Firstly, as barbarousrelic mentioned it is the NSA, as opposed to the CIA, who command most of the available computing power. However, from what I can gather, both are believed -- at least in the past -- to command similar budgets [1].
So, how much computing power could they command? Well, firstly, supercomputers are off the list. A Top 500 supercomputer, the CX2 at Imperial College London has around 10,000 cores (Intel Core 2 era) [2]. Lets say each core can do 1mhash/s; this gives us ~10ghash/s. Compare this to a high end GPU (one 'core') which can do 150mhash/s. We break even at around 70 GPUs (or 45 if we use dual-GPU cards, even less if we overclock).
In other words: forget supercomputers; they're out.
So, what can take on a GPU? Well, lets take a look at some dedicated FPGA's (field programmable gate arrays). The NSA@Home project uses 15 Virtex-II Pro FPGA's (originally intended for video transcoding) to crack SHA1 and MD5 hahes. The result is claimed to be equivalent to 1500 AMD FX CPUs and requires on the order of 240 W [3].
When analysing this two points are key. Firstly, the FPGAs used are not even close to state of the art. More modern FPGAs will not only be capable of doing an entire SHA256 round in a single cycle but will also be clocked higher. Secondly, the board on which they are mounted was not designed for hashing -- but rather transcoding. Now, the FPGAs are not cheap (however, I can't find a price for the specific model used in NSA@Home which appears to have been discontinued,) but they can be retooled (so are something of a long term investment for an agency).
If a large quantity are required it becomes cheaper to fab an ASIC. The cost for such an operation is easily in the $ mln range, but is far cheaper when it comes to bulk production.
Given a reasonable five-figure sum I am confident that in 3-6 months I could have a working FPGA for bitcoin mining. Even less if existing SHA256 IP were used. A simple Google search for "SHA256 FPGA" will show that there is no shortage of existing work, from both academia and industry, on the subject. It requires expertise and is far from trivial, but definitely doable.
It is therefore almost certain that if the NSA (or others) wanted to attack bitcoin they could do so. It would probably take no more than a month to retool their existing FPGAs and bring them online. While I will not speculate as to the theoretical hashing power I would expect it to be in the thash/s -- easy. Such capabilities are also in reach of multinationals with expertise in the field of integrated circuits or even well funded individuals with too much time (and hardware!) on their hands.
Regards, Freddie.
[1] -
http://www.fas.org/irp/commission/budget.htm (Outdated.)
[2] -
http://www3.imperial.ac.uk/ict/services/teachingandresearchservices/highperformancecomputing[3] -
http://nsa.unaligned.org/index.php