year-old in a business that prizes discretion, Lim is the chief executive officer of Coseinc, based in Singapore. His nation-state clients are mostly countries that want to join the U.S. and China in the cyberpower club but don’t have the skills to do it on their own. He conducts a lot of business at conferences—networking, picking up clients—and Infiltrate is one of his favorites. While most such gatherings have become unabashedly commercial affairs, Infiltrate still maintains the feel of a digital Casablanca, where hackers mingle with spies, and defense contractors troll the bars for talent. Mindful of laws on corporate espionage, sellers of cybermunitions are careful to say they only provide information and code; the buyers decide what to do with it.
Over two days in May, Lim trades Edward Snowden jokes with National Security Agency spies and slams beers with Argentinian exploit developers. (Exploits allow a hacker to take over an unsuspecting user’s PC.) The event’s technical talks—and sideshows such as Brazilian jujitsu demonstrations—draw experts from England, Finland, France, Italy, and Malaysia. There are no name badges, only color-coded wristbands: black for featured speakers, red for the audience. The list of attendees is secret. If you don’t already know who you’re talking to, the ground rules suggest, you shouldn’t be asking.
Infiltrate is the brainchild of Dave Aitel, who began developing hacking tools for the NSA at the age of 18 and at 26 started Immunity, a company that develops exploits for government and commercial clients.
The conference doesn’t sell sponsorships to Microsoft (MSFT), Adobe (ADBE), or other vendors that frown on people who break into computers for a living. Better-known events, such as Black Hat, focus on defending networks. “The best among us work on offense,” Aitel, 38, says of Infiltrate. “And they do their best work when they aren’t apologizing for it.”
The global market for cybermunitions is booming. U.S. officials have determined that more than 100 countries have offensive cyber units, even if most are just a handful of hackers spying on political opponents and dissidents, according to a person familiar with the assessment who was not authorized to speak about it.
At least 20 countries are capable of major attacks, and the club is expanding rapidly. The NSA “will send a small number of people here, so they know what’s going on, as well as to network,” says Richard “Dickie” George, one of the keynote speakers, who recently retired after 41 years at the agency. “There are so many smart people here doing so many things. Everyone gets better by sharing ideas.” The publicity-shy NSA delegation—all men in their twenties and early thirties—can be spotted enjoying mojitos at the open bar outside the conference hall. These are not the debonair operatives of spy novels; they have the body type and skin tone of people who spend long hours in front of computers. They’re in Miami to improve their own craft and because techniques shown off at the conference today may be bought by U.S. adversaries tomorrow.
In dollar terms, cyber is a bargain. The cost of digital munitions is tiny compared with major weapons systems like the F-35, the Pentagon’s next-generation fighter jet. At the dawn of the era of cyberwar, however, budgets for digital weapons are growing faster than for physical ones. In 2014, the president’s budget requested $4.5 billion for cyber operations, a 20 percent increase from the prior year.
To get a picture of the global cybermunitions industry, few vantage points are better than Infiltrate. Talks tend toward the hypertechnical—“SQL injection vulnerabilities” and “fuzzing.” Because that approach is increasingly rare among the major security conferences, the event draws renowned hackers from around the world, including exploit developers from Boston and fuzzing experts from the Pacific Rim. If there were a hacker equivalent of baseball cards, many of the faces around the Fontainebleau’s pool would be collectibles.
After finishing off heaping plates of Cuban food at lunch on the second day, the crowd rushes to find seats in the conference hall. Cesar Cerrudo, described by one attendee as the godfather of Argentinian hackers, demonstrates how to create gridlock and slow emergency response in Washington, D.C., by manipulating the data that flows between roadbed sensors and traffic-light controls. The job could be done for less than $100, he says, not including the cost of a small hovering drone that transmits the fake numbers. The Department of Homeland Security did not respond to a request for comment.
Security bugs in widely used software are relatively easy to find. The trick is to turn the bug into an “exploit,” which allows a hacker to take over someone else’s computer. Defense contractors refine the process further through “weaponization.” They make the exploits so stable and easy to use that a corporal sitting in Beijing can hack a computer in Paris without fuss.
The lone-wolf hacker still has a lot of mystique, but as the industry matures, pools of talent are settling in Silicon Valley-like concentrations around the world. Thailand is hot; so is Buenos Aires. While it’s impossible for a handful of people to make a fighter jet, boutique hacking firms with only a few employees can thrive as digital arms makers. The best are steeped in a culture famous for intense, Red Bull-fueled periods of productivity punctuated by robust partying. “The big guys have the resources in terms of financing,” Lim says, “but we have the skill set.”
One of his advantages, he says, is that he can accommodate the industry’s exotic personalities in ways larger companies won’t. Of his 17 employees, only five work from his offices in Singapore. One lives in the Marshall Islands; other workers have clocked in from Bangkok and Nepal. One of his top fuzzing experts rarely puts on shoes or long pants, Lim says. “How would that guy work for Raytheon (RTN)?”
The imperative for secrecy means that some deals are laundered through middlemen, while others are negotiated by characters that veil their identity in sometimes comical ways. At the bar in the Fontainebleau, Lim tells the story of being approached by two men at a conference in Taiwan. They were ethnically Chinese, but had pitch-perfect American accents, with crew cuts and muscled physiques.
After a discussion over potent Chinese liquor about the capabilities of Lim’s fuzzing engine, the men handed him a card with a U.S. Defense Department logo on it. It was a decent cover story, Lim says. Except the given e-mail address was a Google webmail account, and the card itself looked like it had been printed at a shop around the corner.
“This business has gotten so shady,” he says, laughing raucously. “You just never know who you’re talking to.”