Computer security exploits are one of the more lucrative markets you’ve probably never heard of. Find a vulnerability in commonly used software, and sell it to the highest bidder. Ideally, the vulnerability is one the software vendor doesn’t know about yet, and so has no patch for; these are the so-called zero-days. But even vulnerabilities that have been identified and patched can still be exploited: like a lot of us ordinary computer users, many government agencies and companies don’t keep their software up to date, or run old versions that are still vulnerable.
Selling vulnerabilities, and the software tools that exploit them to give an attacker greater access or control over a system than they’re supposed to have, is big business, and by no means confined to criminals. How big seems to vary: when Italian surveillance-software firm Hacking Team was itself hacked in 2015 and gigabytes of its internal documents were released online, we learnt that zero-day exploits for major operating systems like iOS, or major browsers like Chrome, could sell for a hundred thousand dollars, and in one case up to a quarter of a million US dollars each. In 2011, the company Endgame was revealed to be offering 25 zero-day exploits for $2.5 million, the sort of numbers that explain why that company went on to raise millions in investment from major US institutions. But many exploits go for smaller sums: an alleged Microsoft Windows zero-day was recently on offer from Russian hackers for $90,000.
What’s the role of security agencies in this market for security weaknesses and the tools that exploit them? Far from trying to shut it down or regulate it, western intelligence agencies in fact compete with criminals and with the software companies themselves (many IT companies run bug bounty programs that pay for vulnerabilities found in their products) to purchase exploits, pushing the price up. You’d think this purchasing would be to protect their citizens, companies and other government agencies from intrusion by alerting software companies to flaws in their code, but in fact it’s to enable them to break into the systems of other countries’ citizens, companies and agencies, and, of course, those of their own countries and of their allies.
And in a demonstration of just how perverse the incentives can be in this market, IT security researchers who publicly reveal security flaws can be referred to police, arrested or even sentenced to prison.
The exploit industry, and the role of security agencies within it, has been dragged into the spotlight this week by a cache of National Security Agency hacking tools being offered online by an unidentified group. The cache includes exploit code for taking control of the kinds of systems used by large companies and government agencies, and tools for exfiltrating information from those systems once inside. The tools are, supposedly, for sale to the highest bidder.
Whether the tools were stolen from the NSA, or NSA operators got careless in the course of an operation and left them in the wild to be taken, isn’t clear; Edward Snowden suggested the second scenario, and some possible motives for those behind the offer, in a tweetstorm this week. But as one security expert pointed out, the existence of such a cache contradicts the Obama administration’s assertion that it carefully weighs whether to reveal the vulnerabilities it obtains, thereby enabling software companies to fix them and protect citizens, companies and government agencies, or to keep them for its own use.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the internet vulnerable and the American people unprotected would not be in our national security interest,” Obama’s cybersecurity coordinator, Michael Daniel, said in 2014. “But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”
The NSA, however, appears to have weighed those trade-offs in favour of keeping and exploiting vulnerabilities, leaving major US IT companies like Cisco, and everyone who runs the affected Cisco products, exposed to attack and reputational damage.
It’s yet another demonstration of how the devotion of the NSA and its Five Eyes buddies like the Australian Signals Directorate to global-scale surveillance, notionally in the name of keeping us safe, in fact makes us less safe. In this case, they’ve left us more vulnerable to criminals, foreign governments and joyriding hackers, who can develop similar tools to exploit the vulnerabilities our security agencies are happy to leave in place for their own purposes.