Regulation of the Cyber Weapons Market
1 Emergence of Norms
A first step towards cyber peace will be the emergence of norms that operate between major powers,(1) yet it is unclear what these might be.
One possible component of a solution for controlling the cyber arms race is to control the sale and distribution of cyber weapons. Over time, the market has evolved.(2) In the early stages, as computerization was spreading, only a few hackers were present to experiment with breaking into networks, and then creating worms that might move from one machine to another so as to cause problems. The first markets were created when it became clear that hacking tools could be used for the crime of conversion, the theft of money or other things of value. This led to the criminalization of some hackers, thus breaking up the hacking community into distinct parts of a single sub-culture. Those hackers remaining on the “good” side have gone on to create a flurry of services for companies and governments. This is the so-called “Ethical Hacking” part of the community. The other side went to the dark side, and eventually organized a legal but clandestine market for trade in exploits and malware. This side of the community built the Dark Web(3) and engaged in buying and selling of hacker exploits. This dark market goes on even today, but has become more commercialized. These developments formed the “supply” side of the production of cyber weapons.
The market side of the cyber arms race was started by criminals and later terrorists. These individuals and groups sought to use cyber as yet another tool in their method of operations. The criminal element became transnational in nature.(4) For example, the theft of credit card information in one part of the world would see the stolen information moved quickly to parties on the other side of the Earth, there to be processed into credit cards. While one part of the world was sleeping, activities of a criminal nature in another part of the world would commence, leading to the exploitation by theft of many credit card accounts. The practical effect of this is that even consumers who are receiving credit card transaction alerts probably are sleeping while the first illegal transactions take place.(5) These transnational criminal networks have evolved into acting as a distribution infrastructure for transfer of malicious code from one part of the world to another.
A second market force on the demand side has been the vendors of information technology and software. As security problems have become more pronounced, vendors initially set up informal reporting arrangements. Any hacker finding a software flaw could report this information to the vendor, who in turn would develop a patch and have it distributed to its customers. There was no compensation in this arrangement. Eventually, however, the brokers identified other potential purchasers for hacking exploits. Market sophistication increased.
Exploits for sale on the market were divided into classes. Zero day exploits were separated. Zero day exploits are not known to the software vendor, and thus have not been patched. In addition, they are not known to manufacturers of cyber security software. This greatly increases their value.(6) One factor in this increase was the broadening of the customer base. Software vendors learned they no longer could receive vulnerability information without paying for it. One must assume exploits are sold on both an exclusive and non-exclusive basis, or on an exclusive time-boxed basis.(7) Law enforcement agencies are a major market for computer exploits, as criminals are not the only purchasers. As a vendor of Zero-Day exploits advertises:
While social engineering or physical access is often used by law enforcement agencies and investigators to gain access to computer systems and install monitoring and interception tools on target PCs or mobile devices, using 0-day exploits taking advantage of previously unknown software vulnerabilities can help investigators in speeding up the process while covertly and remotely installing payloads on PCs and mobiles.(8)
Most computer exploits are not zero day. They already are known to the software vendor and usually have been “patched” in subsequent releases of the targeted software. Why do they have any value at all? There are at least two reasons: First, even when a software vendor releases a patch for its software, there is a large lag time before end-users patch their systems. Generally, large commercial organizations patch very quickly. Walmart, for example, has a policy to patch world-wide within four hours.(9) For others, including a large number of consumers, patching does not take place quickly and sometimes is neglected altogether. The result is that these machines remain unprotected and vulnerable to a software exploit, even when there is no need for them to remain so. The second reason is that throughout the world, a large number of users, perhaps a majority, rely on stolen or pirated software. These machines, in turn, are not able to take advantage of the update benefits provided by the software vendor to its paying customers. Consequently, they are unable to receive the patches that otherwise would seal up the vulnerability. For all of those machines remaining unprotected, the computer exploit, even if it has been patched through official software channels, retains its value. This value is enhanced by the international and transnational nature of the cyber exploit market.
Eventually, software vendors started offering “bug bounty” programs. The term “bounty” is derived from the American term for “Bounty Hunter”.(10) So the term “Bug Bounty” refers to the “reward” that a software vendor would pay to a “Bug Bounty Hunter” who could bring in a zero day exploit. This development further increased the sophistication of the market by adding another party, the bounty hunter who would act as intermediary between brokers and software vendors searching to find exploits.
In addition to the increase in demand caused by activities of software vendors and cyber security firms, governments started to show interest. There are reports of the U.S. National Security Agency (NSA) starting to recruit “hackers” for its Tailored Access Program.(11) This was after the disaster of 9/11 in the United States when there was a general sense that the NSA would need to transition from “analogue” to “digital” in its signals intelligence (SIGINT) operations.(12) It seems that at the time, there was a shortage of known talent that could be utilized by the U.S. government. At the same time the U.S. government was reaching out to the hacker community, other governments were doing the same.(13) As the government demand for software exploits grew, this in turn created yet another market — the large systems integrator suppliers employed in carrying out massive projects for the U.S. government.(14) Systems integrator companies are needed because of the complexity and sophistication needed in the development of cyber weapons.(15) These companies in turn also scoured the market for both software exploits, and even in the search for talented individuals.(16) In some cases, criminal records were ignored, as long as the hacker went to the “good side” and performed work for the government.(17) This type of decriminalization of hacking took place world-wide. In general, governments started to sanction what otherwise would be illegal activity, providing it was done under government control.
Here, a problem emerged in the functioning of the cyber exploit market. As governments started to build software exploit tools, their intent was to have them available to investigate crime, or conduct espionage. Since the activities of government organizations such as the National Security Agency are secret in nature, the result is that the existence and identity of any cyber exploit is protected by laws governing national security. They are classified. The practical result of this is that in the United States, it would be a violation of the Espionage Act to report to the targeted software vendor a government acquired or created computer vulnerability. The irony is that the government enters into the business of manufacturing cyber tools that strip away the security of information technology devices used by its citizens, but then never takes steps to protect that security by allowing the software vendor to release a patch.(18) As a foremost authority writes:
In amassing zero-day exploits for the government to use in attacks, instead of passing the information about holes to vendors to be fixed, the government has put critical-infrastructure owners and computer users in the United States at risk of attack from criminal hackers, corporate spies, and foreign intelligence agencies who no doubt will discover and use the same vulnerabilities for their own operations.(19)
This, perhaps, is a supreme irony – by engaging in a cyber arms race that has as its objective protection of national security, the government is thwarting the ability of end-users to deploy secure cyber infrastructure. What is the practical result of the emergence of this shady market? The world’s cyber infrastructure has become completely insecure. What are the possible options?
2 Market reform in the sale of cyber exploits
If the cyber exploit market works imperfectly, then perhaps there is room to engage in reform. This would need to be done in a two-step manner. First, an informal non-binding international understanding would need to be reached so that nation States would agree upon the outlines and principles of such reform. The second step would be for individual nation States in turn to enact enabling legislation internally, and to do so in a way that is harmonized with corresponding legislation and regulation elsewhere. In the same way that equities and other financial instruments, or commodities are traded in various markets, the offering and sale of computer exploits might be regulated.
The role of being a broker would be licensed and regulated according to an accepted set of criteria, including certification, testing, continuing education, ethics training, as well as guidance by a professional association. This would make it illegal to engage in the buying and selling of cyber exploits without being licensed. Brokers engaging in the buying and selling of cyber weapons would be prosecuted.
There would be reporting of prices for exploits purchased. This would potentially increase the value of exploits since a market would allow a greater number of potential customers to bid on any exploit.
Exploits bought and sold would need to be described in a reasonable, accurate and comprehensive way so as to prevent fraud or misrepresentation. Product liability rules would govern the sale of exploits. The offering of exploits would receive the same type of scrutiny given to the language found in initial public offerings (IPOs). Ancillary components of product definition also would be defined, such as any time period for exclusivity.(20)
Once a market is formalized, it is possible to control the export of the technology as needed. At the same time, it would be possible to put in place corresponding government policies that would subsidize or encourage the export of cyber exploits.
Taxation and Enforcement.
An additional tool of regulation would be taxation. For example, if the sale of cyber exploits were subject to a Federal Tax, then any party attempting to bypass the established and licensed market would be subject to the full investigatory power of the government that is used against parties who avoid paying their taxes. This would be a very important tool of compulsion on the part of any government wishing to exercise control over the buying and sale of cyber exploits.
Is it possible to use blockchain technology to verify the identity and trace the distribution of computer code, including malware?
But for the time being, there is no regulation of the market for cyber exploits. As a result, there is no control, no accountability, no reliable statistics on what is taking place, and no way to protect either buyers or sellers.
Although there appears to be an “equities process” inside the U.S. government in which different departments decide whether or not to report a vulnerability to the software vendor so it can be fixed, it is not clear exactly from which statute the government derives the power to do this.(21) It is an open question as to whether the U.S. Government incurs liability for not reporting these exploits.
3 Using the Nuclear Non-Proliferation Act as a Model
Can Efforts to Control the Proliferation of Nuclear Weapons be used as a Model to Stop the cyber Arms Race? In the late 1970s, the US Congress passed Public Law No. 95–242, the Nuclear Non-Proliferation Act of 1978.(22) The purpose of the act was two-fold: First, to set up a system of export licenses for nuclear technology; Second, to place even tighter restrictions on the bilateral treaties signed by the US with partners governing the use of nuclear technology. The law specified that any nuclear related export could not be used for an explosion of any type. This language aimed specifically at addressing the fiction used by India through which it deceptively argued that creation of thermonuclear weapons was actually a “peaceful explosion”. The law enforced a system of heightened physical security on all exports, even after they had arrived at their destination in other countries. In the event a recipient of nuclear technology was able to create downstream technologies related to nuclear power, the law was to be applied to “subsequent generations of material or equipment generated from exported sensitive nuclear technology”.(23) The nuclear safeguards system was to be applied to all nations that were using nuclear energy, whether they had weapons or not. There was a requirement that no nation could carry out reprocessing of nuclear fuel without US approval. No uranium supplied by the US could be reprocessed without prior approval. All storage facilities of separated plutonium must be in US approved locations.
There are inherent differences between nuclear weapons and cyber weapons. This makes it impossible to use exactly the same solution for control of cyber weapons proliferation. Given the intangible nature of dual-use cyber security technology, it is particularly difficult to control its proliferation. Nevertheless, compared to the “Wild West” situation prevalent at this time, almost any tightening of controls over the international proliferation of these dangerous technologies shall be an improvement.
It should be noted that any controls over the international trade in cyber security dual-use technologies will be met with fierce opposition from the entrenched commercial community. Such companies will argue that this type of law is a severe constraint on the free market, and on free trade. Of course it is. That is the whole point. It will be pointed out that a broad range of high-technology items and all manner of defense equipment, including dual-use technologies, long have been subject to export controls and licensing. In fact, the same mechanisms and governmental channels already in place for this purpose can be transitioned over to monitoring the export of cyber security dual-use technologies. The only difference is that parties on all sides will come to recognize the importance and danger of these technologies. By moving them into the same channel as offensive weapons or supporting methods of work, these technologies will have come home. The example of the Non-Proliferation law would suggest the following:
3.1 License Exports of Cyber Weapons
Companies, such as cyber security consultants, that have developed either cyber weapons or “dual-use” cyber technologies would not be able to export their software or services to parties outside of the country without getting approval. In the course of getting approval for the export, all relevant details regarding the projected utilization of the technology, the location of its use, and its potential impact on the cyber weapon balance of power will be assessed.
Licenses would be revocable upon violation of the safeguards put in place for their use.
3.2 Prohibit Dual-Use Cyber Security Technologies being Deployed as Weapons
Cyber security technologies having dual use will not be used for offensive cyber purposes. If they are used this way, then the license will be subject to immediate revocation.
3.3 Dual-Use Cyber Security Technologies to be Stored only in Approved Facilities
Cyber security technologies are stored inside the information systems in which they are being used. These “storage” facilities must meet international security standards before being licensed as storage facilities for these cyber weapons.
A uniform set of information security standards will be enforced on all dual-use cyber tool storage facilities. The party receiving a license for use of these technologies will take all necessary measures to ensure these weapons do not leak out of control. An acceptable standard shall be used for ensuring compliance with security requirements for storage of cyber dual-use technologies.(24) The receiving party will be responsible for ensuring that cyber dual-use technologies are not distributed beyond the range of the protected system.
3.4 Extend Licensing to Subsequent Generations of Cyber Technology
In the case that the receiving party (outside of the country imposing these unilateral controls) modifies, improves, or creates a next-generation technology from the cyber technology that has been exported, then all new derivative technology shall be subjected to the same licensing restrictions as the originally-exported technology.
This will prevent a recipient country from making small modifications to exported cyber dual-use security technologies so as to allow them to escape from the system of controls over their use.
3.5 Bar Re-Export of Dual-Use Cyber Security Technologies
Once a set of dual-use cyber security technologies has been obtained via license, the obtaining organization (or nation state) will agree that they may not be re-exported to third parties without the consent of the original license giver. This will prevent the emergence of entrepôt states acting as quasi-illegal “free trade” areas allowing technology to be traded internationally without restriction.
3.6 Criminalize the Black Market (Dark Web)
As part of the unilateral agreement allowing the licensing of dual-use cyber technologies, nations will agree to criminalize the black market(25) in the sale of cyber security dual-use technologies. If necessary the prohibition of illicit trading in these technologies can be backed up by international financial sanctions used in the same way as they are for controlling the proliferation of nuclear technologies.
(1)This concept is advocated by the Chief Legal officer for Microsoft, Mr. Brad Smith. He has called for a “Digital Geneva Convention”. See Martin Giles, We need a cyber arms control treaty to keep hospitals and power grids safe from hackers, MIT Technology Review 01 October 2018
(2) See Figure 2
(3)Definition: Deep Web: that part of the web not indexed by search engines; Dark Web: web content that exists on darknets, or overlay networks. These require authorization or specific software in order to access.
(4)The term “multinational” refers to something that involves the participation of different nation States, or the participation of entities that are located within the territorial jurisdiction of different nation States. The term Transnational refers to activities that take place within the jurisdiction of two or more nation States and are organized in a way that operates generally independently of State direction. An example of a transnational activity would be a global supply chain run by multinational enterprises. It is often said that one threat to international peace and security is the operation of transnational criminal syndicates.
(5)The innovative nature of crime always is a marvel, and often would be beautiful in a different context.
(6) For a discussion of the market, see Charlie Miller, The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales, white paper, Independent Security Evaluators, May 6, 2007. He notes that there is little price transparency in the market for exploits. However, in giving examples of sale prices, the author cites figures ranging from $500 to $300,000. See Table 1, p. 4 in Miller.
(7)The exploit is sold on an exclusive basis but only for a certain period of time, after which it might be sold again.
(8)See VUPEN Threat Protection Program, White paper, VUPEN Security, Montpellier, France, n.d. at www.vupen.com, (emphasis added)
(9)Source: Interview with the Chief Information Officer of Walmart. <name deleted>
(10) A bounty hunter is a person who tracks down a criminal for the purposes of getting a reward offered by either legal authorities or by an organization that has loaned out the money for the bail fee. The bail fee is money paid to release an accused criminal from jail while awaiting trial. See Taylor v. Taintor 83 U.S. (16 Wall.) 366 (1872)
(11) Interview, General Michael Hayden, Director of the National Security Agency, in the documentary film A Good American, Friedrich Moser, Director, El Ride Productions, 2015
(12) Signals Intelligence originally referred to interception and decryption of radio communications. After 9/11 in the United States, and the birth of social media, the term now refers to radio intercepts plus social media intercepts.
(13)Including Russia, which later was accused of having employed cyber mercenary forces in its foreign information operations policy. This has never been proved conclusively in any court.
(14)In the United States, this includes companies such as Lockheed-Martin, and Science Applications International Corporation (SAIC).
(15)The Stuxnet malware, for example, contained four or more zero day exploits, and was designed in a way to attack only the programmable controllers working in the uranium centrifuges in Natanz, Iran.
(16) These talented individuals could be hired outright, or their entire small company gobbled up and absorbed by the larger systems integrator.
(17)This was the case for Kevin David Mitnick. According to his Wikipedia entry he was arrested in 1995 and was put in prison for five years for computer crime. He has been rehabilitated and runs the security firm Mitnick Security Consulting, LLC. He now holds the title of Chief Hacking Officer of the security awareness training company KnowBe4.
(18)This problem has become a target of discussion within the First Committee (Disarmament) of the United Nations.
(19)See Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, New York, Crown Publishers, 2014, para. 2, p. 221
(20)For example, a cyber exploit might be sold to a software vendor under a limited time frame, generally enough time to create a patch and have it released to the customer base. After that initial time period is expired, then the product could be resold to cyber security vendors. This secondary sale also could be time-boxed so that eventually the software might be used in cyber security services. After that, it might be sold to the general public or other targeted customer groups.
(21) This is reported by Zetter, p. 225. The US equities process involves a central committee composed of representatives from multiple departments and agencies—DoD, Justice Department, State Department, Homeland Security, the White House, and the intelligence community—and is patterned after one developed by the Committee on Foreign Investment in the United States. (emphasis added)
(23)See discussion in Frederick Williams, The United States Congress and Nonproliferation, 3(2) International Security 45–50 (1978)
(24) See for example: National Institute of Standards and Technology (NIST), NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (2015)
(25) Rus. chernyy rynok