The government has another public balancing act on its hands with the disclosure this week of exploits against commercial security products that were purportedly cooked up by the NSA.
These attack tools revealed by a group called Shadow Brokers date from sometime before June 2013 and some of them were still effective this week, which means the NSA never told the vendors about them.
That helps flesh out what the Obama administration meant two years ago when it said that under most circumstances the NSA would tell vendors if it exploits vulnerabilities in their security products. The exception: the disclosure policy wouldn’t apply if there were a clear national security or law enforcement need.
So if it was being true to its policy, the government had some legitimate need not to reveal these exploits to the makers of the affected gear.
The balancing act is assessing when it becomes more important to protect businesses and individuals from these exploits than it is to hold onto them to help law enforcement and protect national security.
One of the exploits was against Cisco firewalls. That means it’s been more important since at least 2013 to have a zero day for breaking into Cisco firewalls than it’s been to let Cisco know so it could tell customers to plug the vulnerability.
Exploitable vulnerabilities can exist unnoticed in products for years, but the longer they’re there, the better the chance that someone will discover them. So the longer the government held onto the Cisco exploit, the better the chance that someone with more malicious intent would discover it, too. That’s a danger to a broad range of enterprises and represents the potential for incalculable damage.
The NSA and other U.S. agencies can’t carry out their business without using this type of cyber weaponry. But neither can enterprises carry out their business without reliable security gear to protect them.
The government, businesses and makers of security gear need to devise rules that spell out how and when zero days discovered by official agencies will be disclosed to affected vendors.
It won’t be easy. This is the same group of parties interested in either requiring or rejecting the creation of encryption backdoors in the interest of law enforcement and national security. That discussion has taken place mainly in courtrooms and Congress, but there’s still no concerted effort to come to grips with the issue, and there needs to be one.