Generally, when security researchers uncover zero-day vulnerabilities in software, they disclose them to the vendor to be fixed; to do otherwise would leave critical infrastructure systems and other computers open to attack from criminal hackers, corporate spies and foreign intelligence agencies. But when the NSA uncovers a zero-day vulnerability, it has traditionally kept the information secret in order to exploit the security hole in the systems of adversaries. In doing so, it leaves critical systems in the U.S.—government computers and other systems that control the electric grid and the financial sector—vulnerable to attack.
It’s a government model that relies on keeping everyone vulnerable so that a targeted few can be hacked—the equivalent of withholding vaccination from an entire population so that a select few can be infected with a strategic biological virus.
It’s also a policy that pits the NSA’s offensive practices against the Department of Homeland Security’s defensive ones, since it’s the latter’s job to help secure critical infrastructure. That’s more than just poor policy. It’s a combination that could someday lead to disaster.