Friday, April 3, 2009

NSA and the Equities Dilemma

The equities dilemma can best be described as weighing the pros and cons of exploiting or disclosing a vulnerability. For example, imagine that the National Security Agency (NSA) discovers a flaw in Microsoft Outlook that allows a remote attacker to read the entire contents of a target's email account. Does the NSA inform Microsoft of this vulnerability, or does it use it to exploit the target's vulnerable email account for signals intelligence collection? Will keeping the vulnerability secret hurt the United States, since other hackers, cyber criminals, or nation-states may have discovered the same flaw and may be using it to gather intelligence on US Government and private sector targets?

In a recent Wall Street Journal Op-Ed, Bruce Schneier nicely summarizes this dilemma, stating:

"What happens when both the good guys the NSA wants to protect, and the bad guys the NSA wants to eavesdrop on, use the same systems? They all use Microsoft Windows, Oracle databases, Internet email, and Skype. When the NSA finds a vulnerability in one of those systems, does it alert the manufacturer and fix it - making both the good and bad guys more secure? Or does it keep quiet about the vulnerability and not tell anyone - making it easier to spy on the bad guys but also keeping the good guys insecure?"
Can this dilemma be resolved via a calculation regarding our exposure to a vulnerability compared to the potential value of intelligence gained through the vulnerability? Is it possible to calculate our total exposure to a vulnerability when many of the targets of cyber crime and cyber espionage are in the private sector?
