World War Zero: How Hackers Fight to Steal Your Secrets


by Lev Grossman, from TIME Magazine

The global battle to steal your secrets is turning hackers into arms dealers.

The Internet is a battlefield, the prize is your information, and bugs are the weapons.

Aaron Portnoy started his hacking career when he was still in high school, at the Massachusetts Academy of Math & Science in Worcester. Showing what in retrospect seems like considerable restraint, Portnoy tweaked the school’s website to say something uncomplimentary about another student. Then he got out. Later the school brought in tech experts to trace the intrusion, but they could never quite track it back to him.

So naturally Portnoy did it again the next year and got caught. The academy encouraged him to find an alternative venue for his education. It didn’t really matter. He graduated from a local high school instead and went on to Northeastern University. It was all excellent preparation for what he does for a living now: researching and selling software vulnerabilities, which since his high school days have become one of the world’s newer and more controversial commodities.

Portnoy, now 28, is the co-founder of a two-year-old company in Austin called Exodus Intelligence. Its mission statement reads, “Our goal is to provide clients with actionable information, capabilities, and context for our exclusive zero-day vulnerabilities.” Which means–translated from the quasi-paramilitary parlance that’s endemic to the software-security industry–that Exodus Intelligence finds and sells bugs, specifically the kind of bugs that could potentially give a third party access to a computer, the same way Portnoy got access to his high school’s network. They’re worth a lot of money. Vulnerabilities in popular applications and operating systems have been known to change hands for hundreds of thousands of dollars each.

Cyberwar isn’t the future; it’s already here. It’s business as usual. In this war, the battlefield is everywhere, bugs are weapons, and people like Portnoy are arms dealers.

The idea that a software bug can be worth actual dollars and cents is an odd one. Bugs are mistakes; people generally pay money to fix them. The fact that there’s a market for them is a consequence of the larger oddness of our present technological era, in which our entire world–our businesses, medical records, social lives, governments–is emigrating bit by bit out of physical reality and into the software-lined innards of computers in the form of data.

In 2009 there was a good object lesson in what makes vulnerabilities so useful. The U.S. and Israel had jointly developed a complex computer worm that was designed to penetrate and compromise a specific uranium-enrichment facility in the Iranian city of Natanz. The worm, which is now known as Stuxnet, was arguably the first true cyberweapon. It was introduced into the facility’s computer system by a double agent with a USB drive. The worm checked out the place and sent detailed intelligence back to its masters. Then it really let down its hair and went after the computers that controlled the centrifuges used to enrich the uranium. It eventually destroyed about 20% of them. (All this has been deduced after the fact by security experts and journalists, since both the U.S. and Israeli governments are still mum on the subject.)

What made Stuxnet so effective? In a word: bugs. To get the access it needed, Stuxnet took advantage of at least four distinct vulnerabilities, including one in Microsoft Windows.

The vulnerabilities business has a mixed reputation, based on the presumption that the bugs it provides are being used for criminal or unethical purposes. A Washington, D.C., company called Endgame that sold vulnerabilities to the government for years was dubbed “the Blackwater of hacking” by Forbes magazine.

Exodus’ clients come in two basic types, offensive and defensive. Playing for the defense are security firms and antivirus vendors who are looking for information they can integrate into their products, or who want to keep their clients up to speed on what threats are out there. On offense are penetration testers, consultants who use Exodus’ zero-days to play the “red team” in simulated attacks on their own or other people’s networks. “If they want to show what a real attack would look like from a determined adversary,” Portnoy says, “we give them the tools to do that.”

And then there are the ones who aren’t just playing. Portnoy is discreet about his client list, but others have been less so. It’s well known that the NSA and the FBI are fond of implanting surveillance software on target computers to gather intelligence; the FBI is even now lobbying the courts to make it easier to get warrants to do just that. How do you implant software on somebody’s computer without them knowing about it? One way is to exploit a vulnerability. Last year the FBI busted a company called Freedom Hosting, which it called “the largest facilitator of child porn on the planet.” Freedom Hosting operated on the Tor network, which anonymizes Web traffic. To get around the anonymity, the FBI used a vulnerability in Firefox.

As for the NSA, the Washington Post’s analysis of the Edward Snowden leaks revealed an NSA budget that included $25.1 million for “additional covert purchases of software vulnerabilities,” suggesting that they both buy zero-days and roll their own internally.

According, again, to the Snowden documents, the U.S. mounted 231 offensive cyberoperations in 2011 against China, Russia, Iran and North Korea, among others–and that was 2011, ancient history in cybertime. The 2015 defense budget includes $5 billion for cyberspace operations, which is a very general term for an arena about which not much is known.

The real nightmare scenario is an attack on public infrastructure by a political group unrestrained by any national affiliation. Terrorists, for example. “Zero-day vulnerabilities, if you’re able to identify one of them, can do serious harm,” says Mary Galligan, formerly the special agent in charge of cyber and special operations in the FBI’s New York office, currently at Deloitte and Touche. As an example she mentions SCADA, which stands for Supervisory Control and Data Acquisition, the software used to control industrial systems. That’s what Stuxnet went after. “Everything that we think of–manufacturing floors, the electrical grid, or the water supply, or elevators–that are run with data equipment, it’s connected to the Internet. The real concern is, that’s the part that’s least protected.”
