The United States government may be stockpiling far fewer digital arms than anyone expected, according to new research.
The study centers around “zero day” exploits, which are soft spots in product security that companies are not aware of or have not patched. Depending on the severity of a vulnerability, zero days sell on the slightly-more-legal-than-black market, known as a gray market, for tens of thousands to more than a million dollars apiece.
Governments are the primary buyers of zero days and spend vast resources researching them. Since the U.S. is not short on capital and invests heavily in its offensive cyber warfare positions, even people in the zero day business assumed it held a few hundred of these vulnerabilities.
“Today, the best, surest 0-days acquirer is the [National Security Agency], in truth a really insatiable one,” David Vincenzetti, founder and CEO of the military spyware contractor Hacking Team, wrote in one of his company’s emails leaked last year.
“Today, the largest 0-days producers are U.S. companies, possibly large U.S. defense contractors, selling their stuff directly and possibly exclusively to the NSA.”
But new research shows that might not be the case.
Jason Healey, a senior researcher at Columbia University, says the number of vulnerabilities held by the government is closer to 50.
“I don’t think this is just a surprise to the DEFCON community, however, it was a surprise to me, and other policymakers as well,” said Healey.