When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it’s typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs it finds, NSA Director Mike Rogers said, but not all of them.
Speaking at an event at Stanford University, Rogers said that the NSA has been told by President Barack Obama that the default decision should be to share information on new vulnerabilities.
“The president has been very specific to us in saying, look, the balance I want you to strike will be largely focused on when you find vulnerabilities, we’re going to share them. By orders of magnitude, when we find new vulnerabilities, we share them,” Rogers said.
However, that’s not always going to be the case. The NSA has a dual mission: information assurance (protecting American networks) and signals intelligence (gathering electronic data on foreign networks). The latter mission also involves penetrating those foreign networks, sometimes by exploiting vulnerabilities the agency has discovered and not disclosed. Such vulnerabilities have value to the NSA only for as long as they remain undisclosed, and Rogers said that the president acknowledged that tension in his discussions with the director.
“He also said, look, there are some instances when we’re not going to [share vulnerability information]. The thought process as we go through this policy decision, the things we tend to look at are, how foundational and widespread is this potential vulnerability? Who tends to use it? Is it something you tend to find in one nation state? How likely are others to find it? Is this the only way for us to generate those insights we need or is there another alternative we could use?” Rogers said. “Those answers shape the decision.”
Rogers took over as NSA director in April 2014, inheriting an agency that had spent much of the previous year defending itself against allegations arising from the Edward Snowden revelations. He has been speaking publicly fairly regularly in the last few months, addressing some of those allegations. One issue that outside critics have raised repeatedly is that the NSA’s dual mission creates an inherent conflict of interest. Rogers said he has no intention of splitting the agency in two.
“I strongly disagree with separating them, because I made the following arguments. When you’re trying to work penetration of networks and defend networks, the techniques and insights that you gain help reinforce each other and you want them aligned,” he said. “If you split these two, you’ll hurt the information assurance mission.”
Rogers said that vulnerability information isn’t the only thing that NSA shares with private industry.
“By orders of magnitude, the default mechanism is to share them, and most of them you will never hear about. In the immediate aftermath of Heartbleed, the first media reporting I saw said that the NSA knew about this and had been exploiting it for an extended period of time. Wrong. The seventh of April was the first we were aware of it and on the eighth of April we developed a patch and shared it with the private sector,” Rogers said.