The CIA’s vast database of software vulnerabilities has not only been putting the cyber security of millions of Americans at risk for years, it has also cost American taxpayers millions of dollars, as the agency has had to pay for a monopoly on the vulnerabilities. Considering that the CIA lost control of this database over a year ago, those dollars have essentially been wasted.
Part 2 - Feeding the Beast: Explosive Growth in the “Zero-day” Exploit Market
While the Wikileaks release is the first public disclosure of the U.S. government’s hefty expenditures on software vulnerabilities, the practice has been known about for years. In 2013, the New York Times reported on the sale of “zero-day” exploits to government agencies, bolstering claims made by NSA whistleblower Edward Snowden that government surveillance assets were embedded in software developed by private companies.
“Zero-day” refers to weaknesses in hardware or software that are not known to the manufacturers, leaving them with zero days to create patches that address the vulnerabilities. While private companies have “bounty” programs that are meant to incentivize the reporting of weaknesses, governments find such flaws incredibly attractive and valuable, using them in sophisticated cyberattacks or investigations.
Decades ago, hackers and other tech-savvy individuals would often inform tech companies of vulnerabilities for free, or for pennies on the dollar if they were sold at all. However, growing government – as well as criminal – interest has led to the emergence of a lucrative business in recent years, with companies dedicated to the discovery and sale of zero-day exploits springing up throughout the world.
Not surprisingly, many of these companies are secretive and refuse to disclose their clientele. However, Snowden’s revelations strongly suggested that the U.S. government was among the main buyers of programming flaws, though that evidence was not clear-cut.
Releases from Wikileaks have now proven that the U.S. government is very much involved in the purchase of exploits from contractors that specialize in their sale. In a document detailing some of the CIA’s exploits of iOS and Android, several exploits are listed as having been “purchased by the NSA” and “shared with CIA.” It also lists other tools that were acquired from several contractors, who were given code-names like Baitshop, SurfsUp, Fangtooth and Anglerfish.
While the code-names have obfuscated the identities of these companies (for now), there are some likely candidates. A 2013 New York Times article on the zero-day exploit market mentions a Virginia company called Endgame “in which a former director of the NSA is playing a major role.” According to the Times, Endgame has developed “a number of tools that it sells primarily to the United States government to discover vulnerabilities, which can be used for fighting cyber-espionage and for offensive purposes.”
Endgame also gained notoriety as being of particular interest to imprisoned journalist Barrett Brown, and was allegedly part of a story slain journalist Michael Hastings was working on at the time of his death. Brown had uncovered an email in which former Endgame CEO Chris Rouland stated that he wanted to “keep a low profile” on his company’s work for the federal government. Another company – Netragard – is also named by the Times as having “strictly U.S.-based” clientele whose demand for its “services” pushed the price it charged per flaw up dramatically, rising from 35,000 dollars in 2010 to 160,000 dollars in 2013.