NSA discloses most zero-day flaws it finds, but won't say if it uses them first

The agency reportedly uses some of the bigger flaws to first develop cyber-weapons.
Written by Zack Whittaker, Contributor
Outside the NSA headquarters in Fort Meade
(Image: stock image)

Claims by the National Security Agency that it discloses the vast majority of previously unknown security vulnerabilities it discovers has been met with skepticism, because the agency won't say if it uses them first.

Last week, the spy agency under scrutiny in the wake of the disclosures leaked by Edward Snowden said it will tell tech companies about the most severe flaws it finds in about nine-out-of-ten cases. The agency said in the cases it doesn't disclose the flaws it can be because of "national security reasons," which includes whether the intelligence or military benefits outweigh the need to secure affected systems.

Simply put: if the NSA can use it to score intelligence it wouldn't get otherwise, it may use the flaw and not disclose it.

According to a former White House official speaking to the news agency, it was a "reasonable assumption" to believe that the flaws had been used to collect intelligence prior to alerting the companies.

But a big question remains: would the NSA delay notifying a company to allow the agency to exploit the flaw in the meanwhile?

That decision is set by a policy made by the White House's National Security Council, which has an "interagency process" to decide whether or not a flaw will be disclosed.

When asked if the NSA would use a flaw before it's disclosed, an NSC spokesperson referred comment to the NSA. But an NSA spokeswoman did not have any additional comment.

Documents leaked by whistleblower Edward Snowden revealed that the agency will exploit vulnerabilities it finds -- and in some cases purchases -- in order to gather intelligence. But the rules determining whether or not a flaw is severe enough to publicly disclose the flaw to those who can fix it remain mostly under wraps.

In the wake of the Heartbleed bug, which affected hundreds of millions of devices on the internet, the NSA said it would disclose a bug that it deems "clearly in the national interest" to prevent mass cyber-attacks or harm to the country's systems or economy.

"Building up a huge stockpile of undisclosed vulnerabilities while leaving the internet vulnerable and the American people unprotected would not be in our national security interest," said White House cybersecurity coordinator Michael Daniel at the time.

The NSA denied it knew of the flaw at the time. But, the White House said it would -- if there was a clear "need" -- exploit some flaws.

Security flaws vary widely in scope and capability. The 91 percent figure may well be made up of minor flaws and bugs, which have low-level use for intelligence agencies, whereas flaws found in universal platforms and protocols, such as Heartbleed, can give intelligence agencies almost unlimited access to affected machines.

Even then, the numbers may not fully represent the nature of the flaws discovered.

Mozilla security lead Daniel Veditz said on Twitter that the NSA "haven't reported any" flaws to the company.

The browser maker is known to have been targeted by the NSA. In a 2012 leaked slide, the NSA was trying to exploit a flaw in Firefox in an effort to unmask users of Tor, the anonymity network, a feat they had limited success in.

Questioning the figure, Veditz said it's rare if not unheard of to hear a company say the NSA reported a vulnerability.

"Maybe they use proxies, but it makes 91 percent sound like bulls**t," he said.

Editorial standards