The zero-day industry is growing rapidly, and the West was not prepared for the pace at which adversaries are catching up. Meanwhile, former US government employees do not shy away from profiting from questionable buyers, and tech companies persistently resist any regulation.
According to Nicole Perlroth, a cybersecurity journalist for the New York Times, the cyber arms industry has sprawled around the globe, with only Antarctica lacking an appetite for surveillance and espionage technology.
“This industry went from one that was really Western-dominated to one that was drifting to corners of the world where we didn’t see it coming. And these other countries were seeing a huge benefit to purchasing these tools off the shelf,” she said during a webinar by the Center for Strategic & International Studies (CSIS) on her latest book, ‘This is How They Tell Me the World Ends.’
Her recent work focuses on the zero-day vulnerability industry: governments and private individuals trade in information about unpatched software flaws and in the tools to exploit them. When you hear of a zero-day attack, think of the SolarWinds hack that gave threat actors access to dozens of US agencies, including the Pentagon.
Perlroth argues that it has been clear since the Snowden documents leaked that countries and individuals actively trade in zero-day capabilities. What was not clear was who is selling what, and where. The long-standing notion of US supremacy in the industry is being challenged now that the trade in zero-day exploits has outgrown the States.
One of Perlroth’s contacts for the book explained that the days when hackers sold zero-day exploits only to the Pentagon or other government agencies are largely gone. Every government on Earth has realized the value of having an arsenal of zero-day exploits.
“Some of them are countries you would never suspect in looking for zero-day exploits to add to their arsenal. I was able to get contract proposals for Finland. Whoever thought Finland would be buying spyware, but of course, they share a border with Russia, and Russia has been nibbling across the border,” Perlroth said.
In the wrong hands
She argues that lack of zero-day supervision creates macabre situations where tools developed by the US or other Five Eyes members are later used to spy on and persecute civil rights activists or other individuals deemed dangerous.
For example, Perlroth claims that the United Arab Emirates, a US ally, uses spyware developed by the NSA and operated by former NSA personnel in Abu Dhabi to spy on Twitter critics and to hack the agencies of neighboring countries.
“These are former NSA hackers sitting in a villa in Abu Dhabi, reading Michelle Obama’s emails. There’s something deeply wrong with that, but there were also no rules, at least in the UAE, prohibiting them from doing so,” Perlroth explained.
Since there are virtually no rules of engagement when it comes to zero-day exploits, the US at times finds itself in a tricky situation. For example, NSA-developed spyware was used against the phone of Ahmed Mansoor, a prominent UAE human rights activist.
“These capabilities are going to countries that are using them for hardcore surveillance in a way that we likely never would. And that’s worth calling out and probably having some discussions around whether we should talk about who we can and cannot sell these tools and tradecraft to,” Perlroth said.
Several attempts to remedy the issue through government regulation were met with skepticism, and, according to Perlroth, not always with good intentions at heart. As she points out, some of the people who claim that regulation would hinder cross-border exchange among security researchers themselves profit from the sale of tradecraft and zero-day exploits.
“I don’t think people realized that they were giving voice to people who were actually essentially just lobbyists for the zero-day industry,” Perlroth claimed during the CSIS webinar.
She says that zero-day iOS exploits sell for as much as $2.5 million in some parts of the world, giving actors with deep pockets access to mobile devices without the owner realizing they are being spied on.
Others, such as tech companies whose products are the ones being hacked, are also reluctant to support regulation, because their trust in the US government is fractured. Take EternalBlue, an exploit developed by the NSA against a flaw in the Windows SMB service to allow penetration of Windows systems.
The US government knew about the flaw for years but chose not to disclose it to Microsoft, effectively throwing the company under the bus once the exploit was used in the 2017 WannaCry ransomware outbreak and in the NotPetya attacks on Ukraine the same year.
According to Perlroth, even though the US intelligence community maintained that the exploit yielded top-grade counter-intelligence, businesses are not keen to be manipulated or, even worse, to take the fall once the cat is out of the bag.
“Unfortunately, that’s left us in a place where there are no laws around selling zero-day exploits to or tradecraft to other countries. […] There was nothing keeping former NSA hackers from moving to Abu Dhabi and reading Michelle Obama’s emails in the course of some of those operations,” she explained.
Even though cyberattacks have cost more than terrorism in recent years, countries like the United States still lack a comprehensive cybersecurity approach. There is a lot of defense, Perlroth says, but not much smart defense.
She claims to have learned of cases where a government agency ordered antivirus software from a company that outsourced the task to a subcontractor, which in turn outsourced the work to several developers in Moscow who wrote code ‘riddled’ with intentional and unintentional backdoors.
“That tells you where’s all that money we’re spending on cyber defense. It’s not smart defense; it’s stupid defense. Yeah, I know that we spend a lot of money on cyber defense. But we’re not putting our best people on it,” Perlroth explained.
The recent SolarWinds hack exposed gaping holes in cyber awareness within government and business alike. Some victims of the attack were not aware their systems had been compromised until journalists inquired. Moreover, very few people were aware that SolarWinds software is built and maintained in part from Belarus, among other countries.
“We haven’t bothered to ask those questions or look seriously at what’s in our network or how much of it is American-made. Not to be xenophobic and say that building code overseas is inherently dangerous, but I think a good first step is just understanding exactly what’s touching your network, and we haven’t even bothered to address that question,” she said.