The U.S. National Security Agency (NSA) released some statistics and guidelines behind how its vulnerability disclosure policy works, but experts said that important details have been left out.
The website detailing the NSA policy on vulnerability disclosure poses a binary question: Will the NSA disclose the vulnerabilities it finds? According to the NSA, the answer is "yes" most of the time, because responsible disclosure is "clearly in the national interest." But the NSA also says the decision to disclose can be difficult and complex.
"There are legitimate pros and cons to the decision to disclose vulnerabilities, and the tradeoffs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences," the NSA wrote. "Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
David Goldschlag, current senior vice president of strategy at Pulse Secure LLC in San Jose, Calif., who previously held positions within the U.S. Department of Defense and NSA, said he was sympathetic to the NSA in this matter.
"Although I am an advocate of disclosing vulnerabilities so vendors can fix them, one needs to remember that the NSA has dual missions: information collection and information protection," Goldschlag said. "Sometimes, to this end, these responsibilities conflict, and the NSA has to establish policies that enable it to do its job."
The NSA said that, historically, 91% of the vulnerabilities it discovers go through the agency's internal review process and are disclosed to the vendor. In the remaining 9% of cases, the vulnerability was either fixed by the vendor before the NSA could disclose it, or it was withheld for national security reasons.
Experts noted that this explanation offers no concrete numbers on how many vulnerabilities the NSA has disclosed, the timeframe for disclosure or even the severity of vulnerabilities disclosed, so there was no way to know if zero-day vulnerabilities were disclosed or not.
Tom Gorup, security operations leader for Rook Security Inc., based in Indianapolis, said that giving the data only in percentages raised more questions than it answered.
"We don't know the number of vulnerabilities that the NSA is working with or the time period this covers. Is that a five-, 10- or 20-year number? Are we talking about 1,000, 10,000 [or] 100,000 vulnerabilities?" Gorup asked. "Without the raw numbers, it's impossible to ascertain the time to disclose (TTD), and that, ultimately, dilutes the metric. I would like to see a TTD metric, a raw count of total disclosed and over what period of time this metric covers."
Gorup said that leaving undisclosed vulnerabilities sitting around for months or years adds tremendous risk to private industry, and that the public should demand more transparency from the NSA.
"I completely understand the need for intelligence gathering as it applies to national security," Gorup said. "We need to trust our government to make the right decisions, but we also must have some sort of verification and understanding of the underlying process. It's foolhardy to believe others have not, or will not, discover the undisclosed vulnerabilities."