To The NSA, The Word 'Security' Is Synonymous With 'Gaping, Unpatched Holes In US Developers' Software'

from the Vulnerability-EXPLOITATION-Process dept

A former Defense Intelligence Agency officer has taken to LinkedIn to point out to all of us griping about the broken Vulnerability Equities Process — exposed by hackers holding NSA zero-days — have it all wrong. Michael Tanji says the NSA isn’t here to protect developers from malicious attacks. It never was and it’s never going to be.

Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.

Suck it up, Cisco. That gaping hole uncovered by the Shadow Brokers was discovered at least three years ago by the NSA and if it chose not to tell you about it, it had its reasons. Namely: national security.

The Obama administration made sympathetic noises in the wake of the Snowden leaks, suggesting the NSA err on the side of disclosure. It simultaneously gave the agency no reason to ever do that by appending “unless national security, etc.” to the statement.

But part of the phrase “national security” is the word “security.” (And the other part — “national” — suggests this directive also covers protecting US companies from attacks, not just the more amorphous “American public.”) Allowing tech companies who provide network security software and hardware to other prime hacking targets to remain unaware of security holes doesn’t exactly serve the nation or its security. So, while Tanji may claim the NSA isn’t in the QA business, it sort of is. The thing is the NSA prefers to exploit QA issues, rather than give affected developers a chance to patch them.

And if an NSA operative left behind a bag of tech tools in a compromised server, it really doesn’t do much for the argument that the government can be trusted with encryption backdoors — the sort of thing FBI Director James Comey is still hoping will materialize as a result of his never ending “going dark” sales pitch. Julian Sanchez, writing for Cato, points out the NSA’s mistake should lead to some pretty severe trust issues.

This hack also ought to give pause to anyone swayed by the government’s assurances that we can mandate government backdoors in encryption software and services, allowing the “good guys” (law enforcement and intelligence agencies) to access the communications of criminals and terrorists without compromising the security of millions of innocent users. If even the NSA’s most closely guarded hacking tools cannot be secured, why would any reasonable person believe that keys to cryptographic backdoors could be adequately protected by far less sophisticated law enforcement agencies? The Equation Group hack is a disturbingly concrete demonstration of what network security experts have been saying all along: Once you create a backdoor, there is no realistic way to guarantee that only the good guys will be able to walk through it.

So, that’s one huge problem with both the hoarding of exploits and the NSA’s refusal to actually participate in the Vulnerability Equities Process. The definition the NSA has chosen for “national security” doesn’t mesh with statements made by its cybersecurity overseers.

Back in 2014, federal cybersecurity coordinator Michael Daniel insisted in a post on the White House blog that the process is strongly weighted in favor of disclosure. The government, he assured the public, understands that “[b]uilding up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”

Maybe things have changed in the past couple of years, but they haven’t changed as much as Michael Tanji claims. He states that the NSA is no longer charged with playing cyber-defense.

The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.

That’s simply not true. The NSA may secretly wish it had been completely rerouted to “attack” mode. That would more easily justify the hoarding of vulnerabilities and its ongoing refusal to hand over info to affected developers. But it’s still supposed to be playing defense — which means it has an obligation to both the American public who use software/hardware the NSA would rather see left unpatched, as well as the developers it’s purposefully leaving open to malicious attacks.

The NSA has decided the best way to handle these competing directives is to muddy the waters by making them inseparable.

Because computers are now the easiest way to spy on people, and because everyone — even U.S. adversaries — uses the same Internet, there has long been what officials like to call a “healthy” or “creative” tension between the foreign espionage mission and the information assurance mission of the NSA.

Crudely put, the IA’s cyber mission is to find security holes in Internet infrastructure and common software and patch them; the signals intelligence mission is to find the same holes and keep them open as long as possible so they can be used to spy on foreigners.

When the two directorates merge, some fear that the much larger and better funded signals intelligence mission will simply absorb the IA mission.

As it stands now, the offensive side of the NSA’s cybersquad is roughly twice the size of its defensive team — which clearly indicates which end of the equation the NSA believes is more important to its national security mission.

The NSA’s actions in regards to the Vulnerability Equities Process shows it believes some forms of national security are more equal than others. It’s far more interested in ensuring its collections continue to be fed than it is with patching security holes — holes it has often created — that affect millions of US citizens and dozens of hacker-tempting firms.

It also shows the government is not to be trusted when it demands “good guy only” access. It can’t protect the backdoors it’s already created and it has only the slightest interest in protecting the nation from the bad guys that will inevitably find its secret entrances.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “To The NSA, The Word 'Security' Is Synonymous With 'Gaping, Unpatched Holes In US Developers' Software'”

Subscribe: RSS Leave a comment
I.T. Guy says:
They may want to revisit their Mission Statement again.

Core Values
Honesty – We recognize that national leaders and the American people at large have placed great trust in us, and we strive at all times to be deserving of that trust. We will be truthful with each other, and honor the public’s need for openness, balanced against national security interests.
Respect for the Law – Everything that we undertake in our missions is grounded in our adherence to the U.S. Constitution and compliance with U.S. laws and regulations that govern our activities.
Integrity – We recognize that national leaders and the American people at large have placed great trust in us, and we strive at all times to be deserving of that trust. We will behave honorably and apply good judgment as we would if our activities were under intense public scrutiny.
Transparency – We embrace transparency to the fullest extent possible. We never forget that we, too, are Americans and that every activity we engage in is aimed at ensuring the safety, security, and liberty of our fellow citizens.

Lord_Unseen (profile) says:


It’s wrongheaded for the NSA not to disclose vulnerabilities it finds. Even if their only job was “keeping Uncle Sam secure, not Wal-Mart,” which would be a really stupid objective, keeping vulnerabilities secret in security products would mean the government itself is more vulnerable. Kind of stupid all around, if you ask me.

Anonymous Coward says:

Arrogance at the NSA, who would have thought

Citizens exist to create their own information, analyze it, and deliver their findings to themselves so that they can make decisions about how to deal with purchases. Period. You can, and citizens often do, dress this up and expand on it in order to motivate their own purchases, or more likely grab more money and authority about their purchases from their spouse, but when it comes down to it, retaining and making sense of their own information and network communications is their own business, not the governments. Providing the NSA access to all of a citizens personal information is not the mission of that citizen. Citizens owe the NSA nothing and that is what the NSA should get.

That One Guy (profile) says:

Can anyone say 'Conflict of interest'?

The idea that the same agency should handle both offense and defense is beyond absurd, and a recipe for disaster from the get-go. Each vulnerability found and patched by the defense team is a vulnerability that the offensive team can’t use, so it’s a given that whichever gets higher priority(offense in this case) is going to be calling the shots.

It wouldn’t surprise me in the least if the ‘defensive’ half had basically just been re-purposed into finding and then reporting vulnerabilities to the offensive side, rather than fixing those vulnerabilities, given it’s pretty obvious at this point that the only security the NSA cares about is their own, meaning the more vulnerabilities in other systems the better from their point of view.

Anonymous Coward says:

Re: Can anyone say 'Conflict of interest'?

That and the fact that since Sept 2001, they have been grabbing everything possible on everyone possible. The current president was not protected in any way at the time and any blackmail gathered prior to him becoming a senator, is still useful to ensuring the intelligence community gets exactly what they want. The way that the government has turned everything on its head to allow them to do whatever they want, makes it at least plausible that they are now the ones running the show.

The Wanderer (profile) says:

Re: Can anyone say 'Conflict of interest'?

On the other hand, if you split attack and defense into two agencies, there becomes room for the funding levels of the two to diverge; you could easily wind up with the “attack” agency getting far more funding than the “defense” one, to the point where the latter can’t effectively do its job.

Combine that with the fact that you’d end up with two separate organizations spending money to do duplicate research into the same thing – security vulnerabilities – and it’s easy to see why someone might decide that having a single agency with both mandates is the better alternative.

If the oversight weren’t so biased in favor of the attack side, it might even have worked out.

Matthew A. Sawtell (profile) says:

If 'protecting Uncle Sam' is the objective...

… then it appears that mission has been a failure if the NSA failed to inform its sister security agencies (FBI, DEA, ICE, etc.) that the equipment they were using was faulty and exploitable, let alone the branches of the Military. Heck, Point 8 in the report that was released in the wake last year’s breach at the OPM ( gives the air to that idea.

Lesath says:

National Security is not the same as Government Security

The problem is that people in government have come to believe that, instead of the government serving the national interest, it *is* the national interest. Thus, “national security” becomes “government security” where the highest priority is protecting the government itself, not the nation.

Power corrupts.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...