To close out Cybersecurity Awareness Month a couple of weeks ago, the publicity arm of the NSA went on record to tout the agency's rate of vulnerability disclosure, stating that it had a record of disclosing 91% of vulnerabilities that it finds through its own internal research.
Though it was meant to be a feel-good number, the fact is that some in the security industry believe that even if the rate of disclosure were 100%, it wouldn't really reflect how good a job the agency is doing in working to help the public at large deal with zero-day threats in a timely fashion.
NSA acknowledges that in the other 9% of cases, it holds back either because the vulnerability has already been discovered by the vendor in question, or because the agency chooses to use it in intelligence operations. It makes the case that these vulnerabilities offer "an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
However, it says that its historical record shows that it works to call attention to the flaws it finds.
"The U.S. government takes seriously its commitment to an open and interoperable, secure, and reliable Internet," the NSA said in a statement about its disclosure policies. "In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest."
But the point that many security professionals make, including several in a Reuters report last week, is that the dimension of time is incredibly important in the world of zero-days. In other words, it doesn't matter if the NSA reports 91% of zero-days if they've had enough time to be discovered elsewhere, circulate elsewhere, and serve as the vector of numerous attacks.
"Telling us that you disclose 91% doesn't really tell us much because we don't know the timeframe between discovery and disclosure," says Tom Gorup, security operations lead at Rook Security. Gorup says that while he understands why the NSA would want to hang on to vulnerabilities for offensive tactics, it's in the country's best interest for the agency to disclose as soon as possible. "I think it's ignorant to think that you're the only one that has that zero day."
Gorup points to vulnerability peddlers like the Hacking Team as a good example of why hoarding zero-days is a bad idea. This summer's breach of the company showed just how pervasive sales of previously undisclosed vulnerabilities are to nation-states and other organizations seeking to make a buck off of them. Meanwhile, many software creators fly blind even when well-meaning security researchers want to inform them of potentially dangerous zero-day vulnerabilities. According to research out last week from HackerOne, 94% of the Fortune 2000 do not have a vulnerability disclosure program.
The point is that zero-days held by the NSA can just as easily be discovered by other actors, and every day the agency holds onto them is another day that some other parties are granted to discover and use these flaws.
For enterprises, Gorup says that the whole debate is a good lesson in vigilance.
"It's reaffirming that we always need to be vigilant. They clearly state that they're still withholding zero-day exploits for national security reasons," he says. "So that means there's a zero-day exploit that potentially resides within your network."