The article says that although "you can't have perfect security," you can make it uneconomical to hack you. It's a good point, but it's not the whole story.
The problem is that state-level actors don't just have a lot of money; they (and their decision makers) also put a much much lower value on their money than you do.
I would never think to spend a million dollars on securing my home network (including other non-dollar costs like inconveniencing myself). Let's suppose that spending $1M would force the US NSA to spend $10M to hack into my home network. The people making that decision aren't spending $10M of their own money; they're spending $10M of the government's money. The NSA doesn't care about $10M in the same way that I care about $1M.
As a result, securing yourself even against a dedicated attacker like Israel's NSO Group could cost way, way more than a simple budget analysis would imply. I'd have to make the costs of hacking me so high that someone at NSO would say "wait a minute, even we can't afford that!"
So, sure, "good enough" security is possible in principle, but I think it's fair to say "You probably can't afford good-enough security against state-level actors."
Whether $10M is a lot of money to the NSA or not is also only part of the story. The remaining part is how much they value the outcome they will achieve from the attack.
That reminds me somehow of an old expression: If you like apples, you might pay a dollar for one, and if you really like apples you might pay $10 for one, but there's one price you'll never pay, no matter how much you like them, and that's two apples.
You're right. It's only part of the story. Another part of the story is that the cost of these attacks is so far below the noise floor of any state-level actor that raising their costs will probably have perverse outcomes. For the same reason you don't routinely take half a course of antibiotics, there are reasons not to want to deliberately drive up the cost of exploits as an end in itself. When you do that, you're not hurting NSO; you're helping them, since their business essentially boils down to taking a cut.
We should do things that have the side effect of making exploits more expensive, by making them more intrinsically scarce. The scarcer novel exploits are, the safer we all are. But we should be careful about doing things that simply make them cost more. My working theory is that the more important driver at NSA isn't the mission as stated; like most big organizations, the real driver is probably just "increasing NSA's budget".
> there are reasons not to want to deliberately drive up the cost of exploits as an end in itself. When you do that, you're not hurting NSO; you're helping them, since their business essentially boils down to taking a cut.
In essence, NSO's income is (price of exploits) * (number of exploit customers).
If the price of exploits goes up, that doesn't mean their income does. That depends on how the price affects the number of customers. Governments have lots of money to spend, but generally they still have some price sensitivity. Especially the more fringe governments.
I am not sure what the effect on NSO's income would be.
My contention, which is counterintuitive and very possibly wrong, but I feel strongly enough about it to defend it on a message board, is that exploits are so cheap that state-level actors are in fact not meaningfully price-sensitive to them.
It's true that you can't charge $2MM for a Firefox exploit right now. But that's because someone else is selling that exploit for an (orders of magnitude) lower price. So NSO can't just jack up exploit prices to soak the IC.
But if all exploit prices for a target are driven up, everywhere, my contention is that the IC will shrug and pay. That's because the value per dollar for exploits is extremely high compared to the other sources of intelligence the IC has, and will remain extremely high almost no matter how high you can realistically drive their prices. The fact is that for practically every government on the planet, the dollar figures we're talking about are not meaningful.
Essentially exploits are sold massively under their "true value" and NSO doesn't get to capture this value because there are so many others giving them away for free.
It seems to me that a lot of exploits / PoCs are developed by security researchers doing it for the sport and making a name for themselves. This is probably part of the reason why exploits are so cheap.
So then the question is, how much less productive will these researchers be if building exploits gets harder.
My feeling is that they will put in roughly the same amount of time. And hence their exploit production will probably drop proportionally to how much harder exploits are to find.
> The problem is that state-level actors don't just have a lot of money; they (and their decision makers) also put a much much lower value on their money than you do.
They also have something else most people don't have: time. Nation-states and actors at that level of sophistication can devote years to their goals. This is reflected in the acronym APT, or Advanced Persistent Threat. It's not just that once they have hacked you they'll stick around until they are detected or have everything they need, it's also that they'll keep trying, playing the long game, waiting for their target to get tired or make a mistake, and fail to keep up with advancing sophistication.
In your example, you spend $1M on your home network, but do you keep spending the money, month after month, year after year, to prevent bitrot? Equifax failed to update Struts to address a known vulnerability, not just because of cost but also time. It's cost around $2 billion so far, and the final cost might never really be known.
Most organizations should not really be factoring state level actors into their risk assessment. It just doesn't make sense. If you are an actual target for state level actors you likely will know about it. You will also likely have the funding to protect yourself against them. And if you can't, that isn't a failing of your risk assessment decision making.
An illustrative counterexample of "if you are an actual target for state level actors you likely will know about it" is the case of Intellect Services, a small company (essentially, father and daughter) developing a custom accounting product (M.E.Doc) that assists preparation of Ukrainian tax documents.
It turned out that they were a target for state level actors, as their software update distribution mechanism was used in a "watering hole attack" to infect many companies worldwide (major examples are Maersk and Merck) in the NotPetya data destruction (not ransomware, as it's often wrongly described) attack, causing billions of dollars in damage. Here's an article about them https://www.bleepingcomputer.com/news/security/m-e-doc-softw...
In essence, you may be an actual target for state level actors not because they care about you personally, but because you just supply some service to someone whom they're targeting.
I did say "likely know". The point was not so much who the targets of state level actors are, but if you are a target there is not much you can do about it. The resources they can invest, especially against a smaller but more critical company, are orders of magnitude more than that organization can afford to defend against. There just isn't a lot you can do practically to defend yourself from those kinds of threat actors at a smaller business. I think medium to large businesses have way more tools at their disposal.
As a security engineer at a semi large American company, we factor in state actors. We do tool for, and routinely hunt for, nation state actors.
Most people I know, even those in mid size businesses, tool for and hunt for nation state TAs as well. It's just something you have to do. The line between ecrime and nation state is sooooo thin, you might as well. Especially when you're talking about NK, where you have nation state level ecrime.
The corresponding agencies in China and Russia, obviously. But usually a state-level actor wants deniability, which is where the "grey area" hacker teams come in (groups that appear to be state actors but this can be difficult to prove).
Meanwhile, the biggest state-level actors are developing offensive capabilities at the scale of "we can wipe out everything on the enemy's entire domestic network" which includes thousands of businesses of unknown value. The same way strategic nuclear weapons atomize plenty of civilian infrastructure.
Sure, in that kind of event, an org might be more concerned with flat out survival. But you never know if you'll be roadkill. And once that capability is developed, there is no telling how some state-level actors are connected to black markets and hackers who are happy to have more ransomware targets. Some states are hurting for cash.
> So, sure, "good enough" security is possible in principle, I think it's fair to say "You probably can't afford good-enough security against state-level actors."
I don't think so.
State level actors also have limited resources (and small states have very limited resources), and every time they deploy their tools, they risk that they get discovered and analyzed and added to the antivirus heuristics and with that rendered almost worthless. Or they risk the attention of the intelligence agencies of your state. When that happens, heads might be rolling, so the heads want to avoid that.
So if there is a state level group looking for easy targets for industry espionage, and they find tough security, where it looks like people care, I would say chances are that they go look for easier targets (of which there are plenty).
Unless of course there is a secret they absolutely want to have. Then yes, they will likely get in after a while, if the state backing it is big enough.
But most hacking is done on easy targets, so "good enough" security means not being an easy target, which also means not getting hacked in most of the cases. That is the whole point of "good enough".
This reminds me of the US's program against the Soviet Union in Afghanistan (or at least one fictionalised version of it). Supposedly the pitch for funding involved the cost of a US Stinger missile being much less than the cost of a Soviet helicopter. If it's an effective means to force a rivalrous actor to waste money, the fact that the decision makers don't care about the money they spend could be a counterattack vector.
> The problem is that state-level actors don't just have a lot of money; they (and their decision makers) also put a much much lower value on their money than you do.
I think you have a false perception of the budgetary constraints mid-level state actors are dealing with. Most security agencies have set budgets and a large number of objectives to achieve, so they'll prioritize cost-effective solutions/cheap problems (whereby the cost is both financial and political but finances act as hard constraint). Germany actually didn't buy Pegasus largely because it was too expensive.
Without Pegasus, Morocco's security apparatus probably wouldn't have the resources otherwise to target such a wide variety of people, ranging from Macron to their own king.
Sure, there might be other theoretical concerns beyond just getting to “uneconomical”, but they are all basically irrelevant compared to the fundamental economical problem that you do not spend $1M to force the attacker to spend $10M, you spend $100M to make the attacker spend $1M. We need to start by improving systems by 10,000% to fix that problem before worrying about minutiae like relative willingness to pay.
For the likes of NSO there is no “we can’t afford that,” there is only “your Highness, this will cost $MUCH” and for, say, Saudi Arabia the boss might not even blink.
"Secure" and "uneconomical" are generally equivalent. A door lock is an _economic_ instrument, that just happens to leverage the laws of physics in its operation. If the NSOs of the world are your enemy, and they are by definition of having you on their list, then you must wisely expend your energy on making their attack more costly or else get eaten.
> I'd have to make the costs of hacking me so high that someone at NSO would say "wait a minute, even we can't afford that!"
Not really. You just have to make what just happened happen a couple more times and they are finished. If they can't protect their data they have no business; their reputation is destroyed and there's no point in hiring them if a week later the list of the people you are spying on leaks. Turn the game around: info security is asymmetric by definition, it's a lot easier to attack than to defend. As a defender you need to plug all possible holes, but if you become the attacker you just need to find one.