U.S. tech companies sharing bug info with U.S. govt before releasing fixes
A recent report by Bloomberg’s Michael Riley has revealed that a great many U.S.-based companies are voluntarily sharing sensitive information with the U.S. national security agencies (both intelligence and military) in order to get information about potential risks and attacks.
This group of “trusted partners” includes many of the biggest Internet, hardware and software companies, security companies, as well as telecoms, ISPs, banks and companies from other sectors, and the information shared by them usually does not involve user information, but things like equipment specifications, security flaws, and more.
This type of information seems innocuous at first glance, but the problem is that it can be used by the government not only to defend its systems from all types of cyber attacks, but also to launch cyber attacks against other nations and cyber espionage against any and every type of target using those technologies.
Riley’s sources have revealed that companies such as Microsoft and other Internet, security and software companies share information about vulnerabilities in their widely used software before they issue a fix for them, and they can’t be sure that this information is not misused to compromise foreign targets.
Some U.S. telecoms allegedly also give the intelligence agencies access to all the data held in facilities located abroad, as the Foreign Intelligence Surveillance Act (FISA) doesn’t require oversight or permission from a court.
Not many people in these companies apparently know about these arrangements – more often than not, only a few of the people at the top are aware they exist. And with the latest revelations about the existence of PRISM and how giants like Google, Microsoft, Apple, Yahoo and others cooperate (or are forced to) with the data collection, the aforementioned arrangements don’t sound so unbelievable.
Microsoft has reacted to the revelations by saying that the company has several programs through which it discloses information regarding vulnerabilities, some of which have government participants.
“Prior to any fix being released to the ~1B computers that receive automatic security updates each month, Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers,” they claim.
“One example is our Microsoft Active Protections Program (MAPP), which supplies Microsoft vulnerability information to security software partners prior to Microsoft’s monthly security update release so partners can build enhanced customer protections. Another example of information sharing is the Security Cooperation Program (SCP) for Governments. Membership provides key technical information on security vulnerabilities prior to the security update being publicly available. This allows members more time to prioritize creating and disseminating authoritative guidance for increasing network protections,” they stated, adding that U.S. intelligence agencies do not receive information before other governments on the SCP.
McAfee’s CTO Michael Fey commented that “McAfee’s function is to provide security technology, education, and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity.”
Other examples of information shared with the U.S. government include metadata about system specifications (OS, browser type and version, Java use, and so on), and data about communications between two foreign systems that pass via U.S. fiber optic cables.