You're right. It's only part of the story. Another part of the story is that the cost of these attacks is so far below the noise floor of any state-level actor that raising their costs will probably have perverse outcomes. For the same reason you don't routinely take half a course of antibiotics, there are reasons not to want to deliberately drive up the cost of exploits as an end in itself. When you do that, you're not hurting NSO; you're helping them, since their business essentially boils down to taking a cut.
We should do things that have the side effect of making exploits more expensive, by making them more intrinsically scarce. The scarcer novel exploits are, the safer we all. But we should be careful about doing things that simply make them cost more. My working theory is that the more important driver at NSA isn't the mission as stated; like most big organizations, the real driver is probably just "increasing NSA's budget".
> there are reasons not to want to deliberately drive up the cost of exploits as an end in itself. When you do that, you're not hurting NSO; you're helping them, since their business essentially boils down to taking a cut.
In essence, NSO their income is (price of exploits) * (number of exploit customers).
If the price of exploits goes up, that doesn't mean their income does. That depends on how the price affects the number of customers. Governments have lots of money to spend, but generally they still have some price sensitivity. Especially the more fringe governments.
I am not sure what the effect on NSO their income would be.
My contention, which is counterintuitive and very possibly wrong, but I feel strongly enough about it to defend it on a message board, is that exploits are so cheap that state-level actors are in fact not meaningfully price-sensitive to them.
It's true that you can't charge $2MM for a Firefox exploit right now. But that's because someone else is selling that exploit for an (orders of magnitude) lower price. So NSO can't just jack up exploit prices to soak the IC.
But if all exploit prices for a target are driven up, everywhere, my contention is that the IC will shrug and pay. That's because the value per dollar for exploits is extremely high compared to the other sources of intelligence the IC has, and will remain extremely high almost no matter how high you can realistically drive their prices. The fact is that for practically every government on the planet, the dollar figures we're talking about are not meaningful.
Essentially exploits are sold massively under their "true value" and NSO doesn't get to capture this value because there are so many others giving them away for free.
It seems to me that a lot of exploits / PoCs are developed by security researchers doing it for the sport and making a name for themselves. This is probably part of the reason why exploits are so cheap.
So then the question is, how much less productive will these researchers be if building exploits gets harder.
My feeling is that they will put in roughly the same amount of time. And hence their exploit production will probably drop proportionally to how much harder exploits are to find.
We should do things that have the side effect of making exploits more expensive, by making them more intrinsically scarce. The scarcer novel exploits are, the safer we all. But we should be careful about doing things that simply make them cost more. My working theory is that the more important driver at NSA isn't the mission as stated; like most big organizations, the real driver is probably just "increasing NSA's budget".