Former National Security Agency chief Gen. Keith Alexander. Photo: Evan Vucci/AP

The NSA has never said much about the open secret that it collects and sometimes even pays for information about hackable flaws in commonly used software. But in a rare statement following his retirement last month, former NSA chief Keith Alexander acknowledged and defended that practice. In doing so, he admitted the deeply contradictory responsibilities of an agency tasked with defending Americans security and simultaneously hoarding bugs in software they use every day.

I would love to have all the terrorists just use that one little sandbox over there so that we could focus on them. But they dont.

When the government asks NSA to collect intelligence on terrorist X, and he uses publicly available tools to encode his messages, it is not acceptable for a foreign intelligence agency like NSA to respond, Sorry we cannot understand what he is saying, Alexander told the Australian Financial Review, which he inexplicably granted a 16,000-word interview. To ask NSA not to look for weaknesses in the technology that we use, and to not seek to break the codes our adversaries employ to encrypt their messages is, I think, misguided. I would love to have all the terrorists just use that one little sandbox over there so that we could focus on them. But they dont.

The NSA has been widely criticized for using its knowledge of security flaws for spying, rather than working to patch those flaws and make internet users more secure.Alexanders defense of the practice boils down to the notion that separating friend and foe when seeking to break codes has become a nearly impossible task.

The interesting change has been the diffusion of encryption technologies into everyday life, he told AFR. It used to be that only, say, German forces used a crypto-device like Enigma to encipher their messages. But in todays environment encryption technology is embedded into all our communications.

At other points in his statement, Alexander argued that the NSA does disclose some of the vulnerabilities it finds in software to those who can patch the flaws, insisting that it focuses its bug-hunting primarily on defense, rather than using vulnerabilities for offensive purposes. He also went further, stating that the NSA categorically [does] not erode the defenses of U.S. communications, or water down security guidance in order to sustain access for foreign intelligence.

The latter claim contradicts numerous reports that the NSA is seeking to weaken encryption to give itself a backdoor into encrypted communications.

Last December, a group of advisers to the White House issued a report to President Obamacalling on him to rein-in the intelligence communitys use of so-called zero-day vulnerabilitiesnewly discovered hackable software bugs for which there exist no patch. The group went on to propose that zero-days only be used sparingly for high priority intelligence collection, and that those uses must be approved by a senior-level, interagency approval process.

In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection, the report reads. Eliminating the vulnerabilitiespatching themstrengthens the security of U.S. Government, critical infrastructure, andother computer systems.

Continued here:

Former NSA Chief Defends Stockpiling Software Flaws for Spying