A new arms race is fought by defense contractors looking for online bugs.
WASHINGTON – On Florida’s Atlantic coast, cyber arms makers working for U.S. spy agencies are bombarding billions of lines of computer code with random data that can expose software flaws the U.S. might exploit.
In Pittsburgh, researchers with a Pentagon contract are programming computers to scan software for bugs and turn them automatically into weapons. In a converted textile mill in New Hampshire, programmers are testing the combat potential of coding errors on a digital bombing range.
Nationwide, a new league of defense contractors is mining the global Internet for glitches that can be turned to the country’s strategic advantage. They’re part of a cyber military-industrial complex that’s grown up in more than a dozen states and employs thousands of civilians, according to 15 people who work for contractors and the government. The projects are so sensitive that their funding is classified, and so extensive that a bid to curb their scope will be resisted not only by intelligence agencies but also the world’s largest military supply chain.
“We’re in an arms race,” said Chase Cunningham, the National Security Agency’s former chief cryptologic technician. The competition to find exploitable bugs before an enemy does is as intense as “the space race and the Cold War combined.”
The U.S. has poured billions of dollars into an electronic arsenal built with so-called zero-day exploits, manipulations of missteps or oversights in code that can make anything that runs on a computer chip vulnerable to hackers. They go far beyond flaws in web encryption like SSL and OpenSSL, which the NSA has exploited for years without warning the public about it, according to people with knowledge of the matter.
The agency’s stockpile of exploits runs into the thousands, aimed at every conceivable device, and many are not disclosed even to units within the agency responsible for defending U.S. government networks, people familiar with the program said.
Under a directive made public April 11, after Bloomberg News reported the NSA’s use of the infamous Heartbleed bug — a use the agency denied — the White House said exploits should in most cases be disclosed so computer users can protect themselves.
Michael Daniel, the White House cybersecurity coordinator, said in a blog post last week that “building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”
He said the U.S. would continue to develop and use those vulnerabilities to protect the country, however, and that the administration has established “a disciplined, rigorous and high-level decisionmaking process” when it comes to deciding whether to keep the flaws secret or disclose them so they can be fixed.
The NSA referred to the White House blog in response to a request for comment.
Because the White House directive said there should be exceptions for national security, the impact it will have is uncertain: Using just about any computer bug as a weapon can be justified as the Web plays an increasingly central role in intelligence gathering and kinetic conflict. During his confirmation hearing, Navy Vice Adm. Michael Rogers, director of the NSA and the U.S. Cyber Command, said it would be hard to imagine an international crisis not involving digital weaponry.
It’s also hard to imagine the U.S.’s increasingly sophisticated cyberspying and cyberwar operations without its deep arsenal of software exploits, according to current and former arms makers.