Is the NSA Using Zero-Day Exploits before Reporting Them?

by P. H. Madore, November 10, 2015

According to the NSA, it reports zero-day security vulnerabilities to software vendors “9 out of 10 times.” The other 10% of the time, it won’t say what it does with them, but it does say there are times when the military and national security benefits outweigh the benefit of disclosing vulnerabilities to vendors.

The leaks of Edward Snowden put the agency’s name on the tip of the nation’s tongue a few years back, and research shows it could be decades before Americans know the whole story. It is no longer a question of whether the NSA and other organs of the surveillance state conduct electronic surveillance on ordinary Americans, but whether what they are doing is legal and by what means they are doing it.

The agency was not quick to explain exactly what happens to the information if it is not disclosed to the companies in question. Security has always had a few factions, and of the bad variety, there are two main bodies: the government actors and those out for personal gain. Exploiting a JavaScript vulnerability in browsers that enables one to capture saleable personal information would be an example of the latter, while what the NSA potentially does is an example of the former. For it would seem that if they are not using the exploits they discover, then there is no good justification for not disclosing them. The existence of an un-leveraged security vulnerability on the computers of foreign adversaries does no good. The only reason to leave them open is that they are being used, but then the question arises: strictly foreign, or domestic as well?

The issue raises an important question for software vendors doing business in the United States, who are very near having immunity for reporting customer data to the government. The question is, if the government is not always going to report flaws to the companies, how can the companies trust that the government will always use the data they turn over in ethical ways?

There is a bit of irony to the situation. Companies pay out millions in taxes to the federal government. In 2016, the US intelligence community will get a $3 billion raise, to about $53 billion. This money is in turn partially used to research vulnerabilities in software, and then some of those vulnerabilities are not disclosed. More than a mere breach in service, companies could rightly suffer significant losses in customer base as a result of such activities. It seems the only logical next step in the government’s current trends is to require that source code be turned over as well, even unto trade secrets. This despite the government’s checkered history with network security.

All things come out in the wash, but certainly most will agree that if the government is doing security research, it should be for the benefit of all of society, not just its own operations. Otherwise, it should leave such research to the private industry that has cropped up to do it.

Image from Shutterstock.
