US spying agency reveals bug disclosure program’s stats
An NSA spokesperson said the agency discloses zero-day bugs to manufacturers and affected companies in 91% of the cases it discovers, as per a Reuters report.
This small morsel of information slipped out after the agency was trying to defend its bug disclosure policies.
Due to public criticism in recent years and after the Edward Snowden revelations, Americans have been questioning the government’s aggressive offensive hacking capabilities.
The White House responded by saying it has shifted the focus towards defensive capabilities and increased the role of the Department of Homeland Security (DHS).
Michael Daniel, President Barack Obama’s cybersecurity coordinator, said that the NSA also changed its security bugs disclosure program. Following this statement and the lack of other details, the Electronic Frontier Foundation sued the US government and managed to obtain a document that describes this new procedure, albeit heavily redacted.
91% may be a lower number
This is where the NSA spokesperson, trying to ensure the agency is still the “good guy,” said that the NSA had always engaged in the proper disclosure of security bugs, and that in previous cases, the agency informed manufacturers and affected companies of around 91% of the security bugs it discovered.
Explaining the 9% of the zero-day bugs it discovers but does not tell anyone about, the NSA spokesperson told Reuters the agency keeps those vulnerabilities for offensive purposes.
But there’s a problem with the numbers. The NSA spokesperson declined to comment on how many of the 91% disclosed bugs were at the time of their discovery, kept back for offensive purposes, before releasing them to manufacturers (for defensive purposes).
This means that the agency could have exploited more bugs for offensive purposes, and after it was done with them, it told manufacturers and added them to the 91%-side of the pile.
“The National Security Council has an interagency process to consider when to disclose vulnerabilities,” said the NSA in a public statement. “The process requires the government to weigh many factors, including the importance of the information to the nation’s security. While these decisions can be complex, the government’s bias is to responsibly and discreetly disclose vulnerabilities.”