Thursday, November 13, 2014

The Mercenaries

Ex-NSA hackers and their corporate clients are stretching legal boundaries and shaping the future of cyberwar.

Bright twenty- and thirtysomethings clad in polo shirts and jeans perch on red Herman Miller chairs in front of silver Apple laptops and sleek, flat-screen monitors. They might be munching on catered lunch—brought in once a week—or scrounging the fully stocked kitchen for snacks, or making plans for the company softball game later that night. Their office is faux-loft industrial chic: open floor plan, high ceilings, strategically exposed ductwork and plumbing. To all outward appearances, Endgame Inc. looks like the typical young tech startup.

It is anything but. Endgame is one of the leading players in the global cyber arms business. Among other things, it compiles and sells zero day information to governments and corporations. “Zero days,” as they’re known in the security business, are flaws in computer software that have never been disclosed and can be secretly exploited by an attacker. And judging by the prices Endgame has charged, business has been good. Marketing documents show that Endgame has charged up to $2.5 million for a zero day subscription package, which promises 25 exploits per year. For $1.5 million, customers have access to a database that shows the physical location and Internet addresses of hundreds of millions of vulnerable computers around the world. Armed with this intelligence, an Endgame customer could see where its own systems are vulnerable to attack and set up defenses. But it could also find computers to exploit. Those machines could be mined for data—such as government documents or corporate trade secrets—or attacked using malware. Endgame can decide whom it wants to do business with, but it doesn’t dictate how its customers use the information it sells, nor can it stop them from using it for illegal purposes, any more than Smith & Wesson can stop a gun buyer from using a firearm to commit a crime.

Endgame is one of a small but growing number of boutique cyber mercenaries that specialize in what security professionals euphemistically call “active defense.” It’s a somewhat misleading term, since this kind of defense doesn’t entail just erecting firewalls or installing antivirus software. It can also mean launching a pre-emptive or retaliatory strike. Endgame doesn’t conduct the attack, but the intelligence it provides can give clients the information they need to carry out their own strikes. It’s illegal for a company to launch a cyberattack, but not for a government agency. According to three sources familiar with Endgame’s business, nearly all of its customers are U.S. government agencies. According to security researchers and former government officials, one of Endgame’s biggest customers is the National Security Agency. The company is also known to sell to the CIA, Cyber Command, and the British intelligence services. But since 2013, executives have sought to grow the company’s commercial business and have struck deals with marquee technology companies and banks.

Endgame was founded in 2008 by Chris Rouland, a top-notch hacker who first came on the Defense Department’s radar in 1990—after he hacked into a Pentagon computer. Reportedly the United States declined to prosecute him in exchange for his working for the government. He started Endgame with a group of fellow hackers who worked as white-hat researchers for a company called Internet Security Systems, which was bought by IBM in 2006 for $1.3 billion. Technically, they were supposed to be defending their customers’ computers and networks. But the skills they learned and developed were interchangeable with offense.

Rouland, described by former colleagues as domineering and hot-tempered, has become a vocal proponent for letting companies launch counterattacks on individuals, groups, or even countries that attack them. “Eventually we need to enable corporations in this country to be able to fight back,” Rouland said during a panel discussion at a conference on ethics and international affairs in New York in September 2013.

Rouland stepped down as the CEO of Endgame in 2012, following embarrassing disclosures of the company’s internal marketing documents by the hacker group Anonymous. Endgame had tried to stay quiet and keep its name out of the press, and went so far as to take down its website. But Rouland provocatively resurfaced at the conference and, while emphasizing that he was speaking in his personal capacity, said American companies would never be free from cyberattack unless they retaliated. “There is no concept of deterrence today in cyber. It’s a global free-fire zone.”

by Shane Harris, Slate
Image: Charlie Powell