The CIA’s vast database of software vulnerabilities has not only been putting the cyber security of millions of Americans at risk for years, it has also cost American taxpayers millions of dollars, as the agency has had to pay for a monopoly on the vulnerabilities. Considering that the CIA lost control of this database over a year ago, those dollars have essentially been wasted.
Part 3 - The Cost of the CIA’s Exploit Arsenal
With such a hefty price tag, one has to wonder – how much is the government spending on these exploits? Though Wikileaks doesn’t list exact figures, the known market price per exploit can give us an idea. Tech companies themselves offer rewards or “bounties” for flaws in their products, ranging up to 200,000 dollars per flaw for Apple and Google, with Microsoft offering less.
However, these bounties are dwarfed by what private companies are willing to pay, with most offering well over double the amounts given by manufacturers. For most companies, prices depend on the flaw’s sophistication and whether or not the software is commonly used. For that reason, vulnerabilities in Apple’s iOS, the operating system for iPhones, have been known to top 1.5 million dollars per exploit. Some companies, like the French firm Vupen, charge customers a 100,000-dollar yearly subscription fee in addition to the charges per sale.
But the figures offered by tech companies “pale in comparison to what the government pays” Christopher Soghoian of the American Civil Liberties Union told the New York Times. The U.S. government, he added, “created Frankenstein by feeding the market.” Indeed, if these private companies are paying over a million dollars per exploit, those that then sell them to the federal government are likely charging significantly more.
It therefore seems likely that much of the massive U.S. “black budget” used to fund clandestine programs for U.S. intelligence is used to purchase these incredibly expensive exploits. When Snowden confirmed the size of the black budget for the first time – 52.6 billion dollars in fiscal year 2013 – it was revealed that offensive cyber operations and research devoted to decoding encrypted communications were among the biggest priorities for the intelligence community.
Source and links: