Cyberwar threatens to cause havoc worldwide, but it could be good for the U.S. economy and a handful of publicly listed companies. Defense Secretary Ashton Carter, as part of a $582.7 billion budget request to fund his department through 2017, recently said nearly $7 billion of that will be allocated toward improving the military’s ability to develop and deploy offensive cyberweapons. That's great news for a number of private contractors, who stand to benefit from the spending, and the highly skilled individuals they may end up hiring.
Last week, Carter publicly acknowledged that the U.S. is launching offensive cyberattacks as part of an active war against the Islamic State terrorist group. It was the first time an official of such standing has confirmed the U.S. is actually developing and using the type of digital weapons the international community has long known the American military and American industry are capable of producing.
The admission, combined with the $6.7 billion Carter requested for developing more offensive tools and training American cybersoldiers, is another clear indication that the battlefield is moving online.
“Among other things, this will further DOD's network defense, which is critical; build more training ranges for our cyberwarriors, and also develop cybertools and infrastructure needed to provide offensive cyberweapons,” Carter said in a speech on Feb. 2, seven days before President Barack Obama submitted the 2017 budget proposal.
The $6.7 billion is an increase over the $5.5 billion designated for "cyberspace operations" in the 2016 fiscal budget, though it was not immediately clear if that phrase refers to offensive cyberattacks. The Defense Department did not return multiple requests for comment on this story.
The budget proposal now moves to congressional subcommittees, where both parties have generally agreed on cybersecurity issues, though a number of prominent Republicans have suggested the 2017 defense budget should be larger.
Defense officials have avoided saying exactly how they have attacked ISIS digitally other than to admit they plan to overload cell, internet and radio networks in an attempt to sabotage planning and coordination efforts.
The Pentagon's plan comes as China, Russia, Iran and non-state hackers have carried out increasingly aggressive activities against the U.S., including ongoing attacks against numerous high-level email systems, and infiltrating a dam in upstate New York. Carter’s acknowledgement that U.S. attacks are taking place in the theater of war, rather than in a destructive espionage operation like 2010’s Stuxnet attack against Iran's nuclear program, shows that cyberwar has gone from science fiction to science fact.
“We're not showing off a capability that no one knows we have, but we're claiming it,” said P.W. Singer, strategist at the New America Foundation and author of a number of cybersecurity books. “Going back to even the Kosovo war [in 1999], we've had the capability to wipe foreign leaders' bank accounts, or override radar operating systems to hide our planes that are actually dropping bombs.”
Singer suggested that U.S. soldiers could digitally impersonate an ISIS commander and direct fighters to an area where they can easily be killed in a drone strike. Or, he said, U.S. operators could manipulate one of the online terrorist instruction manuals that show how to build an explosive to make the device more likely to kill the bomb builder.
It’s almost certain that, as the need for cyberweapons increases, the military will seek more support from the private sector. U.S. military and intelligence agencies are known to purchase zero-day exploits (security vulnerabilities known only to the attacker) for tens of thousands, or hundreds of thousands, of dollars depending on the type of software needed. A community of small companies — including Hacking Team and the French company VUPEN — and individual sellers have sought to fill this demand.
The Stuxnet attack, for instance, exploited four zero-day flaws in the Microsoft Windows operating system and Siemens industrial control software to target and destroy Iranian nuclear centrifuges. The operation has been attributed to the U.S. National Security Agency and the Israeli military without any suspected involvement from private American contractors.
A zero-day on an iPhone or iPad will sell for $500,000, according to a list of standard prices published last year by the startup Zerodium. Attacks that exploit holes in Safari or Internet Explorer, giving hackers remote access to a victim’s computer, run for roughly $50,000. Hacks affecting popular web software like WordPress or Drupal are the most affordable at $5,000.
Major defense contractors including Lockheed Martin, Booz Allen Hamilton, Raytheon, Harris Corporation and Northrop Grumman have also reportedly explored exploit sales to varying degrees.
“It's plausible that if I want to carry out an operation on ISIS I would turn to Lockheed or someone to develop a tool, give it to me, and then press the button," said Martin Libicki, a former consultant to the FBI and national security researcher at RAND. "The laws of war dictate that the person who starts the process and ultimately pushes the button needs to be a lawful combatant, but the person who develops the tool doesn't.”
Representatives for Lockheed, Raytheon, Harris and Northrop did not respond to multiple requests for comment. Booz Allen declined to offer comment on this story.
“What we see today is a very active economy for zero-days, and if you can operate behind the scenes, that offers some tactical advantages,” said Chris Doggett, senior vice president at the data protection company Carbonite and former managing director at Kaspersky, where he advised members of U.S. Congress on zero-day threat intelligence. Doggett added that there is no definitive international law regulating zero-day sales, creating a sense of unease among companies that could become the targets of an investigation, or cyberattack.
“If I’m a contractor and I’m helping the U.S. government develop a weapon that will be used against Russia, or China, or North Korea and that information gets out, guess who's one of the first organizations they’re going retaliate against? Me, and there’s virtually no way to stop them," Doggett said.
Job listings on various companies’ websites make it that clear contractors are increasingly focused on targeting networks. One listing, posted on Booz Allen Hamilton’s employment page on Feb. 16, seeks a mid-level digital network exploitation analyst capable of collecting metadata who can “implement strategies to exploit specific target networks, computer systems and specific hardware and software.”
Another Booz Allen listing makes it clear the company is hoping to hire a research and operations specialist with at least 10 years of experience who is able to “adapt Android’s Software Developers Kit to fully exploit mobile applications, particularly those with embedded geolocation data.” Experience reading the Chinese language is a plus, the ad states.
The number of soldiers pressing those buttons is poised to double, as well. Part of the Pentagon budget request allocates $25 million to the Air Force for disrupting foreign networks. That's nearly twice the $12.9 million allowed in the 2016 budget meant for the same purpose. While the Air Force has kept quiet on exactly what that money will be used for, experts say it's meant to train and prepare recruits, and ultimately transition the best of them to U.S. Cyber Command, or CYBERCOM.
Like the NSA, CYBERCOM is based in Fort Meade, Maryland, and is headed by Adm. Michael Rogers. While the NSA is primarily an intelligence agency, CYBERCOM is the armed services unit responsible for protecting Defense Department networks and carrying out cyberwarfare operations on DoD's behalf.
It's also been plagued by staffing problems, the result of an inability to match the lucrative salaries found in the private sector. Officials said last year CYBERCOM was only halfway to the goal of more than 6,000 personnel members meant to be on staff by 2016.
“My understanding is that the $7 billion is for defense as well as offense,” said Libicki. He suggested much of the $7 billion meant for offense will in fact be used to improve defense. "Cyberwar is a labor-intensive rather than a capital-intensive activity; it does not use a large amount of expensive equipment.”
That appears to be confirmed by the single procurement offer CYBERCOM has solicited since the 2017 budget request was submitted. That offer, a request for information from industry "for capabilities and architectures that would provide the mission support capabilities by the Cyber Mission Force,” did not state the contract value. Objectives include securing the Defense Department’s information network and “cyberspace operations intended to project power by the application of force in or through cyberspace.”
Maj. Matthew Perrie, program lead on the contract, declined to share a list of interested contractors. He said the contract relates to a plan for updating the federal government’s defensive posture online.
For now, it’s clear that developing defensive measures for the government, not zero days or other means of cyber aggression, is the surest way for contractors to earn a government paycheck. A mere $7 billion of the Defense Department’s $582.7 billion budget is meant for offensive cyber, and while much of the remaining budget will be devoted toward traditional military uses, Carter said DoD plans to invest $35 billion into cybersecurity over the next five years.
The U.S. Department of Homeland Security awarded a $1 billion contract to Raytheon to secure government computer networks in September. Booz Allen Hamilton was awarded a five-year, $6 billion contract in 2013 to secure government networks, just months after Edward Snowden, a computer technician at Booz Allen, leaked a trove of classified documents stolen from the NSA. Assuming the budget request is approved, the Defense Department could soon be on the hunt for a similar partnership.
If that’s the case, Booz Allen Hamilton, Raytheon, Lockheed and other corporations will have an edge in the bidding process. “They're looking at the usual suspects here,” said Libicki. “The specialty is not necessarily the technology but also the ability to sell to and service military and government clients. We have a procurement process that benefits companies that already know how to sell products to DOD.”
Decades-long relationships with the federal government could give those familiar names an advantage over FireEye, Palantir, and other relative newcomers.
Palantir is a New York City-based data analytics company founded with venture backing from the CIA. A so-called unicorn, it is valued at over $20 billion. The company has entered into a series of contracts with the NSA, FBI, armed services and other government agencies to link databases with the aim of stopping terrorist attacks before they occur, and detect fraud activity. Palantir did not return multiple requests for comment.
“One thing that's directly relevant with government contracts is the concept of task performance: You need to show you have the experience and past performance to produce in the future,” said Katell Thielemann, a research director at Gartner specializing in federal government contracts.
FireEye CEO Dave DeWalt told investors last year the cybersecurity company known for tracking foreign hackers hopes to leverage its involvement in the Sony, Home Depot and Anthem cybercrime investigations into government contracts. iSIGHT Partners, a firm acquired by FireEye in January, provides defensive threat intelligence information to more than 250 federal, state and local government agencies, the company said.
“We fully expect that as the United States government increases its focus on cybersecurity, this trend of support will continue and grow,” said FireEye spokesman Stephen Ward. “We don’t comment on pending contracts.”