Earlier this month, a Bloomberg News investigative piece revealed that Microsoft, anti-virus software maker McAfee and numerous other American technology firms shared advance information about vulnerabilities in their software with the U.S. government — before the information was released to the general public.
Such knowledge, Bloomberg reported, could be weaponized, giving the United States a tool to break into the computer systems of adversaries — or of its own citizens.
But the reality may be less alarming. Microsoft and McAfee already share advance security information with various government agencies, which are clients like any other and need to be alerted of urgent security risks.
Microsoft, through its Microsoft Active Protections Program, also supplies dozens of anti-virus firms around the world, including McAfee, with advance information on software vulnerabilities. Any one of those firms could pass the information along to its national government.
In fact, when it comes to devising attacks using previously unknown software vulnerabilities — "zero-day exploits" in hacker lingo — intelligence agencies such as the National Security Agency and the Central Intelligence Agency don't need Microsoft or McAfee to tell them how.
Instead, the cyberwarriors and spies are better off doing it the old-fashioned way — by buying the exploits from hackers.
Robert Graham, CEO and founder of Atlanta-based Errata Security, said that there's a relatively open and semi-legal market for zero-day exploits.
Security researchers, Graham explained, will discover a new vulnerability, write the code that makes it exploitable and shop it around to people they know in the field — including employees of government agencies.
"When your computer crashes, it just crashes," Graham said, explaining the hacker mentality that helps find vulnerabilities. "When mine does, I spend 10 hours trying to find out what happened and write code to duplicate it."
Selling an exploit involves more than merely publishing a paper on a theoretical vulnerability. To make a true exploit effective, it has to be replicated. Replicating it means writing code, and it's the code that's valuable.
"Zero-days are considered the weapons in a cyberwar scenario," said Mark Wuergler, senior security researcher at Immunity Inc. in Miami Beach. "It's the zero-days getting you in undetected to target resources in a way that target won't expect."
There's even a French company, VUPEN, that makes money finding zero-days and quietly selling them to governments. (VUPEN has told journalists it sells only to NATO members and allies.)
A really good zero-day exploit can fetch hundreds of thousands of dollars, Graham said. More common ones are much less than that.
So what if an American company discovered a security flaw on its own? Would it have to ask the government whether it could disclose it publicly?
Probably not. The NSA, in particular, wouldn't tell a company like Microsoft or Verizon to hide a security flaw. If it turned out that a software firm deliberately concealed a known flaw, the act of omission might reveal more than the NSA would want other countries to know.
On top of that, ignoring flaws, disclosed or not, would mean that a company was not fixing problems. If that policy were exposed, it would give its customers reason to go to another vendor.
There have been questions recently, Wuergler said, about long time lags between when major Microsoft software vulnerabilities have been discovered and when they've finally been fixed.
Was Microsoft keeping the vulnerabilities open for the NSA? Wuergler said there's little hard evidence for that.
But is it really fair to give big corporations, security firms and U.S. government agencies advance warning of information that the public won't get for several more days?
Wuergler explains that it has to be that way.
When Microsoft releases a security patch through its regular patch cycle, usually on the second Tuesday of every month, it isn't uncommon for hackers to try to immediately exploit the newly disclosed vulnerabilities before all users and IT administrators install the patch.
For this reason, Wuergler said, the day after "Patch Tuesday" has acquired the nickname "Exploit Wednesday."
Giving larger Microsoft customers and partners — including government agencies — advance notification of the new security flaw helps those customers mitigate such blowback.
"It helps prepare for the onslaught," Wuergler said.
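The exposure window described above, between a Patch Tuesday release and the moment every host has actually installed the update, is something an administrator can measure. The following script is an added illustration, not code from the article or from any of the people quoted in it: it computes Microsoft's regular patch day (the second Tuesday of a month), then reports which hosts in a small, constructed inventory were still unpatched once the "Exploit Wednesday" grace period had passed. The host names and install dates are invented for the example.

```python
"""Added example (not from the article): Patch Tuesday exposure report.

Computes the second Tuesday of a month and, for a constructed host
inventory, how many days each host remained unpatched afterwards.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (Microsoft's regular patch day)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def exposure_days(patch_day: date, installed: Optional[date], as_of: date) -> int:
    """Days a host stayed unpatched after patch_day.

    A host patched on patch_day (or earlier, e.g. via advance notification)
    has zero exposure; a host with no install date is exposed up to as_of.
    """
    end = installed if installed is not None else as_of
    if end < patch_day:
        return 0
    return (end - patch_day).days


def unpatched_report(
    inventory: Dict[str, Optional[date]],
    patch_day: date,
    as_of: date,
    grace_days: int = 1,
) -> List[Tuple[str, int, bool]]:
    """Hosts whose exposure exceeds grace_days, worst first.

    Each row is (hostname, days exposed, still unpatched as of as_of).
    grace_days=1 treats the day after Patch Tuesday as the acceptable window.
    """
    rows = []
    for host, installed in inventory.items():
        days = exposure_days(patch_day, installed, as_of)
        if days > grace_days:
            rows.append((host, days, installed is None))
    rows.sort(key=lambda row: -row[1])
    return rows


# Constructed sample inventory: hostname -> date the patch was installed
# (None means the host has not installed it yet).
PATCH_DAY = patch_tuesday(2013, 6)   # 2013-06-11
AS_OF = date(2013, 6, 20)
INVENTORY: Dict[str, Optional[date]] = {
    "ws-01": date(2013, 6, 11),   # patched on Patch Tuesday itself
    "ws-02": date(2013, 6, 12),   # patched on "Exploit Wednesday"
    "srv-db": date(2013, 6, 18),  # patched a week late
    "kiosk-7": None,              # never patched
}


if __name__ == "__main__":
    print(f"Patch Tuesday: {PATCH_DAY}, report as of {AS_OF}")
    for host, days, still_open in unpatched_report(INVENTORY, PATCH_DAY, AS_OF):
        status = "STILL UNPATCHED" if still_open else "patched late"
        print(f"{host:10} {days:3d} day(s) exposed  {status}")
```

Hosts that receive the patch through advance notification channels show zero exposure here, which is the point the quoted experts make: the earlier a fix lands, the shorter the window an attacker has after public disclosure.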
We don't just do Windows
However, security experts worry about more than just PC software vulnerabilities.
There are also hardware and software security flaws in telecommunications equipment and in the industrial control systems (ICS) that run factories and power plants. Both are vulnerable to hackers and occasionally have zero-day exploits.
The Stuxnet worm in 2010, most likely a U.S. intelligence project, damaged centrifuges used for purifying uranium in Iran. It carried at least one zero-day exploit for the centrifuge control systems, and possibly others for the centrifuges themselves.
That was in addition to four Windows zero-day exploits, which were targeted at the Iranian nuclear facility's main computer systems. Five zero-days — worth potentially millions of dollars — are more than any single piece of malware has carried before or since.
We may never learn how Stuxnet's creators found those zero-days. The exploits could have been bought on the open hacker market, could have been independently discovered by the malware's creators or could have been disclosed privately by the software vendors — or all three.
"There's a real concern that was raised a very long time ago, that what happened with Stuxnet ... was never really communicated to industry," said Joe Weiss, managing partner at Applied Control Solutions, a consulting firm in the Bay Area, and the author of books about protecting industrial systems. "But the industrial-control world is a lot different from the IT world."
Telecommunications equipment is another category of technology that spies — foreign or domestic — might take advantage of. But here, there's no question that the government has access.
The Communications Assistance for Law Enforcement Act of 1994 mandates that telecom equipment be built with "backdoors" to let police and government agencies monitor traffic.
The law was extended in 2004 to cover Voice over Internet Protocol telephone calls. (The FBI now wants the White House to extend it to social media and instant messaging as well.)
NSA leaker Edward Snowden told Hong Kong newspapers that the agency carries out a giant "man in the middle" attack upon foreign telecommunications networks, picking up data packets as they go by.
When the Chinese equipment maker Huawei wanted to expand in the United States, members of Congress said it might be a security risk.
Graham said he has seen evidence of spying via Huawei's equipment, but declined to go into technical details. Even then, though, it wasn't clear which government had done the spying.
"It could have been the French, or whoever," Graham said. "Huawei's cybersecurity is so pitifully bad, the source could have been the NSA having hacked Huawei, rather than the Chinese government."
But fundamentally, the information-sharing between intelligence agencies and technology companies is more prosaic than many people think.
"The company doesn't do anything that would get their customers upset," Graham said.