Are cyberweapons worth it? The economics behind this clandestine market

(Image credit: Image Credit: BeeBright / Shutterstock)

The use of cyberweapons as a form of retaliation against hostile states by world governments has never been more evident. Take, for example, the US Government’s response to Iran’s downing of one of its surveillance drones in June 2019, when it reportedly disabled the Iranian computer-controlled weapons system, likely through an already established backdoor. ‘Hacking back’ is clearly in vogue.

Indeed, this type of cyberwarfare is arguably being encouraged. For example, if passed, the Active Cyber Defense Certainty Act, which is currently being debated by the US Congress, would effectively allow hacked companies to hack back against their attackers. As the US attack on Iran demonstrates, some governments already possess the tools, skills and vulnerabilities required to launch an attack on a hostile adversary, and if legislation like this is introduced in the US and perhaps beyond, it is reasonable to expect that organisations will follow suit, by developing or buying their own arsenals.

But at what cost?

A look at the costs

The market for vulnerabilities and cyberweapons is already extremely competitive. Zero-day vulnerabilities and their related exploits, especially if they affect mobile devices, are being bought for up to $2m. Indeed, legitimate exploit broker Zerodium, confirmed it would pay this amount for zero-click jailbreaks of Apple’s iOS, while it would also offer up to $1m for exploits that take over secure messaging apps WhatsApp and iMessage. Companies such as Zerodium also claim to only sell the exploits on to lawful governments.

The underground vulnerability market is perhaps even more lucrative. Here, commercially-savvy hackers can also make vast sums of money without taking huge risks. Different countries’ cyber-legislations vary considerably, so they can always find a safe harbour where there is no fear of prosecution or extradition. To provide an indication of how much money it’s possible to make, the Cyber Threat Alliance calculates that the CryptoWall virus raised hundreds of millions of dollars, with version 3 of the malware alone generating an eye-watering $325m in revenues.

Vulnerabilities that fulfil certain criteria are especially sought after and large sums are paid for them. The easier they are to exploit or the more systems or devices they will affect, the higher the price.

To generate yet more profit, those selling high-profile vulnerabilities don’t always sell to a single user. If a buyer wants exclusive use the price-tag goes up still further. An educated guess would be that the price would go up by a factor of ten, or even more.

Another game changing approach is the offer of ‘cybercrime-as-a-service’, where the cybercriminal licenses the use of a vulnerability on a shared platform, rather than selling it outright. This ‘Amazon’ style service allows for a shared knowledge of a vulnerability, with users writing recommendations for each other, and also as a way for hackers to be recruited to search for new vulnerabilities, allowing cybercriminals to generate money in even more ways.

The knock-on costs could be even higher

It’s not just the market cost of a cyberweapon that needs to be taken into consideration. The consequences of these vulnerabilities need to be factored in. Take the case of EternalBlue, for example, which was the name given to a Microsoft vulnerability ‘discovered’ by the US National Security Agency (NSA) during 2011/2012.

The NSA didn’t share its knowledge of the vulnerability with Microsoft, not at least until it was obligated to do so. Its hand was forced when a hacking group called Shadow Brokers learnt of the vulnerability and threatened to publish the files. The NSA eventually informed Microsoft about EternalBlue in March 2017, but by then, the WannaCry ransomware attack had begun to wreak havoc across the globe, exploiting this very same vulnerability.

Looking at the financial fallout of this leaked vulnerability, WannaCry and the other malware variants exploiting EternalBlue – NotPetya being its most famous successor – are estimated to have caused hundreds of millions, if not billions of pounds worth of damage. According to the UK Department of Health, WannaCry caused close to £100m worth of damage to the NHS alone.

There were many other victims too. Airplane maker, Boeing, was hit in March 2018, while chip manufacturer TSMC fell victim in August 2018. Indeed, TSMC estimated it suffered $170m worth of damage.

The ramifications from EternalBlue still aren’t over, as recent data from Shodan indicates that millions of computers connected to the internet are still vulnerable.

A new perspective

Estimating the total global damage of cybercrime each year is not easy, but some figures do exist.

Cybersecurity Ventures, in its 2019 Official Annual Cybercrime Report, predicts that cybercrime will cost $6tn globally by 2021 as cyberattacks continue to grow in size, sophistication and cost. Given that cybercrime hits corporate revenues and profits, it follows that this will have a knock-on effect on the amount of corporation tax governments can collect - currently $1.3tn globally.

A simple calculation would be to multiply the $6tn worth of damage by an average corporate income tax rate of 22 per cent. This would equal $1.32tn in taxes not realised due to reduced income related to damages or costs incurred. Interestingly, the total budget of the five largest western economies is $12.3tn, while their combined budget deficit is $1.23tn.

Governments – with their acquisition of cyberweapons for their own use, and their growing openness to their idea that companies should be able to hack back against their aggressors – are propping up and even fuelling an underground market that already costs society more than the combined budget deficits of the world’s richest nations.

It’s hard to justify the business case of this model.

Dirk Schrader, cyber resilience architect, Greenbone Networks