NSA chief says agency discloses '91 percent' of zero day bugs
- By Sean Lyngaas
- Nov 09, 2015
Admiral Michael Rogers, shown here at a May 2015 event, said on Nov. 7 that the National Security Agency discloses 91 percent of the "zero-day" vulnerabilities that it discovers.
The National Security Agency last year disclosed to the private sector about 91 percent of previously unknown software vulnerabilities the agency discovered, according to NSA Director Adm. Michael Rogers.
"There shouldn’t be any doubt in anyone's mind that the direction clearly to us within the U.S. government structure is a preference to disclose vulnerabilities because a secure Internet is in the best interests of our nation and the broader world around us," said Rogers, who also heads U.S. Cyber Command. He spoke Nov. 7 at the Reagan National Defense Forum in Simi Valley, Calif.
The topic of "zero-day" vulnerabilities, flaws unknown to the software's vendor and to the broader IT security community and therefore unpatched, has been a hot one, with evidence suggesting the NSA has hoarded such software flaws to exploit them in covert activities.
When asked what makes some zero-days worth keeping, Rogers said the decision to withhold a vulnerability is based on the intelligence insight it generates. Among the other considerations in an inter-agency process for disclosing the vulnerabilities, he said, are: "What’s the price of not sharing this vulnerability? How broadly is it deployed? What’s the economic impact?" The zero-day disclosure process was once internal to the NSA but is now overseen by the National Security Council, according to an NSA statement.
The statement said that "historically," the NSA has released more than 91 percent of the vulnerabilities it has discovered. The other 9 percent were either already fixed by vendors or kept "for national security reasons," the statement added.
"Disclosing a vulnerability can mean that we forego an opportunity to: collect crucial foreign intelligence that could thwart a terrorist attack; stop the theft of our nation’s intellectual property; [or] discover even more dangerous vulnerabilities that are being used to exploit our networks," the NSA statement said.
Chaouki Bekrar, founder of Zerodium, a startup that rewards researchers for discovering zero-days, noted that some vulnerabilities are more critical than others. "The NSA didn’t say the criticality of [zero days] reported vs unreported," he tweeted. "Reporting non-exploitable [zero days] is a cheap way to improve your reports stats."
Rogers was joined at the Reagan National Defense Forum by, among others, Rep. Adam Schiff (D-Calif.), the House Permanent Select Committee on Intelligence's ranking minority member.
Schiff used the aftermath of the hack of Sony Pictures Entertainment, which U.S. officials attributed to North Korea, to explain why he thought the United States lacked a credible deterrent in cyberspace. In the wake of the hack, North Korea’s frail Internet infrastructure experienced an outage, leading some to speculate that the United States had retaliated in kind. The lack of clarity on whether Washington was responsible for the outage was problematic for the congressman.
"If it was a response, it wouldn't be a very effective one," he said, "because part of having a deterrent capability is they got to know when they’re suffering the repercussions."
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.