Senior Researcher ETH Zurich, Director European Cyber Conflict Research Initiative
Author of No Shortcuts: Why States Struggle to Develop a Military Cyber-Force- shorturl.at/kMNZ9
Good news: my book 'No Shortcuts' is being sold at a healthy rate!
Bad news: It's now out of stock in Europe. But a few copies still left on Amazon UK. Hopefully new hardback copies available next month.
Paperback out this summer.
https://www.amazon.co.uk/No-Shortcuts-Struggle-Military-Cyber-Force/dp/1787386872
Excited to announce the release of
Cyberspace and Instability, edited by Bobby Chesney, James Shires, and myself.
It's entirely open access!
Extremely proud to have worked together with such a great group of scholars for this edited volume.
You can download the book here:
https://edinburghuniversitypress.com/book-cyberspace-and-instability.html
I just love this song.
And can’t get over how one man, Billy Birmingham, has done all these iconic commentators’ voices.
Really happy to see my article with Myriam Dunn Cavelty on 'Regulatory cybersecurity governance in the making: the formation of ENISA and its struggle for epistemic authority' published in a special issue of the Journal of European Public Policy, edited by Andreas Kruck and Moritz Weiss!
https://www.tandfonline.com/doi/full/10.1080/13501763.2023.2173274
Our abstract:
Over the last decades, cybersecurity has become a top priority for the European Union (EU). As a contribution to scholarship on the ‘regulatory security state’, we analyze how the European Union Agency for Cybersecurity (ENISA), emerged and stabilized as the EU's key agency for cybersecurity. We use data from policy documents, secondary sources, and semi-structured interviews to show how ENISA struggled to become a relevant actor by carving out a specific role for itself. In particular, we show how challenging it was for the agency to acquire epistemic authority. Although the trajectory of ENISA supports attempts to govern through regulation, it also shows that its role was never a given, only functions as part of a larger whole, and continues to be subject to change. Our article indicates that the study of security governance must remain ontologically flexible to capture hybrid forms and political struggles.
The Cyber Partisans is a digital resistance movement from Belarus. This group has claimed responsibility for several major cyberattacks, including a high profile operation against the Belarusian railway system that reportedly halted Russian ground artillery and troop movement into Ukraine.
I interviewed Yuliana Shemetovets, spokesperson of the Cyber Partisans, at Theater Neumarkt in Zurich. We talked about the group’s motives, targeting objectives, NFTs and more.
The video is now online: https://www.youtube.com/watch?v=Ipa_q5wRZes&list=PL0JijBOlUIIelMF4El4KWaYKe86SAUea_&index=4&t=431s&ab_channel=TheaterNeumarkt
For more background: https://www.washingtonpost.com/politics/2022/05/13/cyber-attack-hack-russia-putin-ukraine-belarus/
The one book on cyber that I thoroughly enjoyed reading this year was "No Shortcuts: Why States Struggle to Develop a Military Cyber-Force" by @maxWSmeets It made me reconsider some of the ideas I had about how state actors operate and the different constrictions affecting their capabilities. The chapter on how state and non-state actors interact, the preconceptions vs reality of exploit market, was also enlightening. It's written in a very approachable way, so if anybody is looking for an interesting book on the subject I can certainly recommend getting it.
My opening statement for the PEGA Committee public hearing on ‘Trade in zero-day vulnerabilities’ held last week:
Over the past years, zero-day exploits have been deployed by commercial surveillance companies in order to install their spyware on target devices.

These zero-day exploits often only contribute to specific parts of multi-stage operations (i.e. attack chains). Sometimes, they are combined with known exploits, also referred to as n-days.

The level of sophistication can be incredibly high. Some surveillance companies have managed to link up a series of exploits in such a way that they can conduct ‘zero-click’ attacks: it is a method of installing spyware on a device that does not require interaction from the user, such as clicking on a malicious link sent in a text message.
How do these commercial surveillance companies get these zero-day exploits? Either they develop them internally, buy them directly from a developer, or buy them indirectly through an exploit broker. The split in terms of supply we often do not know, and it differs per company (NSO is believed to have a large internal team). But what we do know is that there are frequent, keen and resourceful customers on this market.

And commercial surveillance companies are not the only customers on this market. States and criminal groups like to shop for zero-days too. In 2013, the National Security Agency had a budget of more than $25 million to purchase zero-days, in an internal budget document referred to as “covert purchases of software vulnerabilities.” The Vault 7 leaks revealed that of the 14 exploits for Apple’s iOS owned by the CIA at the time, four were purchased.
The market for zero-days is said to be flourishing, global and active. However, it is worth pointing out that often it is much more inefficient than people realize.

The reason is that the zero-day market shares many characteristics of what George Akerlof would call a ‘Market for Lemons’.

Akerlof won the Nobel Prize for his research showing how information asymmetries can lead to adverse selection in markets. When car buyers have imperfect information (not knowing as much about a car’s quirks and problems as the seller who has owned the car for a while), sellers of low-quality cars (“lemons”) can crowd out everyone else from their side of the market, stifling mutually advantageous transactions. If the buyer is unable to tell the difference between a good car and a lemon, she is unwilling to pay top-tier prices. This means the price is bound to be lower than what sellers of high-quality cars would be willing to sell for, driving them out of the market.
The zero-day exploit market is also a market with extreme information asymmetries. That is for three reasons.

- First, the seller has much more information about whether the exploit is actually working.
- Second, the market is also flooded with low-quality exploits: many of the exploits offered are a lot less reliable than sellers initially report.
- Third, the buyer of an exploit is not always able to test the exploit before purchasing it, as the economic value would be lost once given to the buyer for “testing.”

This structural setup makes even beneficial zero-day transactions difficult. It also makes trust a crucial dimension of exploit sales and localizes the market.

It means that spyware companies will tend to buy from a highly select group of preferred sellers. They need to invest many resources developing trusted channels that carry repeated transactions between developer and buyer.
The story of HackingTeam illustrates that some surveillance companies are frequent and keen customers on the market for zero-day exploits. But this is in spite of the fact that they often face adverse information asymmetries and scarcity of reliable supply.

There are other complications associated with buying zero-day exploits, which in turn affect how they are used.

Buying zero-day exploits, rather than developing them internally, increases the chances of early discovery due to potential non-exclusive sales, which subsequently incentivizes the earlier use of the exploits.
The likelihood that two (or more) independent parties will discover a vulnerability is known as the vulnerability collision rate. A RAND study found that, for a given stockpile of zero-day vulnerabilities, after a year, almost 6 percent have been publicly discovered and disclosed by another entity.

Normally, this risk of co-discovery drives semi-calculated decisions about exploit use. A hacker may, for example, decide to only go after the most valuable victims or keep exploits for some unusual circumstances to avoid discovery.

We know from leaked documents that intelligence agencies have created various tools to optimize exploit use.
When an intelligence agency, surveillance company, or other entity buys exploits, rather than develops them internally, it also further complicates the decision-making process around their usage. A buyer can either purchase an ‘exclusive’ or ‘non-exclusive’ exploit. Exclusive purchases mean that the exploit is only sold to one client and is thus pricier. Conversely, non-exclusive exploits can be sold to multiple clients and are cheaper.

In the case of non-exclusive sales, the client has to take into consideration the chances that the exploit is sold to one or more other clients, and whether others who buy the exploit will use it discreetly. It incentivizes “use it or lose it” behavior, the belief that an exploit should be used quickly before it becomes ineffective.

This additional risk is also nonzero in the case of exclusive sales; there is no certainty that the broker does not sell it on to other actors, or that the developer does not shop it around to multiple brokers.

In sum, surveillance companies as well as other hacking entities are buying zero-day exploits in the market. But there are many difficulties associated with buying zero-days from this market.
This statement is based on my previous research:

- No Shortcuts: Why States Struggle to Develop a Military Cyber Force (Hurst Publishers & Oxford University Press: 2022)
- ‘Hack Global, Buy Local: The Inefficiencies of the Zero-Day Exploit Market,’ Lawfare, (2022, June 6) https://www.lawfareblog.com/hack-global-buy-local-inefficiencies-zero-day-exploit-market
- ‘The Risks of Managing a Purchased Cyber Arsenal,’ Council on Foreign Relations, (2022, May 31), https://www.cfr.org/blog/risks-managing-purchased-cyber-arsenal
- ‘We Buy and Sell: The Public Advertisement of Zero-Day Exploits,’ The Alert, (2022, June 7), https://offensivecyber.org/2022/06/07/we-buy-and-sell/
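To make the collision-rate and exclusivity argument in the statement above concrete, here is a small model of how long a purchased exploit stays usable. This is an added illustration, not part of the statement or of the cited research. The only figure it takes from the text is RAND's estimate that roughly 6 percent of a zero-day stockpile is publicly discovered and disclosed by another party within a year; the number of other buyers and the per-buyer yearly "burn" probability are assumed, constructed parameters, and all events are assumed to be independent.

```python
import math

# The only number taken from the statement: RAND's finding that roughly 6 % of a
# stockpile of zero-days is publicly discovered and disclosed by someone else
# within a year. Everything else below is an assumed modelling parameter.
RAND_ANNUAL_COLLISION_RATE = 0.06


def survival_exclusive(years, collision_rate=RAND_ANNUAL_COLLISION_RATE):
    """Probability that an exploit held by a single party is still unpatched
    after `years`, if independent rediscovery happens at `collision_rate` per
    year and the holder never burns it themselves."""
    return (1.0 - collision_rate) ** years


def survival_nonexclusive(years, other_buyers, burn_per_buyer,
                          collision_rate=RAND_ANNUAL_COLLISION_RATE):
    """Same question for a non-exclusive sale: `other_buyers` other clients
    hold the same exploit and each, independently, burns it (gets caught using
    it, after which the vendor patches) with probability `burn_per_buyer`
    per year. `burn_per_buyer` is an assumption, not a figure from the text,
    and independence of all events is also a modelling assumption."""
    yearly_keep = (1.0 - collision_rate) * (1.0 - burn_per_buyer) ** other_buyers
    return yearly_keep ** years


def expected_lifetime_years(yearly_keep):
    """Mean number of years an exploit stays usable when it is lost with
    probability (1 - yearly_keep) in each year (geometric distribution)."""
    if not 0.0 < yearly_keep < 1.0:
        raise ValueError("yearly_keep must be strictly between 0 and 1")
    return 1.0 / (1.0 - yearly_keep)


def compare(other_buyers, burn_per_buyer, horizon_years=3):
    """Side-by-side survival for an exclusive purchase and a non-exclusive one
    sold to `other_buyers` further clients. Returns one dict per year so the
    caller can tabulate or check the numbers."""
    rows = []
    for y in range(1, horizon_years + 1):
        rows.append({
            "year": y,
            "exclusive": survival_exclusive(y),
            "non_exclusive": survival_nonexclusive(y, other_buyers, burn_per_buyer),
        })
    return rows


if __name__ == "__main__":
    # Constructed scenario: the same exploit sold to three other clients, each
    # with an assumed 10 % yearly chance of burning it.
    for row in compare(other_buyers=3, burn_per_buyer=0.10):
        print(f"year {row['year']}: exclusive {row['exclusive']:.2f}  "
              f"non-exclusive {row['non_exclusive']:.2f}")
    print("mean usable lifetime, exclusive: "
          f"{expected_lifetime_years(1 - RAND_ANNUAL_COLLISION_RATE):.1f} years")
    print("mean usable lifetime, non-exclusive (3 others, 10 %/yr): "
          f"{expected_lifetime_years((1 - RAND_ANNUAL_COLLISION_RATE) * 0.9 ** 3):.1f} years")
```

Under these assumed parameters the exclusive exploit has a mean usable lifetime of about 17 years, while the non-exclusive copy shared with three other clients drops to roughly 3 years, which is the quantitative shape of the "use it or lose it" incentive the statement describes. The model is deliberately simple: it ignores that a vendor may fix the bug for unrelated reasons and that buyers' burn events are rarely independent in practice.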
@ridt - on deceptive ops and potential for misattribution: the CIA ‘UMBRAGE’ database of hacking techniques from other groups is an interesting case study too. Although the code reuse here was supposedly done to save time, as reported by @kimzetter in 2017.