Hacker News

Thankfully those who shut down biological weapons development in the DoD didn't follow the same logic. Purely from a strategic perspective: defense costs much more than offense; it doesn't make sense for a superpower to spend more on offense than defense when their potential adversaries can't afford to defend themselves against low-cost attacks.


As regards software security vulnerabilities, defensive spending in the USG utterly and completely dwarfs offensive spending.

The median venture capitalist in the valley could outspend the US --- actually, probably the world --- on vulnerability acquisition. But there probably isn't an investor and there may not be a single tech company that outspends the USG on defensive security acquisitions.


I'd really love to know how you know this. I can think of a handful of very public DARPA, NIST, USN and NSA programs that are dedicated to hardening (most are little more than academic curiosities, measured in millions) - whereas the NSA's black budget (measured in billions) easily dwarfs those. Are you saying that the NSA is secretly spending large sums of money on hardening software outside of their black cube?

I don't disagree on the lack of private hardening spending, which is really beside the point, because obviously there is very little incentive for a company when all they have to do is budget for useless CYA lifelock service.


And? What do you think they're spending those billions on? Giant computing centers in Utah and all the signals intelligence the entire country does --- all the satellites, all the undersea cable taps, all the deployments of hardware implants on Chinese military computers.

Exploit development is a rounding error in that budget.


Satellites and undersea cable taps fall to the NRO and the USN, though I'm sure the NSA pays for some of it. That is beside the point, though; the issue is the exploit-to-hardening ratio, not the exploit-to-everything-else ratio.


Yes, and the USG (and DOD) spend vastly more on hardening than on offensive security. By orders of magnitude; note plural. Both in opex and (particularly) capex.

Is the money being spent wisely? Different question. But: nobody really knows how to effectively spend 100MM on hardening (a nice round number I picked at random).


Nothing would make me happier than to be able to take your word for it, but I think your definition of "hardening" might be incredibly broad. DoD funding Ada development, SELinux, rainbow series, cyber grand challenge - hardening. DoD buying firewalls and maintaining Oracle licenses isn't hardening.


Yes, it is.

You're redefining "hardening" to "hardening I agree with".


No, it isn't - it is basic network administration, and it does nothing to advance the state of the art. That is a bad faith interpretation, especially when considered in the context of offensive development. You're putting license maintenance in the same category as TCSEC, which broadens "hardening" to the point of losing all meaning - hell, throw in the cost of electricity to power the firewalls.



