The NSA keeps 9 percent of the vulnerabilities it discovers to itself
Openness and the NSA are not happy bedfellows; by its very nature, the agency is highly secretive. But in recent years, post-Edward Snowden, the organization has embarked on something of a PR campaign in an attempt to win back public trust.
The latest manoeuvre sees the NSA promoting the fact that when it discovers security vulnerabilities and zero-days in software, it goes public with them in 91 percent of cases... but not before it has exploited them. No information about the timescale for disclosures is given, but what most people will be interested in is the remaining 9 percent which the agency keeps to itself.
The NSA has long been accused of sitting on the software vulnerabilities it discovers, and now it is seeking to reassure people by pointing to the number of flaws it does disclose. Many people will be disappointed to learn that before the affected software vendors are told about the vulnerabilities, the NSA first uses the exploits for its own advantage. The agency has even gone as far as developing viruses like Stuxnet to attack foreign nations.
Government officials have revealed that the NSA comes clean about vulnerabilities in more than 90 percent of cases. This enables software developers to produce patches that can be pushed to users, but the admission that a percentage of security flaws is withheld means that a large number of known vulnerabilities go unpatched and remain exploitable by the NSA or by hackers.
On its website, the NSA cites 'national security reasons' for holding back information about some vulnerabilities:
In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. But there are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences.
Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks. Historically, NSA has released more than 91 percent of vulnerabilities discovered in products that have gone through our internal review process and that are made or used in the US.