Responding to accusations that it hoards knowledge of software security vulnerabilities, the U.S. National Security Agency (NSA) released a statement saying that it discloses information about vulnerabilities more than 91 percent of the time.
However, that statement doesn’t seem to be appeasing critics. Reuters writes, “The re-assurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former U.S. government officials. Only then does NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.”
President Barack Obama’s cybersecurity coordinator, Michael Daniel, has said that he recently revamped the process for determining whether to disclose security vulnerabilities and that the Department of Homeland Security is now part of the process. The NSA website says that most of the time it is in the country’s best interest to disclose vulnerabilities, but adds, “The trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks.”