BREAKING NEWS
This content is not available in your region

From offense to defense: NSA's Microsoft flaw alert shows shift in public strategy

Image: The National Security Agency campus
The National Security Agency campus on March 13, 2015 in Fort Meade, Md.   -   Copyright  Chip Somodevilla Getty Images file
Text size Aa Aa

The National Security Agency is publicly taking credit for discovering a critical new vulnerability in Windows operating systems, a first such open acknowledgment for the normally secretive spy agency.

The NSA announced Tuesday that it had found a flaw in how Microsoft's system identified trusted users or services. But instead of keeping the flaw a secret and potentially using it in its security efforts, the agency alerted Microsoft, which was able to fix the problem before it was made public.

The move reflects the push of the NSA's newCybersecurity Directorate, which became operational last year, to be the public face of the agency, focused on cyber defense.

"When Microsoft asked us, 'Can we attribute this vulnerability to NSA?' we gave it a great deal of thought," Anne Neuberger, head of the directorate, said in a call with reporters. "We've been discovering vulnerabilities for a long time, but we've never permitted attribution."

Both Microsoft and the NSA said they had not seen the vulnerability used by hackers in the wild, and Neuberger said the agency hadn't used it in a tool.

The change in tactics highlights the NSA's role in the defensive work of securing U.S. systems — and its desire for that role to be public — rather than adding to a stockpile of flaws, which it has strongly reduced in recent years, that could be used for hacking operations to gain intelligence.

"Under the new Cybersecurity Directorate — a major organization that unifies NSA's foreign intelligence and cyberdefense missions — NSA will work to prevent and eradicate threats to national security systems and critical infrastructure, with an initial focus on the defense industrial base and the improvement of our weapons' security," the NSA announced in October.

The decision to alert Microsoft — and to hold a press call with reporters about it — is a departure from the way the NSA operated just a couple years ago and brings to mind a public rift between it and the company in 2017.

That April, a mysterious online entity calling itself the Shadow Brokers — whose identity hasn't been made public and whose work is still a sore subject at the NSA — released stolen NSA hacking tools, including a powerful one called EternalBlue, which exploited a different major vulnerability in Windows operating systems.

Though the NSA had quietly alerted Microsoft about that flaw before Shadow Brokers released the tool, plenty of users who either didn't update their systems or used pirated versions were still sitting ducks. Two successive ransomware attacks, WannaCry and NotPetya, respectively created by North Korean and Russian intelligence, spread like wildfire around the world, causing tens of billions of dollars in damage.

Microsoft President Brad Smith penned a blog post at the time that placed some blame on the NSA, comparing it to "the U.S. military having some of its Tomahawk missiles stolen."

The new strategy follows changes made by the U.S. government in 2017 about how to deal with cybersecurity issues.Neuberger said the announcement was in accordance with the Vulnerabilities Equities Process, which agencies are ordered to follow when they find a flaw in technology that can either be identified for the sake of public safety, or exploited by intelligence agencies.

"As soon as we learned of it, we turned it over to Microsoft as discussed via the VEP," Neuberger said. "We do routinely share vulnerabilities."

"This isn't a change — we might be pleased that they're following the VEP," said Jason Healey, a senior researcher at Columbia University and an expert in the VEP. "I'm not trying to take credit from Anne and the team, but this is in line with what the policy should be."

A representative for Microsoft shared the company's list of patches for the vulnerability but declined to comment on the NSA's role in the process.