NSA chief says agency discloses '91 percent' of zero day bugs

The National Security Agency last year disclosed to the private sector about 91 percent of previously unknown software vulnerabilities the agency discovered, according to NSA Director Adm. Michael Rogers.

Photo: Admiral Michael Rogers speaking at George Washington University on May 11, 2015. Rogers, shown here at that May 2015 event, said on Nov. 7 that the National Security Agency discloses 91 percent of the "zero-day" vulnerabilities that it discovers.

"There shouldn’t be any doubt in anyone's mind that the direction clearly to us within the U.S. government structure is a preference to disclose vulnerabilities because a secure Internet is in the best interests of our nation and the broader world around us," said Rogers, who also heads U.S. Cyber Command. He spoke Nov. 7 at the Reagan National Defense Forum in Simi Valley, Calif.

The topic of "zero-day" vulnerabilities, or those unknown to the broader IT security community, has been a hot one, with evidence suggesting the NSA has hoarded such software flaws to exploit them in covert activities.

When asked what makes some zero-days worth keeping, Rogers said the decision to withhold a vulnerability is based on the intelligence insight it generates. Among the other considerations in an inter-agency process for disclosing the vulnerabilities, he said, are: "What's the price of not sharing this vulnerability? How broadly is it deployed? What's the economic impact?" The zero-day disclosure process was once internal to the NSA but is now overseen by the National Security Council, according to an NSA statement.

The statement said that "historically," the NSA has released more than 91 percent of the vulnerabilities it has discovered. The other 9 percent were either already fixed by vendors or kept "for national security reasons," the statement added.

"Disclosing a vulnerability can mean that we forego an opportunity to: collect crucial foreign intelligence that could thwart a terrorist attack; stop the theft of our nation’s intellectual property; [or] discover even more dangerous vulnerabilities that are being used to exploit our networks," the NSA statement said.

Chaouki Bekrar, founder of Zerodium, a startup that rewards researchers for discovering zero-days, noted that some vulnerabilities are more critical than others. "The NSA didn’t say the criticality of [zero days] reported vs unreported," he tweeted. "Reporting non-exploitable [zero days] is a cheap way to improve your reports stats."

Rogers was joined at the Reagan National Defense Forum by, among others, Rep. Adam Schiff (D-Calif.), the House Permanent Select Committee on Intelligence's ranking minority member.

Schiff used the aftermath of the hack of Sony Pictures Entertainment, which U.S. officials attributed to North Korea, to explain why he thought the United States lacked a credible deterrent in cyberspace. In the wake of the hack, North Korea’s frail Internet infrastructure experienced an outage, leading some to speculate that the United States had retaliated in kind. The lack of clarity on whether Washington was responsible for the outage was problematic for the congressman.

"If it was a response, it wouldn't be a very effective one," he said, "because part of having a deterrent capability is they got to know when they’re suffering the repercussions."