Cyber Weapons: The New Arms Race

The Pentagon’s been hacked. The IMF has been hacked. Sony, Citigroup, Google—all victims of debilitating online attacks. It’s war out there, and a scary new cyber-weapons industry is exploding to arm the combatants

In the early morning hours of May 24, an armed burglar wearing a ski mask broke into the offices of Nicira Networks, a Silicon Valley startup housed in one of the countless nondescript buildings along Highway 101. He walked past desks littered with laptops and headed straight toward the cubicle of one of the company’s top engineers. The assailant appeared to know exactly what he wanted, which was a bulky computer that stored Nicira’s source code. He grabbed the one machine and fled. The whole operation lasted five minutes, according to video captured on an employee’s webcam. Palo Alto Police Sergeant Dave Flohr describes the burglary as a run-of-the-mill Silicon Valley computer grab. “There are lots of knuckleheads out there that take what they can and leave,” he says. But two people close to the company say that they, as well as national intelligence investigators now looking into the case, suspect something more sinister: a professional heist performed by someone with ties to China or Russia. The burglar didn’t want a computer he could sell on Craigslist. He wanted Nicira’s ideas.

Intellectual-property theft is hardly unheard of in Silicon Valley. Most often, it takes place when a hacker breaks into a network and goes after a widely used product. This was a physical break-in by an armed robber who was after arcane technology that isn’t even on the market yet. Nicira has spent the past four years quietly developing computing infrastructure software for data centers. According to the company’s sparse website, Nicira’s founders came from the computer science departments of Stanford University and the University of California at Berkeley, and the company counts big venture capital names, including Andreessen Horowitz and New Enterprise Associates, as its backers. Nicira also sought a grant from the Defense Dept. to work on networking technology for the military. Nicira declined to comment for this article. (Bloomberg LP, which owns Bloomberg Businessweek, is an investor in Andreessen Horowitz.)

Those familiar with the burglary refuse to talk about it on the record, citing orders handed down by the federal investigators. In private, they share a common concern: Cyber espionage and nation-state-backed hacking incidents appear to be increasing in frequency and severity. What once seemed the province of Hollywood—high-tech robbers with guns; Internet worms that take out power plants—has become real. They fear that online skirmishes and spying incidents are escalating into a confusing, vicious struggle that involves governments, corporations, and highly sophisticated free-ranging hackers. This Code War era is no superpower stare-down; it’s more like Europe in 1938, when the Continent was in chaos and global conflict seemed inevitable.

Cyber attacks used to be kept quiet. They often went undiscovered until long after the fact, and countries or companies that were hit usually declined to talk about attacks. That’s changed as a steady flow of brazen incursions has been exposed. Last year, for example, Google accused China of spying on the company’s workers and customers. It said at the time that at least 20 other companies were victims of the same attack, nicknamed Operation Aurora by the security firm McAfee. The hacked included Adobe Systems, Juniper Networks, and Morgan Stanley. Joel F. Brenner, the head of U.S. counterintelligence until 2009, says the same operation that pulled off Aurora has claimed many more victims over several years. “It’d be fair to say that at least 2,000 companies have been hit,” Brenner says. “And that number is on the conservative side.”

Dozens of others, ranging from Lockheed Martin and Intel to the Indian Defense Ministry, the International Monetary Fund, and the Pacific Northwest National Laboratory, have suffered similar assaults. Earlier this year hackers raided the computer networks of RSA, a marquee security firm that protects other companies’ computers. They stole some of the most valuable computer code in the world, the algorithms behind RSA’s SecureID tokens, a product used by U.S. government agencies, defense contractors, and major banks to prevent hacking. It was like breaking into a heavily guarded locksmith and stealing the master combination that opened every vault in every casino on the Las Vegas Strip. This month the Pentagon revealed that it, too, had been hacked: More than 24,000 files were stolen from the computers of an unnamed defense contractor by “foreign intruders.”

The most famous cyber-war incident to date, and the one with the most public details, involved the Stuxnet worm. Last year, Stuxnet—whose existence was first reported by security blogger Brian Krebs—appeared in dozens of countries, targeting what are known as programmable logic controllers, ubiquitous industrial computers the size of cigarette cartons. Stuxnet was designed to harm only one kind: controllers processing uranium fuel at a nuclear facility in Iran. People who have analyzed the attack think someone slid a thumb drive with Stuxnet code into a Windows PC that was linked to the centrifuges, which were buried in a bunker. The worm then ordered the machinery to spin too fast, eventually destroying it. While all this happened, Stuxnet remained hidden from the Iranian technicians at the facility. The worm disabled alarms and fed the workers fake log reports that assured them the centrifuges were operating just fine.

Stuxnet set Iran’s nuclear program back months. It didn’t merely compromise some database, like most computer worms; it obliterated something physical. “Stuxnet was the equivalent of a very high-powered ballistic weapon,” says Ed Jaehne, the chief strategy officer at KEYW, a fast-growing computer security firm in Maryland. As researchers dissected the technology and hunted for motives, some of them pointed to the U.S. or Israel as the worm’s likeliest place of origin.

Not that the forensics on Stuxnet would necessarily be that helpful: If there’s a distinguishing characteristic of a Code War attack, it’s that the technology involved keeps changing. Cyber weaponry appears to be entering a golden age of rapid development—a new arms race. The quest in Washington, Silicon Valley, and around the globe is to develop digital tools both for spying and destroying. The most enticing targets in this war are civilian—electrical grids, food distribution systems, any essential infrastructure that runs on computers. “This stuff is more kinetic than nuclear weapons,” says Dave Aitel, founder of a computer security company in Miami Beach called Immunity, using a military term for destructive power. “Nothing says you’ve lost like a starving city.”

Cyber weapons have existed for years, mostly in military and national intelligence agencies. Security experts have confirmed that work by Northrop Grumman, Raytheon, and General Dynamics, the stalwarts of the traditional defense industry, is helping the U.S. government develop a capacity to snoop on or disable other countries’ computer networks. The industry started to change around 2005, however, when the Pentagon began placing more emphasis on developing hacker tools specifically as a means of conducting warfare. The shift in defense policy gave rise to a flood of boutique arms dealers that trade in offensive cyber weapons. Most of these are “black” companies that camouflage their government funding and work on classified projects. “Five years ago, there was an explosion that occurred,” says Kevin G. Coleman, the former chief strategist of Netscape and author of The Cyber Commander’s eHandbook, a downloadable guide. “People with offensive capabilities just burst onto the scene.”

Two of the primary weapons in a cyber warrior’s arsenal are botnets and exploits. A botnet is a collection of tens or even hundreds of thousands of computers that have been commandeered without their owners’ knowledge. Hackers spend years building these involuntary armies by infecting peoples’ computers with malicious code—self-propagating computer worms—that remains hidden and primes the computer to receive orders. When activated, a botnet can take down networks by bombarding them with digital chatter. It can also help spy on and, if needed, sabotage large numbers of machines.

An exploit, in the hacker sense of the word, is a program that takes advantage of vulnerabilities in widely used software such as Windows from Microsoft or in the millions of lines of code that control network servers. The hacker uses an exploit to break in and insert a worm or other destructive payload. Some such software weaknesses are well known, though software vendors can still take months, even years, to create patches to plug the holes. The most valuable exploits are those that are unknown to everyone else until the first time they’re put to use. These are called zero-day exploits. (The day the attack is discovered would be Day One.) In the hacker underground, the invite-only online chat boards where illicit wares are sold, a zero-day exploit for a network running Windows can sell for up to $250,000. Stuxnet used four high-end zero days, establishing it as an all-star in hacker circles.

Coleman’s handbook lists about 40 types of attacks that play off botnets and exploits. No. 38 is assassination. Just as Stuxnet caused a centrifuge to spin out of control, a computer worm can shut off a hospital’s computer-controlled intravenous drip or oxygen system before the medical staff knows anything is wrong. No. 39: hacking cars. Cars are full of computers that run the brakes, transmission, engine, just about everything. Control those systems, and you control the vehicle—and can crash it at will. Sounds far-fetched? Last year researchers from Rutgers University hacked into the computers of a car traveling at 60 mph via a wireless system used to monitor tire pressure. It’s unclear whether the U.S. government has used any of these techniques. “We are able to do things which we have not yet decided are wise to do,” says General Michael V. Hayden, the former director of the CIA.

What separates a typical hack from a Pentagon-scale attack in this context is not awe-inspiring power but rather the deftness with which an intruder can sneak into a network, hide his work, and then vanish. Leading up to a 10-day attack in March on South Korea, an Internet worm took control of thousands of computers belonging to students, office workers, and shop owners. The machines then bombarded government and military websites with incessant network traffic, crashing or partially disabling them. The attack destroyed thousands of computers and cost hundreds of man-hours in mitigation efforts. But according to McAfee, the security firm, its real goal was probably to test South Korean cyber defenses, suggesting more is to come. McAfee researchers trying to figure out the origin of the attack found that the worm received its commands from servers in 26 countries, including Vietnam, Saudi Arabia, and the United Arab Emirates. A fifth of the servers were located in the U.S. Just as this digital trail began to untangle, the commandeered computers were instructed to erase some of their basic software code, rendering themselves useless. Investigators still aren’t certain who launched the assault, although McAfee suspects North Korea.

The incident demonstrated one of the scariest aspects of cyber war: untraceability. Jaehne, from KEYW, says that such weird, fast-moving attacks are best handled by startups such as his. “The large corporate defense industrial base is not known for its capabilities here or its speed of innovation,” Jaehne says. “They have to reach out to smaller, more agile companies to find that innovation.”

KEYW says it’s the only publicly traded pure-play “cyber superiority” specialist. Jaehne and other founding executives of the Hanover, Md., company broke away from Northrop Grumman to start their venture in 2008. Most of the approximately 800 employees at KEYW have clearance to work on classified projects for U.S. intelligence agencies, where the company derives most of its revenue. Last year, revenue rose 175 percent, from $39 million to $108 million. When asked about the types of digital munitions KEYW makes, Jaehne replies, “There’s nothing I can say about that.”

Immunity’s Aitel, too, declines to discuss his company’s government work. According to one person familiar with Immunity, it makes weaponized “rootkits”: military-grade hacking systems used to bore into other countries’ networks. (The person didn’t want to be identified because of the sensitivity of the work.) Clients include the U.S. military and intelligence agencies.

In fact, all these companies clam up when it comes to what they make, which is the way the U.S. government likes it. Some, such as a three-year-old startup called Endgame Systems, prefer not to talk at all.

On a leafy block in midtown Atlanta, across from the campus of the Georgia Institute of Technology, sits the old Biltmore Hotel, a bygone focal point of the city’s social life once billed as “the South’s supreme hotel.” The 1924 building was converted to office space in 1999 and now houses a Kwik Kopy and a barber shop with red leather chairs. On the seventh floor, behind locked glass doors, is a black, red, and gray honeycomb logo that reads “Endgame Systems.” The company’s website described Endgame as a commercial computer security company but gave few salient details. That was until recently; by early July the website had disappeared.

Endgame does sell commercial products. It’s also a major supplier of digital weaponry for the Pentagon. It offers a smorgasbord of wares, from vulnerability assessments to customized attack technology, for a dizzying array of targets in any region of the world. Last year, Endgame raised $30 million from venture capital firms including Bessemer Venture Partners and Kleiner Perkins Caufield & Byers. An Endgame press release at the time said the company’s products protect organizations from viruses and botnets. What really whet the VCs’ appetites, though, according to people close to the investors, is Endgame’s shot at becoming the premier cyber-arms dealer. (Endgame declined repeated requests for an interview. Bessemer and Kleiner Perkins declined to discuss their investments in the company on the record.)

The company started in 2008 when a group of elite hackers decided to have a crack at building a computer security company tuned for this era of heightened conflict. Many of the key engineers were part of the X-Force, a team of “white hat” hackers at a company called Internet Security Systems. The X-Force concentrated on breaking into secure networks to find holes before someone with bad intentions could do the same. “That group was about finding a door and then picking it or punching it or doing whatever it takes to get it open,” says Christopher Klaus, a founder of ISS. “There are maybe 500 people in the world who could do this kind of stuff.” IBM acquired ISS in 2006 for $1.3 billion.

Christopher J. Rouland, a member of X-Force, left IBM and recruited some of his hacking brethren to Endgame. According to two former associates, Rouland has an intense demeanor and a tendency toward angry outbursts. He also receives praise as a brilliant manager able to recruit top talent that would otherwise shy away from government work. That’s in part because Rouland was once a hacker himself, known by the handle Mr. Fusion. According to the 2000 book Cybershock, by security consultant Winn Schwartau, Rouland was interviewed by U.S. Air Force investigators in 1990 after he hacked into the Pentagon. Federal authorities recognized skills they could use, says a former ISS colleague, and rather than charge him with a crime, they turned him. Rouland declined to comment on the incident.

Today, Rouland’s firm deals in zero-day exploits. Some of Endgame’s technology is developed in-house; some of it is acquired from the hacker underground. Either way, these zero days are militarized—they’ve undergone extensive testing and are nearly fail-safe. “Endgame is a well-known broker of zero days between the community and the government,” says David Baker, vice-president for services at the security firm IOActive. By “community,” he means hackers. “Some of the big zero days have ended up in government hands via Endgame,” Baker says.

People who have seen the company pitch its technology—and who asked not to be named because the presentations were private—say Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems. Endgame weaponry comes customized by region—the Middle East, Russia, Latin America, and China—with manuals, testing software, and “demo instructions.” There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million. A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million. Ease of use is a premium. It’s cyber warfare in a box.

Those prices come from a trove of Endgame’s secrets that were exposed earlier this year. Some of the company’s communications were made public in February when the shadowy activist group Anonymous hacked a computer security firm named HBGary Federal. That firm’s entire cache of e-mail, including documents from Endgame, turned up online. Endgame’s allies believe the leak hurt national security and say the company has moved to lower its profile even further, which may explain the recent disappearance of its website.

A demonstration product, detailed in the e-mails, charts the computer vulnerabilities of key institutions in Russia, such as the Ministry of Finance. Those vulnerabilities can be used to gain access to computer networks for spying; they can also be used to implant more destructive software for what’s known as a CNA, or computer network attack, military jargon for cyber warfare. Targets for which Endgame has collected details include an oil refinery in the Russian city of Achinsk, the National Reserve Bank, and the Novovoronezh nuclear power plant.

Endgame’s price list may be the most important document in the collection. If the company were offering those products only to American military and intelligence agencies, such a list would be classified and would never have shown up in the HBGary e-mails, according to security experts. The fact that a nonclassified list exists at all—as well as an Endgame statement in the uncovered e-mails that it will not provide vulnerability maps of the U.S.—suggests that the company is pitching governments or other entities outside the U.S. Endgame declined to discuss the specifics of any part of the e-mails, including who its clients might be. Richard A. Clarke, former Assistant Secretary of State and special adviser to President George W. Bush on network security, calls the price list “disturbing” and says Endgame would be “insane” to sell to enemies of the U.S.

The global market may be disturbing to people like Clarke, but U.S. companies don’t appear to face export restrictions, as the Pentagon’s manufacturers of bombs and fighter jets do. In fact, companies like Endgame have cropped up all over the world. Appin Technologies, to cite one example, is a New Delhi company that offers a wide variety of computer security services, including helping countries analyze attacks and, if needed, respond in kind. “This represents a true dilemma for U.S. security policy makers,” says Richard Falkenrath, a principal at Chertoff Group, a consulting firm started by former Homeland Security Secretary Michael Chertoff that sits at the center of Washington’s defense-intelligence community. He says government monitors are simply choosing not to look too carefully. “They need these capabilities. On the other hand, they don’t want to see them offshored more quickly than necessary as the result of a blunt export restriction.”

On occasion, someone in the military establishment will brag about the U.S. cyber-war arsenal. “Are we the best in the globe? Absolutely,” says Hayden, the ex-CIA chief who’s also a principal at Chertoff Group. For the most part, though, U.S. officials keep mum about the Pentagon’s capabilities. This is, in part, because the Code War does not reward shows of force. Cyber weapons fall into the category of “brittle” technology, susceptible to the swift development of countermeasures. “Once you know how a weapon works in cyberspace, it can cease to become a weapon,” says Martin Libicki, a digital warfare expert at RAND Corp., the think tank. The best weapon is one an enemy never knows exists.

There’s another reason for the silence. Traditional military logic falls apart in the Code War. Deterrence and arms treaties are but philosophical concepts when invisible weapons are involved. Assigning certain blame for an attack may be impossible when it’s conducted through computers in dozens of countries. The fear of retaliation—which kept the Cold War from becoming hot—may not apply.

The U.S. government has spent the past couple of years formalizing its operations and thinking around computer warfare. In 2009 the Obama Administration announced the creation of the U.S. Cyber Command, headquartered at Fort Meade, Md. President Barack Obama recently signed executive orders that gave the military the all-clear to use weapons that can perform tasks ranging from espionage to the crippling of an enemy’s electrical grid. (The latter would require a Presidential directive.) It’s a moment of rapid and frightening change. “It’s like the early days of the American-Soviet nuclear balance,” says Clarke. “We don’t know the rules of the road.”

Gunter Ollmann, a computer security expert and former X-Force director, says the seductive power of cyber weapons may override governments’ fear of the instability their use may cause. But he also believes the weapons may reduce the risk of conflicts fought with tanks and missiles. Stuxnet prevented the open conflict that would have ensued from bombing the Iranian nuclear facility. Nations with advanced digital arsenals could use the technology to bend rogue states to their will, shutting off the lights in Caracas, for example, or disabling the harbor in the Libyan capital. “It shifts from being a kinetic battle to siege warfare,” Ollmann says. “I can control your water or your power remotely. And when the whole mess gets sorted out, I can switch them back on again.”

To deal with the Code War, which amounts to a constant state of threat, governments and companies can always try to develop their own technology. As with smart bombs, fighter jets, and other real-world countermeasures, though, it’s often easier to buy than build. “The hacking industry is way ahead in terms of being able to deploy something like a massive botnet,” says Amichai Shulman, chief technology officer at Imperva, a security specialist. “If a nation wants to launch an attack that distributes some kind of malware, it makes more sense for them to just rent an existing botnet.”

And so the unregulated cyber-weapons makers flourish, selling to the highest bidder. Business is great. In a June article in the Atlanta Business Chronicle, Rouland said revenue is “more than doubling yearly.” He recently opened an office in Washington and is increasing head count from 40 to 100 this year. On June 15, just before his firm disappeared from the Internet, the Metro Atlanta Chamber named Rouland the 2011 Business Person of the Year, Early-Stage Entrepreneur category.

    Before it's here, it's on the Bloomberg Terminal.