Via the MIT Technology Review, Tom Simonite writes:
A freshly discovered weakness in a popular piece of software, known in the trade as a “zero-day” vulnerability, can be cashed in for prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments. This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget.
It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software known as Stuxnet. Now [known] to have been a project of U.S. and Israeli intelligence, Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran’s nuclear program.
No U.S. government agency has gone on the record as saying that it buys zero-days. But U.S. defense agencies and companies have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks, a stance that will require new ways to penetrate enemy computers.
Christopher Soghoian, a principal technologist at the ACLU, says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, he says, in order to sneak spy software onto suspects’ computers or mobile phones.
The new focus of America’s military and defense contractors may concern some taxpayers. An escalating cycle of competition between U.S. and overseas government agencies and contractors could make the world more dangerous for computer users everywhere.