We all know that the National Security Agency has access to most or all of the data we send and receive. They also know a lot about the cyber threats that are targeting us on a daily basis. Recently the NSA was accused of retaining information regarding security flaws in the computer world. Now they decided to respond to the accusations. Their answer is quite surprising, to be honest. The US National Security Agency actually admitted to retaining a part of the information they gather about security flaws. To be more precise, they stated that they disclose this kind of information about 90 percent of the time. But what about the remaining 10 percent?
At the same time, the NSA didn’t say just how quickly they warn the targeted US technology firms about the security flaws the NSA comes to know about. It is possible that they only tell these firms about their security flaws after the NSA exploits them in their own favor. We wouldn’t like to think that they also use this kind of information as a currency, but on a hypothetical basis this isn’t excluded either. According to current and former US government officials telling tech companies about their security flaws is not necessarily an urgent matter for the NSA. They take their time to exploit the vulnerabilities and only after benefiting as much as they can from the security flaws found, they announce the tech companies to take measures. This is also in the interest of the NSA. They get into a favorable light, as the protectors of the nation and they also make sure that no one else will be using the security flaws to gather information about companies or individuals located on the territory of the USA.
As Reuters reported back in 2013, the NSA is the world’s top buyer of zero- days. These are software security flaws that are of great value to both hackers and spies because no one knows about them. Since no one knows about them, the few people who do can take their time to exploit the security flaws as they wish. Beside being a zero- days buyer, the NSA also has its own group of hackers that detect all kinds of security flaws in different software. And we are pretty confident that they don’t announce the targeted companies about their security flaws before they get all the information they could use.
Although we understand that information is power and the NSA needs all the power they can get in order to protect the citizens of the US, we think that their behavior is sometimes a little shady. They should tell technology companies 100 percent of the time about the software security flaws they discover. And they should do it immediately, not after exploiting them. This would be the right thing to do and we are sure that the governmental agencies that exploit security flaws in different companies’ software know this.