The number of exploitable defects in software declined five percent last year. But the number of serious exploits went up 28 percent.
There is a growing market for exploitable defects, with some security firms offering cash rewards.
In the past, hackers had their own underground market for these exploits. But with so much commerce moving to the web, and Internet security becoming such a large business, finding those flaws first (whether to patch them or to exploit them) is attracting more money.
The gangsters still want their hackers to get to these flaws first, but now they have to compete with legitimate buyers.
But the biggest news on the Cyber War front is that it rarely makes the headlines.
It’s not that Cyber War isn’t important; it’s just that all this geek stuff is hard to explain and just does not sound that scary.
In the competitive news business, Cyber War is not good news. But to the intel and security people, the U.S. has been under heavy assault for several years now.
The losses of information have been huge, and it’s not certain just how much has been stolen.
All this will be big news in a decade or so, when more details emerge about the extent of the losses. But for now, it’s just one of those stories no one can wrap their heads around.
In addition to the usual software flaws (the vulnerabilities that exploits take advantage of), there is also a growing amount of “malware.” This stuff is best known in the form of “adware” programs that users, often unknowingly, download onto their PCs.
The result is more ads, or ads targeted by a careful examination of what the user does, for example in their browser. There are hundreds of thousands of these little nasties out there, and Cyber War operators have found that the same techniques have military and espionage uses.
In the middle of all this you have military users of exploits. These are the shadowy organizations, particularly in China and the United States, where exploits are stockpiled (and replaced as each one is rendered ineffective by a software patch) for use in wartime.
China, and probably the United States, are already using their exploit arsenals for espionage and counter-espionage.
Many criminal gangs also do contract work, usually for espionage operations. Some corporations have been caught doing this as well. Only small players have been caught so far. Any large corporation going this way would put a premium on not getting caught.
Chinese firms are particularly energetic in stealing technology and producing their own versions. They are often quite blatant about it, especially if it’s military technology (which means government protection from retribution).
The Russians are trying to force the Chinese government to crack down on this, without much success so far.
The United States, and many other Western nations, are also going after China for its use of Internet-based espionage. Again, so far, the Chinese are refusing to admit to it, much less cut back.
Western Cyber War experts are urging some retaliation in kind.
That could get interesting.