MINNEAPOLIS – The past week has not been a good one for the CIA. Ever since Wikileaks published a trove of documents exposing the agency’s ability to hack everything from smartphones to smart televisions to PCs, the CIA has been on the defensive, framing its shady behavior as necessary for protecting national security.
Despite the oft-used excuse of “national security” to justify a reduction in constitutionally-guaranteed civil liberties, the fact remains that the CIA – as Wikileaks has revealed – holds working exploits against a wide range of Internet-connected devices, from phones to televisions to desktop computers, meaning few people are beyond the reach of the government’s ever-expanding surveillance state.
In addition to revealing the CIA’s hacking capabilities, the documents – nicknamed “Vault 7” by Wikileaks – also exposed the agency’s hoarding of software vulnerabilities in smartphones and other devices. These flaws, specifically “zero-day” vulnerabilities and the exploits written to take advantage of them, were amassed by U.S. intelligence agencies not for the purpose of getting them fixed, but in order to keep them open for undisclosed surveillance.
These vulnerabilities were hidden from technology manufacturers and consumers alike. It remains unknown how long the CIA allowed technology used by millions of Americans to remain vulnerable after the agency became aware of the flaws.
And the controversy doesn’t end there. The “Vault 7” release also confirmed that the CIA buys exploits from private contractors in an effort to control them; at known market prices, which reach 1.5 million dollars (or perhaps more) for a single exploit, that amounts to millions of dollars. Even worse, the CIA – according to Wikileaks – recently lost control of its vast arsenal of hacking tools and exploits, meaning the money spent to control them was essentially wasted on an effort that has now made the entire world significantly more vulnerable and less secure.
Feeding the Beast: Explosive Growth in the “Zero-day” Exploit Market
While the Wikileaks release is the first documentary confirmation of the U.S. government’s hefty expenditures on software vulnerabilities, the practice has been known about for years. In 2013, the New York Times reported on the sale of “zero-day” exploits to government agencies, bolstering claims made by NSA whistleblower Edward Snowden that government surveillance assets were embedded in software developed by private companies.
“Zero-day” refers to weaknesses in hardware or software that are not yet known to the manufacturer, leaving it with zero days to create a patch before the flaw can be used against its customers. While private companies run “bounty” programs meant to incentivize the reporting of such weaknesses so they can be fixed, governments find the unpatched flaws themselves far more attractive and valuable, using them in sophisticated cyberattacks or investigations.
Years ago, hackers and other tech-savvy individuals would often report vulnerabilities to tech companies for free, or sell them for pennies on the dollar compared to today’s prices. However, growing government – as well as criminal – interest has led to the emergence of a lucrative business in recent years, with companies dedicated to the discovery and sale of zero-day exploits springing up throughout the world.
Not surprisingly, many of these companies are secretive and refuse to disclose their clientele. However, Snowden’s revelations strongly suggested that the U.S. government was among the main buyers of programming flaws, though that evidence was not clear-cut.
Releases from Wikileaks have now proven that the U.S. government is very much involved in the purchase of exploits from contractors that specialize in their sale. In a document detailing some of the CIA’s exploits for iOS and Android, several exploits are listed as having been “purchased by the NSA” and “shared with CIA.” It also lists other tools acquired from several contractors, which are identified only by code-names such as Baitshop, SurfsUp, Fangtooth and Anglerfish.
While the code-names obscure the identities of these companies (for now), there are some likely candidates. A 2013 New York Times article on the zero-day exploit market mentions a Virginia company called Endgame “in which a former director of the NSA is playing a major role.” According to the Times, Endgame has developed “a number of tools that it sells primarily to the United States government to discover vulnerabilities, which can be used for fighting cyber-espionage and for offensive purposes.”
Endgame also gained notoriety as being of particular interest to journalist Barrett Brown and was allegedly part of a story slain journalist Michael Hastings was working on at the time of his death. Brown had uncovered an email in which former Endgame CEO Chris Rouland stated that he wanted to “keep a low profile” on his company’s work for the federal government. Another company – Netragard – is also named by the Times as having “strictly U.S.-based” clientele whose demand for its “services” pushed the price it charged per flaw up dramatically, from 35,000 dollars in 2010 to 160,000 dollars in 2013.
The Cost of the CIA’s Exploit Arsenal
With such a hefty price tag, one has to wonder – how much is the government spending on these exploits? Though the Wikileaks documents don’t list exact figures, the known market price per exploit can give us an idea. Tech companies themselves offer rewards or “bounties” for flaws in their products, ranging up to 200,000 dollars per flaw at Apple and Google, with Microsoft offering less.
However, these bounties are dwarfed by what private exploit brokers are willing to pay, with most offering well over double the amounts given by manufacturers. For most brokers, prices depend on the flaw’s sophistication – a full remote compromise is worth far more than a single bug that needs to be chained with others – and on whether the software is widely used. For that reason, exploits for Apple’s iOS, the operating system for iPhones, have been known to fetch 1.5 million dollars for a complete remote jailbreak chain. Some companies, like the French firm Vupen, charge customers a 100,000-dollar yearly subscription fee in addition to the charges per sale.
But the figures offered by tech companies “pale in comparison to what the government pays,” Christopher Soghoian of the American Civil Liberties Union told the New York Times. The U.S. government, he added, “created Frankenstein by feeding the market.” Indeed, if private brokers are paying over a million dollars per exploit, those that then resell them to the federal government are likely charging significantly more.
It therefore seems likely that much of the massive U.S. “black budget” used to fund clandestine programs for U.S. intelligence is used to purchase these incredibly expensive exploits. When Snowden confirmed the size of the black budget for the first time – 52.6 billion dollars in fiscal year 2013 – it was revealed that offensive cyber operations and research devoted to decoding encrypted communications were among the biggest priorities for the intelligence community.
Losing Control and Compromising Security on an Unprecedented Scale
Despite pouring millions into the purchase and hoarding of technological vulnerabilities, the contents of this vast arsenal did not stay secret for very long. Wikileaks, during its press conference on the “Vault 7” release, noted that the CIA “lost control of the majority of its hacking arsenal.” According to the source that provided the documents to Wikileaks, the CIA’s hacking tools and exploits had been “circulated among former U.S. government hackers and contractors in an unauthorized manner,” leading to their proliferation.
As Wikileaks also noted, proliferation is a major risk in this case, considering that “once a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.” Unlike a physical weapon, an exploit is just software: it can be copied without limit, and nothing prevents whoever obtains a copy from using it. More concerning is that the “unauthorized manner” in which the tools were shared means that rival states and anonymous hackers likely gained access to the CIA’s hacking tools and exploits long before Wikileaks made them public. Yet the CIA still kept these vulnerabilities hidden from tech companies and the public, despite having lost control over them.
But even before the CIA lost control, it was already compromising the security of millions of Americans by intentionally leaving the vulnerabilities open. The fact that U.S. intelligence agencies intentionally threatened the cyber security of millions of citizens to surreptitiously favor their own surveillance tactics makes the “national security” excuse decidedly unconvincing.
This is particularly true since the U.S. government is unlikely to be the only party making use of such tools, especially considering that they were shared so loosely and have now been made public.
As Kevin Bankston, the director of the New America Foundation’s Open Technology Institute, told Wired:
“If the CIA can use it, so can the Russians, or the Chinese or organized crime. The lesson here, first off, is that stockpiling a bunch of vulnerabilities is bad for cybersecurity. And two, it means they’re likely going to get leaked by someone.”
With leaks currently plaguing the CIA and other parts of the U.S. government, it seems the CIA’s quest to become all-powerful in cyberspace has ultimately had the consequence of weakening cybersecurity and privacy for everyone – the agency itself included.