Security Advisor

Microsoft Gives NSA Early Access to Zero-Day Security Info

Microsoft is just one of many companies that have been sharing information on hardware specs and software vulnerabilities with government organizations.

According to anonymous sources cited by Bloomberg, Microsoft routinely sends the National Security Agency (NSA) information on newly discovered security issues before publicly releasing a fix.

The practice is just one of thousands of examples of the NSA receiving private information from the tech industry in exchange for "receiving benefits that include access to classified intelligence," according to a report released today.

Microsoft's willingness to share data with the NSA first, before the public, gives the government the ability to protect systems from zero-day attacks, but it also provides the NSA with an opportunity

"Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials," read the Bloomberg report. "Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential."

Discussing this exchange of information, Microsoft spokesperson Frank Shaw told Bloomberg that this is just one of many instances in which the company provides the government with security information.

Microsoft isn't the only software company that routinely feeds the government information on newly discovered security vulnerabilities. According to the report, McAfee also participates in a similar activity. However, Michael Fey, the company's worldwide chief technology officer, argues that data on specific individuals is never shared with the NSA.

"We do not share any type of personal information with our government agency partners," Fey said in an e-mailed statement to Bloomberg. "McAfee's function is to provide security technology, education, and threat intelligence to governments."

Other information allegedly handed to the government by the tech industry includes non-personal data such as specific hardware specs, network operational data and software vulnerabilities.

Today's report comes just one week after Microsoft denied involvement in the recently disclosed NSA program called Prism -- an operation that collects private user data from companies like Microsoft, Google and Apple. However, allegedly leaked NSA slides accused Microsoft of being a willing participant in the program as far back as 1997, and even of allowing the NSA to eavesdrop on private Skype conversations in a separate program.

What's your take? Should tech firms like Microsoft continue to share zero-day security data with the government, prior to the public, because it adds to U.S. national security protections? Or are such actions kind of sketchy given global cyberwar tendencies and the potential for unchecked governmental abuses of power? Share your thoughts in the comments below.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

