The Risks of Managing a Purchased Cyber Arsenal

In March 2013, WikiLeaks began publishing a series of CIA documents. When it leaked the files, WikiLeaks claimed, “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.” The leaked documents were collectively labeled Vault 7. Vault 7 revealed that of the fourteen exploits used by the CIA to target Apple’s iOS operating systems at the time, four were purchased. 

We know that some government agencies are regular buyers on the market for zero-days, previously unknown vulnerabilities which vendors have not had time to prepare a patch for. Zero-days, and their use by threat actors, are a common topic, but how zero-day purchases complicate arsenal management decisions is rarely discussed. Not least, buying zero-day exploits, rather than developing them internally, increases the chances of early discovery due to potential non-exclusive sales (even if the exploit was supposed to be sold to only one buyer) which subsequently incentivizes the imprudent use of the exploits. 

Types of exploits and their life span 

Exploits come in three main flavors: zero-day exploits (those that use a vulnerability previously unknown to the vendor), unpatched N-day exploits (those that use a vulnerability in software or hardware that is known to the vendor but does not have a patch in place to fix the flaw), and patched N-day exploits (those that use a vulnerability in software or hardware that is known to the vendor and has a patch in place to fix the flaw).  

Zero-days are the most powerful form of exploit, because companies and governments have no warning that a vulnerability may exist or any plans to patch the vulnerability. Whilst this makes zero-days particularly useful for penetrating computers and networks, note that mature cyber commands and intelligence organizations still primarily use known exploits for their operations.  

The average life span of a zero-day exploit–i.e., before the exploit gets discovered–is long: seven years, according to a study from RAND Corporation. However, there is major variation; on average, about 25 percent of all exploits do not survive for more than one and a half years, but another 25 percent will survive more than nine and a half years.   

The risk of co-discovery 

The likelihood that two (or more) independent parties will discover a vulnerability is known as the vulnerability collision rate. A RAND study found that, for a given stockpile of zero-day vulnerabilities, after a year, almost 6 percent have been publicly discovered and disclosed by another entity. 

Normally, this risk of co-discovery drives semi-calculated decisions about exploit use. A threat actor may, for example, decide to only go after the most valuable victims or keep exploits for some unusual circumstances to avoid discovery. In fact, we know from the Snowden leaks that the National Security Agency (NSA) developed “FOXACID”, a tool to help optimize exploit use. FOXACID is an “exploit orchestrator,” a tool that automatically matches targeted computer systems with different types of exploits. As Bruce Schneier, a computer expert, notes, FOXACID “is designed to be modular, with flexibility that allows [NSA’s Office of Tailored Access Operations (TAO), now Computer Network Operations,] to swap and replace exploits if they are discovered, and only run certain exploits against certain types of targets. The most valuable exploits are saved for the most important targets. Low-value exploits are run against technically sophisticated targets where the chance of detection is high.” 

The risk of co-sales 

However, when an intelligence agency or cyber command buys exploits, rather than develops them internally, it further complicates the decision-making process around their usage. A buyer, like the NSA, can either purchase an ‘exclusive’ or ‘non-exclusive’ exploit. Exclusive purchases mean that the exploit is only sold to one client and is thus pricier. Vice versa, non-exclusive exploits can be sold to multiple clients and are cheaper.   

In the case of non-exclusive sales, the client has thus to take into consideration the chances that the exploit is sold to one or more other clients, and whether others who buy the exploit will use it discreetly.  

A tragedy of the commons 

A popular concept in economics is the “tragedy of the commons,” a situation in which individuals who have access to an open-access or unregulated resource, such as ocean fish stock, act independently according to their own self-interest and, contrary to the benefit of all users, cause depletion of the resource through their uncoordinated actions.  

A non-exclusive exploit is not an open-access resource unhampered by shared social structures. But sales of exploits to independent actors–i.e., not knowing who else owns the exploit–does create similar incentives to use the resource imprudently. It incentivizes “use it or lose it” behavior, the belief that an exploit should be used quickly before it becomes ineffective. 

This additional risk is also nonzero in the case of exclusive sales; there is no certainty that the broker does not sell it on to other actors, or that the developer does not shop it around to multiple brokers. These latter risks, however, are minimized in the case of trusted channels that carry repeated transactions between developer and broker, or broker and end user buyer.  

Buying exploits can be convenient. It may lead to targeting options that are not otherwise available. Yet, it also further complicates the decision-making of government agencies that use these purchased capabilities and introduces additional risk into the already fraught world of cybersecurity.  

Max Smeets is a Senior Researcher at the Center for Security Studies (CSS) at ETH Zurich, Director of the European Cyber Conflict Research Initiative, and author of 'No Shortcuts: Why States Struggle to Develop a Military Cyber-Force’, published with Oxford University Press and Hurst in May 2022.  

This essay is adapted from No Shortcuts: Why States Struggle to Develop a Military Cyber Force