By: Geneva Bass
The market for zero-days began with $10 and a pair of crocodile cowboy boots. In 2002, a Texan named John P. Watters bought the cybersecurity company iDefence for an Alexander Hamilton and the determination to restore profitability after months of hemorrhaging millions.
A zero-day is a computer-software vulnerability. It’s a bug, an undiscovered mistake in code. Its name originates from the fact that once a zero-day becomes known, the code developer has exactly zero days to fix it before it can be exploited.
Under the direction of Watters in 2003, iDefence built its competitive advantage on alerting its clients to vulnerabilities it discovered by paying hackers zero-day bounties. IDefence became the first company to publicly offer bounties for zero-days. Their first zero-days were bought for a mere $75 apiece.
A black market quickly emerged, then a grey market as nation-states entered the fray. Two decades later, prices now range from a few hundred dollars for minor bugs to $2.5 million for a single Apple iOS exploit.
The majority of zero-days today are no longer purchased to secure systems; instead, they are bought to exploit them. The contemporary market for zero-days has far outstripped its iDefence infancy. Nearly every nation-state is now a player, even Finland.
The United States and Israel deployed the first cyberweapon in 2010 when they almost single-handedly and invisibly crippled the Iranian nuclear program with a string of seven Microsoft and Siemens zero-days known as Stuxnet.
When Bush transferred the presidency to Obama, he urged Obama to continue two classified programs. One was called Olympic Games, the codename for the Stuxnet operation. If the Stuxnet code had not escaped the Iranian nuclear facility in summer 2010, Iranian nuclear ambitions would probably have been successfully and remotely neutralized. After Stuxnet, the cyber arms race began. In the wake of Stuxnet, the IRGC alone increased its cyber force budget from a mere $76 million to over $1 billion.
By 2012, the US budgeted at least $14 billion for Cyber Command. The number today is likely far higher. Billions of taxpayer dollars fund national security budgets that leave taxpayers vulnerable; while nation-states such as the United States stockpile zero-day exploits to code into cyberweapons and cyberespionage, the government’s failure to alert technology companies to the vulnerabilities in their code leaves citizens vulnerable to cyberattack.
The NSA’s first answer to aggressive cybersecurity offensive leaving the American public more vulnerable was the Nobody But Us (NOBUS) system. The premise of NOBUS was that the NSA would turn over zero-days it believed its adversaries had the cyber power to discover and use to attack the American public. However, this system was not largely implemented (as later evidenced by Shadow Brokers leaks of NSA Cisco firewall zero-days). Furthermore, the US is no longer the eminent player in the zero-day market; the field has leveled, and American adversaries have gained cyber power that renders NOBUS irrelevant.
2021 recorded the most zero-day cyberattacks in history. By the close of 2021, estimates of cybercrime damages topped $6 trillion USD. If cybercrime was a country, it would tail the US and China as the world’s third-largest economy.
On Ukraine’s Constitution Day in 2017, Russia carried out the most destructive cyberattack in history. It launched leaked NSA cyberweapons into Ukraine that shut down nearly all technology: Ukrainians could not withdraw from ATMs, purchase groceries, buy train tickets, mail, be paid, or even monitor radiation levels at Chernobyl. Ukrainian screens went black in ominous warming from the Kremlin. Damages tallied in the tens of billions USD.
In August 2019, Google’s Project Zero discovered spyware constructed with iOS zero-days planted on many websites sympathetic to China’s Uighur Muslim population. Anyone who visited the sites, even an American college student, would have Chinese surveillance technology downloaded onto their device. A similar Chinese cyber campaign has been uncovered against Tibetans.
The fifth-largest bank robbery of all time was conducted by the North Korean zero-day cyberweapon “WannaCry” in 2017 when it made a $1 billion transfer request from the New York Fed. Although a spelling error prevented it from receiving the entire request, it was still able to heist $81 million.
Terrorist attacks cost the global economy an estimated $38 billion in 2018. By some estimates, cybercrime cost the global economy over $2 trillion in the same year. The market for zero-days that began with crocodile cowboy boots and a directive to secure computer systems has morphed into one of the largest, most invisible arms markets in the world.