Private Sector Responsible for Most 0-Days
Google's Threat Analysis Group Releases Interesting New Report
On 6 February, 2024, Google’s Threat Analysis Group (TAG) released a new report on the commercial surveillance industry and its impact on security. The report is full of useful information, but what stands out most to me is its data: of the 25 in-the-wild 0-days TAG discovered in 2023, 20 were exploited by commercial surveillance vendors. Further, of the 72 known in-the-wild 0-days affecting Google products since mid-2014, Google was able to attribute 35 to commercial surveillance vendors.
I have long said that states do not have a monopoly on violence, or on advanced cyber capabilities, in cyberspace. Until now this has largely been an acknowledgement of non-state hackers and their role in the broader ecosystem, but we are starting to have data showing that it is increasingly private, lawfully operating companies that are responsible for these exploits and are profiting from them.
Last year, Canada joined ten other countries in committing to address the proliferation of commercial spyware. This is not to say those efforts are not working, but the data does put into perspective that the problem is not strictly one of criminal enterprises. Not all spyware and surveillance software is used for criminal activity, but the exploitation of 0-days and the growing market for them degrade the entire security ecosystem. In addition, once a vulnerability has been discovered and exploited by one party, it is only a matter of time until others find it and exploit it as well.
0-days refers to zero-day vulnerabilities and the exploits for them: flaws that are actively exploited in the wild before the software’s owner knows about them or has shipped a fix, so defenders have had “zero days” to patch.