That may make the agency a far more significant player in patching the fraying digital fabric that secures our lives than has previously been understood.
George’s comments come as the technology industry and the government grapple with the question of how intelligence agencies and law enforcement disclose bugs they discover.
Last month, the FBI said that it could not release the technical details of the hacking tool it used to break into an iPhone used by San Bernardino shooter Syed Rizwan Farook.
And suspicions remain about whether intelligence agencies withhold bugs so they can use them in offensive cyberattacks — like the Stuxnet worm unleashed against Iran’s nuclear program in 2010.
From the 1990s until his retirement from the NSA in 2011, George said, he was responsible for disclosing serious bugs to private companies.
“I imagine everybody had a similar process to the one that we had at NSA,” he said. Regulations required a review board, he explained: “Anybody who finds a vulnerability in a product has to report it to that board, so that we can figure out how we are going to address it.”
George said that in disclosing a problem, the NSA had to provide detailed information to the company whose software or hardware was affected.
“You can’t just say, ‘You have a problem here,’” he said. “You’ve got to convince them that there is a problem. (You) really have to have details about what the problem is.”
Recently, the government has worked on a multiagency information-sharing program, which partially declassified documents have revealed is called the Vulnerabilities Equities Process.
Here’s what is known about this process, based on documents released through Freedom of Information Act requests:
In 2008, the government convened a working group to help make plans for such a system, and two years later, it internally published a policy statement that outlined how the vulnerabilities program should work.
In 2014, after the discovery of the Heartbleed bug in commonly used Web software raised questions about the effectiveness of government bug disclosure, the process became “reinvigorated,” wrote White House cybersecurity policy coordinator Michael Daniel in a blog post. (Daniel didn’t name the then-secret program, but last month, Reuters wrote that he was commenting on what we now know as the Vulnerabilities Equities Process.)
The National Security Agency originally oversaw the bug-disclosure program, but it now appears that the National Security Council has taken on that role, said Andrew Crocker, a staff attorney at the Electronic Frontier Foundation.
In April, the FBI reportedly told Apple about separate issues involving iPhone and Mac software, according to Reuters, which suggests that bugs are, in fact, making it through the process.
The NSA is known for using undisclosed vulnerabilities. For instance, Stuxnet, a digital weapon developed by the U.S. and Israel, reportedly employed several previously unknown vulnerabilities to launch attacks against Iran’s uranium enrichment program.
Those may be more the exception than the rule. In October, the NSA said it discloses roughly 9 out of every 10 flaws that it discovers.
George said that in the roughly 15 years he spent in charge of reviewing bugs at the NSA, the only times a vulnerability wasn’t disclosed was when the agency couldn’t find the company involved, because it had shuttered, or the NSA couldn’t provide enough information to be of any real help.
There were about 300 incidents a year, he said. Each contained about three to seven software or hardware issues, “probably about 1,500 a year — that’s a pretty rough estimate, but not off by a large factor.”
That number is staggering, said Brian Martin, the director of vulnerability intelligence at Risk Based Security.
For comparison, he said, Google’s Project Zero, a team of security researchers searching for new exploits, reported a little less than a third of that amount last year.
“You’re saying the NSA is claiming to have found three times more than Project Zero — which, sure, it’s not beyond possibility — but that means that their budget and their resources that they are putting towards finding vulnerabilities is considerable,” Martin said.
The NSA, Martin said, has been given little if any credit for the flaws it does find.
The reason for that is simple, said George. Companies see no benefit in revealing the source of a bug discovery — especially when it’s the government.
“They don’t tell anybody that they got it from us ... (because) a lot of companies don’t want foreign governments knowing that they are getting intelligence from us,” he said.
Still, George said, he understands why there is mistrust of both the intelligence community and law enforcement when it comes to bug disclosure.
“I tend to think that you mistrust anything that you don’t know about,” said George, now the senior adviser for cybersecurity at Johns Hopkins. “So that’s the problem.”
©2016 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.
