@War: The Rise of the Military-Internet Complex


by Shane Harris


  The analogy isn’t perfect. The NSA isn’t a law enforcement agency, it’s a military and intelligence organization. It operates by a different set of laws and with a different mission. But as the agency drums up talk of cyber war and positions itself as the best equipped to help defend the nation from intruders and attacks, it should act more like a security guard than a burglar.

  In 2013 the NSA had a budget of more than $25 million to procure zero day exploits, referred to as “covert purchases of software vulnerabilities” in an internal budget document. But the NSA is not entirely dependent on a shadowy, unregulated market to obtain its cyber weapons. For the most part, the agency builds its own. And why not? It has an in-house production line comprising some of the country’s best hackers, many of whom have come up through the ranks of military service and are put through graduate-level computer security courses on the government’s dime. Those personnel represent an expensive, long-term investment. The United States relies on their skills and knowledge in a cyber struggle against China, which will probably always have an edge in terms of sheer numbers of hackers.

  The problem for the NSA is that its top-flight cyber warriors don’t always stay in government service. They can easily triple their salaries in the private sector, and these days, the work they’re doing there is in as high demand as it is in the government.

  Charlie Miller, a former NSA employee famous for finding hard-to-detect bugs in Apple products, including the MacBook Air and the iPhone, went to work for Twitter in 2012. Miller is what’s known in hacker circles as a “white hat.” He tries to break in to systems in order to fix them, before a “black hat” can exploit the flaw and do damage. As the social networking company has grown, it has naturally become a bigger target for spies and criminals. Miller is using his NSA-developed skills, and his innate talent, to protect Twitter—which went public in 2013—and its hundreds of millions of users.

  Justin Schuh followed a similar path. He started his career in the mid-1990s as an intelligence analyst, software engineer, and systems administrator in the Marine Corps. In 2001, Schuh joined the NSA, where he enrolled in the agency’s System and Network Interdisciplinary Program (SNIP), which is essentially cyber warrior training. “Graduates of the program become invaluable to [the agency] as the solution to universal [computer network operations] problems,” says an NSA brochure, using the technical term for cyber offense. After less than two years Schuh joined the CIA, where he worked in the agency’s technical operations unit, which helps the NSA place surveillance equipment in hard-to-reach places. But soon he was off to the private sector, eventually winding up at Google, where he works as an information security engineer.

  Google has set up a team, which includes Schuh, devoted to finding security weaknesses and zero day exploits that could be used against Google’s customers and its products, such as its e-mail system and web browser. The company itself has been the target of sophisticated hacking campaigns, most notably one by a Chinese group in 2010, which broke in to a database of proprietary software code. The hackers stole the code for a password system that allowed users to sign in to many Google applications at once. It was described by researchers as among the “crown jewels” of the company’s intellectual property. The theft triggered panic at the highest ranks of Google, a company that prides itself on protecting its users’ security and personal data and has built its reputation on that promise.

  Google now has its own team of sleuths, several of whom worked for the NSA and other intelligence agencies, looking for threats to the company. “Here’s a little secret. Having a huge index of suspected and confirmed malware is really handy for protecting hundreds of millions of users,” Schuh wrote on Twitter in 2012, after Google bought a small company that scans e-mails and websites for viruses. Today Google scans its customers’ Gmail for threats and will even alert them with a message, displayed on an arresting red banner, if the system thinks a virus may have been sent by hackers working for a government. The alert doesn’t say China, but that’s the obvious implication.

  Google doesn’t have enough employees to find all the zero day vulnerabilities and exploits that might threaten the company and its hundreds of millions of customers around the world. So, it also pays bounties to independent hackers, the same ones selling their discoveries to defense contractors. Google employees say their biggest competition on the zero day gray market is the NSA. It’s buying up zero days faster than anyone else, and paying top dollar.

  The company also employs middlemen of its own to procure zero days. According to two sources with knowledge of Google’s security programs, it uses a boutique firm called Endgame, based just outside Washington, DC, to buy up vulnerability information and known exploits. It is not known precisely what Google intends to do with what it has acquired, but this much is certain: first, having a stockpile of zero day exploits would allow the company to start a private cyber war; and second, that would be illegal. Only the United States government is allowed to conduct offensive cyber operations that result in damage to computer systems.

  But governments are not the exclusive targets of hackers—as the United States well knows. Indeed, it was the massive espionage campaign against defense companies that helped prompt US officials to start building up a cyber army. But today, US businesses are starting to realize that this army will never be big enough and strong enough to protect all of them. They have to defend themselves. And one of the first places they look for protection is that same shadowy network of hackers, selling their skills and weapons to the highest bidder.

  SIX

  The Mercenaries

  BRIGHT-FACED twenty- and thirty-somethings clad in polo shirts and jeans perch on red Herman Miller chairs in front of silver Apple laptops and sleek, flat-screen monitors. They might be munching on catered lunch—brought in once a week—or scrounging the fully stocked kitchen for snacks, or making plans for the company softball game later that night. Their office is faux loft industrial chic: open floor plan, high ceilings, strategically exposed ductwork and plumbing. To all outward appearances, Endgame, Inc. looks like the typical young tech startup.

  It is anything but. Endgame is one of the leading players in the global cyber arms business. Among other things, it compiles and sells zero day information to governments and corporations, and judging by the prices Endgame has charged, business has been good. Marketing documents show that Endgame has charged up to $2.5 million for a zero day subscription package, which promises twenty-five exploits per year. For $1.5 million, customers have access to a database that shows the physical location and Internet addresses of hundreds of millions of vulnerable computers around the world. Armed with this intelligence, an Endgame customer could see where its own systems are vulnerable to attack and set up defenses. But it could also find computers to exploit. Those machines could be mined for data—such as government documents or corporate trade secrets—or attacked using malware. Endgame can decide whom it wants to do business with, but it doesn’t dictate how its customers use the information it sells, nor can it stop them from using it for illegal purposes, any more than Smith & Wesson can stop a gun buyer from using a firearm to commit a crime.

  The heart of Endgame’s business is the ability to ingest huge amounts of data about vulnerable computers and weaknesses in a network and display that information graphically. To do that, Endgame has used a proprietary software tool, internally known as Bonesaw, which the company has described as a “cyber targeting application.”

  “Bonesaw is the ability to map basically every device connected to the Internet and what hardware and software it is,” an Endgame employee told a reporter in 2013. The software shows which systems are infected with viruses that make them vulnerable to attack.

  According to security researchers and former government officials, one of Endgame’s biggest customers is the NSA. The company is also known to sell to the CIA, Cyber Command, the British intelligence services, and major US corporations. Endgame has four offices, including one in the fashionable Clarendon section of Arlington, Virginia, a ten-minute drive or four Metro stops away from the Pentagon.

  For its clients, Endgame has drawn up lists of computers owned and operated by some of the United States’ biggest strategic adversaries. In 2010, Endgame compiled a chart showing eighteen Venezuelan government agencies and large state-owned companies running attackable computers, including a water utility, a bank, the Ministry of Defense, the Ministry of Foreign Affairs, and the Office of the Presidency. The chart, which the company noted was “not an inclusive list,” showed the Internet address of each infected system, the city where it was located, and the compromised application it was running. At the end of the chart was a column labeled “EGS Vuln,” apparently indicating whether the applications were vulnerable to attack. The word yes appeared next to nearly all of the infected machines.

  Endgame has also scouted targets in Russia. Internal documents show that the company found computers open to attack in the Ministry of Finance, as well as an oil refinery, a bank, and a nuclear power plant. And the company has identified target packages in China, Latin America, and the Middle East.

  This kind of intelligence used to be the near-exclusive domain of government intelligence agencies. They alone had the access and the know-how to sniff out vulnerable computers with such precision, as well as the motive and the means to acquire cyber weapons to attack those systems. Not anymore.

  Endgame is one of a small but growing number of boutique cyber mercenaries that specialize in what security professionals euphemistically call “active defense.” It’s a somewhat misleading term, since this kind of defense doesn’t entail just erecting firewalls or installing antivirus software. It can also mean launching a preemptive or retaliatory strike. Endgame doesn’t conduct the attack, but the intelligence it provides can give clients the information they need to carry out their own strikes. It’s illegal for a company to launch a cyber attack, but not for a government agency. According to three sources familiar with Endgame’s business, nearly all of its customers are US government agencies. But since 2013, executives have sought to grow the company’s commercial business and have struck deals with marquee technology companies and banks.

  Endgame was founded in 2008 by Chris Rouland, a top-notch hacker who first came on the Defense Department’s radar in 1990—after he hacked into a Pentagon computer. Reportedly the United States declined to prosecute him in exchange for his working for the government. He started Endgame with a group of fellow hackers who worked as white-hat researchers for a company called Internet Security Systems, which was bought by IBM in 2006 for $1.3 billion. Technically, they were supposed to be defending their customers’ computers and networks. But the skills they learned and developed were interchangeable for offense.

  Rouland, described by former colleagues as domineering and hot-tempered, has become a vocal proponent for letting companies launch counterattacks on individuals, groups, or even countries that attack them. “Eventually we need to enable corporations in this country to be able to fight back,” Rouland said during a panel discussion at a conference on ethics and international affairs in New York in September 2013. “They’re losing millions of dollars, and it’s so challenging for governments to help them, I think we have to enable them to do it themselves.” Rouland was voicing a frustration of many corporate executives who’d been the target of cyber spies and organized criminals. The Pentagon had chosen to provide special protection to defense contractors and seemed more worried about attacks on critical infrastructure like the power grid than on companies that were less vital to the US economy.

  Fighting back could take a number of forms. A company could unleash a torrent of traffic on a malicious computer and knock it offline. It could break in to the hard drive of a Chinese cyber spy, find the stolen proprietary documents, and then delete them. Of course, once inside the spy’s computer, the company could delete everything else on it, too, and unleash a virus on its network. A single act of self-defense could quickly escalate into a full-fledged conflict. And to the extent that Chinese cyber spies are supported by the Chinese military, an American firm could end up launching a private cyber war against a sovereign government.

  It’s illegal for a company or an individual to hack back against a cyber aggressor. But it’s not against the law to offer the products and services that Endgame does. Endgame has raised more than $50 million from top-flight venture capital firms, including Bessemer Venture Partners, Kleiner Perkins Caufield & Byers, and Paladin Capital. That’s an extraordinary amount of money for a cyber security startup, particularly one specializing in such a controversial field.

  Rouland stepped down as the CEO of Endgame in 2012, following embarrassing disclosures of the company’s internal marketing documents by the hacker group Anonymous. Endgame had tried to stay quiet and keep its name out of the press, and went so far as to take down its website. But Rouland provocatively resurfaced at the conference and, while emphasizing that he was speaking in his personal capacity, said American companies would never be free from cyber attack unless they retaliated. “There is no concept of deterrence today in cyber. It’s a global free-fire zone.” One of Rouland’s fellow panelists seemed to agree. Robert Clark, a professor of law at the Naval Academy Center of Cyber Security Studies, told the audience that it would be illegal for a company that had been hacked to break in to the thief’s computer and delete its own purloined information. “This is the most asinine thing I can think of,” Clark said. “It’s my data, it’s here, I should be able to delete it.”

  After Rouland stepped down, Endgame appointed a new CEO. Nathaniel Fick was a thirty-five-year-old former Marine Corps captain who’d served in Iraq and Afghanistan and later got his MBA from Harvard Business School and helped run a prominent Washington think tank. Fick wrote a memoir of his combat experience and was profiled in another book, Generation Kill, which was made into a miniseries for HBO.

  According to two individuals who know Fick and are familiar with Endgame’s business strategy, the new CEO was eager to wean the company off its intelligence contracts and to get out of the zero day business, which he saw as too controversial and ultimately not lucrative enough to justify the hundreds of thousands of dollars it takes to buy a single exploit. The margins for cyber arms were apparently too thin.

  But getting out of the business won’t be easy. Endgame’s investors were drawn to its government clients, who had deep pockets and planned to spend billions of dollars over the coming years on cyber defense and offense. Endgame’s board of advisers has historic ties to that lucrative customer base. Its members include a retired senior Pentagon official who served in several influential technology management posts, as well as the former chief information officer for the CIA. Endgame’s chairman is the CEO of In-Q-Tel, the venture capital arm of the CIA, and a member of the board is a former director of the National Security Agency.

  But as Fick noted in an interview shortly after his appointment in 2012, the post-9/11 bonanza of military spending is coming to an end as the United States has wound down the wars in Iraq and Afghanistan and braced for a period of fiscal austerity amid calls in Congress for balanced budgets and smaller government. “The defense budget is going to be under pressure, and it should be,” Fick said. “In many cases, the rampant excesses of the last decade are completely unsustainable.” But, he added, “I think there are areas that will continue to grow.”

  That growth is the private sector. The two people who know Fick say that Google has become one of the biggest buyers of Endgame’s zero day packages. Google would be breaking the law if it retaliated against those trying to steal its intellectual property. But Google has been among the most vocal corporations—and certainly the most influential—urging Congress and the Obama administration to call out China for its cyber espionage and take diplomatic action if the country fails to rein in its hackers. Google began sharing information about attacks on its networks with the NSA after the company was hit in a massive Chinese spying campaign, which saw some of its intellectual property stolen.

  Rouland isn’t the only Endgamer who has claimed that companies have a right to defend themselves when the government can’t or won’t. After Anonymous revealed an Endgame presentation showing how customers could use clusters of infected computers, known as botnets, to launch attacks on websites or steal passwords and other sensitive information, a partner at one of Endgame’s major investors defended the idea. “If you believe that wars are going to be fought in the world of cyber in the future, wouldn’t you want to believe you would have a cyber army at your disposal?” Ted Schlein, who sits on Endgame’s board, told Reuters. “Why wouldn’t you want to launch a cyber army if needed?”

  Most private cyber security companies are at pains to stress that they don’t conduct “hack-backs,” that is, breaking in to the intruder’s computer, which is illegal in the United States. But companies will spy on intruders once they’re inside clients’ networks. One prominent player in that business, CrowdStrike, baits the spies with honeypots. The company may lure hackers into what appears to be a client’s network but is actually a kind of sterile zone walled off from any real or important computers. The idea is to buy time to watch intruders, to see what they’re most interested in—technical diagrams, say, or negotiating points—and then force them to show what tools and techniques they’re using to steal that information. The company might protect a document with an especially long password, hoping that the hacker will deploy a novel technique for cracking it. Once the client has seen what’s in an intruder’s toolkit, CrowdStrike can predict how the intruder will try to break in to other systems in the future. If the client wants to throw the intruder off the trail, it might plant misleading or untrue information in those documents that purport to be about business strategy or plans for a new product launch.
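  The decoy-watching approach described above, in the form of an added example that is not CrowdStrike’s code and does not come from the book: it assumes a sterile file share that serves decoy documents at paths of the form /share/<category>/<name>-<tag>.docx, where the tag is an HMAC of the document’s category and name under a per-deployment key, so that a request for a correctly tagged path shows the intruder actually read the listing (or a stolen copy of it) rather than guessed a filename. The web-server log lines, the decoy catalogue, the HMAC key and the IP addresses (RFC 5737 documentation ranges) are all constructed here for illustration. Running the block reports, per source address, which categories of bait the intruder reached for, which is the “what they’re most interested in” signal the passage describes, and separately counts requests for decoy-looking paths whose tag does not verify.

```python
"""Decoy-document monitor: infer intruder interest from access logs.

Added example, not CrowdStrike's or the book's code. Assumes decoys are
served from a sterile share at /share/<category>/<stem>-<tag>.docx and that
the web server writes Common Log Format lines.
"""
import hashlib
import hmac
import re
from collections import Counter, defaultdict

# Assumption: one HMAC key per deployment; rotating it invalidates old decoys.
SECRET = b"example-key-rotate-per-deployment"

# Decoy catalogue, category -> document stems. Constructed for this example;
# the categories mirror the kinds of bait the text describes.
DECOYS = {
    "technical-diagrams": {"turbine-blade-rev7", "sensor-bus-schematic"},
    "negotiating-points": {"acme-merger-walkaway-price", "q3-supplier-terms"},
    "product-launch": {"project-nightjar-roadmap"},
}


def token_for(category: str, stem: str) -> str:
    """12-hex-char HMAC tag bound to category and name; a hit on a correctly
    tagged path proves the path was read from the share, not guessed."""
    mac = hmac.new(SECRET, f"{category}/{stem}".encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def decoy_path(category: str, stem: str) -> str:
    """Path at which the sterile share serves a given decoy."""
    return f"/share/{category}/{stem}-{token_for(category, stem)}.docx"


DECOY_RE = re.compile(
    r"^/share/(?P<cat>[^/]+)/(?P<stem>[^/]+)-(?P<tok>[0-9a-f]{12})\.docx$"
)

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def classify_path(path: str):
    """None for non-decoy paths; otherwise (category, stem, tag_verified)."""
    m = DECOY_RE.match(path)
    if not m:
        return None
    cat, stem, tok = m["cat"], m["stem"], m["tok"]
    if cat not in DECOYS or stem not in DECOYS[cat]:
        return (cat, stem, False)  # decoy-shaped path for a document we never planted
    return (cat, stem, hmac.compare_digest(tok, token_for(cat, stem)))


def analyze(log_lines):
    """Per source IP: verified decoy hits by category, documents touched, and
    the number of decoy-looking requests whose tag did not verify."""
    report = defaultdict(lambda: {"interest": Counter(), "docs": [], "unverified": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real deployment would count these too
        hit = classify_path(m["path"])
        if hit is None:
            continue  # ordinary traffic, not the sterile share
        cat, stem, verified = hit
        entry = report[m["ip"]]
        if verified:
            entry["interest"][cat] += 1
            entry["docs"].append(f"{cat}/{stem}")
        else:
            entry["unverified"] += 1
    return dict(report)


def primary_interest(report, ip):
    """Category the intruder at `ip` touched most, or None if nothing verified."""
    counts = report.get(ip, {}).get("interest")
    return counts.most_common(1)[0][0] if counts else None


# Constructed sample log. 192.0.2.10 is a benign user; 203.0.113.7 browses the
# sterile share; 198.51.100.2 requests a decoy name with a made-up tag.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2014:09:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120',
    f'203.0.113.7 - - [03/Mar/2014:09:14:22 -0500] "GET {decoy_path("technical-diagrams", "turbine-blade-rev7")} HTTP/1.1" 200 88211',
    f'203.0.113.7 - - [03/Mar/2014:09:14:40 -0500] "GET {decoy_path("technical-diagrams", "sensor-bus-schematic")} HTTP/1.1" 200 40977',
    f'203.0.113.7 - - [03/Mar/2014:09:16:03 -0500] "GET {decoy_path("negotiating-points", "q3-supplier-terms")} HTTP/1.1" 200 20311',
    '198.51.100.2 - - [03/Mar/2014:11:02:55 -0500] "GET /share/product-launch/project-nightjar-roadmap-000000000000.docx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, entry in result.items():
        print(ip, "interest:", dict(entry["interest"]),
              "docs:", entry["docs"], "unverified:", entry["unverified"],
              "primary:", primary_interest(result, ip))
```

The design point worth noting is the tag: without it, any scanner that guesses plausible filenames looks like an intruder who read the share, and the two cases call for different responses. With it, a verified hit means the path came from the share listing itself or from data already exfiltrated, and an unverified hit is someone probing blind. Rotating the key when a decoy set is retired keeps old leaked paths from generating stale alerts.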
