NSA Cybersecurity Directorate Head Anne Neuberger Explains Why NSA Revealed Windows 10 Bug

WASHINGTON (VINnews) — In the past, when the NSA has detected flaws in Windows it has exploited them for its own purposes of digital espionage. The public announcement Tuesday of a flaw in Windows 10, and the NSA's insistence that it had not used the flaw for its own purposes, marks a change in policy by the NSA, a change likely initiated by new Cybersecurity Directorate head Anne Neuberger, the highest-ranking Orthodox Jew in the NSA.

The bug was found in Windows’ mechanism for confirming the legitimacy of software or establishing secure web connections. If the verification check itself isn’t trustworthy, attackers can exploit that fact to remotely distribute malware or intercept sensitive data. Windows has since released a patch to fix the popular Windows 10 software as well as Server 2016.

“[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing,” Anne Neuberger, head of the NSA’s Cybersecurity Directorate, said on a call with reporters on Tuesday. “When we identified a broad cryptographic vulnerability like this we quickly turned to work with the company to ensure that they could mitigate it.”

Neuberger may be stating the new NSA policy, but in the past the secretive agency has preferred to utilize bugs without publicizing them, such as the Eternal Blue bug revealed in 2017, which the agency had used for five years previously without publicizing the flaw.

Neuberger said that disclosing the code verification bug to Microsoft and the public is part of a new NSA initiative in which the agency will share its vulnerability findings more quickly and more often. The effort will work alongside the existing Vulnerability Equities Process run by the National Security Council, which weighs the national security importance of keeping hacking tools secret versus disclosing vulnerabilities.

That’s why the NSA didn’t just disclose the vulnerability, but made its role public. “It’s hard for entities to trust that we indeed take this seriously,” she said, “and [that] ensuring that vulnerabilities can be mitigated is an absolute priority.”

 



3 Comments
perspective
4 years ago

Good move.

James Clapper
4 years ago

The NSA is a corrupt organization that spies on taxpaying citizens. Mike Rogers is a criminal who released the name of private citizen, Michael Flynn.

Shlomo
4 years ago

Or XP, never let me down