Twitter Facebook Google RSS
National Defense > Blog > Posts > Growing Black Market for Cyber-Attack Tools Scares Senior DoD Official
Growing Black Market for Cyber-Attack Tools Scares Senior DoD Official
By Stew Magnuson

A growing black market for zero-day vulnerabilities is allowing almost anyone with the cash to buy the means to launch destructive cyber-attacks against U.S. industrial control systems, a senior Defense Department official said Feb. 22.

Zero-day vulnerabilities are previously undiscovered security holes in software such as Microsoft products. There has been a black market for those willing to sell knowledge of them for years. That market has now moved into the world of supervisory control and data acquisition (SCADA) systems that run power plants, said Eric Rosenbach, deputy assistant secretary of defense for cyber policy.

The black market for potentially destructive malware is being made easier by Google-like search engines that connect those who have discovered the vulnerability with customers who have the money to buy the knowledge. That may include nation states, terrorist groups or even individuals who want to make their mark on history, he said. They connect on the so-called “darknet,” a loose term for underground communications on the Web.

“That to me is scary,” he said at the Armed Forces Communications and Electronics Association Washington, D.C. chapter cybersecurity symposium.

Zero-day vulnerabilities were famously used in the so-called Stuxnet operation that attacked SCADA systems attached to Iran's nuclear program. In that case, malware disrupted the normal operation of centrifuges used to enrich uranium.

Stuxnet brought attention to how industrial control systems can be used to cause physical damage to such facilities as power plants, dams, and other critical infrastructure. This tactic may allow an adversary to cause physical and economic damage to a target country without launching a military operation. They may also be able to do so without being detected.

Attributing such attacks has been a problem in the past, but Rosenbach said that is changing. A recent report by cybersecurity company Mandiant was able to nail down the exact location of a concerted effort on the part of the Chinese military to steal intellectual property from U.S. corporations.

“Attribution is getting a lot better inside and outside the government,” he said.

SCADA systems were generally designed before cyber-attacks became a problem, and therefore, did not have security features built in. They were made with programs that could be easily changed on purpose, and their coding was once widely shared, he added.

The demand in this black market is being driven by nations that don't have the technical sophistication to find their own vulnerabilities and launch attacks, he said.
The potential bright spot for those seeking to stop the proliferation of this kind of malware is that there is only a small number of experts who are capable of finding zero-day vulnerabilities in SCADA systems, and fewer still willing to exploit this knowledge.
Rosenbach suggested a three-prong strategy toward mitigating such attacks. One is to strengthen information sharing among the critical infrastructure sectors that are vulnerable.
Companies need to also beef up their own security. Unfortunately, many of the technicians who operate SCADA systems are not cybersecurity experts, he noted.
There also needs to be stronger international cooperation among law enforcement agencies to catch those who are involved in this black market. There are countries where there are no laws on the books against engaging in this type of activity. The first step is to make sure that such laws are in place, he said.

Photo Credit: Thinkstock


There are no comments yet for this post.
Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Name: *

eMail *

Comment *



Name: *

eMail *

Comment *


Please enter the text displayed in the image.
The picture contains 6 characters.

Characters *


Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.



Bookmark and Share