Sure, there is increasing State-Sponsored vulnerability research (see http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf for China-specific examples of this) as governments become more attuned to the need for both offensive as well as defensive computer security capabilities. But that’s not evidence of a Crowding Out effect–exactly the opposite, actually.

Stereotypical “Mom’s Basement” hackers are not going away just because governments are funding vulnerability research, they’re just increasing their odds of making a buck from the comfort of their dungeon lairs.

Third parties, often in the Grey Hat world or just flat-out Black Hats are being hired or commissioned to do this work. Soldiers are being trained in how to utilize these tools. The technical capabilities and available labor pool is being expanded in, I fear, the worst ways possible.

My personal opinion is that we are seeing growing pools of people for whom this kind of work is a legitimate living, and they will work for whomever is willing to pay them to do it. This is dramatically increasing the risk of running a a typically-insecure corporate network if the company has any information or intellectual property assets at all (as opposed to, say, being nothing but a dinosaur existing on rents ensured by legislative carve-outs).

The most interesting (frustrating?) aspect of this is watching what happens when soft (corporate) networks, where cost saving is king, are targeted with military-grade tools and techniques, a function of governments and corporations now sharing a common information platform.

It’s exciting, but doesn’t leave one with much hope for the future.