NSA says how often, not when, it discloses software flaws

Fri Nov 6, 2015 8:00pm EST

By Joseph Menn

SAN FRANCISCO (Reuters) - The U.S. National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.

The reassurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber attacks first, according to current and former U.S. government officials. Only then does the NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.

At issue is the U.S. policy on so-called "zero-days," the serious software flaws that are of great value to both hackers and spies because no one knows about them. The term zero-day comes from the amount of warning users get to patch their machines protectively; a two-day flaw is less dangerous because it emerges two days after a patch is available.

The best-known use of zero-days was in Stuxnet, the attack virus developed by the NSA and its Israeli counterpart to infiltrate the Iranian nuclear program and sabotage centrifuges that were enriching uranium.

Before its discovery in 2010, Stuxnet took advantage of previously unknown flaws in software from Microsoft Corp and Siemens AG to penetrate the facilities without triggering security programs.

A shadowy but robust market has developed for the buying and selling of zero-days, and as Reuters reported in May 2013, the NSA is the world's top buyer of the flaws. The NSA also discovers flaws through its own cyber programs, using some to break into computer and telecommunications systems overseas as part of its primary spying mission.

Some zero-days are worth more than others, depending on such factors as the difficulty in finding them and how widespread the targeted software is. While some can be bought for as little as $50,000, a prominent zero-day broker said this week that he had agreed to pay $1 million to a team that devised a way to break into a fully updated Apple iPhone. Chaouki Bekrar, of the firm Zerodium, told Reuters the iPhone technique would "likely be sold to U.S. customers only," including government agencies and "very big corporations."

Government officials say there is a natural tension as to whether zero-days should be used for offensive operations or disclosed to tech companies and their customers for defensive purposes.

A police car blocks one of many entrance points into the National Security Administration facility in Fort Meade, Maryland March 30, 2015. REUTERS/Gary Cameron