The National Security Agency said it has alerted Microsoft to a critical vulnerability in its operating system to allow the company to fix the issue, in an apparent shift away from its traditional approach of weaponising flaws as hacking tools of its own.
Microsoft issued a patch — or update — to its systems on Tuesday in response, and said in a blog post that the flaw could have potentially exposed users of its Windows 10 system to third-party breaches or surveillance.
“Our goal is to rapidly alert that this is an important [patch],” Anne Neuberger, director of cyber security at the NSA, told reporters on Tuesday. “The percentage of enterprises that patch is still far lower than is needed.”
The American intelligence agency, which was at the centre of leaks by US contractor Edward Snowden about its vast spying capabilities, is seeking to improve its reputation and develop closer relationships with the private sector.
The decision to share its findings with Microsoft stands in contrast to its typical approach of keeping vulnerabilities to itself in the hope of wielding them for its own spying purposes.
The NSA has faced harsh criticism for sitting on several bugs in order to develop its own hacking tools — tools that subsequently fell into the hands of cyber criminals and others who exploited them.
For example, the NSA developed one such tool, dubbed “EternalBlue”, to secretly exploit a Windows flaw that it had discovered and did not disclose to Microsoft. This exploit was then leaked online by a mysterious entity called the Shadow Brokers, and later wielded by cyber criminals as part of the WannaCry ransomware campaign that hit British hospitals, businesses and government agencies in 2017.
“We wanted to take a new approach to sharing and also really work to build trust with the cyber security community . . . Part of building trust is showing the data,” Ms Neuberger said. She said it was the first time the agency had taken credit for such an action but that it had regularly alerted private sector companies of such gaps in the past so that they could fix them.
She said the US government, including the defence department, would not be able to secure its own networks without help from the private sector, which owns and operates 90 per cent of them. “Ensuring that vulnerabilities can be mitigated is an absolute priority.”
Nevertheless, some in the industry remained sceptical of the NSA’s apparent change of tack. Chris Morales, head of security analytics at the cyber security group Vectra, said that while the move may have been prompted by genuine concern that others could exploit the vulnerability, “it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it”.
Rick Holland, chief information security officer at San Francisco-based Digital Shadows, which provides digital risk protection software, said: “Please make no mistake, though; the NSA will continue to hoard zero-days and leverage them as required to accomplish their objectives.”
Ms Neuberger said that alongside helping the private sector fix vulnerabilities, the agency was still dedicated to its spy mission, which is focused on supporting US combat operations, building secure communications and defending against cyber attack.
“We’ve always pursued both those missions in order to keep the country and our allies safe,” she said.