In a move designed for public reassurance and transparency, the National Security Agency (NSA) will now be more forthright, sharing cybersecurity attacks with companies rather than discreetly analyzing them in secret for the agency’s internal use. On Tuesday, The New York Times reported that the agency alerted Microsoft to a vulnerability in its Windows operating system.
Previously, the NSA would collate various information technology vulnerabilities and then utilize that knowledge to learn more about U.S. adversaries, sometimes even designing and initiating hacks themselves.
That secret strategy has backfired in recent years, however, when some of this research was found and exploited by cybercriminals and other U.S. enemies, among them North Korea.
The NSA has now adopted a more contrite and open approach within the cybersecurity community.
“We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community,” Anne Neuberger, the agency’s cybersecurity director, told reporters.
In the past, the NSA privately shared concerns and weaknesses to Microsoft as well as other technology companies. But these firms could never openly acknowledge the NSA’s assistance. That approach has been modified.
“Ensuring vulnerabilities can be mitigated is an absolute priority,” Ms. Neuberger said.
Industry analysts and other experts praised the move, but several noted its spirit and intent ran counter to the Justice Department’s recent confrontation with Apple, when that government agency ordered the company to break encryption on their phones.
The long-term results from the NSA’s policy shift remain to be seen. Future vulnerabilities analyzed by the NSA could subsequently be used to benefit global users rather than to become weaponized.
Russia, China, and Iran will remain ongoing security concerns, regardless.
As PYMYNTS recently reported, Iranian cyber agents have attacked U.S. companies, universities, industrial systems and financial institutions. They have called out journalists as a direct target, plus President Donald Trump and other government officials. The United States has attacked online the nuclear capabilities and computer systems within Iranian infrastructure.