Cyber Weapons: The New Arms Race
The Pentagon, the IMF, Google, and others have been hacked. It's war out
there, and a cyber-weapons industry is exploding to arm the combatants
By Michael Riley and Ashlee Vance
In the early morning hours of May 24, an armed burglar wearing a ski mask
broke into the offices of Nicira Networks, a Silicon Valley startup housed in
one of the countless nondescript buildings along Highway 101. He walked past
desks littered with laptops and headed straight toward the cubicle of one of
the company's top engineers. The assailant appeared to know exactly what he
wanted, which was a bulky computer that stored Nicira's source code. He
grabbed the one machine and fled. The whole operation lasted five minutes,
according to video captured on an employee's webcam. Palo Alto Police
Sergeant Dave Flohr describes the burglary as a run-of-the-mill Silicon
Valley computer grab. "There are lots of knuckleheads out there that take
what they can and leave," he says. But two people close to the company say
that they, as well as national intelligence investigators now looking into
the case, suspect something more sinister: a professional heist performed by
someone with ties to China or Russia. The burglar didn't want a computer he
could sell on Craigslist. He wanted Nicira's ideas.
Intellectual-property theft is hardly unheard of in Silicon Valley. Most
often, it takes place when a hacker breaks into a network and goes after a
widely used product. This was a physical break-in by an armed robber who was
after arcane technology that isn't even on the market yet. Nicira has spent
the past four years quietly developing computing infrastructure software for
data centers. According to the company's sparse website, Nicira's founders
came from the computer science departments of Stanford University and the
University of California at Berkeley, and the company counts big venture
capital names, including Andreessen Horowitz and New Enterprise Associates,
as its backers. Nicira also sought a grant from the Defense Dept. to work on
networking technology for the military. Nicira declined to comment for this
article. (Bloomberg LP, which owns Bloomberg Businessweek, is an investor in
Those familiar with the burglary refuse to talk about it on the record,
citing orders handed down by the federal investigators. In private, they
share a common concern: Cyber espionage and nation-state-backed hacking
incidents appear to be increasing in frequency and severity. What once seemed
the province of Hollywood—high-tech robbers with guns; Internet worms that
take out power plants—has become real. They fear that online skirmishes and
spying incidents are escalating into a confusing, vicious struggle that
involves governments, corporations, and highly sophisticated free-ranging
hackers. This Code War era is no superpower stare-down; it's more like Europe
in 1938, when the Continent was in chaos and global conflict seemed
Cyber attacks used to be kept quiet. They often went undiscovered until long
after the fact, and countries or companies that were hit usually declined to
talk about attacks. That's changed as a steady flow of brazen incursions has
been exposed. Last year, for example, Google (GOOG) accused China of spying
on the company's workers and customers. It said at the time that at least 20
other companies were victims of the same attack, nicknamed Operation Aurora
by the security firm McAfee (INTC). The hacked included Adobe Systems (ADBE),
Juniper Networks (JNPR), and Morgan Stanley (MS). Joel F. Brenner, the head
of U.S. counterintelligence until 2009, says the same operation that pulled
off Aurora has claimed many more victims over several years. "It'd be fair to
say that at least 2,000 companies have been hit," Brenner says. "And that
number is on the conservative side."
Dozens of others, ranging from Lockheed Martin (LMT) and Intel (INTC) to the
Indian Defense Ministry, the International Monetary Fund, and the Pacific
Northwest National Laboratory, have suffered similar assaults. Earlier this
year hackers raided the computer networks of RSA (EMC), a marquee security
firm that protects other companies' computers. They stole some of the most
valuable computer code in the world, the algorithms behind RSA's SecureID
tokens, a product used by U.S. government agencies, defense contractors, and
major banks to prevent hacking. It was like breaking into a heavily guarded
locksmith and stealing the master combination that opened every vault in
every casino on the Las Vegas Strip. This month the Pentagon revealed that
it, too, had been hacked: More than 24,000 files were stolen from the
computers of an unnamed defense contractor by "foreign intruders."
The most famous cyber-war incident to date, and the one with the most public
details, involved the Stuxnet worm. Last year, Stuxnet—whose existence was
first reported by security blogger Brian Krebs—appeared in dozens of
countries, targeting what are known as programmable logic controllers,
ubiquitous industrial computers the size of cigarette cartons. Stuxnet was
designed to harm only one kind: controllers processing uranium fuel at a
nuclear facility in Iran. People who have analyzed the attack think someone
slid a thumb drive with Stuxnet code into a Windows PC that was linked to the
centrifuges, which were buried in a bunker. The worm then ordered the
machinery to spin too fast, eventually destroying it. While all this
happened, Stuxnet remained hidden from the Iranian technicians at the
facility. The worm disabled alarms and fed the workers fake log reports that
assured them the centrifuges were operating just fine.
Stuxnet set Iran's nuclear program back months. It didn't merely compromise
some database, like most computer worms; it obliterated something physical.
"Stuxnet was the equivalent of a very high-powered ballistic weapon," says Ed
Jaehne, the chief strategy officer at KEYW (KEYW), a fast-growing computer
security firm in Maryland. As researchers dissected the technology and hunted
for motives, some of them pointed to the U.S. or Israel as the worm's
likeliest place of origin.
Not that the forensics on Stuxnet would necessarily be that helpful: If
there's a distinguishing characteristic of a Code War attack, it's that the
technology involved keeps changing. Cyber weaponry appears to be entering a
golden age of rapid development—a new arms race. The quest in Washington,
Silicon Valley, and around the globe is to develop digital tools both for
spying and destroying. The most enticing targets in this war are
civilian—electrical grids, food distribution systems, any essential
infrastructure that runs on computers. "This stuff is more kinetic than
nuclear weapons," says Dave Aitel, founder of a computer security company in
Miami Beach called Immunity, using a military term for destructive power.
"Nothing says you've lost like a starving city."
Cyber weapons have existed for years, mostly in military and national
intelligence agencies. Security experts have confirmed that work by Northrop
Grumman (NOC), Raytheon (RTN), and General Dynamics (GD), the stalwarts of
the traditional defense industry, is helping the U.S. government develop a
capacity to snoop on or disable other countries' computer networks. The
industry started to change around 2005, however, when the Pentagon began
placing more emphasis on developing hacker tools specifically as a means of
conducting warfare. The shift in defense policy gave rise to a flood of
boutique arms dealers that trade in offensive cyber weapons. Most of these
are "black" companies that camouflage their government funding and work on
classified projects. "Five years ago, there was an explosion that occurred,"
says Kevin G. Coleman, the former chief strategist of Netscape and author of
The Cyber Commander's eHandbook, a downloadable guide. "People with offensive
capabilities just burst onto the scene."
Two of the primary weapons in a cyber warrior's arsenal are botnets and
exploits. A botnet is a collection of tens or even hundreds of thousands of
computers that have been commandeered without their owners' knowledge.
Hackers spend years building these involuntary armies by infecting peoples'
computers with malicious code—self-propagating computer worms—that remains
hidden and primes the computer to receive orders. When activated, a botnet
can take down networks by bombarding them with digital chatter. It can also
help spy on and, if needed, sabotage large numbers of machines.
An exploit, in the hacker sense of the word, is a program that takes
advantage of vulnerabilities in widely used software such as Windows from
Microsoft (MSFT) or in the millions of lines of code that control network
servers. The hacker uses an exploit to break in and insert a worm or other
destructive payload. Some such software weaknesses are well known, though
software vendors can still take months, even years, to create patches to plug
the holes. The most valuable exploits are those that are unknown to everyone
else until the first time they're put to use. These are called zero-day
exploits. (The day the attack is discovered would be Day One.) In the hacker
underground, the invite-only online chat boards where illicit wares are sold,
a zero-day exploit for a network running Windows can sell for up to $250,000.
Stuxnet used four high-end zero days, establishing it as an all-star in
Coleman's handbook lists about 40 types of attacks that play off botnets and
exploits. No. 38 is assassination. Just as Stuxnet caused a centrifuge to
spin out of control, a computer worm can shut off a hospital's
computer-controlled intravenous drip or oxygen system before the medical
staff knows anything is wrong. No. 39: hacking cars. Cars are full of
computers that run the brakes, transmission, engine, just about everything.
Control those systems, and you control the vehicle—and can crash it at will.
Sounds far-fetched? Last year researchers from Rutgers University hacked into
the computers of a car traveling at 60 mph via a wireless system used to
monitor tire pressure. It's unclear whether the U.S. government has used any
of these techniques. "We are able to do things which we have not yet decided
are wise to do," says General Michael V. Hayden, the former director of the
What separates a typical hack from a Pentagon-scale attack in this context is
not awe-inspiring power but rather the deftness with which an intruder can
sneak into a network, hide his work, and then vanish. Leading up to a 10-day
attack in March on South Korea, an Internet worm took control of thousands of
computers belonging to students, office workers, and shop owners. The
machines then bombarded government and military websites with incessant
network traffic, crashing or partially disabling them. The attack destroyed
thousands of computers and cost hundreds of man-hours in mitigation efforts.
But according to McAfee, the security firm, its real goal was probably to
test South Korean cyber defenses, suggesting more is to come. McAfee
researchers trying to figure out the origin of the attack found that the worm
received its commands from servers in 26 countries, including Vietnam, Saudi
Arabia, and the United Arab Emirates. A fifth of the servers were located in
the U.S. Just as this digital trail began to untangle, the commandeered
computers were instructed to erase some of their basic software code,
rendering themselves useless. Investigators still aren't certain who launched
the assault, although McAfee suspects North Korea.
The incident demonstrated one of the scariest aspects of cyber war:
untraceability. Jaehne, from KEYW, says that such weird, fast-moving attacks
are best handled by startups such as his. "The large corporate defense
industrial base is not known for its capabilities here or its speed of
innovation," Jaehne says. "They have to reach out to smaller, more agile
companies to find that innovation."
KEYW says it's the only publicly traded pure-play "cyber superiority"
specialist. Jaehne and other founding executives of the Hanover, Md., company
broke away from Northrop Grumman to start their venture in 2008. Most of the
approximately 800 employees at KEYW have clearance to work on classified
projects for U.S. intelligence agencies, where the company derives most of
its revenue. Last year, revenue rose 175 percent, from $39 million to $108
million. When asked about the types of digital munitions KEYW makes, Jaehne
replies, "There's nothing I can say about that."
Immunity's Aitel, too, declines to discuss his company's government work.
According to one person familiar with Immunity, it makes weaponized
"rootkits": military-grade hacking systems used to bore into other countries'
networks. (The person didn't want to be identified because of the sensitivity
of the work.) Clients include the U.S. military and intelligence agencies.
In fact, all these companies clam up when it comes to what they make, which
is the way the U.S. government likes it. Some, such as a three-year-old
startup called Endgame Systems, prefer not to talk at all.
On a leafy block in midtown Atlanta, across from the campus of the Georgia
Institute of Technology, sits the old Biltmore Hotel, a bygone focal point of
the city's social life once billed as "the South's supreme hotel." The 1924
building was converted to office space in 1999 and now houses a Kwik Kopy and
a barber shop with red leather chairs. On the seventh floor, behind locked
glass doors, is a black, red, and gray honeycomb logo that reads "Endgame
Systems." The company's website described Endgame as a commercial computer
security company but gave few salient details. That was until recently; by
early July the website had disappeared.
Endgame does sell commercial products. It's also a major supplier of digital
weaponry for the Pentagon. It offers a smorgasbord of wares, from
vulnerability assessments to customized attack technology, for a dizzying
array of targets in any region of the world. Last year, Endgame raised $30
million from venture capital firms including Bessemer Venture Partners and
Kleiner Perkins Caufield & Byers. An Endgame press release at the time said
the company's products protect organizations from viruses and botnets. What
really whet the VCs' appetites, though, according to people close to the
investors, is Endgame's shot at becoming the premier cyber-arms dealer.
(Endgame declined repeated requests for an interview. Bessemer and Kleiner
Perkins declined to discuss their investments in the company on the record.)
The company started in 2008 when a group of elite hackers decided to have a
crack at building a computer security company tuned for this era of
heightened conflict. Many of the key engineers were part of the X-Force, a
team of "white hat" hackers at a company called Internet Security Systems.
The X-Force concentrated on breaking into secure networks to find holes
before someone with bad intentions could do the same. "That group was about
finding a door and then picking it or punching it or doing whatever it takes
to get it open," says Christopher Klaus, a founder of ISS. "There are maybe
500 people in the world who could do this kind of stuff." IBM (IBM) acquired
ISS in 2006 for $1.3 billion.
Christopher J. Rouland, a member of X-Force, left IBM and recruited some of
his hacking brethren to Endgame. According to two former associates, Rouland
has an intense demeanor and a tendency toward angry outbursts. He also
receives praise as a brilliant manager able to recruit top talent that would
otherwise shy away from government work. That's in part because Rouland was
once a hacker himself, known by the handle Mr. Fusion. According to the 2000
book Cybershock, by security consultant Winn Schwartau, Rouland was
interviewed by U.S. Air Force investigators in 1990 after he hacked into the
Pentagon. Federal authorities recognized skills they could use, says a former
ISS colleague, and rather than charge him with a crime, they turned him.
Rouland declined to comment on the incident.
Today, Rouland's firm deals in zero-day exploits. Some of Endgame's
technology is developed in-house; some of it is acquired from the hacker
underground. Either way, these zero days are militarized—they've undergone
extensive testing and are nearly fail-safe. "Endgame is a well-known broker
of zero days between the community and the government," says David Baker,
vice-president for services at the security firm IOActive. By "community," he
means hackers. "Some of the big zero days have ended up in government hands
via Endgame," Baker says.
People who have seen the company pitch its technology—and who asked not to be
named because the presentations were private—say Endgame executives will
bring up maps of airports, parliament buildings, and corporate offices. The
executives then create a list of the computers running inside the facilities,
including what software the computers run, and a menu of attacks that could
work against those particular systems. Endgame weaponry comes customized by
region—the Middle East, Russia, Latin America, and China—with manuals,
testing software, and "demo instructions." There are even target packs for
democratic countries in Europe and other U.S. allies. Maui (product names
tend toward alluring warm-weather locales) is a package of 25 zero-day
exploits that runs clients $2.5 million a year. The Cayman botnet-analytics
package gets you access to a database of Internet addresses, organization
names, and worm types for hundreds of millions of infected computers, and
costs $1.5 million. A government or other entity could launch sophisticated
attacks against just about any adversary anywhere in the world for a grand
total of $6 million. Ease of use is a premium. It's cyber warfare in a box.
Those prices come from a trove of Endgame's secrets that were exposed earlier
this year. Some of the company's communications were made public in February
when the shadowy activist group Anonymous hacked a computer security firm
named HBGary Federal. That firm's entire cache of e-mail, including documents
from Endgame, turned up online. Endgame's allies believe the leak hurt
national security and say the company has moved to lower its profile even
further, which may explain the recent disappearance of its website.
A demonstration product, detailed in the e-mails, charts the computer
vulnerabilities of key institutions in Russia, such as the Ministry of
Finance. Those vulnerabilities can be used to gain access to computer
networks for spying; they can also be used to implant more destructive
software for what's known as a CNA, or computer network attack, military
jargon for cyber warfare. Targets for which Endgame has collected details
include an oil refinery in the Russian city of Achinsk, the National Reserve
Bank, and the Novovoronezh nuclear power plant.
Endgame's price list may be the most important document in the collection. If
the company were offering those products only to American military and
intelligence agencies, such a list would be classified and would never have
shown up in the HBGary e-mails, according to security experts. The fact that
a nonclassified list exists at all—as well as an Endgame statement in the
uncovered e-mails that it will not provide vulnerability maps of the
U.S.—suggests that the company is pitching governments or other entities
outside the U.S. Endgame declined to discuss the specifics of any part of the
e-mails, including who its clients might be. Richard A. Clarke, former
Assistant Secretary of State and special adviser to President George W. Bush
on network security, calls the price list "disturbing" and says Endgame would
be "insane" to sell to enemies of the U.S.
The global market may be disturbing to people like Clarke, but U.S. companies
don't appear to face export restrictions, as the Pentagon's manufacturers of
bombs and fighter jets do. In fact, companies like Endgame have cropped up
all over the world. Appin Technologies, to cite one example, is a New Delhi
company that offers a wide variety of computer security services, including
helping countries analyze attacks and, if needed, respond in kind. "This
represents a true dilemma for U.S. security policy makers," says Richard
Falkenrath, a principal at Chertoff Group, a consulting firm started by
former Homeland Security Secretary Michael Chertoff that sits at the center
of Washington's defense-intelligence community. He says government monitors
are simply choosing not to look too carefully. "They need these capabilities.
On the other hand, they don't want to see them offshored more quickly than
necessary as the result of a blunt export restriction."
On occasion, someone in the military establishment will brag about the U.S.
cyber-war arsenal. "Are we the best in the globe? Absolutely," says Hayden,
the ex-CIA chief who's also a principal at Chertoff Group. For the most part,
though, U.S. officials keep mum about the Pentagon's capabilities. This is,
in part, because the Code War does not reward shows of force. Cyber weapons
fall into the category of "brittle" technology, susceptible to the swift
development of countermeasures. "Once you know how a weapon works in
cyberspace, it can cease to become a weapon," says Martin Libicki, a digital
warfare expert at RAND Corp., the think tank. The best weapon is one an enemy
never knows exists.
There's another reason for the silence. Traditional military logic falls
apart in the Code War. Deterrence and arms treaties are but philosophical
concepts when invisible weapons are involved. Assigning certain blame for an
attack may be impossible when it's conducted through computers in dozens of
countries. The fear of retaliation—which kept the Cold War from becoming
hot—may not apply.
The U.S. government has spent the past couple of years formalizing its
operations and thinking around computer warfare. In 2009 the Obama
Administration announced the creation of the U.S. Cyber Command,
headquartered at Fort Meade, Md. President Barack Obama recently signed
executive orders that gave the military the all-clear to use weapons that can
perform tasks ranging from espionage to the crippling of an enemy's
electrical grid. (The latter would require a Presidential directive.) It's a
moment of rapid and frightening change. "It's like the early days of the
American-Soviet nuclear balance," says Clarke. "We don't know the rules of
Gunter Ollmann, a computer security expert and former X-Force director, says
the seductive power of cyber weapons may override governments' fear of the
instability their use may cause. But he also believes the weapons may reduce
the risk of conflicts fought with tanks and missiles. Stuxnet prevented the
open conflict that would have ensued from bombing the Iranian nuclear
facility. Nations with advanced digital arsenals could use the technology to
bend rogue states to their will, shutting off the lights in Caracas, for
example, or disabling the harbor in the Libyan capital. "It shifts from being
a kinetic battle to siege warfare," Ollmann says. "I can control your water
or your power remotely. And when the whole mess gets sorted out, I can switch
them back on again."
To deal with the Code War, which amounts to a constant state of threat,
governments and companies can always try to develop their own technology. As
with smart bombs, fighter jets, and other real-world countermeasures, though,
it's often easier to buy than build. "The hacking industry is way ahead in
terms of being able to deploy something like a massive botnet," says Amichai
Shulman, chief technology officer at Imperva, a security specialist. "If a
nation wants to launch an attack that distributes some kind of malware, it
makes more sense for them to just rent an existing botnet."
And so the unregulated cyber-weapons makers flourish, selling to the highest
bidder. Business is great. In a June article in the Atlanta Business
Chronicle, Rouland said revenue is "more than doubling yearly." He recently
opened an office in Washington and is increasing head count from 40 to 100
this year. On June 15, just before his firm disappeared from the Internet,
the Metro Atlanta Chamber named Rouland the 2011 Business Person of the Year,
Early-Stage Entrepreneur category.
Riley is a reporter for Bloomberg News. Vance is a technology writer for