Written byChris Bing
Defense contractors developing military grade cyber weapons find themselves in a prime position to capitalize on President-elect Donald Trump’s rise to the White House. With this enormous business opportunity on the horizon, policy and security experts tell CyberScoop they question what Trump’s plan for offensive cyber tools will mean for both those at home and abroad.
Since Trump won the election, publicly traded defense contractors have enjoyed a spike in their stock’s value. Many investors are buying defense stocks based on Trump’s promise to end the sequester, which would cause defense spending to return to a level familiar under the George W. Bush administration. A segment of this market, in addition to developing rockets, warships, fighter jets and command systems, also sells cyber weapons to the U.S. government.
More than a week after the election, BAE Systems and Raytheon saw their price per stock increase by about 9 and 10 percent respectively. Both companies are defense contractors that previously sold offensive cyber tools to the U.S. government.
In late 2015, an offensive cyber development contract introduced by U.S. Cyber Command worth $460 million reportedly drew interest from Raytheon, Northrop Grumman and Lockheed Martin. The contract was ultimately awarded to Booz Allen Hamilton, SAIC, Secure Mission Solutions, CACI Federal, KEYW Corporation and Vencore. The proposal called for, among other things, the creation of digital weapons capable of deadly force.
Defense industry lobbyists, consultants and other executives have begun setting in motion optimistic plans to conduct increased business with the U.S. government, Politico reports. Asked broadly about the business opportunities presented by a Trump administration, a BAE Systems spokesperson declined to comment. Raytheon did not respond to a request for comment.
“Defense contractors are eager to mature from developing standalone cyber weapons to larger cyber weapon systems to attain levels of profitability similar to that of complex conventional weapons systems like the F-22 and F-35,” said Blake Darche, a former computer network exploitation analyst at the National Security Agency. “The proliferation of these tools has already begun. For instance, the Sony attack represented this war is well underway and cannot be stuffed into a backpack and sealed up.”
Though the production and sale of offensive-leaning cybersecurity products lends itself to a niche market, business is growing as leaders in developing countries have become more aware of these capabilities, research shows.
Broadly speaking, the global cyber warfare industry is largely controlled by a few select players, according to Lexington Institute Chief Operating Officer Loren Thompson, because purchases “are so secret that companies must have special qualifications to bid [on defense contracts]” and acquiring the talent to develop cyber weaponry remains challenging.
“This probably works to the advantage of Lockheed Martin, which is the biggest player in the federal information services market, because it has the mass and resources to keep up with changing needs, but for smaller players it’s a big problem,” Thompson previously wrote.
“The big problem with developing offensive cyber capabilities is how do you demonstrate them? If you use them, you might lose them. So you have to convince adversaries that you can continue producing effective weapons,” said Adam Segal, director of digital and cyberspace policy at the Council on Foreign Relations.
“Given the conflicts that we are currently in, it is not clear that there are a wealth of targets that we cannot reach because we do not have adequate offensive capabilities. If Trump improves relations with Russia, then demand for offensive tools would seemingly decrease,” said Segal.
The longstanding issue of a cybersecurity workforce shortage is also a factor, former DARPA program manager Jason Syversen told CyberScoop.
“Frankly it’s a small base so the challenge would be scaling up people wise,” said Syversen, now CEO of Siege Technologies. “In my experience, high end OCO [offensive cyber operations] companies are limited more by talent than by work opportunities. It’s a broader problem in the community; not enough smart people work in the domain.”
Trump’s plan to bolster cybersecurity remains ambiguous and laden with hyperbole. He has rarely spoken on the topic. During his campaign, Trump played down the U.S.’ capabilities in cyberspace compared to other nations.
“I will make certain that our military is the best in the world in both cyber offense and defense,” Trump said in a speech at a Retired American Warriors event on Oct. 3. “Today is just the beginning of a long and overdue national discussion of how to … develop the cyber offense strategies necessary to gain a critical security edge in the 21st century.”
“First off, we’re so obsolete in cyber. We’re the ones that sort of were very much involved with the creation, but we’re so obsolete,” Trump said in a March interview with The New York Times. “You can take out, you can make countries nonfunctioning with a strong use of cyber. I don’t think we’re there. I don’t think we’re as advanced as other countries are.”
Trump’s White House transition team has yet to announce a leader dedicated to cybersecurity policy or staffing.
A six-point plan published on the president-elect’s websites lists a series of cybersecurity-related initiatives. The last initiative reads: “Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”
It remains unclear how Trump’s policy team interprets “offensive cyber capabilities” or if related policy will become a reality. Repeated attempts to reach a Trump spokesperson in an effort to clarify this objective went unanswered.
If and when the Trump administration does address the topic, they will have to separate the different components of offensive cyber capabilities.
“It generally consists of both computer network exploitation, or stealing information, and computer network attacks, which can be described as damaging systems…sometimes resulting in physical effects like making nuclear centrifuges spin erratically until they blow up,” Ely Kahn, a former National Security Council director of cybersecurity in the White House, told CyberScoop.
“[Computer Network Exploitation] has been a staple of the U.S. intel community for years and has and will continue to be an area of growth as it is an extremely cost effective means to gather intelligence,” Kahn added. “[Computer Network Attacks] is still relatively new and the rules of engagement are still maturing. It is a tactic that has its place in certain situations, but there are collateral damage risks … and [it] should be used when other less risky tactics are not appropriate or relevant.”
Security and policy experts differ on whether they believe President-elect Trump’s apparent focus on offensive cyber development represents a positive step forward in terms of national security.
Rep. Will Hurd, R-Texas, a former CIA analyst and cybersecurity executive who now heads the House Committee on Oversight and Government Reform’s Subcommittee on IT, told CyberScoop that he is encouraged by Trump’s comments focused on the development of offensive cyber tools. However, he cautioned that more needs to be done to establish “standard operating procedure.”
“There are military operators and planners, people beyond political appointees, that will provide input here in the next administration — those people aren’t going to change,” said Hurd. “Cyber is an arena that is constantly evolving, TPPs change, and so I think we need clear policy.”
While vague, Trump’s proposal may prove significant given how past defense budgets have allocated resources to cyber weaponry compared to kinetic arms, Syversen said, specifically referencing CNA techniques. A publicly accessible budget plan spanning three years, from 2014 and 2017, shows the U.S. Air Force was allocated $50 million to purchase and develop offensive cyber tools. For reference, a single F-35 fighter jet costs about $100 million to purchase.
“You look at the cost of an F-35, a single tank, and then compare that to the dollars flowing into actual offensive/defensive cyber capabilities acquisition and it pales in comparison when you consider the asymmetric capabilities created in cyberspace,” said Syversen. “That ability to reverse effects, have effects quickly, limit damage to physical infrastructure and human lives is part of the reason OCO is so valuable.”
Other security professionals emphasized that the unique risks associated with deploying CNAs can’t be ignored. Although a digital weapon may be less destructive than a missile, it is also not a “silver bullet” that should be deployed by the military in a nonchalant manner, according to Kahn.
“Probably the biggest risk is malware jumping from the intended target to other innocent systems. There was reporting of this around the Stuxnet malware that targeted the programmable logic controllers for Iranian centrifuges jumping to other SCADA systems in other countries,” Kahn told CyberScoop. “Military targeters will need to decide what the best instrument of war is needed to get the job done. Sometimes it might be a logic bomb… other times it will be kinetic bomb.”
“With capabilities like these, it really comes down to whether you trust your government to use them responsibly,” said New America policy analyst Robert Morgus. “The answer to that question will dictate whether or not you see these developments as good or bad for international peace and security.”