The National Security Agency has apparently upped its game to help keep American firms safe from cyber-attack.
The agency said it informs U.S. firms about security vulnerabilities it discovers 91 percent of the time, an apparent bid to repair an image badly damaged in 2013 when a former contractor turned whistleblower revealed the scope of the NSA's surveillance programs.
The remaining nine percent, the NSA said, had either already been fixed by the vendors before they could be notified or were "not disclosed for national security reasons."
“The U.S. government takes seriously its commitment to an open and interoperable, secure, and reliable Internet,” the agency said in a post. “In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. We all rely on the Internet and connected systems for much of our daily lives. Plus, our economy would not function without them. For these reasons, disclosing vulnerabilities usually makes sense. But there are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks.”
However, current and former U.S. government officials who spoke to Reuters said the NSA's claim may be disingenuous, because the agency itself routinely exploits flaws in computer systems to gather intelligence. Only after it has used a flaw does the NSA disclose it to technology companies so the vulnerability can be fixed and updates shipped to customers, the officials said.
According to the Reuters report, the U.S. policy on "zero-days," software vulnerabilities prized by hackers and spies alike because the vendor has no patch and does not yet know the flaw exists, remains an ongoing problem.
The officials told Reuters there is a "natural tension" over whether zero-days should be exploited by the NSA or revealed to tech companies so they can be fixed.