The NSA, Microsoft, and Cybersecurity Collaboration
This week in cybersecurity news, something uplifting happened between the NSA and Microsoft. The NSA discovered CVE-2020-0601, a critical vulnerability in Windows 10, and informed Microsoft so that the company could immediately provide a patch. To those unfamiliar with cybersecurity and the intelligence world, this may seem like expected behavior. However, based on the NSA’s past, this behavior is actually quite unexpected.
In 2015, Joseph Menn of Reuters reported about the NSA’s response to accusations of “hoarding” vulnerability information known as “zero-day” vulnerabilities. Vulnerabilities are weaknesses in a system that could be exploited by attackers; zero-day vulnerabilities are unknown to the public and to victims until it is too late. Menn mentioned that the NSA would keep vulnerabilities a secret in order to use them in attacks before eventually disclosing them to vendors, with the most noteworthy example of such an attack being the sabotage of the Iranian nuclear program in 2010. Furthermore, in 2015, the NSA stated that it informed firms about vulnerabilities “more than 90 percent of the time.” That year, Chris Perkins of Mashable reported that this estimate was actually 91 percent, and that the remaining 9 percent was either fixed by developers or remained a secret. Additionally, he mentioned that the NSA, and by extension the U.S. government, would sometimes purchase zero-day vulnerabilities from malware vendors—those who sell tools that could harm your business.
Hoarding zero-day vulnerabilities is somewhat of a double-edged sword. Zero-day vulnerabilities give entities like the NSA the opportunity to fight for the interests of the U.S. and its allies. However, one cannot guarantee that government entities are the only parties aware of a zero-day vulnerability. Imagine the following scenario: a cybersecurity government entity discovers a vulnerability that, if exploited, could cripple the operations of some bad actors . . . in addition to your business. The government entity then enters the weaponization phase so that they could attack an enemy, but in the meantime, another bad actor discovers the same vulnerability by chance. This other bad actor uses the vulnerability to cripple your business before the government entity disclosed it, but if the vulnerability was disclosed earlier, your assets could’ve been protected. Your IT department, however small, could’ve installed a patch that morning that would’ve protected your systems. Weaponizing zero-day vulnerabilities poses risks that only affect the vulnerable, who would have to hope that the benefits of weaponizing the vulnerability would be greater than potential damage.
Thus, the recent news of the NSA cooperating with the private sector should be pleasant indeed. One can hope that it will be a continuing trend moving forward, so that both businesses and individuals alike will be protected in the long run.