By Joseph Menn
SAN FRANCISCO (Reuters) -- The U.S. National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.
The re-assurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former U.S. government officials. Only then does NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.
At issue is the U.S. policy on so-called "zero-days," the serious software flaws that are of great value to both hackers and spies because no one knows about them. The term zero-day comes from the amount of warning users get to patch their machines protectively; a two-day flaw is less dangerous because it emerges two days after a patch is available.
The best-known use of zero-days was in Stuxnet, the attack virus developed by the NSA and its Israeli counterpart to infiltrate the Iranian nuclear program and sabotage centrifuges that were enriching uranium.
Before its discovery in 2010, Stuxnet took advantage of previously unknown flaws in software from Microsoft Corp and Siemens AG to penetrate the facilities without triggering security programs.
A shadowy but robust market has developed for the buying and selling of zero-days, and as Reuters reported in May 2013, the NSA is the world's top buyer of the flaws. The NSA also discovers flaws through its own cyber programs, using some to break into computer and telecommunications systems overseas as part of its primary spying mission.
Some zero-days are worth more than others, depending on such factors as the difficulty in finding them and how widespread the targeted software is. While some can be bought for as little as $50,000, a prominent zero-day broker said this week that he had agreed to pay $1 million to a team that devised a way to break into a fully updated Apple iPhone. Chaouki Bekrar, of the firm Zerodium, told Reuters the iPhone technique would "likely be sold to U.S. customers only," including government agencies and "very big corporations."
Government officials say there is a natural tension as to whether zero-days should be used for offensive operations or disclosed to tech companies and their customers for defensive purposes.
In the wake of revelations by former NSA contractor Edward Snowden and a Reuters report that detailed how the government paid security firm RSA to include NSA-tainted encryption in its software, a White House review panel recommended tilting government policy more towards defense.
President Barack Obama's cybersecurity coordinator, Michael Daniel, then said he had "reinvigorated" the review process that decides what to do about each flaw that comes to government attention. The details of that process remain classified, but interviews show that the changes sharply elevated the role of the Department of Homeland Security, which is responsible for defense and had not previously been at the center of inter-governmental debates on the issue.
After Daniel described the revamped process broadly, the activist Electronic Frontier Foundation sued for documents about it under the Freedom of Information Act.
The most significant release in that case came in September, with an undated and partly redacted 13-page memo outlining how agencies should handle knowledge about software vulnerabilities. The memo states that the NSA's defensive arm, the Information Assurance Directorate, served as the executive secretariat for the process.
A redacted portion of the memo lists the agencies that participated in the process as a matter of course. An unredacted part refers to other agencies that can ask to participate on a case-by-case basis, and the Department of Homeland Security appears in that section, along with the departments of State, Justice, Treasury and Commerce.
Two former White House officials said that the memo referred to the old system, before Daniel reorganized it about a year and a half ago.
In an interview, Daniel told Reuters that DHS was a key part of the new system, which is run by the White House's National Security Council.
"DHS is at the table in the process I'm running," Daniel said.
An NSA spokeswoman referred questions about its policy to the NSC, where a spokesman referred Reuters back to the NSA.
The NSA says on its website that it understands the need to use most flaws for defense.
"In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest," according to the website.
"But there are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences.
"Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
The agency said: “Historically, NSA has released more than 91 percent of vulnerabilities discovered in products that have gone through our internal review process and that are made or used in the U.S."
It said the rest included some that had already been fixed as well as those held back "for national security reasons."
One former White House official noted that the NSA did not say when the disclosures were made, adding that it would be “a reasonable assumption” to conclude that much of that 91% covers flaws the NSA had already used to gather intelligence before alerting the companies. He also said the figure includes those bought from outside entities. NSA and NSC officials declined to address those assertions.
It is anyone's guess how long the average gap is between offensive use and defensive disclosure, said Denelle Dixon-Thayer, chief legal and business officer of Firefox browser maker the Mozilla Foundation.
The bigger that gap is, the greater the likelihood that other countries or hackers using similar hunting techniques have also discovered it. Even if they haven't, the target of a U.S. cyber attack can detect what technique was used and repurpose it against the U.S. and others.
"If it's disclosed after it's already been executed against, that's a really important question," Dixon-Thayer said.
In the revamped U.S. evaluation process, another former official said that the Department of Homeland Security is often the most vigorous “dove” in the discussions, arguing for disclosures before others find the same flaw and exploit it.
A current official administration official said that the proportion of serious flaws disclosed to vendors did not jump after the NSC took control of the process. "It's still early, but the trend has not significantly changed," the official said.
The growing discussion about U.S. policy on vulnerability disclosure comes as House and Senate leaders prepare to fine-tune three related bills on cybersecurity information-sharing, which are designed to give companies legal protection for reporting attacks to the government.
Mozilla and many other technology companies oppose those bills because they will give the government more information about customers and attacks without requiring the government to give more information to the companies.
Dixon-Thayer said officials could even take what they learn about new techniques from the industry to launch their own attacks instead of helping defenders.
(Reporting by Joseph Menn in Washington; Editing by Jonathan Weber and John Pickering)