NSA: Our zero days put you at risk, but we do what we like with them

Summary: NSA chief nominee US Navy Vice Admiral Michael S Rogers details some of the procedures the agency follows for disclosing or withholding its trove of zero day flaws.

The National Security Agency (NSA) might soon face some legal oversight over how and when it discloses previously unknown flaws, but for now it can do as it pleases, even if that raises the threat level for organisations in the US and allied countries.

At least until former NSA contractor Edward Snowden began leaking documents, the agency had a big appetite for getting hold of previously unknown or 'zero day' flaws in software, systems and devices. Besides the ones its own bug hunters found, Snowden's leaks showed the spy agency spent $25m on acquiring these prized exploits from third-party contractors last year.

One of the companies it bought them from was French security outfit Vupen, a regular bounty winner at competitions such as HP's Pwn2Own contest at CanSecWest, where it just landed around $400,000 for four exploits.

While the NSA is known to build and use exploits for zero day flaws in its foreign intelligence missions, little is known about what rules, if any, it follows for disclosing flaws to vendors so that organisations in the US and allied countries can mitigate the risk of attacks that are being used in the wild.

NSA chief nominee US Navy Vice Admiral Michael S Rogers on Tuesday gave a vague outline of the rules the spy agency has for handling such flaws, which include an internal "adjudication process" for determining whether to let the vendor of an affected product know about a flaw, or to keep it under wraps for spying.

"Within NSA, there is a mature and efficient equities resolution process for handling '0-day' vulnerabilities discovered in any commercial product or system (not just software) utilized by the US and its allies," Rogers said in a written response to Senate questions on Tuesday.

"The policy and process ensure that all vulnerabilities discovered by NSA in the conduct of its lawful missions are documented, subject to full analysis, and acted upon promptly."

That's probably little comfort to those responsible for defending computer systems at critical infrastructure organisations. While no one outside the agency knows how often the NSA actually discloses flaws to vendors, Rogers said its default position is to disclose vulnerabilities in products and systems used by the US and its allies.

However, disclosing a flaw is a double-edged sword, Rogers noted. Disclosure can temporarily raise the threat to US organisations, because the resulting patch points attackers at the flaw in systems that have not yet applied it, but he also admitted that withholding a flaw makes it more complex for those organisations to mitigate the risk.

"Since adversaries frequently study industry patches to learn about underlying vulnerabilities that will remain in unpatched systems, NSA disclosure of a vulnerability may temporarily increase the risk to US systems, until the appropriate patches are installed," Rogers wrote.

"When NSA decides to withhold a vulnerability for purposes of foreign intelligence, then the process of mitigating risks to US and allied systems is more complex."

Late last year, a panel appointed by President Barack Obama recommended winding back the NSA's use of zero day exploits to rare instances of high priority intelligence collection, following senior, interagency review involving all appropriate departments, a move that Rogers said he will support if appointed.

Hat tip to Christopher Soghoian

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • The security of the vast majority should always outweigh getting criminals

    In the real world. That is a 'period and done with'. If the NSA cannot understand that, then it's about time that they were reined in.

    I am less concerned about a random terrorist (who by and large are NOT using electronic means of communication today but sneakernets according to the NSA themselves) blowing something up somewhere than I am about cyber-criminals hacking my browser and stealing all my password data.
    • Your title can be used by both sides.

      Interesting, isn't it? Playing the devil's advocate, do you think those that lose loved ones in mass random acts are concerned with your credit card?
  • NSA = National Stupidity Association

    Zero day exploits are not generally used by terrorist groups but by criminals who want to steal victims' financial information for profit. Terrorists, if they have any brains, know their communication systems are a weak link and that the most secure system minimizes reliance on all forms of electronic communication and uses a sneakernet, as Lerianis10 noted. The criminals want financial gain, and any weaknesses, human or technical, they can exploit will be used.

    The NSA trying to "manage" zero-day exploits is being foolish because, by definition, no one knows if they are not already being used in the wild. So, someone could already be exploiting a zero-day the NSA wants to use against the US.
  • The NSA is just another buyer for these exploits

    And they are hardly the only government agency, here or abroad, that does it. The real issue is having commonly used, poorly coded software that can be counted on to be so buggy and exploitable as to create an apparently lucrative marketplace for these exploits.
  • The NSA doesn't use these flaws against the US.

    Just against the US citizenry.
  • It is sad that we no longer consider the national security

    and the security of its citizens to be synonymous. If a major door lock manufacturer (such as Schlage or Yale, just as examples) found that one of its most popular locks could be opened by a paperclip inserted in a hidden hole, or a magnet held in a certain position, and the NSA found out, they are saying that they would not tell the manufacturer about it so that it could recall its locks; they would keep quiet knowing that many more home burglaries would be enabled (and made harder to detect until long after the crime), JUST IN CASE someday they may need to break into a "bad guy's" home and do their own snooping. This is exactly what would happen if a regular BURGLAR (such as the guy who just resigned from the manufacturer) knew about a weakness in the lock! In other words, they are not only anticipating BREAKING THE LAW, they are THINKING LIKE A CRIMINAL!