The CIA’s vast database of software vulnerabilities has not only been putting the cyber security of millions of Americans at risk for years, it has also cost American taxpayers millions of dollars, as the agency has had to pay for a monopoly on the vulnerabilities. Considering that the CIA lost control of this database over a year ago, those dollars have essentially been wasted.
Part 3 - The Cost of the CIA’s Exploit Arsenal
With such a hefty price tag, one has to wonder – how much is the government spending on these exploits? Though Wikileaks doesn’t list exact figures, the known market price per exploit can give us an idea. Tech companies themselves offer rewards or “bounties” for flaws in their products, ranging up to 200,000 dollars per flaw for Apple and Google, with Microsoft offering less.
However, these bounties are dwarfed by what private companies are willing to pay, with most offering well over double the amounts given by manufacturers. For most companies, prices depend on the flaw’s sophistication and whether or not the software is commonly used. For that reason, vulnerabilities in Apple’s iOS, the operating system for iPhones, have been known to top 1.5 million dollars per exploit. Some companies, like the French firm Vupen, charge customers a 100,000-dollar yearly subscription fee in addition to the charges per sale.
But the figures offered by tech companies “pale in comparison to what the government pays,” Christopher Soghoian of the American Civil Liberties Union told the New York Times. The U.S. government, he added, “created Frankenstein by feeding the market.” Indeed, if these private companies are paying over a million dollars per exploit, those that then sell them to the federal government are likely charging significantly more.
It therefore seems likely that much of the massive U.S. “black budget” used to fund clandestine programs for U.S. intelligence is used to purchase these incredibly expensive exploits. When Snowden confirmed the size of the black budget for the first time – 52.6 billion dollars in fiscal year 2013 – it was revealed that offensive cyber operations and research devoted to decoding encrypted communications were among the biggest priorities for the intelligence community.
Source and links: