Unlike conventional military equipment — which, while made by private industry, is exclusively for military use — cyber tools and infrastructure are by and large globally commercial systems used by civilians and governments.
"We used to be able to go out to a hacking conference and come back with zero-day vulnerabilities or new things people were working on," said Paul Nicholas, Microsoft Global Security Strategy and Diplomacy team lead. "Suddenly, those conversations stopped and they began to get smaller and smaller because there were new entrances in the market in buying vulnerabilities."
Speaking at the Washington-based Carnegie Endowment for International Peace on Feb. 6, Nicholas said industry began to experience zero-day cyberattacks because it no longer had visibility into what security researchers were studying. Both governments and criminal organizations seek to purchase and even hoard zero-day vulnerabilities, some of which can individually cost millions.
The previous White House reacted by creating a vulnerabilities equities process in which any such vulnerability discovered by anyone — private or public sector — is disclosed for patching. The National Security Agency was recently caught with its pants down following a breach of its alleged cyber tools by an organization known as Shadow Brokers. The group released information on the hacking tools that took advantage of zero-day vulnerabilities the agency hoarded, which, if exploited, could have ramifications for systems used by a wide base of commercial users.
The vulnerabilities equities process aimed to disclose vulnerabilities discovered both by the government and the private sector in the name of cybersecurity for all. However, the government will likely continue to retain zero-day vulnerabilities for various national security reasons. This new paradigm that cyberspace is a medium from which one can project power in warfare has altered the threat models of industry, Nicholas said.
"I am now building something to deliver commercially from a threat model I think is reasonable and yet there is someone in Moscow or Beijing or Maryland working on something that is designed to blow up my product," he said. "So that sort of blows your threat model up — there's no way to anticipate that."
When a vulnerability comes along and someone exploits it, he said, commercial companies have to immediately identify the vulnerability and what products it affects. Oftentimes there is no instant fix, he added, noting the key concern of industry is that if governments ratchet up conflict, it's unclear whether the private sector can patch its way out.
This nature of warfare and cyberspace creates an environment rife with uncertainty. In the Cold War, the U.S. knew its adversary's capabilities in terms of planes, ships and divisions, Brig. Gen. J.P. McGee, deputy commanding general for operations at Army Cyber Command, told reporters Feb. 8. However, the possibility of unknowns in cyberspace is huge, he offered, making it difficult to gauge what each side does and doesn't know.