Growing Black Market for Cyber-Attack Tools Scares Senior DoD Official
Zero-day vulnerabilities are security holes that are not yet known to the vendor or patched in software such as Microsoft products. For years there has been a black market for those willing to sell knowledge of them. That market has now moved into the world of supervisory control and data acquisition (SCADA) systems that run power plants, said Eric Rosenbach, deputy assistant secretary of defense for cyber policy.
The black market for potentially destructive malware is being made easier by Google-like search engines that connect those who have discovered the vulnerability with customers who have the money to buy the knowledge. That may include nation states, terrorist groups or even individuals who want to make their mark on history, he said. They connect on the so-called “darknet,” a loose term for underground communications on the Web.
“That to me is scary,” he said at the Armed Forces Communications and Electronics Association Washington, D.C. chapter cybersecurity symposium.
Zero-day vulnerabilities were famously used in the so-called Stuxnet operation that attacked SCADA systems attached to Iran's nuclear program. In that case, malware disrupted the normal operation of centrifuges used to enrich uranium.
Stuxnet brought attention to how industrial control systems can be used to cause physical damage to such facilities as power plants, dams, and other critical infrastructure. This tactic may allow an adversary to cause physical and economic damage to a target country without launching a military operation. They may also be able to do so without being detected.
Attributing such attacks has been a problem in the past, but Rosenbach said that is changing. A recent report by cybersecurity company Mandiant was able to nail down the exact location of a concerted effort on the part of the Chinese military to steal intellectual property from U.S. corporations.
“Attribution is getting a lot better inside and outside the government,” he said.
SCADA systems were generally designed before cyber-attacks became a problem, and therefore did not have security features built in. They were made with programs that could be easily changed by design, and their code was once widely shared, he added.
The demand in this black market is being driven by nations that don't have the technical sophistication to find their own vulnerabilities and launch attacks, he said.
The potential bright spot for those seeking to stop the proliferation of this kind of malware is that there is only a small number of experts who are capable of finding zero-day vulnerabilities in SCADA systems, and fewer still willing to exploit this knowledge.
Rosenbach suggested a three-pronged strategy for mitigating such attacks. The first is to strengthen information sharing among the critical infrastructure sectors that are vulnerable.
Companies also need to beef up their own security. Unfortunately, many of the technicians who operate SCADA systems are not cybersecurity experts, he noted.
There also needs to be stronger international cooperation among law enforcement agencies to catch those involved in this black market. In some countries there are no laws on the books against engaging in this type of activity. The first step is to make sure that such laws are in place, he said.