Nation states are now outsourcing critical elements of their cyber security programs. Nations have been arguably employing third party hackers for years, but in recent years the demand for hacker work products and support has developed a global market where support goes to the highest bidder. Hackers are starting legitimate businesses whose sole purpose and product is to develop tools to exploit vulnerabilities or to discover yet unidentified vulnerabilities known as zero days. “Zero days” get their name from the number of days that a computer user has to fix a vulnerability before a hacker can exploit them. Hackers often focus efforts on developing exploits for day vulnerabilities because there is no available patch or fix identified to close the vulnerability.
The fact that hundreds of companies are developing to address this very market is telling to say the least. Bounties can literally be set if and when new vulnerabilities or their exploits have been developed/discovered. More troubling is that this information typically would go to the highest bidder which would likely be a government entity. Microsoft, Google, and Facebook all offer rewards for people who find the zero day vulnerabilities, but these rewards often can’t touch the kinds of money and resources being invested by governments.
Further, there is also evidence that governments are now hiring third party hackers to infiltrate targeted enemies and allies on their behalf. The benefit of hiring a non-affiliated hacker for this type of effort is really three-fold: the government can have plausible deniability associated with any infiltration and exploitation since there is no direct link between the hacker and the nation-state, the hacker is often located in a third party location so even if discovered the physical location would not lead to the government, and the government can take advantage of greater flexibility in being able to hire specific hackers for specific purposes rather than employing personnel long term.
While there is a clear and evident upside to outsourcing for cyber security support, there is also a very clear risk that is often not considered. When outsourcing hackers who will work for the highest bidder, governments are not dealing with people who have any clear loyalty to the nation state. Living and working within the confines of the Internet often leads hackers to become a citizen of the world rather than a particular nation. Additionally, the same hacker that at one point may support once nation could easily work for that nation’s enemy if they offer a bigger bounty or salary. Further, in cases where that hacker could get access to the government’s networks as an insider, the government could literally be sharing information, access, and secrets with someone who has not been vetted for trust and who harbors no loyalty. In the rush to compete with their enemies in this burgeoning “hacker marketplace”, governments could be inviting their enemy in through the front door. Much of this threat could be combatted with proper compartmentalization of the information, role-based access, and proper security infrastructure. Unfortunately, many government agencies do not properly implement protections to watch, monitor, and limit insiders for their systems. This has most recently become evident in the Snowden NSA Leaking Scandal. As a recently acquired cyber security administrator, Snowden was able to steal information from multiple locations, some above his actual clearance level. Further, it does not appear that any monitoring or additional protections were in place to catch his suspicious actions before he decided to release classified material and flee the country.
While it is important to stay competitive in the cyber security war being waged, it is also important to consider whom you are hiring and what the benefits and potential risks they really offer. Additionally, it is key that proper security infrastructure, policy, and procedures are in place to detect and deter the insider threat.