“The National Security Agency is known for keeping secrets. But a bug it recently discovered in Microsoft’s operating system was so potentially catastrophic that it fast-tracked a lengthy decision-making process to alert the company and the public as quickly as possible.
The quick disclosure marks a big pivot for the agency, which has historically been eager to hold onto hackable computer bugs that it can use to spy on U.S. adversaries — at least temporarily — before sharing them with companies and has been loath to advertise its role in uncovering them.
It also underscores the havoc the Microsoft flaw could have caused if it was discovered and exploited by U.S. adversaries in Russia, Iran or elsewhere who could have compromised millions of computers for surveillance or sabotage.
“Internally the decision was clear” to disclose, said a government official, who like others interviewed spoke on the condition of anonymity to describe internal discussions. “It was a no-brainer.”
Officials across the government typically convene when they discover dangerous computer bugs to weigh whether it’s better to disclose or hold onto them — an exercise known as the “vulnerabilities equities process” or VEP. The meetings are chaired by the White House’s senior director for cybersecurity policy, Grant Schneider.
Yet NSA officials in this case worried that if malicious hackers detected the bug, it could be turned into a weapon to use against Americans and others and wreak havoc before Microsoft had a chance to patch it. The longer they held it, the greater the danger it would be discovered by others. “That’s not in anybody’s interest,” the official said.”