Steve Gibson (139:54)
So this has nothing to do with ethnicity. You know, although democracies elect their leaders, those leaders don't always do what many of those they lead wish they would. So, you know, we fill out our ballots and hope for the best. So I ran across a fascinating document which was prepared by Winnona DeSombre Bernsen, a former security engineer at Google's, oh, that's the name, Leo: TAG, the Threat Analysis Group. Google's TAG group. You know, tag, you're it. She's the founder of the offensive security conference DistrictCon, held in Washington D.C., and she has organized policy content at DEF CON and authored multiple pieces on offensive cyber capability proliferation. She's a fellow at the Atlantic Council, a Washington D.C. based policy think tank, and in that capacity she interviewed a sobering list of people whom she lists at the end of her piece. In many cases she's only able to use their approximate titles because of the sensitive nature of their positions within the U.S. government or military.

She titled her piece "Crash." Well, it would be "Crash and Burn," but after "Crash" she put, in parens, "Exploit," and then "Burn," colon, "Securing the Offensive Cyber Supply Chain to Counter China in Cyberspace." So she's taking a clearly U.S. centric, how do we give as well as we get, stance. And note her use of the term "offensive cyber supply chain." In other words, how can the United States reliably obtain the tools, meaning the exploits, we need to attack others? The PDF of this report is 44 pages, and I placed a link to that PDF in the show notes for anyone who wishes to dig deeper. I'm certainly not going to go through all of that, but it's beautifully organized for the harried policy pusher. It makes all of its points quickly, then backs them up with data and specifics.
So I only need to share the beginning of this well organized, lengthy, in-depth and detailed report, since it contains a ton of very interesting insights and specifics that we've never covered on this podcast before, because we didn't have the results of these interviews which she has made. So the report begins by posing a question. As its thesis, she writes: If the United States wants to increasingly use offensive cyber operations internationally, does it have the supply chain and acquisition capabilities to back it up? Especially if its adversary is the People's Republic of China.

She writes: Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities like zero day vulnerabilities are a strategic resource. Since 2016, China has been turning the zero day marketplace in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies and to deny the United States from obtaining similar capabilities from the region. If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain. This report is the first to conduct a comparative study within the international offensive cyber supply chain, comparing the United States' fragmented, risk averse acquisition model with China's outsourced and funnel-like approach. Our key findings are, and we have some bullet points: First, zero day exploitation is becoming more difficult, opaque and expensive, leading to feast or famine contract cycles, and I'll get to explaining that in a minute. Middlemen with prior government connections further drive up costs and create inefficiency in the U.S. and Five Eyes market while eroding trust between buyers and sellers. China's domestic cyber pipeline dwarfs that of the United States.
China is also increasingly moving to recruit from the Middle East and East Asia. The United States relies on international talent for its zero day capabilities, and its domestic talent investment is sparse, focused on defense rather than offense. The U.S. acquisition process favors large prime contractors and prioritizes extremely high levels of accuracy, trust and stealth, which can create market inefficiencies and overly index on high cost, exquisite zero day exploit procurements. China's acquisition processes use decentralized contracting methods. The Chinese Communist Party outsources operations, shortens contract cycles, and prolongs the life of an exploit through additional resourcing and N-day usage. Meaning not just zero day. U.S. cybersecurity goals, coupled with big tech market dominance, are strategic counterweights to the U.S. offensive cyber capability program, demonstrating a strategic trade-off between economic prosperity and national security. China's offensive cyber industry is already heavily integrated with artificial intelligence institutions, and China's private sector has been proactively using AI for cyber operations. And finally, given the opaque international market for zero day exploits, the preference among government customers for full exploit chains leveraging multiple exploit primitives, and the increase in bug collisions, governments can almost never be sure they truly have a unique capability.

Okay, so it feels as though there may be an inherent conflict between the traditional way the U.S. military has conducted its business and the faster, more furious and significantly less certain way the zero day cyber marketplace functions.
It also sounds as though the U.S. may still be stuck in a "but we're the good guys" mindset, whereas China's management may evidence more of a "just get it done" style which more closely aligns with the realities of cyber. Winnona next lists three recommendations, writing: First, strengthen the supply chain by creating Department of Defense (DoD) vulnerability research accelerators, funding domestic hacking clubs and competitions, expanding the NSA's Centers of Academic Excellence in Cyber Operations, and providing legal protections to security researchers. Second, improve acquisition processes by establishing a government sponsored vulnerability broker in a federally funded research and development center to decentralize and simplify exploit purchases, while increasing cyber capability budgets and expanding research on automated exploit chain generation. And third, adjust policy frameworks to consider counterintelligence strategies in the zero day marketplace, burning capabilities of malicious actors while recruiting willing, responsible actors into a more formal pipeline, funding N-day research through U.S. Cyber Command where appropriate, and leveraging alliances to counter China's growing cyber dominance.

That all appears to amount to, you know, quote, "We need to be getting serious right now about zero day exploit acquisition. That's where all the action is and where it's going to be in the future, and we're going to be in trouble if we don't rearrange our operations and priorities right away." She concludes: Without meaningful reforms, the United States risks ceding China whatever strategic advantage it has left in cyberspace. By fostering a more deliberate offensive cyber supply chain and adjusting acquisition strategies, the U.S. can retain a steady supply of offensive cyber capabilities to maintain its edge in the digital battlefield. Okay, it's unclear to me where the assumption comes from that the U.S. currently has any edge at all in the digital battlefield.
We don't know what we don't know, but I wonder if this isn't just a bit of soft-pedaling so as not to ruffle too many higher-up feathers who are reading this policy piece. Her report then provides a pair of pull quotes to set the stage for a bit more background. The first quote is from Alexei Bulazel, incumbent Special Assistant to the President and National Security Council Senior Director for Cyber. Alexei says, quote: "America has incredible offensive cyber power. We need to stop being afraid to use it." I dearly hope that America has incredible offensive cyber power and that the only reason why we haven't seen more evidence of it is that we've been afraid to use it. That suggests that it might be available if and when needed. Jeremy Fleming, former GCHQ Director, is quoted saying: "Geopolitical conflicts are increasingly shifting to cyberspace, including tensions between the U.S. and China. Technology is therefore no longer just an area for opportunity, but also a battlefield for control, values and influence." Unquote.

Okay, so here's the background Winnona provides to preface her more detailed analysis that follows, which I'm not going to share, but the background has got some good stuff in it. She says: China and the United States are engaged in strategic competition in cyberspace. While cyber operations are often an overlooked area of geopolitical power, both countries' militaries, intelligence communities, and law enforcement agencies conduct cyber operations. They do so to obtain intelligence crucial to national security, assist conventional military operations, and even create kinetic effects to achieve strategic goals. To make a cyber operation possible, one must have the capacity to break into a particular system. I want to repeat that, because this is where the whole thing turns. To make a cyber operation possible, one must have the capacity to break into a particular system.
Offensive cyber capacities, and particularly zero day vulnerabilities, are the necessary strategic resources required to conduct such operations. In other words, that's it, that's what we need. That's the future: zero days. We need them. She writes: The United States clearly wishes to further leverage its cyber prowess in the international arena, particularly against the People's Republic of China. Doing so would help the United States protect its vital national security and economic interests, international partnerships and norms. However, to operationalize a cyber power strategy, the United States must acquire enough high-end capabilities to ensure it can achieve such strategic goals. Moreover, the timeline for implementing these policies is urgent, given the increasing potential for conflict with China in the coming years. Thus, given the international privatized offensive cyber capability marketplace. Let me say that again. Given the international privatized offensive cyber capability marketplace, how can the United States and its allies continue to ensure the availability of offensive cyber capabilities, she says, focusing on zero day vulnerabilities, while limiting China's access to those same capabilities? In other words, we want to buy them; we don't want them to be able to buy them.

Cyber operations consist, she writes, of a variety of offensive cyber capabilities. Many of the most crucial cyber capabilities involve the exploitation of zero day vulnerabilities, also known as zero days or 0-days. And I'm repeating, we all know this, but just to set the context: Zero day vulnerabilities are issues or weaknesses, bugs, in software or hardware, typically unknown to the vendor and for which no fix is available. In other words, the vendor has had zero days to fix the issue. Some of these vulnerabilities are exploitable. An actor with knowledge of the vulnerability could write code that takes advantage of said vulnerability.
This results in a zero day exploit, code enabling a range of behaviors that could include establishing access into the computer system the software is installed on, escalating privileges on those systems, or remotely issuing commands. You could tell this woman knows of what she speaks, and she was, after all, in Google's exploit world. The work of finding vulnerabilities and writing exploits, thanks to its strategic necessity to governments worldwide, has become, get this. The work of finding vulnerabilities and writing exploits, thanks to its strategic necessity to governments worldwide, has become a billion dollar international services industry in the last 20 years. During this podcast, a billion dollar international services industry has appeared selling exploits to governments.

She writes: Private firms now often create cutting edge offensive cyber capabilities for governments. Given the sensitivity around supporting government cyber operations, many of these firms do not openly advertise their services, shrouding the industry in secrecy. Between this secrecy and the variation in products offered, for example, governments target different technology systems and no two zero days are identical, the supply chain for such capabilities is not only opaque to outsiders, but also to governments and even among players in the industry. Within this highly fragmented and opaque market, large firms like the United States' L3Harris or ManTech frequently hold multimillion dollar valuations. Notably, Israel's NSO Group's worth reached $1 billion at its peak. Meanwhile, individual U.S. government agencies receive millions of dollars to procure offensive tools. Such companies' tools have clearly been purchased by such government agencies and put to use in modern day cyber operations. Notably, of all the zero day vulnerabilities found exploited in the wild in 2023 and 2024 by Google, around 50% of them were attributed to commercial vendors that sell capabilities to government customers.
Again, half of the zero days that Google found through 2023 and 2024 are directly attributable to commercial vendors selling them to government customers. She says: While this statistic only encompasses detected zero day exploits, this is still a significant set of capabilities being provided by private sector actors. Private companies selling to government customers. She says: The offensive cyber capability industry itself is international and ranges in professionalism depending on the region. Companies in Russia, Israel, Spain, Singapore and the United States all have varying relationships with their home governments, other firms including middlemen and brokers, international government customers, and even cyber criminal groups. However, the study of offensive cyber capabilities has largely over-indexed on firms based in Israel and Europe rather than the United States' greatest political rival, China. This is surprising, as the Chinese hacking and cybersecurity ecosystem is robust. Chinese companies have on multiple occasions been directly linked to Chinese government sponsored cyber operations against the United States. Moreover, the development of offensive cyber capabilities in the United States remains largely unstudied or examined in a way that does a disservice to the domestic hacker community.

In other words, she just said what I keep talking about on this podcast: what's going on here? We don't ever see anything, right? She asks: Why is this question important? At first glance, it can be difficult to see why the private sector zero day exploit market, a series of obscure companies selling code that can enable governments to break into widely used software, would be important in preserving national interests in cyberspace, particularly against China. A simple explanation of this relationship is as follows. The United States and its allies rely on an increasingly digital world, and China is both a savvy adversary and a hardened target in cyberspace.
When any country's intelligence community wishes to infiltrate high value, hard to access digital targets, it likely must use zero day exploits or other bespoke, in other words custom made or tailored, offensive cyber capabilities. Intelligence organizations from both the United States and China, due to decreasing internal supply and rising demand for such capabilities, have increasingly relied on acquiring such exploits from the private sector zero day exploit market. However, the private sector zero day market is murky and more international than policymakers expect. Even if the United States and China are truly entering a new cold war, both countries still source these capabilities from an overwhelmingly opaque and international market of offensive cyber capability firms, and do not know if they are being supplied with potentially overlapping capabilities. In short, any cyber operation that relies on an acquired capability, conducted by the United States, China, or anyone else, carries a counterintelligence and operational security risk, with no guarantee that they can source a similar capability in the future. Thus, securing the cyber supply chain, which means understanding the industry, constraining malicious actors, and ensuring availability from trusted parties, is important to address such risks.

While former President Joe Biden's administration sought to constrain private sector actors with additional regulations and placing bad actors on the enemies list, these policies were framed around human rights concerns, largely out of Europe and Israel. President Donald Trump's administration is moving away from this approach, focusing on China as a geostrategic threat over transnational digital repression framings, as well as signaling willingness to engage with private sector actors in the space. The Trump administration as of 2025 has accelerated plans for a U.S.
Cyber Command 2.0, focusing on working better with private industry partners. This is a continuation of the first Trump administration's policies. Trump was the first president to delegate the authority for offensive cyber operations down to the Secretary of Defense, allowing U.S. CYBERCOM more leeway to conduct operations without presidential approval, albeit still with a robust interagency review process. And finally: If the United States wishes to further leverage its cyber prowess in the international arena by leveraging private sector partners, does it have the supply chain and acquisition capabilities to back it up, especially if its adversary is the People's Republic of China? Although the author does not condone general analogies between cyber and other domains, supply chain and acquisition analysis in the cyber domain can be similar to nuclear or other arms proliferation. For example, to answer whether a country has the capability to construct a nuclear weapon, one must understand how much enriched uranium the country can easily acquire. Similarly, she writes, to answer whether a country can become a cyber power that can access the hardest of digital targets, one must ask how easily it can source and acquire zero days and other offensive cyber capabilities.

So Winnona made a lot of assertions in what I just read. In nearly every case those assertions were followed by a reference in her text to their source. So none of this was just her opinion, regardless of how well informed it may be. So we have a somewhat bizarre new world where governments need to purchase newly discovered zero day vulnerabilities from anywhere they can be purchased, and where the "anywhere they can be purchased" is an entirely ad hoc mishmash of entities, from someone in their mother's basement to an international weapons dealer or a public government contractor.
If we were to extend Winnona's uranium acquisition analogy a bit, this would be analogous to tens of thousands of individuals, each with their own little backyard uranium enrichment operation, who then sell what they've created to the highest bidder or to someone they trust. She offered some interesting numbers to give us a sense of the scale of what's going on today. She wrote: Live hacking competitions, where hackers hack into systems live on stage, and bug bounty programs, usually company run reward programs that encourage hackers to find and report system vulnerabilities, enable hackers to develop similar skill sets as those required for government sponsored hacking. These programs and competitions are both common recruiting pipelines for defensive cybersecurity companies and offensive vendors alike. Common recruiting pipelines, she said. The number of individuals that participate in such programs globally is staggering. In 2020, HackerOne, a well respected bug bounty program, reported around 600,000 contributors spanning 170 countries. A 2024 survey of Bugcrowd, one of the largest bug bounty and vulnerability disclosure companies on the Internet, revealed most of Bugcrowd's over 200,000 hackers hailed from India, Egypt, Nigeria, Pakistan, Nepal, Vietnam, Australia and the United States. 78% of them are self-taught. 78% are self-taught. And 58% of them were under 25 years old. While not all of these individuals possess the skills to find zero day vulnerabilities and write code to exploit them, multiple security experts interviewed estimated that there are likely thousands of international individuals able to do so, with numbers in the low hundreds that could be trained to do so well.

Okay, so we have an informal community of hackers who are potentially able to make a bunch of money, but as the saying goes, don't quit your day job. Winnona provides some interesting background to that, writing:
While selling offensive cyber capabilities, and particularly zero day vulnerabilities, to governments is a lucrative profession, it's a risky industry. Creating a zero day exploit to leverage against a widely used technology product may require between six and 18 months of full time engineering and research work. Unless an offensive cyber capability firm has multiple engineers working on different products or uses different payment schemes, meaning salaries, this timeline can lead to long down times between exploit sales. And this is what she means when she says this feast or famine payout schedule carries risks for companies that rely on one or two windfalls a year to pay their overhead and engineering costs. In addition, finding a customer to sell exploits to is more difficult than it first seems. In general, potential sellers must find an existing government contract through which to sell their exploits or know the right government individual to speak with. Unless an offensive cyber capability firm has hired employees who've recently left a government interested in such capabilities, actual buyers may be extremely hard to find. Thus, international hackers without former government connections normally sell their products to middlemen, many of whom operate internationally, like Zerodium. Right. We've talked about Zerodium a lot in the past. This is exactly that. Even then, the exploit may go through multiple levels of middlemen to get to a government customer. This frustrates both buyers and sellers. Buyers know that exploits sold to them have extremely high markups, given the number of middlemen involved, and often will not know who the original bug producers are. Meanwhile, the sellers are likely aware of the extreme markups, but they don't know whether their bugs were sold to multiple governments.
So she quotes a former official with the Office of the National Cyber Director saying: An individual researcher who is not informed on what bugs are selling for may sell a good bug for $100,000. By the time it makes it to a customer, an individual bug could go for $750,000 to $1 million. And a senior, this was the National Cyber Director saying this, and a senior DoD official working on offensive cybersecurity research programs, who thus knows exactly what he's talking about, says, quote, "The system by which zero day vulnerabilities are acquired is horrendously inefficient and broken."

Okay, so we learn that there is a system of middlemen who are not contributing anything meaningful beyond their connections and contacts within government. And they almost certainly owe their loyalty only to the dollar, not to any nation. Nothing prevents them from double dipping. We know that money motivates. So if a program existed to cut out the middlemen, to protect hackers legally, and to allow governments to purchase those vulnerabilities directly, hackers could be making 10 times the money and have 10 times the motivation. They would also have the assurance that their work would only go to help the country they wish to help, and not their country's enemies. The problem is that there's a well deserved, prevalent mistrust of government within the hacking community. Winnona reminds us of a bit of this past, writing: Undermining all these efforts is the anti-government sentiment that remains strong within the U.S. cybersecurity and hacking community, which likely contributes to difficulty in maintaining an offensive talent pipeline. Much of the original U.S. hacking community emerged from countercultural activities like phone phreaking, she says in parens, i.e. bypassing PacBell telephone lines to make long distance phone calls without paying.
She said: Law enforcement responses from the 1960s to the early 2000s treated many hackers as criminals rather than as innovators. In 1990, the Secret Service's Operation Sundevil seized more than 40 computers and 23,000 data disks from teenagers in 14 American cities and charged individuals who managed the hacker magazine Phrack with interstate transport of stolen property. The charge was based on information published by Phrack that later proved to have already been widely publicly available. The arrests and subsequent court cases resulted in the creation of the Electronic Frontier Foundation. While the U.S. government has made significant strides toward repairing their relationship with domestic hackers in recent years, anti-government sentiment still persists. And of course, Leo, we all remember our friend being arrested and handcuffed at McCarran in Las Vegas as he was leaving, you know, trying to go back to England.