The NSA Is Hoarding Vulnerabilities

153 points by gexos over 8 years ago

8 comments

Johnny555 over 8 years ago
The government already admitted that they are hoarding vulnerabilities:

*...the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is "a clear national security or law enforcement" use)...*

Obviously any valuable zero-day flaw has clear national security use to a national security agency that's tasked with breaking into "enemy" systems.
anexprogrammer over 8 years ago
Here's what I've never understood despite following security for a number of years. How on earth can the NSA *ever* conclude "nobody but us" short of silicon level exploits at manufacturing? Do they really think they can do things that the Chinese or other governments with significant agencies and supercomputers can't?
upofadown over 8 years ago
Now that the code makers have run far beyond the code breakers, hacking is all entities like the NSA have left. So of course they are hoarding vulnerabilities. That's all they can do.

Cracking systems probably isn't going to lead to anything worthwhile. It isn't targeted enough. The thing that the NSA fears the most is the perception that they are not worth the money. It's a legitimate fear.
wyldfire over 8 years ago
> If there are any vulnerabilities that -- according to the standards established by the White House and the NSA -- should have been disclosed and fixed, it's these.

It's too bad -- there's really just no accountability for these espionage organizations. And it seems like it will never change.
tptacek over 8 years ago
A bunch of thoughts:

1. It's not true that there's broad agreement among experts about how the government ought to handle vulnerabilities. In fact, that's close to the opposite of the truth. On the question of regulation, the field is riven over Wassenaar and the prospect of vuln research regulation. It's also divided between people with operational knowledge of how zero-day is used by the IC and people looking from the outside in, and also between privacy activists and security researchers, which is a Venn diagram with only partial overlap.

2. Schneier is showily beating up on the USG "vulnerability equities process", which supposedly determines whether or not the USG will publish vulnerabilities. It's fair game. But something that there *is* broad agreement on among practitioners is that the VEP is a PR farce. Nobody needed "Shadow Brokers" to confirm this; you can't have been paying attention over the last 10 years and not see that SIGINT roflstomps IAD. Read between the lines: even without specific NSA disclosures, to believe that NSA was serious about VEP, you'd have to believe that NSA is unique among all global intelligence agencies about protecting industry from vulnerabilities.

3. Schneier's perspective on whether, why, and how vulnerabilities should be disclosed is probably naive. The best account I've read on this so far is Aitel's Vulnerability Equities post on Lawfare. For a simple example: NSA SIGINT cannot necessarily disclose old vulnerabilities, even for products that have been discontinued, without revealing to its opponents a catalog of every machine they've compromised over the lifespan of the vulnerability. Take for instance the Cisco SNMP vulnerability: SNMP is so low-volume that even mid-sized US corporations maintain full packet logs of every SNMP request sent on their network. To premise operational decisions on the idea that FSB doesn't do that would be extremely poor tradecraft.

That's not dispositive! It could be the case that the USG should simply give up on computer-based SIGINT, unilaterally disarming and working instead to help industry defend against foreign SIGINT. That would be a radical change and it would come with tradeoffs, but it's a coherent position.

A far more straightforward argument to make is that NSA SIGINT should be entirely exempt from any equities process, but that NSA should be stripped of its IAD mission, and a separately funded and operated IAD capability should be spun up under DHS, with clear directives to disclose immediately to vendors.

4. I'm a little biased on this, not because I'm a vuln researcher (I am, but I don't do the kind of work that gets marketed to government, nor have I or will I ever work with governments) but because I think Bruce Schneier's track record on this subject is both bad and inconsistent, dating back to his use of his popular newsletter to vilify eEye for disclosing to the public vulnerabilities later used to build worms.
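The SNMP point in the comment above rests on a defender-side mechanic: because SNMP is low-volume and often archived in full, a newly disclosed indicator can be applied backwards over months of stored requests, and the resulting list of targeted devices is exactly the "catalog of every machine compromised" the comment describes. The following is an added example, not code from the thread or from any vendor: a retrospective hunt over a constructed SNMP request log. The log format, the management-subnet prefix, the OID subtree and the size threshold are all hypothetical and stand in for whatever a real advisory would specify; they do not describe any actual Cisco flaw.

```python
"""Retrospective hunt over an archived SNMP request log (added example).

Everything here is constructed: the log lines, the log format, the
management-subnet convention and the indicator values. Nothing describes
a real advisory.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample of an archived SNMP request log (not real traffic).
# One request per line:
# timestamp|src_ip|dst_ip|version|community|pdu_type|oid|payload_len
SAMPLE_LOG = """\
2016-05-02T09:14:03Z|10.20.1.15|10.20.0.1|v2c|public|get-request|1.3.6.1.2.1.1.1.0|41
2016-05-02T09:14:07Z|10.20.1.15|10.20.0.1|v2c|public|get-next-request|1.3.6.1.2.1.2.2.1|44
2016-05-11T23:47:51Z|198.51.100.77|10.20.0.1|v1|public|get-request|1.3.6.1.4.1.99999.1|1480
2016-05-11T23:47:52Z|198.51.100.77|10.20.0.1|v1|public|get-request|1.3.6.1.4.1.99999.1|1480
2016-06-01T08:02:10Z|10.20.1.16|10.20.0.2|v3|-|get-request|1.3.6.1.2.1.1.3.0|52
"""

# Hypothetical site convention: only this subnet is allowed to poll devices.
MANAGEMENT_NET_PREFIX = "10.20.1."


@dataclass(frozen=True)
class SnmpRequest:
    ts: datetime
    src: str
    dst: str
    version: str
    community: str
    pdu_type: str
    oid: str
    payload_len: int


@dataclass(frozen=True)
class Indicator:
    """What a disclosure hands the defender (constructed values, not a real advisory)."""
    name: str
    oid_prefix: str      # OID subtree through which the flaw is reached
    max_payload: int     # legitimate requests in that subtree stay below this size


def parse_log(text: str) -> List[SnmpRequest]:
    """Parse the pipe-separated archive; blank lines are skipped."""
    requests: List[SnmpRequest] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, ver, comm, pdu, oid, plen = line.split("|")
        # Older Pythons reject a trailing 'Z' in fromisoformat(), so normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        requests.append(SnmpRequest(when, src, dst, ver, comm, pdu, oid, int(plen)))
    return requests


def hunt(requests: Iterable[SnmpRequest], ind: Indicator) -> List[SnmpRequest]:
    """Apply a disclosed indicator backwards over the archive.

    A request is a hit when it touches the advisory's OID subtree and is
    either oversized or comes from outside the management network.
    """
    hits: List[SnmpRequest] = []
    for r in requests:
        in_subtree = r.oid.startswith(ind.oid_prefix)
        oversized = r.payload_len > ind.max_payload
        foreign = not r.src.startswith(MANAGEMENT_NET_PREFIX)
        if in_subtree and (oversized or foreign):
            hits.append(r)
    return hits


def first_seen_by_device(hits: Iterable[SnmpRequest]) -> Dict[str, datetime]:
    """Earliest matching request per targeted device: the exposure catalogue."""
    first: Dict[str, datetime] = {}
    for h in hits:
        if h.dst not in first or h.ts < first[h.dst]:
            first[h.dst] = h.ts
    return first


if __name__ == "__main__":
    indicator = Indicator("hypothetical-advisory", "1.3.6.1.4.1.99999.", 1024)
    found = hunt(parse_log(SAMPLE_LOG), indicator)
    for device, when in first_seen_by_device(found).items():
        print(f"{device}: first suspicious request at {when.isoformat()}")
```

Against the constructed log, the two oversized requests from 198.51.100.77 are flagged and the hunt reports 10.20.0.1 with a first-seen time of 2016-05-11T23:47:51+00:00, while ordinary polling from the management subnet is left alone. The same pass, run over a real multi-month archive once an advisory is public, is what turns one disclosure into a per-device history of who was touched and when.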
doggydogs94 over 8 years ago
I think what would work best is the following. NSA alerts US companies of the vulnerabilities in their products with the understanding that the companies will not publicize that the vulnerability was fixed. This will let the NSA continue to exploit the vulnerabilities; most customers never update things like routers and other obscure pieces of the infrastructure.
jokoon over 8 years ago
I think that as long as the NSA can estimate they do have more of those cyber weapons, they won't push for patching them, and it makes sense.

The day the Chinese or the Russians are able to discover more of those vulnerabilities, they will all get fixed.

It's a simple arms race. Simple as that.
ryao over 8 years ago
I do not understand this "they're making us less secure" argument. The only way that the NSA could be actively making systems less secure would be if they were putting vulnerabilities into the source code or silicon. The reality is that the NSA need not do that because these systems were already insecure and the NSA just had to figure out how they were insecure. They would have been insecure, even if the NSA had never scrutinized them.

The affected systems are ones that I had told others were likely insecure (by virtue of being closed source), but no one listened to me. If you care about network security, then you should use a properly configured software firewall/router running Linux or *BSD. This Cisco/Juniper/etcetera equipment is closed source, hard to scrutinize and almost certainly has horrible flaws that would never be allowed into a serious OSS project.

Of course, things like pfSense are not "enterprise grade", so people will continue to ignore advice to use them, put these vulnerable systems into production and then be surprised when it comes out that the security was terrible.