The commoditisation of hacking tools, materials, and services is an uncomfortable trend that is slowly becoming visible as more hackers work together to share information on how to exploit vulnerabilities.
First Published 21st November 2019
It's just like selling shovels in a gold rush.
4 min read | Reflare Research Team
In recent years, we have seen many indicators that hacking tools, materials, and services are becoming commoditized. From bug bounties to the first indicators that these bounties will become price-competitive to incentivizing hackers to strike activist targets, we are slowly moving away from hacking as an artistic skill towards hacking as a commodity traded on the open marketplace. In this briefing, we will take a look at the implications this change may have.
Emergent properties
Systems that become commoditized and fluid tend to display emergent properties. A great example of this is cloud computing. In the early days, many analysts and technology experts referred to the cloud as merely “someone else’s computer”. Some still do, but mostly to make a point about good fallback policies.
On the surface, this is true. The cloud is just someone else’s computer and even in 2005 you could go and rent a virtual server and have it running within one hour. So in theory, nothing should really change by reducing that time to one minute and allowing you to cancel the contract in minutely intervals, right? Well, we all know that it didn’t work out that way.
By uncoupling computational power from the actual hardware, we commoditized it and gave it incredible fluidity. From these changes grew entirely new paradigms for setting up infrastructure and writing code that have since changed the world.
The same is true for mundane things like milk. Yes, the 'dairy farmer selling bottled milk' and 'milk sold on the international marketplace' is in a way the same thing. But they are also fundamentally different. The neighbourhood dairy farmer cannot experience a speculative futures bubble.
Likewise, hacking services are bound to display emergent properties as they become commoditized.
What could happen
Disclaimer: We cannot predict the future. The following are general musings on the matter at hand with explicitly no predictive guarantees.
The commoditization would likely split into two markets. The official market and the black market. This is true for virtually any traded commodity, but the illegal nature of most hacking means that the black market will likely outperform the official market. As the market increases in volume, the availability and quality of payment and contract methods will likely improve to facilitate business. We expect both of these issues to be solved by blockchain-based systems.
State actors and special interest groups are likely to reduce spending on dedicated hacking teams and instead focus on offering sufficient bounties to take down the targets they select. This will take our common talking point - of security being a cost calculation - to its logical conclusion. If the cost to hack you is lower than the current marketplace bounty, you are fine.
Likewise, derivates in one form or another may start being developed. This could happen in the official or the black market. For example, a company may choose to hedge against being hacked using some sort of derivative. Likewise, the contracts to hacking a specific target could be structured in the form of a derivative.
In the official marketplace, companies are likely to start outbidding one another for vulnerability information. For example, the makers of smartphones may choose to outbid Google and one another on new bugs. By being the first to know, they could release fixes before the vulnerability becomes publicly known and establish a brand reputation for high security - a salespoint likely to become more and more important over time. Lawmakers in various jurisdictions may choose to step in and outlaw such practices.
Summary
While these ideas seem like likely bets at the time of writing (late 2019), the actual developments, technological shifts, and emergent properties will doubtlessly make the concrete examples in this briefing seem outdated and ridiculous just a decade down the road.
The important takeaway is this: As hacking becomes commoditized, emergent properties will become apparent. Monitoring their emergence and reacting appropriately is likely going to be a vital aspect of information security for the coming decade.