In the last weeks the news related to PRISM has not stopped since leaked by Edward Snowden, who worked for Booz Allen Hamilton, a defense contractor for the NSA.
One interesting outcome of these leaks is the NSA access to 0Day vulnerabilities on Microsoft products and who knows if other big companies as well (Google, Apple, Adobe, etc.) under the cooperation programs Microsoft Active Protections program (MAPPS) and the Security Cooperation Program (SCP). The first program is for security companies and the second for government agencies -for example the Spanish intelligence agency (CNI) is a member of this program- in order to be informed first when vulnerabilities appear to be able to protect themselves before the security patch is released and to update their security products.
These programs were created for defensive purposes, but they raise an interesting issue: the use of this information for offensive purposes.
Finding vulnerabilities in products from large companies is increasingly more expensive so access to information about 0day by intelligence agencies makes them gain time and save resources. Now they only have to develop exploits to attack any system, remember that the security patch has not been published yet…
Countries wishing to establish offensive and defensive capabilities should create national programs that offer financial rewards (depending on a scale) to individuals that inform them of 0Day.
Large software and big Internet companies are mainly American but many vulnerabilities are discover and reported by foreign security experts. If there were a national program in place on vulnerability reporting they could first inform their Government and not the software companies.
The question is why to report vulnerabilities to software companies so they in turn inform their intelligence agencies to carry out offensive actions against other nations?
Remember that 0Day vulnerabilities and exploits have economic value today, and many public and private companies pay good money for them.
Quite honestly we should not be surprised by NSA acts since at the end their mission is national security using all possible means (legal ¿?), the same as many countries’ intelligence agencies.
What is clear is that the PRISM case may have more consequences to the United States as seemed at first, and certainly many countries will change their policies on defensive / offensive cyber security.
It will certainly be interesting to see how cyber security policies evolve in countries in the coming years.
What changes do you think are necessary in cyber security policies?
— Simon Roses Femerling
