NSA says how often, not when, it discloses software flaws
SAN FRANCISCO: The US National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving US companies open to cyber attacks, said last week that it tells US technology firms about the most serious flaws it finds more than 90 percent of the time.
The reassurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former US government officials. Only then does the NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.
At issue is the US policy on so-called “zero-days,” the serious software flaws that are of great value to both hackers and spies because no one knows about them. The term zero-day comes from the amount of warning users get to patch their machines protectively; a two-day flaw is less dangerous because it emerges two days after a patch is available.
The best-known use of zero-days was in Stuxnet, the attack virus developed by the NSA and its Israeli counterpart to infiltrate the Iranian nuclear program and sabotage centrifuges that were enriching uranium.
Before its discovery in 2010, Stuxnet took advantage of previously unknown flaws in software from Microsoft Corp and Siemens AG to penetrate the facilities without triggering security programs.
A shadowy but robust market has developed for the buying and selling of zero-days, and as Reuters reported in May 2013, the NSA is the world’s top buyer of the flaws. [http://www.reuters.com/article/2013/05/10/us-usa-cyberweaponsspecialreport-idUSBRE9490EL20130510] The NSA also discovers flaws through its own cyber programs, using some to break into computer and telecommunications systems overseas as part of its primary spying mission.
Some zero-days are worth more than others, depending on such factors as the difficulty in finding them and how widespread the targeted software is. While some can be bought for as little as $50,000, a prominent zero-day broker said this week that he had agreed to pay $1 million to a team that devised a way to break into a fully updated Apple iPhone. Chaouki Bekrar, of the firm Zerodium, told Reuters the iPhone technique would “likely be sold to U.S. customers only,” including government agencies and “very big corporations.”
Government officials say there is a natural tension as to whether zero-days should be used for offensive operations or disclosed to tech companies and their customers for defensive purposes.
In the wake of revelations by former NSA contractor Edward Snowden and a Reuters report that detailed how the government paid security firm RSA to include NSA-tainted encryption in its software, [http://www.reuters.com/article/2013/12/21/us-usa-security-rsaidUSBRE9BJ1C220131221] a White House review panel recommended tilting government policy more towards defense. [http://www.reuters.com/article/2014/05/16/us-cyber-summit-reformsidUSBREA4F0MX20140516]
President Barack Obama’s cybersecurity coordinator, Michael Daniel, then said he had “reinvigorated” the review process that decides what to do about each flaw that comes to government attention. The details of that process remain classified, but interviews show that the changes sharply elevated the role of the Department of Homeland Security, which is responsible for defense and had not previously been at the center of intergovernmental debates on the issue.
After Daniel described the revamped process broadly, the activist Electronic Frontier Foundation sued for documents about it under the Freedom of Information Act.
The most significant release in that case came in September, with an undated and partly redacted 13-page memo outlining how agencies should handle knowledge about software vulnerabilities. The memo [https://www.eff.org/document/vulnerabilities-equities-process-redactions] states that the NSA’s defensive arm, the Information Assurance Directorate, served as the executive secretariat for the process.
A redacted portion of the memo lists the agencies that participated in the process as a matter of course. An unredacted part refers to other agencies that can ask to participate on a case-by-case basis, and the Department of Homeland Security appears in that section, along with the departments of State, Justice, Treasury and Commerce.
Two former White House officials said that the memo referred to the old system, before Daniel reorganized it about a year and a half ago. In an interview, Daniel told Reuters that DHS was a key part of the new system, which is run by the White House’s National Security Council. “DHS is at the table in the process I’m running,” Daniel said. An NSA spokeswoman referred questions about its policy to the NSC, where a spokesman referred Reuters back to the NSA. The NSA says on its website that it understands the need to use most flaws for defense.
“In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” according to the website. [https://www.nsa.gov/public_info/news_information/2015/ncsam/discovering_solving_sharing_it_solutions.shtml]
“But there are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences.” — Reuters