Here’s what happens when a hacker gets mistaken for a spy

Celil Unuver at a conference in Tokyo

Last July, Celil Unuver got an unexpected call from the Turkish police. They couldn't find him at his office, the policeman said, and they would like him to come to the cybercrime bureau as soon as possible. Unuver is a security researcher, focusing on vulnerabilities in industrial systems, but he soon realized someone thought he was up to something more sinister: selling valuable cyberweapons to the US and Israel. It was an accusation of high treason.

"At first, I thought they needed my help in an investigation," Unuver says. "I answered that I had a busy week and could visit next week." The policeman replied that if he didn't come in voluntarily in the next three days, he would be arrested.


Unuver is the co-founder of SignalSec, focusing on vulnerabilities in industrial control software. He's been doing this work for eight years, disclosing some bugs publicly and selling others legally on the vulnerability market, but he'd never thought of his actions as anything close to treasonous. He was just trying to make a living by finding ways software might break. It’s how security research usually works: you’re looking for a bug nobody’s found before. ("Zero day" just means the bug hasn’t been published before, so the researcher still has something to sell.) If the people making the software aren’t interested (and they usually aren’t), you can sell it to a third-party security company or an exploit broker. For years, the US government has been the biggest buyer of those exploits, but they’re far from the only buyer.

But there’s a big difference between a zero-day vulnerability and a cyberweapon, and Unuver had stayed on the right side of the line. He’d written exploits before, sure: it’s a common part of proving a vulnerability is really workable. He’d also sold to clients in the US, simply because that's where most of the brokers and reward programs are. At his interrogation, a policeman asked him simply, "Do you sell zero-days?" and he worried any simple answer would land him in jail. How could he explain his business to the police without coming off like a spy?

After eight months of uncertainty, Unuver recently got word that the case had been abandoned, but it's left Unuver with real concerns that his work might get him in trouble with the local government. "It was a difficult process for me, always worrying what would happen," Unuver said. "I really felt paranoid."


There’s a long history of security research being mistaken for criminal activity. In one particularly infamous incident in 2001, the FBI arrested a Russian researcher named Dmitry Sklyarov after a public presentation that detailed security flaws in Adobe’s ebook DRM. It’s still unfortunately common for researchers to face legal retaliation after disclosing a particularly embarrassing bug. But as governments have become more publicly involved in the vulnerability trade, researchers are also exposed to espionage charges, which can leave them with much less recourse.

It's not clear where the treason accusations against Unuver came from, although they may have had more to do with Stuxnet than with anything Unuver has worked on. One of the most infamous pieces of state malware, Stuxnet targeted a nuclear facility in Iran using vulnerabilities in industrial control systems, and was widely attributed to the United States and Israel. Unuver insists his work has nothing to do with Stuxnet, but he does work in the same area. He joked about the impression in his Twitter bio, describing himself as a "Siber Silah Saticisi" or "cyberweapon seller," although he's now concerned some in law enforcement may have taken the joke seriously.

The same accusations have also cropped up against more established security researchers. US firms like FireEye and CrowdStrike have faced criticism for failing to detect and report US state malware, leading to speculation that the US government has actively suppressed related research. Earlier this month, Russian research firm Kaspersky was accused of having close ties to Russian intelligence agencies, potentially to the detriment of its US clients. Kaspersky vigorously denied the claim, calling it "speculations, assumptions, and unfair conclusions based on incorrect facts." (Kaspersky was one of the first firms to report on Red October, a strain of malware that many attribute to the Russian government.) Still, the overall message is clear: researchers aren't just seen as potential criminals, but as potential spies.

In the meantime, smaller researchers like Unuver are left to fend for themselves. In his case, the biggest concern wasn't international pressure but local misunderstandings about the nature of vulnerabilities and the exploit trade. What used to be simple security research can now be cast as developing cyberweapons, and the international nature of the trade makes law enforcement particularly curious. "If there is the USA and Israel in a complaint, government officials always take it seriously," Unuver says, "especially when it's a mysterious business like zero days."