Beware the Cyber Weapons Industrial Complex

by Josephus Alexander

In his farewell speech, the American President Dwight D. Eisenhower famously spoke about the dangers of the "military-industrial complex" and its corrosive power on society (i.e., being a drain of resources from social programs that affect the general well-being of the American people via the "defense" budget).

Since President Eisenhower's speech in the late-1950s, we can see that his warning fell on deaf ears as defense spending has been increasing while budgets for schools, Social Security, national parks, etc. continue to stagnate or get cut to unsustainable levels.

As the multi-billion dollar military industrial complex continues to sell conventional arms for continuous wars of "peace" against "terrorists," and, of course, "Communists," a new aspect of the military industrial complex has arisen out of the depths of cyberspace.  This new weapon is not a physical weapon, but a digital one that is not bound by any rules, arms embargoes, or treaties.  The effects of this new form of warfare have shown up in Iran in the form of Stuxnet, Duqu, and now Flame.  The 20th century saw the building of the military industrial complex, and now the 21st century has spawned its digital successor which we will term the "cyber weapon industrial complex."

Of course before we go further down the rabbit hole, here's the traditional 2600 obligatory disclaimer: This article is for informational and educational use only, so we can all be better informed citizens of the physical and virtual world.

Any development of digital weaponry for criminal/terrorist means or being a digital arms dealer (think Nicolas Cage in the movie Lord of War) for the above-mentioned people is pretty damn illegal and also counts against you for karma and heaven points.  Lastly, if you're some government agent at a three letter agency reading this and you start freaking out about the information here, please put your energies somewhere else.  All my information comes from those oh so "classified" sources such as Google, my local library, and, of course, the Barnes and Noble at the local mall.

Besides, you guys might want to police up your own backyard in light of the recent disclosures about the American cyber warfare program by The New York Times and in a book titled Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power by David Sanger found in hardcover, audio book, and Kindle.  So, with that bit of sarcasm and disdain of over-reactive government officials aside, let's get started, shall we?

Definitions

In order to properly discuss the cyber weapons industrial complex, it is important to define the term and to also talk about the end product: cyber weapons.

So, without further ado, here we go:

Cyber Weapons Industrial Complex - A subset of the larger military industrial complex that produces weaponized/militarized code (cyber weapons) that attacks information systems (i.e., networks, servers, routers, databases, OS, games, etc.) in order to inflict damage or destroy virtual or physical property of a designated enemy.

Cyber Weapons (short version because this is an article in and of itself) - Computer code (a.k.a. botnets, sock puppets, DDoS scripts, viruses, etc.) that is developed or utilized for the destruction of the confidentiality, integrity, and availability of information systems and threatens or causes physical, functional, or mental harm to structures, systems, or living beings.

Now that we have defined our two main terms, let's get to know our "friends" in the cyber weapons industrial complex a lot better.

The Purpose

Why build cyber weapons?  The better question to ask is really, why not?

Cyber weapons are a big draw to the customers and the builders of these digital munitions because cyber weapons are relatively cheap (billion dollar stealth bomber and million dollar bunker buster bomb versus a one million dollar Stuxnet virus), readily available (depending on what you want), have a fairly short development cycle, and are for the most part anonymous (unless you run your mouth to a reporter, get snitched on, or blab on chat rooms about your exploits).

For example, last year it is believed that the North Koreans used a botnet to zombify thousands of computers in South Korea for a DDoS attack that lasted ten days.

More recently, two conservative South Korean newspapers, JoongAng Ilbo and Korea JoongAng Daily, had their databases trashed and websites defaced allegedly by North Korea in retaliation for some smack talking about North Korea's children's festival.

The end result of that attack was the infection and the thousands of hours needed to clean the malware out of hijacked computers, which led to thousands of hours of manpower to mitigate future threats.  There have been reports for years that the North Koreans have trained some cyber warfare specialists (a.k.a. malicious hackers, black hats, whatever) to do this sort of attack, but no one knows for sure if it was them or somebody else.

This attack was likely used to test out the South Korean digital defenses, bully the conservative South Korean press, and probably to show the U.S. and Korean governments that they aren't so low tech after all.  If you stop to think about it, all it likely cost the North Koreans was time, a few tens of thousands of dollars, some cyber arms dealers on the darknet, and commitment to the cause.  I'd say that is a pretty good investment in the time and money lost to South Korean businesses, not to mention the South Koreans getting pwnd by the North Koreans, eh?

Builders, Buyers, and Dealers

In my definition of the cyber weapons industrial complex, I mentioned that it is a subset of the much larger military industrial complex and, as such, many of the players from there can be found in this aspect of arms sales as well.

If you were to go onto any defense contractor site (like General Dynamics, Northrop Grumman, and Raytheon), you would find listings for "cyber warfare specialists" or "cyber vulnerability researcher," and I'm sure the required knowledge of Python, fuzzing techniques, C/C++, or exploit development should clue you in to what they would be doing: developing cyber weapons.

However, the "big boys" of the cyber weapons industrial complex are not the only players on the block and there are "boutique" dealers that are giving the traditional stalwarts a run for their money.

As in any industry, there are the "big boys" and the "little guys" and, usually in the typical military industrial complex, the "little guys" don't do too well.

But in this era of "cyber warfare," the smaller players might just have the bigger guns.  Last year, during the "year of pwnage" (what we know as the year 2011), Anonymous pulled the shorts down on the computer "security" firm HBGary Federal and released all their confidential emails online.  The treasure trove of documents showed price listings of weapons pages and the clients who they worked for.

One of the firms named in the HBGary hack was an unknown firm called Endgame Systems which was founded by a gentleman named Christopher J. Rouland, better known by his handle Mr. Fusion.  Endgame is one of many companies such as KeyW and Immunity that develop cyber weapons for the Pentagon and "other" clients such as the U.S. Chamber of Commerce and other corporate entities.

However, this industry is not just an American venture.  It is a global enterprise that has other cyber weapons manufacturers in various countries.  Of course, here comes the whole issue with the cyber weapons industrial complex: the buyers.

Previously, I mentioned the HBGary hack and the public release of the confidential emails between HBGary Federal and Endgame.  However, the scariest part of the whole thing was that it was not just the U.S. government buying Endgame's wares, but also American corporations and their "lackeys" on K Street and other shady places.  As with the traditional military industrial complex, profit is the true motivation of developing weapons and the same thing prevails in the cyber weapons business.

Back in the 1990s, Arnold Schwarzenegger and the sexy Vanessa Williams starred in the movie Eraser about an arms manufacturer selling advanced weapons to some unfriendly (and stereotypical) Russian Mafia dude.  Minus the cheesy plot, the idea of weapons being given to a non-governmental entity was the issue for Arnold and the same issue applies in the real world as well.  In the physical world, national/local laws, international treaties, and arms embargoes prevent weapons from getting into the hands of the wrong people (sometimes), but in the virtual one there are no such restrictions.  Because cyber weapons are not per se weapons, they occupy a gray area where regular laws and oversight allow cyber weapons to be in the hands of some rather unscrupulous folks.

Now, of course, "cyber weapons" can be found anywhere depending on what you want, but when you read through the HBGary emails, you can see the collusion between the cyber weapons industry, corporations, and their conspirators.  The liberated emails from Anonymous showed that HBGary and two larger security firms - Palantir Technologies and Berico Technologies - were deeply involved in the preparation of an aggressive and possibly illegal attempt to target and silence supporters of WikiLeaks and the U.S. Chamber of Commerce.  As in the "real" world, the use of "legally" purchased arms can easily be turned back on the friendly populace to suppress or intimidate them into complying with a certain agenda.

So What?

The reason I wrote this article is to inform our community of weapons and an industry that tends to operate outside the scrutiny of the general public under the guise of "national security."

Cyber weapons are not new, but the people who build, buy, and use them are in new territory.  Since the advent of the Internet we all are fond of (from, say, 1975 forward), viruses, botnets, and other Internet shenanigans have been confined to mostly the IT or hacker realms.  With the "publicity" of the Internet in the mid-1990s, the general public, corporations, and governments have become assimilated into the IT world on some level.

With the amount of information (public and secret alike) on the Internet, the viruses and other malware that was once a novelty for geeks is now not just an annoyance, but a large risk to more people.  While there were always people like the one from the movie Hackers (folks more focused on profit and selfishness versus being community minded and working for the common good), I'd like to think the majority of us are just guilty of the crime of curiosity, self expression, and being advocates of free speech in pursuit of the intellectual advancement of mankind.  However, we see hackers working to make a profit by militarizing malware and rootkits for the military and whoever has the money to buy them.

I'm not hatin' on the folks who work for the companies or founded the companies that are the cyber weapons industrial complex.  But think about what you're doing.  When you enable governments staffed with people who don't understand technology (past the sensationalist coverage and scare tactics from arms dealers), pwning a hostile botnet becomes easy, but what are the second and third-order effects of that action?  I personally think instead of arming them with cyber weapons, we should arm them with knowledge.

Call me a "peacenik" or "hippie" but I'd rather make love than cyber war any day.

Thanks to Dragorn whose article "Real 'Cyberwar'" in 28:2 inspired me to do more research on the topic of cyberwar and, more specifically, cyber weapons.
