The New Guard: Blurring Roles between the United States Cybersecurity Apparatus and the Technology Industry Veekas Shrivastava Arizona State University Introduction
In 2015, President Obama declared that the “increasing prevalence and severity of malicious cyber-enabled" attacks “constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States” (U.S.-China Economic Security Review Commission, 2015). Economic cyber espionage has cost US interests $400 billion dollars, more than one percent of GDP (Welgan, 2017). As a result, even as the Trump Administration and Republican US Congress have proposed budget cuts, agencies with the responsibilities and capabilities to conduct cyber security operations are expected to be granted increased line items (Konkel, 2017). The federal government is already the biggest national cyber security market, but that market is still expected to grow rapidly and consistently for at least the next few years (Morgan, 2016). There have been many technology entrants to the market to take advantage of this opportunity, such as Palantir, FireEye, and Crowdstrike. This phenomenon is creating immense competition and upheaval among traditional players in the national defense industry. Companies like Boeing have sold most of its cyber security staff and technology licenses (Censer, 2015). Raytheon, Lockheed Martin, and General Dynamics have also restructured or spun out their cyber units (Morgan, 2016). Even the National Security Agency (NSA) has struggled to compete in talent retention against these start-ups (Moore, 2015). Meanwhile, newer companies like FireEye, founded in 2004, are rapidly growing (FireEye Fastest Growing Cyber Security Company, 2015). This paper will explore the proliferation of cyber warfare and the resulting rise of cybersecurity companies in the United States. It will further explore the roles these companies have shouldered in the national security apparatus such as serving as force multipliers for offensive measures, discovering and addressing vulnerabilities, attributing actions to foreign countries, and defending private networks from state actors.
Cyber Warfare: “A New Kind of War”
Cyber-attacks have been described as “a new kind of war” (U.S.-China Economic Security Review Commission, 2015), and the US government is partnering with private industry to fight it. China, for example, has conducted cyber warfare in an asymmetrical and sustained fashion for decades. They are the most “active and persistent” perpetrators of spying on industry, media, government, and the military (Gorman, et al, 2016; Shanker, 2011; U.S.-China Economic Security Review Commission, 2015). One private cybersecurity company, Mandiant, reported in 2013 that they found that just one of the dozens of bureaus within the People’s Liberation Army (PLA) had conducted hacks of at least 115 US-based organizations representing 20 major industries (U.S.-China Economic Security Review Commission, 2015). Many of these hacks have been on strategic industrial interests due to President Xi Jinping’s stated interest in localization and indigenous innovation as factors in national security (Rodin, 2015). For example, the Chinese have infiltrated US solar, steel, health care companies (U.S.-China Economic Security Review Commission, 2015), and oil and gas (Gold, 2013; Rodin, 2015). Even though the US and China signed an agreement to cease knowingly supporting cyber-attacks that resulted in the theft of intellectual property or confidential information (Eichensehr, 2017), two years later China is still regarded as the biggest IP offender in the world (Update to the IP Commission Report, 2017). It should be noted, though, that the United States has been a significant player in offensive attacks as well, although Western thought leaders downplay the US’s role (Rodin, 2015). The federal government has ceded the responsibility of dealing with tracking and defending against many of these attacks to the private sector (Eichensehr, 2017). This has led to the explosion in the number of private cyber security companies in the United States and their influence. FireEye is the fastest-growing cyber security company in the world (FireEye Fastest Growing Cyber Security Company, 2015). Palantir, a young company founded by controversial Paypal co-founder and Trump advisor (Ahari, et al, 2017), has also benefitted. Seed funded by the CIA (Alexander, 2016), Palantir conducts counterterrorism tracking, predictive policing, and other security services for the military and intelligence and law enforcement agencies (McGruddy, 2013). Companies like these two have served to reshape the cyber security industry over the last decade.
Four Major Roles of Private Cybersecurity Firms
“Neither government nor the private sector can defend the nation alone. It’s going to have to be a shared mission—government and industry working hand in hand, as partners.” —Barack Obama (Eichensehr, 2017)
It is important to recognize that the growth of private cyber security firms differs from traditional privatization that typically involved formal processes to contract out government functions. In this sector, the privatization occurs informally by acting in areas in which the government has been unwilling or unable to act (Eichensehr, 2017). There are four key themes to the evolving role that cyber security companies have developed in less than a decade:
- Acting as force multipliers for offensive measures,
- Discovering and addressing network vulnerabilities,
- Attribution of cyber warfare to foreign countries, and
- Defending private networks from state actors.
First, the private sector and national security agencies have worked together as force multipliers to dismantle robot networks (“botnets”) that control computers remotely and covertly generally to steal information, spam victims, or perpetrate denial-of-service (DDoS) attacks against websites. This trend began in February 2010 when Microsoft was granted an unprecedented court order to take down the Waledac botnet that distributed spam through Microsoft’s Windows operating system and Hotmail email products. In 2011, the US government conducted a “botnet takedown” of its own against Coreflood, a botnet that stole usernames and passwords to gain access to user bank accounts. Since those initial actions, collaboration has grown. For example, the FBI and Europol along with Microsoft, Dell SecureWorks, Crowdstrike, and The Shadowserver Foundation attacked the ZeroAccess botnet in 2013. Both government and private partners released public statements celebrating the partnership (Eichensehr, 2017). Cyber security firms have taken the responsibility to protect private networks from foreign actors, even when those networks are critical to US national security, such as energy and infrastructure. About three-quarters of federal resources are controlled by private interests, but contractors have presented bad actors with opportunities to infiltrate US systems (U.S.-China Economic Security Review Commission, 2016). The process of privatization of network security in this regard has been informal and was unknown to many in the commercial sector until 2010. After Google was hacked in 2010, their representatives called the NSA frustrated that they did not protect Google’s networks. The NSA responded with incredulity to the assertion that they should have any involvement in the protection of one of the US’s largest databases of private information on Americans. Since then, the government has explicitly stated their hands-off policy. Former National Security Council director Robert Knake has deemed it the “Home Depot model: You can do it; we can help!” (Eichensehr, 2017) Another responsibility filled by the private sector due to government inaction has been the investigation and response to vulnerabilities in security systems, most of which as “zero-day” vulnerabilities that are unknown to software creators and therefore have not created a patch to address. Federal agencies have been known to buy these exploits in the black and gray market. While the National Security Agency (NSA) discovers many of these bugs themselves, but most security experts to assert that the NSA is also the “single largest procurer of zero-day exploits. Large defense contractors such as Raytheon and Harris Corporation have served as intermediaries between the government and the hackers selling the products These hackers make a business out of discovering vulnerabilities and crafting exploits to attack them without any outside knowledge. Many of these hackers have organized into boutique firms operated by retired military or intelligence officials. This growing industry is very lucrative for the hackers involved. Depending on the complexity and recency of the exploit, average prices for zero-day vulnerabilities can be as high as $300,000. Weaponized exploits earn a premium in addition to that. Some of the most lucrative transactions have involved Apple Corporation. In 2015 hackers were paid a million dollars to create an exploit to Apple iPhones and the iOS operating system. A few months later, the US government paid even more for a method to access the contents of the San Bernardino shooting perpetrators’ iPhone. Silicon Valley companies, in particular, have legitimized these marketplaces by creating “bug bounty” programs to reward hackers for disclosing vulnerabilities in commercial and government networks to their owners, but these companies typically have trouble competing with the black markets that can sometimes pay up to 100 times the price. Google paid out more than two million dollars in 2015, for example. In 2016, the Department of Defense collaborated with one of these cyber security start-ups, HackerOne, to create “Hack the Pentagon”. The DoD paid a cumulative $150,000 for the event and around one hundred vulnerabilities the hackers there discovered. (Eichensehr, 2017) HackerOne provided the platform and organization to conduct this program. Also in 2016, the DoD has partnered with another Silicon Valley start-up, Synack, to manage similar projects. Similar programs are being created in other agencies such as the US Army (Harper, 2017). Lastly, another symbiotic relationship that has been formed between the government and the private sector is related to the attribution of espionage and cyber-attacks to foreign governments and state-sponsored hackers. The government must be careful not to accuse foreign governments of cyber-attacks for fear of escalation, releasing classified information, or otherwise deteriorating relations, so they allow private companies to make the announcement and earn the resulting marketing and business boost. In 2013, a cyber security firm Mandiant earned became viral after discovering a group dubbed Advanced Persistent Threat 1 (APT1) that had compromised over 140 companies since 2006. They attributed the attacks to a building in Shanghai that was a location used by the Chinese People’s Liberation Army (PLA) (Eichensehr, 2017). One of the clearest examples of this abdication of government responsibility to private companies is described by the Office of Personnel Management hack in 2015, a breach of 21.5 million records of federal workers including fingerprints, background investigations, performance reviews, and other records. (U.S.-China Economic Security Review Commission, 2016; U.S.-China Economic Security Review Commission, 2015) Even while the government refused to directly disclose the perpetrators of the attack, they provided “technical information” to private firm Crowdstrike. Crowdstrike then alleged that the hackers had connections with the Chinese government (Eichensehr, 2017). Another well-publicized example is the 2014 report by ThreatConnect that linked high-profile hacks with individuals in the Chinese People’s Liberation Army (PLA). The US Department of Justice (DoJ) indicted five of these hackers for IP theft (U.S.-China Economic Security Review Commission, 2016; Rollins, 2015). Palantir sells digital products that secure and share information that is being used by the “Five Eyes”, Australia, Canada, Britain, New Zealand, and the United States (McGruddy, 2013). In other cases, the government is not even involved in these counterespionage efforts. In 2014 a coalition of private cyber security firms including Novetta, Microsoft, iSight Partners, FireEye, and Cisco released a report on a group called Axiom that attributed six years of spying on governments, companies, and media to Chinese intelligence agencies (Eichensehr, 2017). The government has celebrated these actions. In 2015, former Secretary of Defense Ash Carter expressed appreciation to FireEye, Crowdstrike, HP, and similar private companies for their work. When the Obama Administration was criticized for their agreement with China to refrain from corporate cyber espionage due to a lack of ability to monitor and enforce the agreement, private companies volunteered that they would provide assistance to verify compliance (Eichensehr, 2017). The incentives for the growth of informal public-private partnerships are strong for both the government and private companies. The government is interested in on-demand force multipliers and the ability to have plausible deniability in both asymmetric attacks and defense. Even in areas in which they would prefer to have internal agents, the government is struggling to retain employees given constraints on compensation. The NSA has lost many elite hackers to private sector companies that can double their pay (Moore, 2015). Even in operations that do not involve private firms, the NSA is incentivized to stay in communication with private companies to reduce the risk of accidental interference with government actions. Private companies are incentivized to work with the government to avoid public embarrassment and loss of trust if knowledge of bugs, email leaks, and other sensitive information became known. Security companies also financially significantly from the marketing caused by being involved in high-profile takedowns and foreign attributions. This explains why the market for commercial cyber security services is growing. Fortune 500 companies have all created cyber security departments in the last few years, and the role of Chief Security Officer has been growing in prominence in these companies. (Welgan, 2017) Recent US government policies have also begun to regulate the data integrity processes for federal contractors, although many of these contractors have criticized the new regulations as onerous and costly. Cyber security firms will benefit from those complexities (White House issues draft guidance, 2015; Cassidy & Vohra, 2016; Stanton & Cassidy, 2017; Gnau, 2017).
Challenges
The rise in private cyber security companies has had other national security benefits if viewed from a constructionist perspective. For example, private companies have developed tools and devoted resources to address human trafficking, climate change, and other social ills (Alexander, 2016; Musto & Boyd, 2016). But while there is evidence that the rise in private cyber security firms has benefitted safety in the United States, there are countervailing opinions and challenges as well.
The black market for zero-day vulnerabilities may provide the government invaluable tools for espionage and cyber warfare, but they also create security risks if non-state actors or foreign governments use the same methods to attack US resources and infrastructure. Although companies like FireEye have expressed publicly that they will not publicize hacking campaigns by the US government, other cyber security firms have appeared across the world. For example, Qihoo 360 is a similar company that was been founded in China in response to US firms (Eichensehr, 2017). The FBI has refused to disclose the method that they purchased in 2015 to access the San Bernardino shooters’ iPhone, nor are they willing to disclose basic information to a formal government review process, citing that they did not purchase the technical details of the vulnerability (Eichensehr, 2017). This is not an isolated case, as evidenced by the Snowden leaks about NSA programs that create and exploit secret back doors (Musto & Boyd, 2016). As evidenced by the conflict in Syria, the “most well-documented war in history,” the wealth of open source and communications intelligence data does not necessarily help alleviate conflict (Powers, 2015). Private companies have obtained judicial orders allowing them to take over networks, investigate transnational crime, and defend major infrastructure against malware. Meanwhile, the federal security apparatus has at times acted as a consumer of cyber intelligence rather than a producer by buying and exploiting zero-day vulnerabilities on the black or gray markets and ceding responsibility for international action to the private sector. There may be implications related to the creation of international partnerships between cyber security firms that conduct counterespionage operations with limited government involvement like the Operation SMN coalition or Palantir’s security suite for the Five Eyes. Another challenge is the reporting process for private companies. Currently, subcontractors have to report cyber incidents to prime contractors, and although major players defend this process, there are concerns about the impacts of this bureaucracy to rapid response (Federal contractors irked by OMB cyber security guidance, 2015). This contributes to a six-month average response time between malware infection and its discovery (Koerner, 2016).
Conclusion
In this paper, we discussed the rise of cyber warfare tactics, particularly as they relate to the two largest state cyber espionage participants, China and the United States. The rapid growth in cyber-attacks in the 21st century led to a rapid expansion of the private cyber security industry and the growing integration of those companies into the national security apparatus. These companies have quickly adopted many roles previously seen as the government’s responsibility, including as serving as force multipliers for offensive measures, discovering and addressing vulnerabilities, attributing actions to foreign countries, and defending private networks from state actors. It is generally regarded that these developments are filling a void left by the federal government, but it is undetermined whether the process is serving to escalate tensions internationally. It is also concerning that the rise of private security companies is giving the federal government opportunities to obscure information and skirt transparency norms, as these private firms have no democratic accountability. Regardless, the blurring of roles between the private and public security apparatus has proved to be consequential for national security in the United States.
References
Ahari, Z. C., Price, N., Ryan, H., Fulton, B. S., Siemion, R., Kate, B. & Hartig, L. (2017, June 15). Disrupting the White House: Peter Thiel’s Influence is Shaping the National Security Council. Retrieved August 10, 2017, from https://www.justsecurity.org/37466/disrupting-white-house-peter-thiels-influence-shaping-national-security-council/ Alexander C. (Alex) Karp - Co-Founder and CEO, Palantir Technologies, Inc. (2016). Boardroom Insiders Profiles, N/a. Cassidy, S., & Vohra, A. (2016, December 29). Cybersecurity for Government Contractors 2017. Retrieved August 10, 2017, from https://www.insidegovernmentcontracts.com/2016/12/cybersecurity-changes-expected-contractors-2017/ Censer, M. (2015, January 14). Defense Contractors Refining, Narrowing Approach To Cybersecurity Market. InsideDefense.com's SitRep, p. N/a. Eichensehr, K. (2017). Public-Private Cybersecurity. Texas Law Review, 95(3), 467-538. Gold, S. (2013). Cybersecurity For Pipeline, Gas Companies. Pipeline & Gas Journal, 240(7), 42-44. Federal contractors irked by OMB cybersecurity guidance for acquisition process. (2015, September 15). Inside Cybersecurity, p. 15. "FireEye Fastest Growing Cyber Security Company in North America on Deloitte's 2015 Technology Fast 500(TM)." Yahoo! Finance. Yahoo!, 19 Nov. 2015. Web. 10 Aug. 2017.
Gnau, T. (2017, May 23). Federal Cybersecurity Directive Looms Over Contractors. Retrieved August 10, 2017, from http://www.govtech.com/policy/Federal-Cybersecurity-Directive-Looms-Over-Contractors.html Gorman, S., Devlin, B., & Yadron, D. (2013, February 01). China Hackers Hit U.S. Media --- Wall Street Journal, New York Times Are Breached in Campaign That Stretches Back Several Years. Wall Street Journal, p. B.1. Harper, J. (2017). Silicon Valley Could Upend Cybersecurity Paradigm. National Defense, 101(759), 32-34. Koerner, Brendan I. "Inside the Cyberattack That Shocked the US Government." Wired. Conde Nast, 23 Oct. 2016. Web. 11 Aug. 2017. Konkel, F. (2017, April 26). Government's Biggest Cyber Problem Will Be Contractors' Big Opportunity, Report Says. Retrieved August 10, 2017, from http://www.nextgov.com/cybersecurity/2017/04/government-biggest-cyber-problem-will-be-contractors-big-opportunity-report-says/137342 McGruddy, J. (2013). Multilateral Intelligence Collaboration and International Oversight. Journal of Strategic Security, 6(5), 214-220. Moore, J. (2015, April 14). In Fierce Battle for Cyber Talent, Even NSA Struggles to Keep Elites on Staff. Retrieved August 10, 2017, from http://www.nextgov.com/cybersecurity/2015/04/fierce-battle-cyber-talent-even-nsa-struggles-keep-elites-staff/110158/ Morgan, S. (2016, January 28). Top five U.S. defense contractors bungle commercial cybersecurity market opportunity. Retrieved August 10, 2017, from http://www.csoonline.com/article/3027383/security/top-five-u-s-defense-contractors-bungle-commercial-cybersecurity-market-opportunity.html Powers, S., & O’Loughlin, B. (2015). The Syrian data glut: Rethinking the role of information in conflict. Media, War & Conflict, 8(2), 172-180. Rodin, D. (2015). THE CYBERSECURITY PARTNERSHIP: A PROPOSAL FOR CYBERTHREAT INFORMATION SHARING BETWEEN CONTRACTORS AND THE FEDERAL GOVERNMENT. Public Contract Law Journal, 44(3), 505-528. Rollins, J., & Library of Congress. Congressional Research Service, issuing body. (2015). U.S.-China cyber agreement (CRS insights ; IN10376). Shanker, T. (2011, November 04). In Blunt Report to Congress, U.S. Accuses China and Russia of Internet Spying. New York Times (1923-Current File), p. A4. Stanton, P., & Cassidy, S. (2017, February 10). DoD Further Clarifies Its DFARS Cybersecurity Requirements. Retrieved August 10, 2017, from https://www.insidegovernmentcontracts.com/2017/02/dod-clarifies-dfars-cybersecurity-requirements/ Update to the IP Commission Report: The Theft of American Intellectual Property: Reassessments and the Challenge of United States Policy 2017. (2017). Retrieved August 10, 2017, from http://ipcommission.org/report/IP_Commission_Report_Update_2017.pdf U.S.-China Economic Security Review Commission, & U.S.-China Security Review Commission. (2015). Commercial Cyber Espionage and Barriers to Digital Trade in China. Bethesda, Md.: ProQuest. U.S.-China Economic Security Review Commission, & U.S.-China Security Review Commission. (2016). China's Intelligence Services and Espionage Operations. Welgan, J. (2017, June 6). Why Corporate Leaders Should Read China's Five Year Plan. Retrieved August 10, 2017, from http://blog.cybervista.net/corporate-leaders-should-read-chinas-five-year-plan-part-2 White House issues draft guidance on cybersecurity for federal contractors. (2015, August 11). Inside Cybersecurity, p. Inside Cybersecurity, Aug 11, 2015.