NSA HQ

The NSA, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.

The reassurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber attacks first, according to current and former U.S. government officials. Only then does the NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.

At issue is the U.S. policy on so-called “zero-days,” the serious software flaws that are of great value to both hackers and spies because no one knows about them.

The best-known use of zero-days was in Stuxnet, the attack virus developed by the NSA and its Israeli counterpart to infiltrate the Iranian nuclear program and sabotage centrifuges that were enriching uranium.

Before its discovery in 2010, Stuxnet took advantage of previously unknown flaws in software from Microsoft Corp and Siemens AG to penetrate the facilities without triggering security programs.

The agency’s website says: “Historically, NSA has released more than 91 percent of vulnerabilities discovered in products that have gone through our internal review process and that are made or used in the U.S.”

It said the rest included some that had already been fixed as well as those held back “for national security reasons.”

One former White House official noted that the NSA did not say when the disclosures were made, adding that it would be “a reasonable assumption” to conclude that much of that 91% covers flaws the NSA had already used to gather intelligence before alerting the companies.
