By Robert Folsom | February 14, 2013
“U.S. commanders are committing vast resources and large numbers of military personnel to planning offensive cyberattacks and, in at least some cases, actually carrying them out. But the secrecy surrounding offensive cyberwar planning means there has been almost no public discussion or debate over the legal, ethical and practical issues raised by waging war in cyberspace.”
So reports NPR’s Morning Edition on the offensive side of cyberwar. The quote reminds us that secrecy is incompatible with public debate — as in, General Eisenhower felt no need to crowdsource his invasion strategy in the months leading up to June 6, 1944 (D-Day).
But that was 70 years ago. Ike could never have imagined cyberwar and its mind-bendingly different rules of engagement.
For example: Instead of secrecy in operations like D-Day, offensive cyberwar demands secrecy regarding “zero-day” vulnerabilities — the previously unknown software flaws elite hackers exploit to penetrate computer network firewalls.
To be clear, zero-day secrecy is not about companies keeping their software code and networks secure; it’s about hackers keeping their discovery and exploitation of a security flaw a secret after the fact.
Why keep the exploit a secret?
For starters, because secrecy ensures that the vulnerability remains open, which ensures that elite hackers get paid. The market for zero-day exploits is large, lucrative and still growing. Along with NPR, sources including Forbes, Slate, and respected experts like Bruce Schneier say that the purchase price of a single zero-day exploit can reach far into the six figures.
There’s another reason to keep these exploits a secret: They play a critical role in the development of cyberweapons. According to NPR: “There is now a growing global demand for the software vulnerabilities… that allow an attacker to get inside his enemy’s computer network.”
In other words: First you find a flaw, then you build a weapon.
As for who’s driving that demand, yes, buyers range from third-party exploit brokers to criminal gangs. And here’s the show-stopper: “In the U.S., the National Security Agency and other branches of the U.S. military, law enforcement and intelligence agencies are among the biggest buyers of vulnerabilities.”
And since we are talking about commercial software — an industry dominated by U.S. companies — the next question is: Once the U.S. government becomes the buyer of a vulnerability, does it disclose the vulnerability to the U.S. software firms that wrote the code and would certainly want to repair their product?
No, it does not.
For the rest of this story — including why this is happening now and the related battles we expect will come — see part two of this article, scheduled to post on Friday (Feb. 15).
If you can’t wait until then, consider reading Alan Hall’s April-May 2010 study on authoritarianism/anti-authoritarianism.