SPECIAL REPORT: When it comes to hacking, the best defense is not the best offense.
Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.
The strategy is spurring concern in the technology industry and intelligence community that Washington is in effect encouraging hacking and failing to disclose to software companies and customers the vulnerabilities exploited by the purchased hacks.
That’s because U.S. intelligence and military agencies aren’t buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate computer networks overseas, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.
The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired.
Moreover, the money going for offense lures some talented researchers away from work on defense, while tax dollars may end up flowing to skilled hackers simultaneously supplying criminal groups. “The only people paying are on the offensive side,” said Charlie Miller, a security researcher at Twitter who previously worked for the National Security Agency.
Almost every Fortune 500 company has been hacked and likely won’t even know it until 6 months after the breach, according to one leading expert.
The task of protecting your company seems almost insurmountable, but there are ways to make would-be hackers seek easier targets, as Anthony De Rosa finds out in this edition of Tech Tonic.