Expert Warns of the Growing Trade in Software Security Exploits

The growing trade in exploits of software security has become a “market in digital weapons,” leaving people in the U.S. and abroad vulnerable to cyberattack, said Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU, in an October 24th talk at Harvard Law School.

“The entire industry, while it’s been in existence, hasn’t received much sunlight,” said Soghoian, arguing that many regulators and policymakers do not even understand that the market exists. (Soghoian said that his talk, which was co-sponsored by the Berkman Center for Internet and Society and the Journal of Law and Technology, reflected only his views and not those of the ACLU.)

Software security exploits are flaws in computer code that allow access into some aspect of software or hardware. These flaws can enable cyberattacks, as in the recent case of Stuxnet, where the U.S. and Israel reportedly set a computer worm on several Iranian organizations.

In general, it is security researchers who identify the flaws – called zero-day flaws when they are unknown to the vendor – and they have several choices for what to do with that information. If they believe the vendor has a record of not disclosing such flaws, the researchers may make a full public disclosure. Other companies offer “bug bounties,” or small sums of money to researchers who find flaws. Mozilla, for example, offers $500 per flaw to researchers. Researchers looking to make a little more cash can sell flaws within the confines of a managed disclosure process: an intermediary firm pays the researcher anywhere from $500 to $20,000, then informs the software company. While the software company is working on a fix for the problem, the intermediary firm tells its client companies about the flaw, but does not publicly disclose the problem until after the fix is created.

But now, there are also intermediaries who buy these flaws from researchers and resell them as what Soghoian terms “weaponized security exploits,” working at the same time to prevent vendors from learning of the exploits. These intermediaries sell to the U.S. government as well as to foreign governments, but Soghoian said both markets are problematic.

In order for an exploit to be valuable to the U.S. government, Soghoian explained, all citizens must be vulnerable. When Microsoft finds a flaw, for example, it releases a patch to the public at large. But if a flaw is patched, the National Security Administration, for example, can no longer use that flaw strategically – so, Soghoian says, it buys flaws to keep them a secret and use them later.

“Governments are now acquiring these security flaws, not to patch systems, not to make the Internet more secure, but rather to deliver offensive code that may be used for warfare, for espionage,” he said.

The same is true for foreign governments, Soghoian said, especially when exploits are sold to particular states. And many intermediaries do not care who their customers are, he said. One company, VUPEN, has said it only sells security exploits to certain countries, including NATO partners and ASEAN members. However, Soghoian pointed out, this list includes, among others, Pakistan and Indonesia. Another company, Gamma, produces a spyware suite called Finfisher, which allows video monitoring of computer users. The owner of Gamma, Martin Muench, has said he only sells to governments to monitor criminals. But in Soghoian’s opinion, the criminals being monitored by client governments are not pedophiles or terrorists, but journalists and dissidents. Researchers have traced the fingerprint of the program, he said, and believe that Egypt used a demo version of Finfisher to launch cyberattacks on activists.

The United Kingdom is planning to regulate the export of Finfisher, and the European Union has banned the export of Internet surveillance products to Iran, but the security exploit market remains unregulated in the U.S., Soghoian said. Although Harold Koh, top lawyer for the Department of State, said in a speech on law in cyberspace that cyber weapons should be subject to legal review, Soghoian said, each branch of the military has its own standards of review. Only the Air Force has accounted for cyber weapons in its guidelines, he said, and it does not consider security exploits to fall within this category.

To the Army, Soghoian said, exploits and flaws are not weapons, and so their sales are not regulated as weapons. But in his view, they should be. He said he does not believe the market will self-regulate, as companies will never be able to outbid the government. And unfortunately, he argued, policymakers are largely unaware of this shadow market.

“They’re scared,” he said, “but they don’t really know what they’re scared of besides China and the Internet.”

Soghoian received his doctorate in 2012 from Indiana University, where he focused on government surveillance and third-party service providers. Previously, he was the first in-house technologist at the Federal Trade Commission’s Division of Privacy and Identity Protection. He was also a Student Fellow at Harvard’s Berkman Center for Internet and Society in the 2008-2009 academic year.