When the National Security Agency (NSA) discovers a vulnerability, it weighs a number of factors: it may withhold the vulnerability and use it to its own advantage, citing a “national security need,” or it may disclose it. Yet NSA Director Michael S. Rogers claims the agency discloses “most” of the vulnerabilities it uncovers, but not all of them.
At a public event held at Stanford University, Rogers said President Barack Obama has ordered the NSA to make public disclosure the default decision, so that vendors can patch the affected service and safeguard it from attack.
“The president has been very specific to us in saying, look, the balance I want you to strike will be largely focused on when you find vulnerabilities, we’re going to share them. By orders of magnitude, when we find new vulnerabilities, we share them,” Rogers said.
However, that will not always be the case. The NSA has to operate on two fronts: protecting American networks while still gathering intelligence from foreign ones. The agency says it needs to focus on penetrating foreign networks, privately using undisclosed vulnerabilities to gather information. It claims such vulnerabilities remain undisclosed only for a short period, after which they are disclosed to protect the public.
“He also said, look, there are some instances when we’re not going to [share vulnerability information]. The thought process as we go through this policy decision, the things we tend to look at are, how foundational and widespread is this potential vulnerability? Who tends to use it? Is it something you tend to find in one nation state? How likely are others to find it? Is this the only way for us to generate those insights we need or is there another alternative we could use?” Rogers said. “Those answers shape the decision.”
The agency making these statements is the same agency that privately exploited Heartbleed for two years, a severe vulnerability that put hundreds of millions of people and servers at risk. It is the same agency that targets and infects entire populations’ computers with malware, the same agency that threatened to fine Yahoo if it did not comply with near-illegal surveillance demands, and the same agency that reaps billions of communications daily, storing them in a convenient and easy-to-use metadata search engine. It is the same agency that has exploited several vulnerabilities for years for its own gain while they remained undisclosed.
“By orders of magnitude, the default mechanism is to share them, and most of them you will never hear about. In the immediate aftermath of Heartbleed, the first media reporting I saw said that the NSA knew about this and had been exploiting it for an extended period of time. Wrong. The seventh of April was the first we were aware of it and on the eighth of April we developed a patch and shared it with the private sector,” Rogers concluded.
Rogers took over as head of the NSA from the previous director, General Keith Alexander, who spent the vast majority of his time dealing with the revelations of Edward Snowden, an NSA whistleblower who exposed the agency’s illegal surveillance of the public.
While the agency claims to publicly disclose nearly all of the vulnerabilities it encounters, many security experts remain suspicious, as the NSA does not have a great track record with the truth. While Rogers denied the Heartbleed claims, many of the agency’s practices remain in the dark.