So it seems the NSA doesn’t do all of its own dirty work after all. On occasion, it’s also prepared to stump up a fair bit of cash to get its hands on so-called ‘zero-day vulnerabilities’ (previously unknown bugs) that it can use to attack computer systems, according to a new freedom-of-information request.
The request was made by the public records service MuckRock, and shows that the NSA took out a contract with a notorious French company called Vupen that specializes in finding zero-day flaws in software and computer systems. Once a vulnerability has been discovered, Vupen then develops exploits and sells these to governments that wish to take advantage of them.
Not that anyone will be surprised that the NSA has taken out this kind of contract. The US government has been caught buying exploits in the past – while the Stuxnet malware that wreaked havoc on Iran’s nuclear program contained at least four different zero-day exploits that were most likely purchased from private individuals or companies like Vupen.
More surprising are the NSA’s reasons for wanting to buy such vulnerabilities, and this is where it gets a little more interesting. Thanks to Ed Snowden, we’ve learned that the NSA’s spooks are more than capable of hacking into just about any program or server as it is, but that doesn’t always serve its purposes.
According to Christopher Soghoian, principal technologist and senior policy analyst for the ACLU’s Speech, Privacy and Technology Project, the most likely reasons for the Vupen contract are so the NSA can carry out false flag and deniable cyber operations, and of course, simply to learn what other governments may know.
“There are times when U.S. special forces use AK-47s, even though they have superior guns available,” Soghoian tweeted. “Same for NSA’s Vupen purchase. Deniability.”
Vupen itself doesn’t try to hide what it gets up to, stating on its website that it works alongside “government agencies and the intelligence community.” However, as CEO Chaouki Bekrar pointed out in an interview with ThreatPost last year, Vupen insists that all customers must meet its “strict eligibility criteria,” which includes being a member or partner of NATO, ANZUS (Australia, New Zealand, United States Security Treaty) or ASEAN (Association of Southeast Asian Nations). In addition, Vupen states that its customers must also meet the United States’ “Know Your Customer” guidance, and must not be subject to any sanctions issued by the USA, EU or the United Nations.
But this doesn’t mean that the trade in zero-day security flaws is any the less controversial. While Vupen is one of the cleaner operators in this ‘industry’, it’s still attracted criticism from some quarters. Meanwhile there are plenty of other security researchers out there who’ll sell to the highest bidder without any of the restrictions that Vupen imposes.