This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

John P. Watters is a private equity investor from Texas who bought the failing cybersecurity company, iDefense, in 2002 and transformed it into a profitable, industry-leading business. Early cybersecurity companies functioned by informing their customers of newly discovered bugs and exploits in software, offering ways to work around or patch the vulnerabilities. Generally, this practice left security companies and users in a constant state of catch-up, simply reacting to threats after they appeared. iDefense primarily based its alert system (iAlert) on information gleaned from the hacker forum-cum-mailing list, BugTraq, which was distributed by their competitor, SecurityFocus.

However, Watters completely changed the corporate culture of iDefense by listening to skilled hackers in his employ and finding new ways to reshape company policy and strategy. Hackers David Endler and Sunil James were particularly influential in this process. Watters began offering to pay a bounty to hackers for every zero-day exploit that they reported directly to iDefense, inadvertently creating the first iteration of a legitimate market for hackers to sell zero-day exploits. Big tech companies hated Watters’s business model because it put pressure on them to patch exploits that they would rather ignore. Although Microsoft was initially one of the least security-conscious companies of the tech world, it changed its stance after weathering several highly publicized cyberattacks on its products.