Bug Data Buys Businesses Intel From U.S. Government

Published : 22/11/2024   Category : security


Thousands of businesses are reportedly exchanging information with the government on zero-day vulnerabilities and online threats in return for classified intelligence.



Thousands of American businesses -- technology manufacturers, information security vendors, banks, satellite telecommunications providers and many others -- share threat intelligence with U.S. intelligence agencies, including details of secret zero-day vulnerabilities. In exchange, they receive access to classified intelligence, including early warnings on any attacks that have been detected that may target their networks or intellectual property, as well as where the attacks originated.
These information-sharing arrangements between businesses -- known in government parlance as trusted partners -- and the National Security Agency (NSA), CIA, FBI, U.S. military and other government agencies were first reported Thursday by Bloomberg. The revelations suggest that U.S. intelligence agencies' Internet monitoring programs extend far beyond the handful of secret projects detailed by recently leaked NSA documents.
Information published last week, based on secret documents leaked by former NSA contractor Edward Snowden, detailed the existence of a program to intercept metadata -- phone numbers, call duration, approximate geographical location -- on millions of U.S. cell phone subscribers. The leaked information also detailed Prism, which is an arrangement between the NSA's Special Source Operations unit program and nine U.S. Internet companies -- including Facebook, Google, Microsoft and Yahoo -- that targets foreign voice, email and video communications.
Another secret NSA project made public by Snowden's leaked information was Blarney, which according to the Washington Post is an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks by targeting network backbones. Blarney collects metadata for computers being used to send emails or browse the Internet. The collected metadata includes the device's operating system, the browser being used as well as the Java software version. Using that information would provide an intelligence agency with a shortcut to infiltrating any of those systems, for example by targeting known vulnerabilities in the browser or Java client.
Some of the shared information reportedly includes zero-day vulnerability details. Microsoft, for example, reportedly participates in the trusted-partner program, and shares information about vulnerabilities in its products with the government, before releasing those details -- or related fixes -- to business partners or the public. Such information could be used not only to proactively secure government computers against attack, but also to infiltrate foreign systems.
But two government officials, speaking anonymously to Bloomberg, said that while Microsoft is aware that the information it divulges can be used to target its foreign customers, legally speaking it's not allowed to ask -- and can't be told -- how the government might use this information. A Microsoft spokesman didn't immediately respond to an emailed request for comment about the full extent of its vulnerability-information-sharing arrangements with the U.S. government.
The Microsoft Active Protections Program (MAPP) counts a number of businesses and government organizations as participants, and gives them early information on vulnerabilities, in part to allow security firms to offer virtual patches against the bugs prior to their being detailed publicly. But the alleged information sharing between Microsoft and intelligence agencies would occur prior to bug information being distributed via MAPP.
The information-sharing news casts new light on how the U.S. government might have obtained the four zero-day vulnerabilities that were targeted by Stuxnet, which anonymous U.S. government officials said was a joint U.S.-Israeli project. Security researchers have said that the Stuxnet code base is quite similar to Flame and Duqu malware, suggesting that they were also the product of a U.S.-commissioned cyber weapons factory.
One critical legal point is that unlike some U.S. government interception programs -- such as Prism -- trusted partners aren't necessarily at the receiving end of a court order or National Security Letter, which can legally force not only their participation but also their silence. Instead, the trusted partner program appears to be voluntary, and includes manufacturers providing detailed information about their hardware and software to the U.S. government, although they appear to be sharing no customer information.
Likewise, many telecommunications companies reportedly give U.S. intelligence agencies direct access to their offshore data centers and other facilities, which is legal and exempts any resulting information intercepts from oversight under the Foreign Intelligence Surveillance Act.
The former director of the NSA and CIA, Michael Hayden, told Bloomberg that this information sharing would be invaluable. "If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful," he said.
To create these types of relationships, intelligence agencies reportedly first approach one key executive, who then handpicks a few trusted IT administrators to help. "You would keep it closely held within the company and there would be very few cleared individuals," Hayden said. Businesses sometimes also request immunity from any civil suits that might result from their information sharing.
Government officials told Bloomberg that Google co-founder Sergey Brin received a temporary clearance so that he could be briefed on what came to be known as the Operation Aurora advanced persistent threat (APT) attacks against Google. The attacks were reportedly traced to a Chinese People's Liberation Army cyber-attack unit that specialized in launching APT attacks. Based on the documents leaked by Snowden, at that point, Google would have been part of the Prism program for more than a year.
Google CEO Larry Page last week said in a statement that he'd never heard of Prism, denied giving the U.S. government direct access to any Google servers and said the company shared data with governments only in accordance with the law.
A Google spokesman didn't immediately respond to a request for comment about Google's information-sharing arrangements with the U.S. government.
But in the face of a potential backlash from domestic and overseas customers, Google, Facebook, Microsoft and Twitter have recently petitioned the Department of Justice and FBI, requesting that they be allowed to publicly detail the ways in which they share information with the U.S. government.
