Cyber contractors ramp up new tools for NSA

WASHINGTON — On Florida’s Atlantic coast, cyber arms makers working for U.S. spy agencies are bombarding billions of lines of computer code with random data that can expose software flaws the U.S. might exploit.

In Pittsburgh, researchers with a Pentagon contract are teaching computers to scan software for bugs and turn them automatically into weapons. In a converted textile mill in New Hampshire, programmers are testing the combat potential of coding errors on a digital bombing range.

Nationwide, a new league of defense contractors is mining the foundation of the Internet for glitches that can be turned to the country’s strategic advantage. They’re part of a cybermilitary industrial complex that’s grown up in more than a dozen states and employs thousands of civilians, according to 15 people who work for contractors and the government. The projects are so sensitive their funding is classified, and so extensive a bid to curb their scope will be resisted not only by intelligence agencies but also the world’s largest military supply chain.

“An arms race”

“We’re in an arms race,” said Chase Cunningham, the National Security Agency’s former chief cryptologic technician. The competition to find exploitable bugs before an enemy does is as intense as “the space race and the Cold War combined.”

The U.S. has poured billions of dollars into an electronic arsenal built with so-called zero-day exploits, manipulations of missteps or oversights in code that can make anything that runs on a computer chip vulnerable to hackers. They go far beyond flaws in web encryption like SSL and OpenSSL, which the NSA has exploited for years without warning the public about it, according to people with knowledge of the matter.

The agency’s stockpile of exploits runs into the thousands, aimed at every conceivable device, and many are not disclosed even to units within the agency responsible for defending U.S. government networks, people familiar with the program said.

Heartbleed bug

Under a directive made public April 11, after Bloomberg News reported the NSA’s utilization of the infamous Heartbleed bug — a use the agency denied — the White House said exploits should in most cases be disclosed so computer users can protect themselves.

Michael Daniel, the White House cybersecurity coordinator, said in a blog post this week that “building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”

He said the U.S. would continue to develop and use those vulnerabilities to protect the country, however, and that the administration has established “a disciplined, rigorous and high-level decision-making process” when it comes to deciding whether to keep the flaws secret or disclose them so they can be fixed.

The NSA referred to the White House blog in response to a request for comment.

Because the White House directive said there should be exceptions for national security, the impact it will have is uncertain: Using just about any computer bug as a weapon can be justified as the Web plays an increasingly central role in intelligence gathering and kinetic conflict. During his confirmation hearing, Navy Vice Admiral Michael Rogers, director of the NSA and the U.S. Cyber Command, said it would be hard to imagine an international crisis not involving digital weaponry.

A valuable arsenal

It’s also hard to imagine the U.S.’s increasingly sophisticated cyberspying and cyberwar operations without its deep arsenal of software exploits, according to current and former arms makers. Those operations would be slower and more susceptible to detection without zero days.

And like giving up sophisticated missiles and bombers, giving up an arsenal of highly valuable computer exploits could leave the country more vulnerable in a future national security crisis, those experts say. Pentagon contractors are working on developing them for the CIA, the Army’s recently activated 780th Military Intelligence Brigade, the NSA’s Tailored Access Operations corps and other units.

Spending ramps up

As conventional military spending has been cut back and funding for cyber operations ramped up, Lockheed Martin, Northrop Grumman and others better known for jets and tanks are retooling for a new generation of armaments.

“Of countries that are developing industrial-strength cyber capabilities, certainly the U.S. is in the lead,” said Nate Freier, a research professor at the Army War College in defense and military strategy. “The question is whether we understand it well enough to use it without encountering a significant amount of blowback or unintended consequences.”

Spy agencies develop exploits themselves, buy them from contractors or steal them from rivals. And the arsenal must be constantly refreshed, as the software at which they’re aimed is updated and fixed. Some exploits are used for years; others only for a short time before the flaws on which they are based are patched.

Special tools

There are more than bugs in the government’s arsenal: Hackers at the NSA’s Tailored Access Operations, or TAO, have more than 1,000 special tools to aid them in stealing data or manipulating a rival’s electronics. As described by three people briefed on the technology, the tools enable rapid, mix-and-match attack capabilities against the most widely used computers, servers and software.

If TAO wants to switch on a microphone in a computer running Microsoft Windows, covertly recording conversations of anyone nearby, a custom module does the job. If it needs to hijack the system that communicates between computers and the controls that operate train-track switches or dam flow gates, there’s a plug-in for that too. Dozens of the plug-ins can be loaded onto a single digital warhead, customized to the needs of the mission at hand.

Private sector help

The private sector provides support at all levels. When intelligence agencies were looking three years ago for holes in commercial software that runs video conferencing systems, they reached out to several contractors. Endgame, an Atlanta- based company that once specialized in weaponizing software bugs, provided the exploits, allowing U.S. spies to tap into the systems, according to a person familiar with the contract.

Sara Conneighton, a spokeswoman for Endgame, which is also working on commercial security applications, said she had no comment on business the company may have done with the U.S. government.

Most defense contractors have launched cyber-weapons programs; many have grown through acquisitions of boutique security and Internet-intelligence firms.

Northrop Grumman, which makes the Global Hawk drones, purchased Essex, a NSA supplier, in 2006. Combat radio- maker Harris Corp. purchased Crucial Security, which develops hacking tools, in 2009.

“Cyber money is not shrinking the way the rest of the defense budget is,” said Dave Aitel, chief executive officer of Immunity, an offensive security firm in Miami. “That means that all the big beltway bandits must invest heavily to build their cyber teams and that this market is going to continue to grow.”

A 20 percent increase

In President Barack Obama’s proposed fiscal 2014 budget, the money for cyber operations jumped 20 percent, to $4.5 billion, and the Pentagon placed it on a list of priority programs, an unclassified comptroller’s presentation shows.

The Defense Department foresees spending $26.6 billion on cybersecurity efforts for the five years ending in 2019, and requested $5.06 billion for fiscal year 2015, according to Pentagon budget documents.

Of all the major defense contractors, Raytheon may be best positioned to take advantage of the shift through a little- noticed acquisition made six years ago. In 2008, it bought SI Government Solutions, the brainchild of a former computer science professor at the Florida Institute of Technology who developed a method to rapidly scan software code to find flaws that could be exploited by hackers. Since then, the Raytheon division has grown to become one of the most prolific U.S. cyber arms makers, said several people familiar with the subsidiary.

Its engineers develop exploits not only for computers but for every conceivable device with a microchip, from heating and air conditioning systems to printers to industrial computers used in manufacturing, according to a person who was recruited by the company and received a detailed description of the program.

Air-gapped computers

For the CIA, SI Government Solutions specializes in ways to gain access to computers that aren’t connected to the Internet, according to a second person familiar with the subsidiary’s government contracts. That includes the use of technology that can surreptitiously transfer data from so-called air-gapped computers, which often contain a rival country’s most sensitive secrets.

Jason Kello, a Raytheon spokesman, declined to comment on the company’s role or to identify its clients. Ed Wallach, who recruits prospective employees for SI Government Solutions, said high demand and the need for specialized skills makes his job difficult, even though the 250-person subsidiary offers a more lucrative benefits package than the rest of Raytheon.

“We may not be building ships, but it’s clear this is one area where the government is willing to spend money,” he said.

Finding software bugs

Finding bugs requires the creativity of human researchers as well as the power of computers, which relentlessly pound software programs with unpredictable data to spot a possible malfunction, a technique called fuzzing. The Finnish company Codenomicon was using an advanced fuzzing engine when it detected Heartbleed earlier this month, according to Mikko Varpiola, a Codenomicon co-founder. Researchers from Codenomicon and Google reported both the flaw and a fix for it.

ForAllSecure, a Pittsburgh company founded by researchers from Carnegie Mellon University, has a Pentagon contract to teach computers to scan for software vulnerabilities and automatically generate attack code. Its product, called Mayhem, has been used to analyze more than 37,000 off-the-shelf software programs and found 14,000 bugs in them, including 152 for which the company has developed exploits, said David Brumley, an assistant professor in computer science and engineering at Carnegie Mellon University who is leading the work. Without automation, it can take months to turn a coding mistake into a weapon.

If the U.S. wanted to use an exploit to gather intelligence and not disclose the underlying error’s existence, Brumley said he wouldn’t object. “We have to be free to be able to strategically and appropriately use cyber weapons,” Brumley said.

Unlike Tomahawk missiles, which do one thing and with a high degree of reliability, even the best-crafted exploits are unpredictable, because computer systems and software can come in almost endless combinations of configurations that could foil attacks. Siege Technologies, a startup in a converted 19th century textile mill along the Merrimack River in Manchester, New Hampshire, is working to change that with more than $10 million in contracts from the Department of Defense and other agencies.

Predicting success

For the last four years, Siege has been developing an algorithm that predicts the likelihood of a cyberattack’s success, a process that entails running attack code through thousands of test cases to generate models of how effective it would be in the real world, whether it’s breaking into power grids to hacking mobile phones. The company’s main product is Eprouvette, named after military equipment used to test the strength of gunpowder.

Siege Technologies is considering enhancements that would provide real-time feedback as to whether an exploit actually hit its target, said company founder Jason Syversen, whose background is in cryptography and hacking. Military commanders “want a smoking crater to prove an attack was successful,” he said. “We don’t have that in cyber.”

Syversen said he set out to create the equivalent of the military’s so-called probability of kill metric, a statistical analysis of whether an attack is likely to succeed.

“I feel more comfortable working on electronic warfare,” he said. “It’s a little different than bombs and nuclear weapons — that’s a morally complex field to be in. Now instead of bombing things and having collateral damage, you can really reduce civilian casualties, which is a win for everybody.”

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

Traffic idles while waiting for the lights to change along 33rd Avenue West on Tuesday, April 2, 2024 in Lynnwood, Washington. (Olivia Vanni / The Herald)
Lynnwood seeks solutions to Costco traffic boondoggle

Let’s take a look at the troublesome intersection of 33rd Avenue W and 30th Place W, as Lynnwood weighs options for better traffic flow.

A memorial with small gifts surrounded a utility pole with a photograph of Ariel Garcia at the corner of Alpine Drive and Vesper Drive ion Wednesday, April 10, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
Death of Everett boy, 4, spurs questions over lack of Amber Alert

Local police and court authorities were reluctant to address some key questions, when asked by a Daily Herald reporter this week.

The new Amazon fulfillment center under construction along 172nd Street NE in Arlington, just south of Arlington Municipal Airport. (Chuck Taylor / The Herald) 20210708
Frito-Lay leases massive building at Marysville business park

The company will move next door to Tesla and occupy a 300,0000-square-foot building at the Marysville business park.

The oldest known meteor shower, Lyrid, will be falling across the skies in mid- to late April 2024. (Photo courtesy of Pixabay)
Clouds to dampen Lyrid meteor shower views in Western Washington

Forecasters expect a storm will obstruct peak viewing Sunday. Locals’ best chance at viewing could be on the coast. Or east.

Everett police officers on the scene of a single-vehicle collision on Evergreen Way and Olivia Park Road Wednesday, July 5, 2023 in Everett, Washington. (Photo provided by Everett Police Department)
Everett man gets 3 years for driving high on fentanyl, killing passenger

In July, Hunter Gidney crashed into a traffic pole on Evergreen Way. A passenger, Drew Hallam, died at the scene.

FILE - Then-Rep. Dave Reichert, R-Wash., speaks on Nov. 6, 2018, at a Republican party election night gathering in Issaquah, Wash. Reichert filed campaign paperwork with the state Public Disclosure Commission on Friday, June 30, 2023, to run as a Republican candidate. (AP Photo/Ted S. Warren, File)
6 storylines to watch with Washington GOP convention this weekend

Purist or pragmatist? That may be the biggest question as Republicans decide who to endorse in the upcoming elections.

Keyshawn Whitehorse moves with the bull Tijuana Two-Step to stay on during PBR Everett at Angel of the Winds Arena on Wednesday, April 17, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
PBR bull riders kick up dirt in Everett Stampede headliner

Angel of the Winds Arena played host to the first night of the PBR’s two-day competition in Everett, part of a new weeklong event.

Simreet Dhaliwal speaks after winning during the 2024 Snohomish County Emerging Leaders Awards Presentation on Wednesday, April 17, 2024, in Everett, Washington. (Ryan Berry / The Herald)
Simreet Dhaliwal wins The Herald’s 2024 Emerging Leaders Award

Dhaliwal, an economic development and tourism specialist, was one of 12 finalists for the award celebrating young leaders in Snohomish County.

In this Jan. 12, 2018 photo, Ben Garrison, of Puyallup, Wash., wears his Kel-Tec RDB gun, and several magazines of ammunition, during a gun rights rally at the Capitol in Olympia, Wash. (AP Photo/Ted S. Warren)
With gun reform law in limbo, Edmonds rep is ‘confident’ it will prevail

Despite a two-hour legal period last week, the high-capacity ammunition magazine ban remains in place.

Everett Fire Department and Everett Police on scene of a multiple vehicle collision with injuries in the 1400 block of 41st Street. (Photo provided by Everett Fire Department)
1 in critical condition after crash with box truck, semi in Everett

Police closed 41st Street between Rucker and Colby avenues on Wednesday afternoon, right before rush hour.

The Arlington Public Schools Administration Building is pictured on Tuesday, April 16, 2024, in Arlington, Washington. (Ryan Berry / The Herald)
$2.5M deficit in Arlington schools could mean dozens of cut positions

The state funding model and inflation have led to Arlington’s money problems, school finance director Gina Zeutenhorst said Tuesday.

Lily Gladstone poses at the premiere of the Hulu miniseries "Under the Bridge" at the DGA Theatre, Monday, April 15, 2024, in Los Angeles. (AP Photo/Chris Pizzello)
Mountlake Terrace’s Lily Gladstone plays cop in Hulu’s ‘Under the Bridge’

The true-crime drama started streaming Wednesday. It’s Gladstone’s first part since her star turn in “Killers of the Flower Moon.”

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.