Is the NSA Using Zero-Day Exploits before Reporting Them?
According to the NSA, it reports zero-day security vulnerabilities to software vendors “9 out of 10 times.” The other 10% of the time, it won’t say what it does with them, but it does say there are times when the military and national security benefits outweigh the benefit of disclosing vulnerabilities to vendors.
The leaks of Edward Snowden put the agency’s name on the tip of the nation’s tongue a few years back, and research shows it could be decades before Americans know the whole story. It is no longer a question of whether the NSA and other organs of the surveillance state conduct electronic surveillance on ordinary Americans, but whether what they’re doing is legal and by what means they are doing it.
The issue raises an important question for software vendors doing business in the United States, who are very near to having immunity when reporting customer data to the government. The question is, if the government is not always going to report flaws to the companies, how can the companies trust that the government will always use the data they turn over in ethical ways?
There is a bit of irony to the situation. Companies pay out millions in taxes to the federal government. In 2016, the US intelligence community will get a $3 billion raise, to about $53 billion. This money is in turn partially used to research vulnerabilities in software, and then some of those vulnerabilities are not disclosed. Beyond a mere breach in service, companies could rightly suffer significant losses in their customer base as a result of such activities. It seems the only logical next step in the government’s current trend is to require that source code be turned over as well, even trade secrets. This despite the government’s checkered history with network security.
All things come out in the wash, but certainly most will agree that if the government is doing security research, it should be for the benefit of all society, not just its operations. Otherwise, it should leave such research to the private industry that has cropped up to do it.