Oct. 30, 2015 —
Q: When the U.S. government learns of vulnerabilities in information-technology products, will it disclose information about those vulnerabilities?
A: The U.S. government takes seriously its commitment to an open and interoperable, secure, and reliable Internet. In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. We all rely on the Internet and connected systems for much of our daily lives. Plus, our economy would not function without them. For these reasons, disclosing vulnerabilities usually makes sense. But there are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks.
The National Security Council has an interagency process to consider when to disclose vulnerabilities. The process requires the government to weigh many factors, including the importance of the information to the nation's security. While these decisions can be complex, the government's bias is to responsibly and discreetly disclose vulnerabilities.
For many years prior to the establishment of the interagency process, NSA had an internal review process in this area. NSA's review continues and now informs the interagency process. Historically, NSA has released more than 91 percent of vulnerabilities discovered in products that have gone through our internal review process and that are made or used in the United States. The remaining 9 percent were either fixed by vendors before we notified them or not disclosed for national security reasons.
The men and women of NSA make a difference.
For more than 60 years, the National Security Agency has worked to ensure that appropriate security solutions are in place to protect our critical infrastructure, national security systems, and the information on those systems. NSA's Information Assurance Directorate pioneered what is now called cybersecurity. We make information and information technology an asset for the United States — and a liability for its adversaries.