NSA Pats Self On Back For Disclosing Vulnerabilities '90% Of The Time,' Doesn't Specify How Long It Uses Them Before Doing So

from the honest.-you'll-be-the-first-to-know-when-we're-finished-with-them. dept

The NSA likes its software vulnerabilities. There are those it discovers on its own and others it purchases from "weaponized software" dealers. There are also certain tech companies that hand over exploits to the NSA first before working on a patch for the rest of us.

Up until now, the NSA really hasn't discussed its policies regarding software vulnerabilities and exploits. A few months after the Snowden leaks began, the White House told the NSA to start informing software companies of any exploits/vulnerabilities it had discovered. The quasi-directive set no time limit for doing so and allowed the agency to withhold discovered exploits if there was a "clear national security or law enforcement" reason to do so.

While other parties have discussed the NSA's hoarding of software exploits, the agency itself hasn't. All information gathered to date has come from outside sources. Snowden provided some of the documents. The EFF knocked a couple more loose with an FOIA lawsuit against James Clapper's office.

The NSA has finally chosen to speak for itself. Its reassurances are far from reassuring.

The U.S. National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.
Disclosing nine out of ten exploits sounds good, but these disclosures are likely only occurring after the vulnerability or exploit is no longer useful.
The re-assurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former U.S. government officials. Only then does NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.
Status remains quo. National security interests still override the security interest of millions of affected users. The NSA can't keep criminals from using the same security holes it's discovered. The only way to prevent a vulnerability from being exploited by malicious parties or unfriendly state actors is to disclose it. Eventual disclosure is better than no disclosure, but it's not nearly as altruistic as the NSA's 90% disclosure rate would make it appear.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: attacks, cybersecurity, delay, disclosure, nsa, vulnerabilities


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 11 Nov 2015 @ 8:09pm

    Re:

    Of course it is clear what the criteria is:
    "about the most serious flaws it finds"

    My guess is they wait till they have a 3rd way to pwn something then report the oldest 0day for that scenario.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.