The National Security Agency (NSA) might soon face some legal oversight over how and when it discloses previously unknown flaws, but for now it can do as it pleases — even if that raises the threat level for organisations in the US and its allies.
At least until former NSA contractor Edward Snowden began leaking documents, the agency had a big appetite for getting hold of previously unknown or 'zero day' flaws in software, systems and devices. Besides the ones its own bug hunters found, Snowden's leaks showed the spy agency spent $25m on acquiring these prized exploits from third-party contractors last year.
One of the companies it bought them from was French security outfit Vupen, a regular bounty winner at competitions such as HP's CanSecWest Pwn2Own contest, where it just landed around $400,000 for four exploits.
While the NSA is known to build and use exploits for zero day flaws in its foreign intelligence missions, little is known about what rules, if any, it follows for disclosing flaws to vendors so that organisations in the US and allied countries can mitigate the risk of attacks that are being used in the wild.
NSA chief nominee US Navy vice admiral Michael S Rogers on Tuesday gave a vague outline of rules the spy agency has for handling such flaws, which includes an internal "adjudication process" for determining whether to let the vendor of an affected product know about it; or just keep it under wraps for spying.
"Within NSA, there is a mature and efficient equities resolution process for handling '0-day' vulnerabilities discovered in any commercial product or system (not just software) utilized by the US and its allies," Rogers said in a written response to Senate questions on Tuesday.
"The policy and process ensure that all vulnerabilities discovered by NSA in the conduct of its lawful missions are documented, subject to full analysis, and acted upon promptly."
That's probably little comfort to those responsible for defending computer systems at critical infrastructure organisations. No one outside the agency knows how often the NSA actually discloses flaws to vendors; according to Rogers, however, the NSA's default position is to disclose vulnerabilities in products and systems used by the US and its allies.
Disclosing a flaw is a double-edged sword, Rogers noted. Disclosure can temporarily raise the threat to US organisations, but he also admitted that withholding a flaw makes it harder for those organisations to mitigate the risk it poses.
"Since adversaries frequently study industry patches to learn about underlying vulnerabilities that will remain in unpatched systems, NSA disclosure of a vulnerability may temporarily increase the risk to US systems, until the appropriate patches are installed," Rogers wrote.
"When NSA decides to withhold a vulnerability for purposes of foreign intelligence, then the process of mitigating risks to US and allied systems is more complex."
Late last year, a panel appointed by President Barack Obama recommended winding back the NSA's use of zero day exploits, limiting it to rare instances of high-priority intelligence collection approved after a senior, interagency review involving all appropriate departments. Rogers said he would support that recommendation if confirmed.
Hat tip to Christopher Soghoian.