Openness and the NSA are not happy bedfellows; by its very nature, the agency is highly secretive. But in recent years, post-Edward Snowden, the organisation has embarked on something of a PR campaign in an attempt to win back public trust.
The latest manoeuvre sees the NSA promoting the fact that when it discovers security vulnerabilities and zero-days in software, it goes public with them in 91 per cent of cases... but not before it has exploited them. No information about the timescale for disclosures is given, but what most people will be interested in is the remaining 9 per cent which the agency keeps to itself.
The NSA has long been accused of sitting on the software vulnerabilities it discovers, and now it is seeking to reassure people by pointing to the number of flaws it does disclose. Many people will be disappointed to learn that before the companies behind software with security issues are told about the vulnerabilities, the NSA will first use the exploits for its own advantage. The agency has even gone as far as developing viruses like Stuxnet to attack foreign nations.
Government officials have revealed that the NSA comes clean about vulnerabilities in more than 90 per cent of cases. This enables software developers to produce patches that can be pushed to users, but the admission that a percentage of security flaws are not shared means that a large number of known vulnerabilities go unpatched and remain exploitable by the NSA or hackers.
On its website, the NSA cites 'national security reasons' for holding back information about some vulnerabilities: