Adm. Rogers Talks about Buying Cyberweapons

At a talk last week, the head of US Cyber Command and the NSA, Mike Rogers, talked about the US buying cyberweapons from arms manufacturers.

"In the application of kinetic functionality -- weapons -- we go to the private sector and say, 'Build this thing we call a [joint directed-attack munition], a [Tomahawk land-attack munition].' Fill in the blank," he said.

"On the offensive side, to date, we have done almost all of our weapons development internally. And part of me goes -- five to ten years from now is that a long-term sustainable model? Does that enable you to access fully the capabilities resident in the private sector? I'm still trying to work my way through that, intellectually."

Businesses already flog exploits, security vulnerability details, spyware, and similar stuff to US intelligence agencies, and Rogers is clearly considering stepping that trade up a notch.

Already, Third World countries are buying from cyberweapons arms manufacturers. My guess is that he's right and the US will be doing that in the future, too.

Posted on February 27, 2017 at 2:28 PM • 20 Comments

Comments

Brandon • February 27, 2017 3:09 PM

The problem he will need to work around is the procurement guidelines. You can't exactly put out an RFP for a weaponized exploit. It's a totally different process than - we need a plane, with wings, and bombs. Go build it.

Ross Snider • February 27, 2017 3:12 PM

@Brandon

Hmm, really interesting.

Perhaps the RFP could look like... for versions X - Y of this software, a reliable (>99%) retargetable exploit with ASLR bypass is needed such that a payload greater than 1k can be run in the context of the running software. Yadda yadda.

Seems like there are technical specifications that could be made.

Rhys • February 27, 2017 4:12 PM

This is about money to hand out to hungry aerospace industry lobby. Cyberweapons is just a smokescreen.

Had we been paying attention with McNamara's mutually assured destruction (AKA MAD), we should all know this, too, is a battle of attrition which no one wins. Even the survivors won't want to live with the result. Assuming that survival isn't just a slower form of death.

Pastured old timers still reminiscing when a good fight had a conclusion and something was won. Like the Charge of the Light Brigade. You know- Balaclava. Oh- wait, that's not resolved yet, now is it? Well, the British had a parade and lots of medals/knighthoods anyway.

Have you- let alone this policy maker, ever thought about what is to be won? What will be settled? Ever? Shouldn't we at least ask?

At best, if you have the Russians, they may allow just another "cold war" scenario. Controlled, limited tit-for-tat. But the Chinese, the North Koreans, the Iranians, - fill in your own list, won't. They have martyrdom to look forward to. And life is cheap. Regaining control after the resulting chaos would be a Nobel winning thesis. Or a fairy tale.

Once the escalation to HEMP (high-altitude electromagnetic pulse) occurs, even if you survive, we'll all be back to the limits of local community systems of sustainment using written, signing, and verbal communications. Even the Laser-Induced Plasma Channel, or LIPC, is enough to burn out whole sections of the grid. Power and/or Comms.

Talk about going back to the stone age. There is no such thing as selective violence for the greater good.

Be cheaper to just fly money in B-52 drops over the countries and turn them into 'consumers'.

tyr • February 27, 2017 4:23 PM


Having had occasion to plow through the
verbiage of government specifications
a time or two, I doubt the efficacy of
anything produced in that fashion. By
the time a developer read through the
mad scheme they would be so fuddled as
to become useless. For those in the feather
merchantry of government procurement it
should provide a tidy income for as long
as the mad scheme can be milked though.

cyberweapon? • February 27, 2017 5:35 PM

What is a "cyberweapon"?

Is it the computer you break into? My house is not a "weapon" if I use a brittle lock that any local policeman or criminal could easily break with one swift kick at the door.... Yet my computer is? Do I have a second amendment right to carry a computer??

Is it the knowledge of how to break into the computer? So then knowledge itself is a weapon? Do I have a second amendment right to learn that knowledge? Are all educational institutions weapons manufacturers because they educate people?

Is it the act of breaking into a computer that's a weapon? So the act of using a computer is a weapon? Who knew I was "weaponing" on this keyboard here as I type this out to you!

Is it the piece of code that automates such a break-in in a more easy-to-use manner? Ah, so then, mathematicians and linguists must be criminals, just like programmers? Or maybe they're the ones with the second amendment right to do math or logic or language or write code? Those who write code are weapons manufacturers?

It isn't merely a weapon or a war when your target is everyone. We use bigger words to describe such things, like genocide. For computers, maybe "malware" just doesn't have a big enough sounding ring to it, so we call it a "war" or a "weapon"?? Except it's more like carpet bombing the world, to use an analogy... Who does that? Why is MY government doing that?? Even to itself??? Nobody in charge sees the problem there?

John Schilling • February 27, 2017 5:59 PM

When the DoD went out and contracted for the Tomahawk cruise missile, they could be reasonably certain that Raytheon wasn't going to tweak the production rate upwards and sell the extras to North Korea, or to the Mafia. The market for cruise missiles is small and all the players are known, production is highly visible and easily tracked, and if any do find their way into the wrong hands their subsequent misuse will be highly visible and easily tracked. With cyberweapons, the criminal market is large and murky, production takes but a keystroke, and the source can be obfuscated. The potential for mischief seems much higher, so as with e.g. nuclear weapons this seems like it might best be kept to government labs and very closely scrutinized monopsony contractors.

r • February 27, 2017 6:05 PM

Nobody is asking the question about this being in a completely different direction than the existing orientation.

Instead of the military being in control of the 'technology' it's going to be civilian arms (which it pretty much is now) in control of military capabilities.

Weren't we already worried about corporate states?

This changes everything or it simply changes nothing because it's just an admission of what's already going on?

r • February 27, 2017 6:12 PM

If a malware or exploit was used unilaterally it would have a high chance of having pressure exerted on detection companies in a multilateral/unilateral way.

It may cause a stalling of detection through defeating competing interests, be aware.

Pete • February 27, 2017 6:51 PM

The defense electronics industry is 200 companies. Large DoD contractors are about 50 bloated companies.

The software attack industry is every kid with a PC.

RAD development is the only way this stuff works. Start with a simple contract then do add-ons AFTER the supplier proves they can do good stuff.

Completely different than the typical DoD contractor with 500 people working on the code.

Drone • February 27, 2017 11:03 PM

Modern Defence Procurement has become hyper-politicized, more so than ever. That is a VERY dangerous and costly thing indeed! See this for example (run-time, about seven minutes):

www.youtube.com/watch?v=ba63OVl1MHw

trent • February 28, 2017 6:40 AM

@cyberweapon? has a good point about 2nd amendment implications, and there are various observations about how the RIAA's "you would download a car" somehow needs to be upgraded once it does become possible to download a nuke.

Also: warcrimes - including impact on civilian infrastructure disproportionate to military gain, and anti-personnel landmines are prohibited due to the lasting impact on civilian population after any war, though the US isn't signatory to the Ottawa treaty, so yeah.

> "And part of me goes -- five to ten years from now is that a long-term sustainable model?"

Well, it sounds like a military-industrial complex. On what level does he mean sustainable? Is he concerned about being able to get the weapons he wants, or is the concern about still having a society worth protecting?

JohnL • February 28, 2017 9:25 AM

If you use a cyber weapon you have a very strong chance of rendering it unusable again.

I think this statement here summed up the issue with "cyber-weaponry". Once an exploit is used in the wild, the chance of detection goes way up. While it is certainly possible to keep such attacks few, targeted, and with a lot of opsec work to clean up afterwards and prevent discovery of the exploit, they do have a half-life. Even without use, with the community of security researchers always working to find and disclose vulnerabilities, an unused exploit may well be rendered inert simply by virtue of someone else discovering it and publicly disclosing it.
With that being the case, I cannot really fault Gen. Rogers for looking for innovative solutions to "building" such capabilities. Whether or not we really like the idea, the goal of the military is to kill people and break stuff. And Gen. Rogers has been given the mandate to figure out how best to accomplish this in the digital world. It is literally his job to figure this out. It is the responsibility of our civilian government to decide if what he is asking for is in keeping with our Constitution and values as a country.
As for building out something more similar to the military-industrial complex solution for "cyber-weapons", I suspect that we will see something similar to, but not exactly like what we have for kinetic weapons. Though, I suspect part of this is down to the newness of the digital battlefield. We are more akin to the ancient Sumerians, just figuring out war at a city-state level. We don't have the long history and research into fighting online that we do in the physical world. Perhaps eventually we'll discover some broad truths about online battle which will guide weapons manufacture. But, for the moment, it's easy for us to get blind-sided when we show up to a fight with the equivalent of stone axes and our enemy is carrying bronze tipped spears.

NetBeans • March 1, 2017 5:44 PM

there is an app in f-droid to detect illegal cyber weapon criminals use called "stinkray"
i am reading the posts there to try to educate myself
please can someone say if
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector/issues/69

public SmsDetector(Context newcontext){
    tContext = newcontext;
    dbacess = new AIMSICDDbAdapter(newcontext);//SmsDetectionDbAccess(newcontext);
    //# dbacess.open();
    ArrayList silent_string = dbacess.getDetectionStrings(); // //# dbacess.close();
    SILENT_ONLY_TAGS = new String[silent_string.size()];
    // size() is evaluated in the loop condition on every iteration
    for(int x = 0; x < silent_string.size(); x++) {
        SILENT_ONLY_TAGS[x] = silent_string.get(x).getDetection_string()+"#"+silent_string.get(x).getDetection_type();
    }
    prefs = newcontext.getSharedPreferences(AimsicdService.SHARED_PREFERENCES_BASENAME, 0);
}

will call .size() through virtual table in each loop iteration if inheritance is used? is compiler realistically able to optimize that good even if what function is called can change during the run time?

why does google not stop the cyberweapon themselves instead make community do it for them? https://code.google.com/p/android/issues/detail?id=5353
the ssl people defend against similar cyberweapon that was attacking the rsa export https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability
and the ssl people have lot less funding than google..... http://www.bankinfosecurity.com/openssl-gets-funding-after-heartbleed-a-6893
but google do nothing about a5/0 export
do no evil? is bad joke?

r • March 2, 2017 5:33 AM

@NetBeans,

F-Droid has a search box, you could ask it? ;-)

But, to satisfy your question I believe at least one of the towering programs is open source. Some of them include crowdsourcing functionality for -known- towers.

EvilKiru • March 2, 2017 5:12 PM

@NetBeans: "do no evil? is bad joke?"

That hasn't even been Google's slogan for several years now and it's been a bad joke for even longer.

x • March 4, 2017 2:26 AM

Businesses already flog exploits, security vulnerability details, spyware, and similar stuff to US intelligence agencies, and Rogers is clearly considering stepping that trade up a notch.

In a POTUS-Trump universe, the delta between this status quo and mandated (or bribed or otherwise coerced) built in backdoors is pretty much a joke. We are in a fairly long term (still measured in internet years however) dark age of reasonable government internet policy. Snowden certainly sparked some hopes. Trump pretty much snuffed them out for the foreseeable future. The man f'ing advocates torture for christs sake. And Schumer wants to pretend like the net neutrality battle is worth fighting. 977779r5...
