In the classic hacker career narrative a juvenile genius breaks into the internet’s most sensitive networks, gets caught and then settles into a lucrative corporate gig selling his skills for defence. Nate Fick is trying to pull off the same story with an entire company.
Fourteen months ago Fick took over as chief executive of Endgame, perhaps the most controversial name in Washington, DC cybersecurity contracting. For years Endgame’s elite hackers worked in the shadows of the Beltway to build “zero-day exploits”, an industry term for malicious code that abuses a previously unidentified vulnerability. As a contractor to military and intelligence agencies, including the NSA, it enabled some of those customers’ most intrusive spying practices by selling ways to break into software from the likes of Microsoft, IBM and Cisco for millions of dollars.
Fick’s daunting task now is to shed Endgame’s reputation as the Blackwater of hacking and shift his firm’s focus to the far wider market in commercial defence products.
The 36-year-old CEO, a former elite Marine reconnaissance captain who served in Iraq and Afghanistan before developing a personal distaste for violence, hints at a motivation beyond profit. An ethical cloud still hangs over Endgame for its track record in undermining the internet’s security.
Fick’s first move: Taking Endgame out of the zero-day exploit game. “The exploit business is a crummy business to be in,” says Fick. “If we’re going to build a top-tier security firm, we have to do things differently. … This is one of those happy circumstances where business realities, reputational concerns and my personal feelings aligned.”
The company now touts itself as a Big Data analysis firm, selling “vulnerability intelligence” software that alerts clients to digital risks. Its tools pull together information from sources ranging from a customer’s antivirus program and intrusion detection system to its human resources and physical security data, and pairs the information with Endgame’s own research on malware and black-listed IP addresses. Integrating those feeds into a slick user interface, its software shows any anomaly that might represent a security threat.
Endgame’s new business direction helped the company raise a second round of financing last year, led by homeland-security-focussed Paladin Capital, bringing its total investment to $60 million after earlier investments by Bessemer Venture Partners, Kleiner Perkins Caufield & Byers and others. By Forbes’s estimate the company earned $20 million in revenue in 2013; Fick aims to more than double that number in 2014 and ﬂip the balance of sales so that the majority within two years comes from the private sector.
But Fick’s friendlier face for Endgame isn’t the full story. Its board still includes former NSA chief Kenneth Minihan, and it’s chaired by Christopher Darby, director of the CIA-backed venture firm In-Q-Tel. Though Fick says Endgame no longer sells exploits, the company doesn’t deny that it still sells tools to the federal government that can be used for offensive hacking. After all, the same vulnerability intelligence that finds chinks in a customer’s armour can also be used to discover them in a surveillance target.
Inside Endgame’s office an engineer shows me an older product code-named Bonesaw. Bonesaw pulls internet data to show what software runs on which machines, like a Google Maps for hackers. With a few clicks a user can zero in on a computer and see its vulnerabilities along with a list of publicly available techniques to hack it.
Fick won’t say what Endgame’s government customers might do with that tool. He won’t comment at all on the specifics of Endgame’s government business, citing secrecy agreements. In a year in which the NSA has been accused of out-of-control spying, that lack of transparency leaves critics to assume the worst.
“It sounds to me like they’re trying to put a rose on a pig,” says James Bamford, author of three books on the NSA and a vocal critic of Endgame’s practices. “If you’re saying you’re on the right path but won’t say what you’re doing, the burden’s on you.”
Critics can’t deny, however, that Fick’s Endgame is different from the one he inherited from his predecessor Chris Rouland.
In the early 1990s Rouland tried out rogue intrusion as a young hacker under the handle Mr Fusion before putting his skills to use for the feds. He eventually became the CTO of Internet Security Systems and spun Endgame out of the company in 2008 after ISS was acquired by IBM for $1.3 billion. The company used to offer an extensive package of zero-day exploits for $2.5 million a year, boasting of targets such as Russian oil refineries and the Venezuelan Ministry of Defense. “We don’t ever want to see our name in a press release,” Rouland wrote to a colleague in early 2010.
That clandestine business came to light only when the hacker group Anonymous penetrated Endgame partner HBGary Federal and published thousands of the company’s emails, including HBGary Federal’s proposal to attack donors and supporters of WikiLeaks on behalf of Bank of America. While other companies associated with the hacked firm apologised, Endgame became even more secretive, taking its website offline and scuttling its early commercial offerings. “Going dark was emphatically the wrong approach,” says Fick. “If you’re not telling your own story, people tell it for you.”
Fick was brought in by Endgame’s board to change that story, and began hiring executives with commercial-software backgrounds. He considered changing the company’s name but decided it held too much branding value. “The name’s cool,” Fick says.
Endgame has never apologised for its history. “Apologise for what?” Fick asks. He claims that even before his time the company never sold exploits to any customer other than the US government. And Fick also acknowledges that Endgame’s reputation provides a recruiting edge he’s reluctant to give up. “The guys who are really good at vulnerability research don’t want to go play in the sandbox and do penetration testing. They want to do it for real.”
Exactly what “doing it for real” entails, Fick isn’t saying. Until he does, the hacker-gone-straight story will have a major plot hole.