Vice Admiral Mike Rogers, here speaking to students at the Navy’s Center for Information Dominance, told a Senate committee that the NSA keeps some zero day vulnerabilities—but reveals most of them to vendors to boost security.

In response to a series of questions posed before his confirmation hearing in front of the Senate Armed Services Committee, National Security Agency director nominee Vice Admiral Michael Rogers said that the NSA is working with the White House to create a process to determine what to do with zero-day vulnerabilities that the agency uncovers.

In his response to the questions, posted on the Armed Services Committee’s website, Rogers acknowledged that some of those bugs are kept secret by the NSA for “purposes of foreign intelligence.” But he added that the NSA has always had a process for handling information on flaws it discovers in commercial software and hardware, and more often than not, the agency discloses the vulnerabilities discovered in products to their developers or manufacturers.

The NSA has the dual role of directing cybersecurity (“information assurance”) policies for the US military and defeating the cybersecurity of other countries’ networks for intelligence collection. So the agency has a built-in conflict of interest when it comes to dealing with zero-day security vulnerabilities discovered in commercial products.

An August 2013 report by The Washington Post revealed that the agency spent $25 million in 2013 alone on “software vulnerabilities from private malware vendors.”