Like any government agency, the NSA hires outside companies to help it do the work it's supposed to do. But an analysis of the intelligence community's black budget reveals that unlike most of its peers, the agency's top hackers are also funneling money to firms of dubious origin in exchange for computer malware that's used to spy on foreign governments.
This year alone, the NSA secretly spent more than $25 million to procure "'software vulnerabilities' from private malware vendors," according to a wide-ranging report on the NSA's offensive work by the Post's Barton Gellman and Ellen Nakashima.
Companies such as Microsoft already tell the government about gaps in their product security before issuing software updates, reportedly to give the NSA a chance to exploit those bugs first. But the NSA is also reaching into the Web's shadier crevices to procure bugs the big software vendors don't even know about — vulnerabilities that are known as "zero-days."
Just who might the NSA be paying in this covert marketplace?
One of the most famous players in the arena is Vupen, a French company that specializes in selling zero-day exploits. A 2011 brochure made public on WikiLeaks showed Vupen boasting that it could "deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by Vupen security researchers.
"This is a reliable and secure approach to help [law enforcement agencies] and investigators in covertly attacking and gaining access to remote computer systems," the brochure continued. To take advantage of the service, governments can purchase an annual subscription. The subscription comes with a number of "credits" that are spent on buying zero-day exploits; more sophisticated bugs require more credits. In 2012, Vupen researchers who discovered a bug in Google Chrome turned down the chance to win a $60,000 bounty from the search giant, presumably in order to sell the vulnerability to a higher bidder. The company announced earlier this month that it would be opening an office in the same state as the NSA's headquarters in Fort Meade, Md.Expanding the team, the biz, the pwn: VUPEN to open a US office in Maryland soon. We'll be hiring researchers (TS/SCI-cleared) #CNO #CNA
— VUPEN Security (@VUPEN) August 6, 2013
WikiLeaks identified a total of nearly 100 companies participating in the electronic surveillance industry worldwide, though not all of them are involved in the sale of software vulnerabilities.
Zero-days are particularly effective weapons that can sell for up to hundreds of thousands of dollars each.
The market for these exists in a legal gray area. Beyond that, it's still unclear whether the NSA is actually drawing on black-market sources to bolster its network intrusion capabilities. But would it really surprise any of us if it were?