Should the NSA Reveal Leaked Exploits?
The leak changes the equation for what constitutes an equitable arrangement between the NSA's desire to have exploitation capabilities and its mission to protect U.S. computer systems and communications, stated Nicholas Weaver, senior staff researcher at the International Computer Science Institute in Berkeley, Calif. "Previously, equities calculations generally relied on the probability that someone else might independently discover and exploit a vulnerability," he said in a post to the Lawfare blog. "How does this calculation change when the NSA's own tools might be stolen, without detection? Is there a policy on what to do when the NSA knows that their tools are compromised?"

If the NSA knew that the information had been lost, it should have notified the vendors, he said. "If the NSA knew of the breach of their tools and failed to notify Cisco and Fortinet, this would represent a serious dereliction of the NSA's Information Assurance mission because both of those products are used by the government and on DOD systems which IAD is charged with protecting," Weaver said.

Yet Michael Daniel, special assistant to the president and cyber-security coordinator, who penned the statement, argued that the decision is not always easy. "[T]here are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences," he said. "Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks."

For the most part, companies have remained mum on the issue.
Cisco, Juniper and Fortinet declined to comment for this article, and their spokespeople pointed to already published statements on their patches for the vulnerabilities. The NSA also did not return requests for comment. However, Exodus Intelligence's Brown said that, ultimately, the choice to disclose the issues may not lie with the spy agency. If the Equation Group is a private firm, which counts the NSA as a client, then the intellectual property—and decisions about that IP—belong to the private firm, Brown said. In that case, "it's not the government's IP, it is the Equation Group's IP," Brown said.
In the past, the U.S. government has stated that it would disclose vulnerabilities when there is a clear need to protect the Internet and the nation's computer systems. Following the disclosure of a widespread flaw in OpenSSL known as Heartbleed, the White House stressed that it did not know about the issue, and if it had, it would have notified the public.