The U.S. government has become one of the largest purchasers of malware, purposefully buying computer exploits and tools to further its cyberespionage abilities.
The government, aiming to keep its library of exploits as versatile as possible, doesn't disclose its knowledge of vulnerabilities to software companies and customers.
"There has been a traditional calculus between protecting your offensive capability and strengthening your defense," NSA director Michael Hayden told Reuters in a special report. "It might be time now to readdress that at an important policy level, given how much we are suffering."
Keeping those exploits undisclosed has led to more critical cyberattacks by hackers and criminal organizations. One exploit, named Duqu, was thought to be a U.S. government exploit targeting Windows-based computers. When the vulnerability was discovered, enterprising hackers rolled the exploit into kits, which they sold on an international market. Hackers used those kits to conduct massive attacks and install viruses on vulnerable computers before Microsoft could issue a fix.
U.S. officials are increasingly worried, and vocal, about cyberattacks from overseas rivals like China. But those public fears often obscure the cyberattacks driven by the U.S. government itself. The most widely reported case of a U.S.-driven cyberattack was the virus Stuxnet, which targeted and disrupted Iran's nuclear research program by remotely damaging Iran's uranium-enriching centrifuges.
Exploits are such a lucrative market that developers who previously worked to find and patch security vulnerabilities have instead turned to selling their findings to whoever offers money. Other developers have organized, work as defense contractors, and list their offerings in catalogues.
Software companies, obviously, don't like this, but they are largely to blame for the burgeoning market because they refused to pay developers to find and submit security vulnerabilities.
"As our research costs became higher and higher, we decided to no longer volunteer for multi-billion-dollar companies," one vendor told Reuters. "Software vendors created this market by not decently paying researchers for their hard work."
Some companies, like Google and Facebook, do pay for exploits, but not nearly enough to outcompete government entities. A single exploit can go for anywhere from $50,000 to $100,000 on the grey market.
So what can these exploits do? One vendor lists its exploits in a catalog, advertising programs capable of turning iPhones into eavesdropping devices. Other programs allow Internet-connected devices, like printers, to transmit viruses through radio waves to other computers, even if the computer isn't connected to a network.