The CIA’s vast database of software vulnerabilities has not only been putting the cyber security of millions of Americans at risk for years, it has also cost American taxpayers millions of dollars, as the agency has had to pay for a monopoly on the vulnerabilities. Considering that the CIA lost control of this database over a year ago, those dollars have essentially been wasted.
Part 2 - Feeding the Beast: Explosive Growth in the “Zero-day” Exploit Market
While the Wikileaks release is the first public disclosure of the U.S. government’s hefty expenditures on software vulnerabilities, the practice has been known about for years. In 2013, the New York Times reported on the sale of “zero-day” exploits to government agencies, bolstering claims made by NSA whistleblower Edward Snowden that government surveillance assets were embedded in software developed by private companies.
“Zero-day” refers to a weakness in hardware or software that is not yet known to the manufacturer, who has therefore had zero days to develop a patch for it. While private companies run “bounty” programs intended to incentivize the reporting of such weaknesses, governments find them incredibly attractive and valuable, using them in sophisticated cyberattacks or investigations.
Decades ago, hackers and other tech-savvy individuals would often inform tech companies of vulnerabilities for free, or sell them for pennies on the dollar. However, growing government – as well as criminal – interest has led to the emergence of a lucrative business in recent years, with companies dedicated to the discovery and sale of zero-day exploits springing up throughout the world.
Not surprisingly, many of these companies are secretive and refuse to disclose their clientele. However, Snowden’s revelations strongly suggested that the U.S. government was among the main buyers of programming flaws, though that evidence was not clear-cut.
Releases from Wikileaks have now proven that the U.S. government is very much involved in the purchase of exploits from contractors that specialize in their sale. In a document detailing some of the CIA’s exploits of iOS and Android, several exploits are listed as having been “purchased by the NSA” and “shared with CIA.” It also lists other tools that were acquired from several contractors, who were given code-names like Baitshop, SurfsUp, Fangtooth and Anglerfish.
While the code-names have obfuscated the identities of these companies (for now), there are some likely candidates. This 2013 New York Times article on the zero-day exploit market mentions a Virginia company called Endgame “in which a former director of the NSA is playing a major role.” According to the Times, Endgame has developed “a number of tools that it sells primarily to the United States government to discover vulnerabilities, which can be used for fighting cyber-espionage and for offensive purposes.”
Endgame also gained notoriety as being of particular interest to imprisoned journalist Barrett Brown and was allegedly part of a story slain journalist Michael Hastings was working on at the time of his death. Brown had uncovered an email in which former Endgame CEO Chris Rouland stated that he wanted to “keep a low profile” on his company’s work for the federal government. Another company – Netragard – is also named by the Times as having “strictly U.S.-based” clientele whose demand for its “services” pushed the price it charged per flaw up dramatically, rising from 35,000 dollars in 2010 to 160,000 dollars in 2013.