Earlier this year, shortly after the Sony attack, Financial Sense Newshour spoke with Shane Harris to discuss the world of hacking, cyberwarfare, and the rapidly growing market for cybersecurity as detailed in his new book, @War: The Rise of the Military-Internet Complex. Not only was the interview very well received by our audience but it was also quite timely—in a matter of weeks two more hacks were reported against major corporations.
Given this very important long-term trend, we want to share a few fascinating excerpts as Shane explains the reason for the military-internet complex as it exists today, how the NSA is sitting on the equivalent of a nuclear arsenal of cyberweapons, and the risk of all-out cyberwar. Keep in mind, this just scratched the surface of his book and what we discussed!
(Subscribers can access the full audio broadcast by clicking here. If you are not a subscriber and would like to become one, please click here.)
What is the military-internet complex and why is it such a large part of our world today?
"The military internet complex is an alliance between two very powerful forces: one in government and one in the private sector...This alliance really has formed largely for the purpose of operating in cyberspace both to defend it against hackers, against foreign spies, and foreign governments, but also to operate in cyberspace, which the military now refers to as the "fifth domain" of warfare after air, land, sea, and outer space. And the reason there is an alliance in the first place is because most of the networks in this country—roughly 85% of them—are privately owned. And so in order to defend against those networks, but also to operate in cyberspace, the military and the intelligence community has to partner up with industry and specifically with those companies that basically run and control the internet."
You write that the NSA has the equivalent of a nuclear arsenal and that it's just waiting to use it if necessary. What is it holding exactly?
"What the NSA looks for in particular are something called zero day exploits. What this is is it's a computer exploit—a software code—that takes advantage of a vulnerability, flaw, or hole in a piece of software or a computer operating system that has never been discovered before and only known to the person that has discovered the exploit. It's kind of a secret way into a computer that has been left undefended. And the agency goes out looking for this information because those exploits are how you hack into a system secretly and take over that system. It's how you get inside without being noticed. These are the building blocks of cyberweapons. And what the agency has been doing for a number of years now is through its own research and also contractors that it pays to go find these flaws in technology, amassing and stockpiling these exploits so that when it does need to go out and break into a computer system it has a ready supply of these zero day exploits ready to go. And this is kind of the equivalent of an arsenal. If you're building cyberweapons...things that are designed to get into computer systems and cause damage or erase data or possibly destroy or disrupt equipment connected to these computers, you need these exploits to be able to do that effectively. And NSA we know is the single largest acquirer in this country of those exploits. On the one hand, that makes a lot of sense since if you are the agency as the NSA that is tasked with going out and breaking into your adversary's networks. On the other hand, the NSA also has a defensive mission: trying to keep the bad guys out of our networks. And those bad guys are also looking for these zero day exploits. So there's a question now that's a really important one that's being debated in Washington about whether the NSA rather than hoarding these exploits should actually be disclosing them to the companies whose technology is at risk and saying, 'Hey, we have found these holes in your system. Patch it. Even though that will prevent us from ever getting inside your system that's in use in another country, it's more important to do that to defend the computer systems in our country that are using that technology.'"
Could we see an all-out cyberwar and what would be a common example that could lead to this?
"Well, if you're talking about this tit-for-tat retaliation, the possibility exists of a private cyberwar breaking out. I write in the book actually the risk that a bank might one day decide to take matters in its own hands and hack back against the Iranians who have been harassing U.S. banking websites in years past. There's actually a report in Bloomberg recently that suggested that may have happened—that a bank may have hired or allowed others on its behalf to hack back against the Iranians. You run the risk of escalation if that happens; the same way that you would with two countries going at it in cyberspace, except in this case it would be private actor who's not really accountable through the government and I think that could arguably make matters worse."
It seems there is a lot of money being poured into cybersecurity nowadays. Do you think this is going to continue?
"Yeah, I definitely do. Just in the defense department budget, spending on cybersecurity/cyberdefense/cyberoffense is the only part of the budget that's really growing. And in the private sector too we're seeing a tremendous growth of new companies and start-ups focused on cybersecurity—big companies acquiring smaller ones. I mean some of the most successful IPOs in the past few years have been cybersecurity firms and there's a demand for this. The Sony attack points out the degree to which even large global companies are at risk and when those companies get hacked they go hire private firms to make sure they don't get hacked again so that's what's really driving the market is that the threat really is that big and the consequences to companies' bottom line is significant if they don't do something about it. So I don't see spending on this abating any time soon because the threat is not abating..."