
Well they could pretty easily demonstrate that only a state actor could pull off an attack like this in an objective manner. If it takes state-level resources to breach their systems, then they can just announce and put out an open prize for anybody who can breach their systems that pays out less than state-level resources. If it actually takes state-level resources to breach their systems, but pays out less than that, then it would be unprofitable for people to claim their prize and provide pretty good evidence for their security. However, if somebody does claim the prize, then we can reasonably assume that their security level is less than the prize as it is profitable for somebody to claim the prize despite the unknown level of risk involved in a blind uncontracted penetration test.

So, what do we all think would be a level of resources that only a state could support? I think we can just start somewhere pretty low like $1,000,000,000. Fortune 500 companies and many criminal organizations could reasonably afford that, but the total number of organizations is still pretty limited, so it is probably a good lower bound. I do not think we can go much lower because if we drop down to $100,000,000 then even FireEye, which is not a Fortune 500 company, could theoretically fund such a venture with its revenue of $890,000,000.

Okay, so starting with "only a state" resource level of $1,000,000,000, we should probably divide it by 10 to make it highly unlikely people will do it just to prove they can even if it is unprofitable to get the prize. That leaves us with a simple open prize of $100,000,000 for the first person to demonstrate that they can breach their systems. If nobody claims the prize, then it is highly likely that this attack would take a state-level actor. If somebody does claim the prize, then it is probably doable by somebody who is not a state-level actor. This would provide an unbiased answer about the truth of their implications. If they think such a prize is too high, then they can just set it to a lower X that will give us an unbiased answer to the question: "Does it take more than X resources to breach their systems?"




This is a very peculiar thought experiment.


Indeed. It would, however, provide very strong evidence for most such claims. The primary problem with actually implementing it in general is the risk of getting unlucky if you have a very large payout. Say you claim $100,000,000,000. Even if it is an accurate assessment, somebody could randomly luck into a vulnerability that would normally actually take $100,000,000,000 to find and suddenly you are dead since it is highly unlikely you are one of the few companies that can actually survive such a payout. You could alleviate that to some degree with insurance in the middle range, but it is highly unlikely that would work at the very high payouts. Luckily, in this case, a payout of $100,000,000 is actually within FireEye's reach given their revenue and market cap. In fact, they lost more in market cap on this breach news than such a payout. So, if their claims are actually true, this is an entirely feasible and useful demonstration to run.

Personally, I think if they actually announced a $100,000,000 prize they would be breached within a week on the outside. At $100,000,000 people can burn dozens to hundreds of zero-days to be the first to get the payout and still come out ahead. Even at $10,000,000 I doubt they would last more than 1 month. At $10,000,000 the prize would be the most attractive bounty in the entire industry by a factor of 3-10x and people could still burn some zero-days and still come out ahead.


> It would, however, provide very strong evidence

No it wouldn't, because--

> the risk of getting unlucky

-- oh, you do understand. Why are you proposing this again?


Because you can use statistics to analyze random events. A claim that your system requires resources on the order of $100,000,000 to breach can be converted, assuming a rate of $300,000/engineer-year, to a statement like: "Your system will require on average 300 engineer-years to breach." If the first person who tries is able to breach your system after 1 engineer-year, that is an indication that maybe your calculations are incorrect. If it happens again after 1 engineer-year, then you have almost absolutely incorrectly determined your true failure rate. If it repeatedly happens over and over again, then you are wrong and, conveniently, you will promptly go out of business as people arbitrage your lies. If, however, your analysis is correct, then the probability of getting unlucky multiple times relative to your true failure rate is highly unlikely and the outcomes will stabilize in the long run. Assuming you did not set the payout so high as to be instant death, which I did suggest in FireEye's case as FireEye can, in fact, support a $100,000,000 payout, it provides a relatively sound, objective, statistical basis for inferring the actual cost.
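The inference the comment above sketches, written out as an added example (this is not code from any commenter in the thread). It assumes the comment's $300,000/engineer-year rate, models the effort needed to find a breach as a memoryless exponential distribution with the claimed mean, and uses constructed sample data (two breaches observed after one engineer-year each) to show how quickly such observations make the claimed cost implausible and what cost they imply instead. The function and variable names are the example's own.

```python
import math

# Assumed conversion rate from the comment: dollars per engineer-year.
ENGINEER_YEAR_USD = 300_000


def claimed_effort_years(claimed_cost_usd, rate_usd=ENGINEER_YEAR_USD):
    """Turn a claimed breach cost in dollars into a mean effort in engineer-years."""
    return claimed_cost_usd / rate_usd


def p_breach_within(effort_years, mean_effort_years):
    """Probability of a breach within `effort_years` of search effort.

    Assumption: search effort to first breach is exponentially distributed
    (memoryless), so P(T <= t) = 1 - exp(-t / mean).
    """
    return 1.0 - math.exp(-effort_years / mean_effort_years)


def p_all_within(observed_efforts, mean_effort_years):
    """Probability that several independent attempts each succeed within
    the effort actually observed for them, if the claimed mean is true."""
    p = 1.0
    for e in observed_efforts:
        p *= p_breach_within(e, mean_effort_years)
    return p


def mle_mean_effort(observed_efforts):
    """Maximum-likelihood estimate of the mean effort under the exponential
    model: the sample mean of the observed efforts."""
    return sum(observed_efforts) / len(observed_efforts)


def implied_cost_usd(observed_efforts, rate_usd=ENGINEER_YEAR_USD):
    """Dollar cost implied by the observed efforts (MLE mean times rate)."""
    return mle_mean_effort(observed_efforts) * rate_usd


def log_likelihood_ratio(observed_efforts, claimed_mean, alt_mean):
    """log L(claimed_mean) - log L(alt_mean) for the exponential model,
    density f(x) = exp(-x / m) / m. Negative means the data favour alt_mean."""

    def loglik(m):
        return sum(-math.log(m) - e / m for e in observed_efforts)

    return loglik(claimed_mean) - loglik(alt_mean)


def evaluate_claim(claimed_cost_usd, observed_efforts):
    """Summarise how the observed breach efforts compare to a claimed cost."""
    claimed_mean = claimed_effort_years(claimed_cost_usd)
    return {
        "claimed_mean_years": claimed_mean,
        "p_observations_if_claim_true": p_all_within(observed_efforts, claimed_mean),
        "mle_mean_years": mle_mean_effort(observed_efforts),
        "implied_cost_usd": implied_cost_usd(observed_efforts),
        "llr_claim_vs_mle": log_likelihood_ratio(
            observed_efforts, claimed_mean, mle_mean_effort(observed_efforts)
        ),
    }


if __name__ == "__main__":
    # Constructed sample: the system was breached twice, each after one
    # engineer-year of effort, against a claimed $100,000,000 breach cost.
    report = evaluate_claim(100_000_000, [1.0, 1.0])
    for key, value in report.items():
        print(f"{key}: {value:.6g}")
```

With the constructed data the claimed mean is about 333 engineer-years, the chance of seeing both breaches that early if the claim were true is under one in a hundred thousand, and the implied cost is the $300,000 of one engineer-year; the log-likelihood ratio is strongly negative, which is the quantitative form of "you have almost absolutely incorrectly determined your true failure rate". A single early breach is much weaker evidence (roughly a 0.3% event under the claim), which is exactly the "getting unlucky" risk raised earlier in the thread.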


Ah. The premise of "let people hack you, and pay out a bounty, not just once but dozens of times so you get decent statistics" was not explicit in your proposal, but definitely makes it even less attractive.


I'd counter with the following argument.

I believe not a single cyber offensive op performed by a nation state had a budget of $1B. I'd say $1M is an upper bound here. Cyber warfare is used because it's cheap.


My comment is not arguing whether a state actor breached FireEye, but whether only a state actor could breach FireEye as they are implying as nobody else could fund or develop such a "sophisticated" or "advanced" attack. If it is at most $1M as you say, then you are actually agreeing with me as that would hardly constitute something that only a "state actor" could do given that literally any mid-sized business, of which there are millions, could support such an expense. To actually demonstrate that it is so difficult to develop that "only a state actor" has the resources to develop/deploy such an attack should require demonstrating that it is out of reach for all but a state actor for which a $1B budget is likely a good bottom-end as only a very small number of non-state entities can actually support such an effort. I hope that clarifies my point.


Specialized custom work is expensive.

I doubt Stuxnet cost only $1M.

Licensing costs for law enforcement "remote access tools" (state trojans) can be millions (distributed among dozens of uses, but IMHO easy to see spending as much on a high-value single use).

From the wiki article about the iPhone-encryption debate: "On April 7, 2016, FBI Director James Comey said that the tool used can only unlock an iPhone 5C like that used by the San Bernardino shooter, as well as older iPhone models lacking the Touch ID sensor. Comey also confirmed that the tool was purchased from a third party but would not reveal the source, later indicating the tool cost more than $1.3 million and that they did not purchase the rights to technical details about how the tool functions"


Yes, Stuxnet probably cost more. But Stuxnet was a higher level op, the target was also a nation state.

In this case they went after the tools to avoid detection and/or attribution in future ops. They could instead contract a company like their victim to develop such tools from scratch for about $10M.

Also, we're talking about nation states other than US.



